A simple shell script to start / stop / restart chrooted nginx web server under CentOS / RHEL Linux. You must have Nginx web server setup in a chroot (jail) so that you can minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can also mount $jail/tmp as a separate filesystem (/images/tmpfile.bin) with the noexec,nosuid, nodev options under Linux like operating systems.
#!/bin/bash # Name : nginx.rc # URL: https://bash.cyberciti.biz/security/linux-nginx-start-stop-restart-chrooted-jail/ # Purpose: A simple shell script wrapper to chroot nginx in $_newroot under Linux # ---------------------------------------------------------------------------- # Author: nixCraft - http://www.cyberciti.biz # Copyright: 2011 nixCraft under GNU GPL v2.0+ # ---------------------------------------------------------------------------- # Last updated: 18/Dec/2012 - Added support for secure /tmp mount # Last updated: 19/Dec/2012 - Bug fixed in ln # Last updated: 10/Mar/2013 - Bug fixed in status() # ---------------------------------------------------------------------------- # jail location - must be up, see how to setup nginx using chroot # https://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/ _newroot="/nginxjail" # RHEL nginx and other binary paths _nginx="/usr/sbin/nginx" _chroot="/usr/sbin/chroot" _killall="/usr/bin/killall" # 0 turn off or # 1 turn on _securetmp=0 _securetmproot="/path/to/images/nginx_jail_tmp.bin" [ ! -d "$_newroot" ] &# mount /tmp securely inside $_newroot # see http://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/ mounttmp(){ if [ $_securetmp -eq 1 ] then mount | grep -q $_securetmproot if [ $? -eq 0 ] then echo "*** Secure root enabled and mounted ***" else echo "*** Turning on secure /tmp..." [ ! -f "$_securetmproot" ] &mount -o loop,noexec,nosuid,rw "$_securetmproot" "$_newroot/tmp" chmod 1777 "$_newroot/tmp" rm -rf "$_newroot/var/tmp" ln -s ../tmp "$_newroot/var/tmp" fi fi } start(){ echo -en "Starting nginx...\t\t\t" $_chroot $_newroot $_nginx && echo -en "[ OK ]" || echo "[ Failed ]" } stop(){ echo -en "Stoping nginx...\t\t\t" $_killall "${_nginx##*/}" && echo -en "[ OK ]" || echo "[ Failed ]" } reload(){ echo -en "Reloading nginx...\t\t\t" $_chroot $_newroot $_nginx -s reload && echo -en "[ OK ]" || echo "[ Failed ]" } ## Fancy status status(){ echo pgrep -u ${_nginx##*/} ${_nginx##*/} &>/dev/null [ $? -eq 0 ] && echo "*** Nginx running on $(hostname) ***" || echo "*** Nginx not found on $(hostname) ***" echo echo "*** PID ***" #pgrep -u ${_nginx##*/} ${_nginx##*/} ps aux | grep "${_nginx##*/}" | egrep -v 'grep|bash' echo echo "FD stats:" for p in $(pidof ${_nginx##*/}); do echo "PID # $p has $(lsof -n -a -p $p|wc -l) fd opend."; done echo echo "Jail dir location:" pwdx $(pgrep -u "root" "${_nginx##*/}") | grep --color "$_newroot" echo echo "*** PORT ***" netstat -tulpn | egrep --color ':80|:443' } ## Make sure /tmp is securely mounted inside jail ## mounttmp ## main ## case "$1" in start) start ;; stop) stop ;; restart) stop start ;; reload) reload ;; status) status ;; *) echo $"Usage: $0 {start|stop|restart|reload|status}" ;; esac # just send \n echo
How do I use this script?
Download the script:
# cd /tmp
# wget http://bash.cyberciti.biz/dl/593.sh.zip
# unzip 593.sh.zip
# mv 593.sh /etc/rc.d/nginx.jail.rc
# chmod +x /etc/rc.d/nginx.jail.rc
Use it as follows:
# /etc/rc.d/nginx.jail.rc start
# /etc/rc.d/nginx.jail.rc stop
# /etc/rc.d/nginx.jail.rc restart
# /etc/rc.d/nginx.jail.rc status
Sample outputs:
Fig.01 nginx.rc in action
Get the latest tutorials on SysAdmin, Linux/Unix, Open Source, and DevOps topics:
- RSS feed or Weekly email newsletter
- Share to Twitter • Facebook • 0 comments... add one ↓
Related Shell Scripts:
RHEL / CentOS: Shell Script Wrapper TO Start / Stop / Restart NFSv4…
nginx Chroot Helper Bash Shell Script To Copy Libs To /lib64 and /usr/lib64
Shell Script To Update Remote RHEL and CentOS Servers Over SSH Session
Shell Script To Start FastCGI PHP Server For Nginx Web Server
Shell Script to stop DLink PCI wireless lan card DWL 520 (Debian Linux)
Linux Firewall: Simple Shell Script To Stop and Flush All Iptables Rules
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |