≡ Menu

RHEL / CentOS Linux: Nginx Chroot Jail Start / Stop / Restart Shell Script

A simple shell script to start / stop / restart chrooted nginx web server under CentOS / RHEL Linux. You must have Nginx web server setup in a chroot (jail) so that you can minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can also mount $jail/tmp as a separate filesystem (/images/tmpfile.bin) with the noexec,nosuid, nodev options under Linux like operating systems.

#!/bin/bash
# Name : nginx.rc
# URL: http://bash.cyberciti.biz/security/linux-nginx-start-stop-restart-chrooted-jail/
# Purpose: A simple shell script wrapper to chroot nginx in $_newroot under Linux
# ----------------------------------------------------------------------------
# Author: nixCraft 
# Copyright: 2011 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated: 18/Dec/2012 - Added support for secure /tmp mount
# Last updated: 19/Dec/2012 - Bug fixed in ln
# Last updated: 10/Mar/2013 - Bug fixed in status()
# ----------------------------------------------------------------------------
# jail location - must be up, see how to setup nginx using chroot
# http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/
_newroot="/nginxjail"
# RHEL nginx and other binary paths
_nginx="/usr/sbin/nginx"
_chroot="/usr/sbin/chroot"
_killall="/usr/bin/killall"
# 0 turn off or # 1 turn on
_securetmp=0
_securetmproot="/path/to/images/nginx_jail_tmp.bin"
[ ! -d "$_newroot" ] &# mount /tmp securely inside $_newroot
# see http://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/
mounttmp(){
	if [ $_securetmp -eq 1 ]
	then
		mount | grep -q $_securetmproot
		if [ $? -eq  0 ]
		then
			echo "*** Secure root enabled and mounted ***"
		else
			echo "*** Turning on secure /tmp..."
			[ ! -f "$_securetmproot" ] &mount -o loop,noexec,nosuid,rw "$_securetmproot" "$_newroot/tmp"
			chmod 1777 "$_newroot/tmp"
			rm -rf "$_newroot/var/tmp"
			ln -s ../tmp "$_newroot/var/tmp"
		fi
	fi
}
start(){
	echo -en "Starting nginx...\t\t\t"
	$_chroot $_newroot $_nginx && echo -en "[ OK ]" || echo "[ Failed ]"
}
stop(){
	echo -en "Stoping nginx...\t\t\t"
	$_killall "${_nginx##*/}" && echo -en "[ OK ]" || echo "[ Failed ]"
}
reload(){
	echo -en "Reloading nginx...\t\t\t"
	$_chroot $_newroot $_nginx -s reload && echo -en "[ OK ]" || echo "[ Failed ]"
}
## Fancy status
status(){
	echo
	pgrep -u ${_nginx##*/} ${_nginx##*/} &>/dev/null
	[ $? -eq 0 ] && echo "*** Nginx running on $(hostname) ***" || echo "*** Nginx not found on $(hostname) ***"
	echo
	echo "*** PID ***"
	#pgrep -u ${_nginx##*/} ${_nginx##*/}
	ps aux | grep "${_nginx##*/}" | egrep -v 'grep|bash'
	echo
	echo "FD stats:"
	for p in $(pidof ${_nginx##*/}); do echo "PID # $p has $(lsof -n -a -p $p|wc -l) fd opend."; done
	echo
	echo "Jail dir location:"
	pwdx $(pgrep -u "root" "${_nginx##*/}") | grep  --color "$_newroot"
	echo
	echo "*** PORT ***"
	netstat -tulpn | egrep --color  ':80|:443'
}
## Make sure /tmp is securely mounted inside jail ##
mounttmp
## main ##
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                stop
                start
                ;;
        reload)
                reload
		;;
        status)
                status
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|status}"
                ;;
esac
# just send \n
echo

How do I use this script?

Download the script:
# cd /tmp
# wget http://bash.cyberciti.biz/dl/593.sh.zip
# unzip 593.sh.zip
# mv 593.sh /etc/rc.d/nginx.jail.rc
# chmod +x /etc/rc.d/nginx.jail.rc

Use it as follows:
# /etc/rc.d/nginx.jail.rc start
# /etc/rc.d/nginx.jail.rc stop
# /etc/rc.d/nginx.jail.rc restart
# /etc/rc.d/nginx.jail.rc status

Sample outputs:

Fig.01 nginx.rc in action

Fig.01 nginx.rc in action

{ 0 comments… add one }
Security: Are you a robot or human?

Leave a Comment