A simple shell script to start / stop / restart chrooted nginx web server under CentOS / RHEL Linux. You must have Nginx web server setup in a chroot (jail) so that you can minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can also mount $jail/tmp as a separate filesystem (/images/tmpfile.bin) with the noexec,nosuid, nodev options under Linux like operating systems.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 | #!/bin/bash # Name : nginx.rc # URL: https://bash.cyberciti.biz/security/linux-nginx-start-stop-restart-chrooted-jail/ # Purpose: A simple shell script wrapper to chroot nginx in $_newroot under Linux # ---------------------------------------------------------------------------- # Author: nixCraft - http://www.cyberciti.biz # Copyright: 2011 nixCraft under GNU GPL v2.0+ # ---------------------------------------------------------------------------- # Last updated: 18/Dec/2012 - Added support for secure /tmp mount # Last updated: 19/Dec/2012 - Bug fixed in ln # Last updated: 10/Mar/2013 - Bug fixed in status() # ---------------------------------------------------------------------------- # jail location - must be up, see how to setup nginx using chroot # http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/ _newroot="/nginxjail" # RHEL nginx and other binary paths _nginx="/usr/sbin/nginx" _chroot="/usr/sbin/chroot" _killall="/usr/bin/killall" # 0 turn off or # 1 turn on _securetmp=0 _securetmproot="/path/to/images/nginx_jail_tmp.bin" [ ! -d "$_newroot" ] &# mount /tmp securely inside $_newroot # see http://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/ mounttmp(){ if [ $_securetmp -eq 1 ] then mount | grep -q $_securetmproot if [ $? -eq 0 ] then echo "*** Secure root enabled and mounted ***" else echo "*** Turning on secure /tmp..." [ ! -f "$_securetmproot" ] &mount -o loop,noexec,nosuid,rw "$_securetmproot" "$_newroot/tmp" chmod 1777 "$_newroot/tmp" rm -rf "$_newroot/var/tmp" ln -s ../tmp "$_newroot/var/tmp" fi fi } start(){ echo -en "Starting nginx...\t\t\t" $_chroot $_newroot $_nginx && echo -en "[ OK ]" || echo "[ Failed ]" } stop(){ echo -en "Stoping nginx...\t\t\t" $_killall "${_nginx##*/}" && echo -en "[ OK ]" || echo "[ Failed ]" } reload(){ echo -en "Reloading nginx...\t\t\t" $_chroot $_newroot $_nginx -s reload && echo -en "[ OK ]" || echo "[ Failed ]" } ## Fancy status status(){ echo pgrep -u ${_nginx##*/} ${_nginx##*/} &>/dev/null [ $? -eq 0 ] && echo "*** Nginx running on $(hostname) ***" || echo "*** Nginx not found on $(hostname) ***" echo echo "*** PID ***" #pgrep -u ${_nginx##*/} ${_nginx##*/} ps aux | grep "${_nginx##*/}" | egrep -v 'grep|bash' echo echo "FD stats:" for p in $(pidof ${_nginx##*/}); do echo "PID # $p has $(lsof -n -a -p $p|wc -l) fd opend."; done echo echo "Jail dir location:" pwdx $(pgrep -u "root" "${_nginx##*/}") | grep --color "$_newroot" echo echo "*** PORT ***" netstat -tulpn | egrep --color ':80|:443' } ## Make sure /tmp is securely mounted inside jail ## mounttmp ## main ## case "$1" in start) start ;; stop) stop ;; restart) stop start ;; reload) reload ;; status) status ;; *) echo $"Usage: $0 {start|stop|restart|reload|status}" ;; esac # just send \n echo |
How do I use this script?
Download the script:
# cd /tmp
# wget http://bash.cyberciti.biz/dl/593.sh.zip
# unzip 593.sh.zip
# mv 593.sh /etc/rc.d/nginx.jail.rc
# chmod +x /etc/rc.d/nginx.jail.rc
Use it as follows:
# /etc/rc.d/nginx.jail.rc start
# /etc/rc.d/nginx.jail.rc stop
# /etc/rc.d/nginx.jail.rc restart
# /etc/rc.d/nginx.jail.rc status
Sample outputs: