I want to configure nginx as follows:
- There are several registered users on the server.
- Every user may own several virtual hosts (they cannot configure them) of two different types: nodejs proxy or PHP.
- One user should not be able to get sensitive information (mysql database settings, etc.) from another user's directory.
For example:
users: joe, tom
virtual hosts:
- joe
  - www - /srv/www/main/public_html, Wordpress
  - app -> node.js on port 8081
- tom
  - www - /srv/www/tom/public_html, custom, very important scripts
joe should not be able to read files from tom's directory. nginx should serve files from both directories.
With Apache it is possible by installing apache2-mpm-itk and specifying the user/group per virtual host.
With nginx it does not look possible. I see the following possible solutions:
Create FCGI handlers with different user/group for every virtual host so the PHP context will be different and set different permissions for each PHP file. Like this:
Directory: /srv/www/tom/public_html
- script.js - www-data:www-data
- script.php - tom:tom
Or use different nginx instances for every user and one main instance that proxies the requests to them.
What is better?
Run the user's FCGI/node/whatever handlers as the user (I run all my stuff out of daemontools, it's absolutely perfect for this sort of thing) and then tell nginx to proxy to them. Have all content owned by the user, and they can set up whatever permissions they like to prevent bad actors from getting at their stuff.
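The layout this answer describes, sketched as an added example that is not part of the original answer: one nginx instance hands tom's PHP requests to a handler running as tom and proxies joe's app to his node.js process on port 8081. The use of PHP-FPM as the handler, the socket path and the `*.example` server names are assumptions made for illustration.

```nginx
# Assumed PHP-FPM pool for tom (lives in its own pool file, shown here as comments):
#   [tom]
#   user = tom                  ; PHP code executes as tom, not as www-data
#   group = tom
#   listen = /run/php/tom.sock  ; hypothetical socket path
#   listen.owner = www-data     ; only the nginx user may connect to the socket
#   listen.group = www-data
#   listen.mode = 0660

# tom's PHP site: nginx serves static files itself and passes *.php to tom's pool.
server {
    listen 80;
    server_name www.tom.example;           # constructed name
    root /srv/www/tom/public_html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;               # never hand a non-existent script to the handler
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/tom.sock;
    }

    location ~ /\. {
        deny all;                          # do not serve dotfiles (.git, .env, ...)
    }
}

# joe's node.js app: the process runs as joe and listens on loopback only.
server {
    listen 80;
    server_name app.joe.example;           # constructed name

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

For the isolation to hold, tom's tree needs permissions such as tom:www-data with mode 0750 on directories and 0640 on static files, while PHP scripts holding credentials can be tom:tom 0600, since nginx never reads their contents. joe's handlers run as joe, are not in the www-data group, and so cannot traverse into tom's directory.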