DaemonForums  

Nginx to serve recursive directories and files

#1, 15th January 2015, 22decembre

I have noticed that I always share the same set of files via USB or other ways (some large videos, for language-learning purposes).

So I wanted to stop doing that and simplify my life by simply setting up ftp-like access to these files on my OpenBSD server, and thought using nginx was fine for it (simply because it's already there, working fine to serve my other websites).

I created a directory in /var/www that I call files, and in that directory I created symlinks to the actual directories where the files are, in /home/videos. Then I created a basic nginx conf:

Code:
server {
        listen 443 ssl;
        listen 80;
        listen [::]:80;
        listen [::]:443 ssl;

        server_name files.22decembre.eu;

        location / {
                root /var/www/files;
                autoindex on;
        }

        access_log      /var/www/logs/access.log;
        error_log       /var/www/logs/files.errors.log;
}
NB: I have not set up any auth yet. I will do it when the current problem is solved.

When I browse to the http root, I can see the three links, but when I click on one of them, poof, 404.

How do I make nginx simply serve files recursively? Am I doing something wrong?
#2, 15th January 2015, jggimi

The nginx application runs chrooted by default in 5.6. All of its files must physically reside within its root directory structure, which by default is /var/www.

See the -u option of nginx(8) to disable this security feature.
#3, 15th January 2015, 22decembre

You mean that nginx can't access files outside the chroot, right?

If so, what are my solutions? Do you have any suggestions?
#4, 15th January 2015, jggimi

I believe you may choose from among these options:
  1. Run nginx without chroot, using the -u "unsecure" option mentioned in my response above.
  2. Create NFS mount points for the applicable /home directory structures, and mount them inside /var/www.
  3. Move the /home directories (and perhaps the users' $HOME) inside /var/www.
  4. Run an nginx instance with its chroot within /home rather than in /var/www.
  5. Move or copy the files from /home to /var/www.
#5, 15th January 2015, 22decembre

Well, honestly, none of your propositions seems better (except maybe the NFS one).

Yet I understand you're trying to give me good suggestions!
#6, 15th January 2015, jggimi

I just noticed that options 3 and 5 are really the same.

I have used NFS loopback mounts for this, but no longer do. Now I just keep files that are intended to be shared within /var/www.

Another option would be to store the structure within /var/www, but symlink the directories back to users within /home.
#7, 15th January 2015, 22decembre

Quote:
Originally Posted by jggimi
Another option would be to store the structure within /var/www, but symlink the directories back to users within /home.
I don't understand it.

I created a directory "files" in /var/www, and inside it, linked to the actual content.

Code:
stephane@blackblock:/var/www/files ls -l
total 0
lrwxr-xr-x  1 root  daemon  23 Jan 14 22:09 Anna Pihl -> /home/videos/Anna Pihl/
lrwxr-xr-x  1 root  daemon  38 Jan 14 22:09 Edderkoppen - Miniseries -> /home/videos/Edderkoppen - Miniseries/
lrwxr-xr-x  1 root  daemon  21 Jan 14 22:09 Matador -> /home/videos/Matador/
Isn't that what you mean? Nginx sees the links fine, because it can index them (when accessing the URL in a browser, it displays the links to Matador etc. correctly).
#8, 15th January 2015, jggimi

Quote:
...linked to the actual content.
No that will not work. Instead, put the files inside /var/www and add symlinks in /home. A chrooted process cannot access files outside of what it can reach directly from its root path. Symlinks outside that structure are inaccessible.

Your users, however, are not running chrooted, and have access to all filesystems. They can use symlinks; the webserver is chrooted and cannot.

This example (untested, do not blindly copy/paste!!) moves the directory (and subordinate files/directories) from /home/myuser/video to /var/www/files/myuser/video, and replaces the user's directory with a symlink pointing to the new location.
Code:
# mkdir -p /var/www/files/myuser/video
# chown -R myuser /var/www/files/myuser
# (cd /home/myuser/video; tar cf - .) | (cd /var/www/files/myuser/video; tar xpf -)
# rm -rf /home/myuser/video
# ln -s /var/www/files/myuser/video /home/myuser/video

Last edited by jggimi; 15th January 2015 at 07:58 PM. Reason: added a chown(8) command
#9, 15th January 2015, 22decembre
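As an added example (not from the thread), a shell check for the situation jggimi describes: it walks a chrooted document root and lists the symlinks whose targets resolve outside it, i.e. the links a chrooted nginx cannot follow and will answer with a 404. The function name check_symlinks and the constructed demo layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the symlinks under a chrooted
# nginx document root before serving it. On OpenBSD 5.6 nginx is chrooted to
# /var/www, so any link whose target resolves outside that directory is
# unreachable to the web server. check_symlinks ROOT prints one line per
# escaping link and returns 1 if any link escapes, 0 if all stay inside.

check_symlinks() {
    # Canonicalise the root itself (pwd -P follows symlinked components).
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    # Links are read line by line so names with spaces ("Anna Pihl") are safe.
    escaped=$(find "$root" -type l | while IFS= read -r link; do
        # readlink -f resolves the whole chain; fall back to the raw link
        # text for dangling links so they are still reported.
        target=$(readlink -f -- "$link" 2>/dev/null) || target=$(readlink -- "$link")
        case "$target" in
            "$root"|"$root"/*) ;;                       # resolves inside the chroot
            *) printf '%s -> %s\n' "$link" "$target" ;; # unreachable once chrooted
        esac
    done)
    [ -z "$escaped" ] && return 0
    printf '%s\n' "$escaped"
    return 1
}

# Stand-alone demo on a constructed layout (not a real /var/www).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d) && mkdir -p "$demo/www/files" "$demo/www/local" "$demo/home/videos/Matador"
    ln -s "$demo/www/local" "$demo/www/files/local"              # stays inside: served
    ln -s "$demo/home/videos/Matador" "$demo/www/files/Matador"  # escapes: 404 when chrooted
    check_symlinks "$demo/www"; echo "exit status: $?"
    rm -rf "$demo"
fi
```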

Now I understand...

I will think of it.
#10, 15th January 2015, jggimi

Still untested, but I noticed ownership needed to be altered for the user's files in /var/www. A chown command was added to my example above.
#11, 20th January 2015, 22decembre

Would it be better to create a user with no rights at all except reading, chroot him to /home/videos and use sftp with it?
#12, 20th January 2015, jggimi

A choice between web server / browser and sftp is entirely an operational one. Only you (and your users) can answer whether one option is a better fit than the other.

You can use the Match, ForceCommand, and ChrootDirectory sshd_config(5) options, and either the in-process sftp subsystem or sftp-server(8) if its features are needed, in order to configure restricted sftp access.

Last edited by jggimi; 20th January 2015 at 03:10 PM. Reason: added ForceCommand
#13, 20th January 2015, 22decembre
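An added example, not from the thread, of the restricted sftp configuration jggimi lists, together with the ownership check that ChrootDirectory imposes: sshd_config(5) requires every path component of the chroot to be a root-owned directory that is not group- or world-writable, so a user-owned /home/videos would be refused as-is. The function names, the "videos" user and the choice of a read-only internal-sftp -R session are assumptions, not something the thread configures.

```shell
#!/bin/sh
# Added example, not from the thread: the restricted sftp setup as two shell
# helpers. sshd refuses a ChrootDirectory unless every component of its path
# is a root-owned directory with no group/other write bit, logging
# "bad ownership or modes for chroot directory". Names are assumptions.

# Emit a Match stanza for sshd_config that confines USER to read-only sftp
# inside CHROOT; internal-sftp runs in-process, so no sftp-server(8) binary
# or support files are needed inside the chroot.
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp -R\n'   # -R: read-only session
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Check one path component as sshd does: a directory owned by OWNER_UID
# (0 for real use; overridable for tests) with no group/other write bit.
# ls -ldn is used because stat(1) flags differ between OpenBSD and GNU.
chroot_component_ok() {
    want=${2:-0}
    set -- $(ls -ldn "$1" 2>/dev/null)      # $1 = mode string, $3 = numeric uid
    [ "${3:-}" = "$want" ] || return 1
    case "${1:-}" in
        d????w*|d???????w*) return 1 ;;     # group- or world-writable
        d*) return 0 ;;
        *) return 1 ;;                      # missing, or not a directory
    esac
}

# Walk every prefix of PATH (/, /home, /home/videos, ...) and name the first
# component that would make sshd refuse the chroot.
chroot_path_ok() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 1; }
    while :; do
        chroot_component_ok "$p" "${2:-0}" || { echo "bad ownership/mode: $p"; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

if [ "${1:-}" = "--demo" ]; then
    sftp_match_block videos /home/videos
    chroot_path_ok /home/videos && echo "/home/videos is acceptable as ChrootDirectory"
fi
```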

To me, it's a matter of simplicity:

- the web server has the advantage of being read-only, so more secure and efficient, but a pain in the ass to set up apparently.
- the ssh conf' is easy, already there, secure. Just need to constrain the user...

Both are part of OBSD, so it means I can trust them, as long as my conf' is correct.

So in both cases I get the same result, but from an opposite path. My users don't care. I am the one who wants to make it.
#14, 20th January 2015, jggimi

A web server is less secure than SFTP. Whether this difference matters depends upon your environment and your needs. Do any of these things matter?
  • HTTP is sent in plaintext. SFTP transfers are encrypted.
  • HTTP clients are unauthenticated except at the application layer. SFTP use requires authentication.
  • HTTPS transfers are encrypted, but HTTPS client authentication is optional (and rarely used unless deployed at the application layer).

Last edited by jggimi; 20th January 2015 at 03:40 PM. Reason: clarity of client authentication
#15, 20th January 2015, 22decembre

I was aware of these, fine. When saying secure, I meant concerning this precise part of the subject: file management. I prefer a read-only web server to an ftp-like one.

I had the idea, after all, to make TLS mandatory, so https. And authentication of course.

But here it is! You actually got it: authentication is not easy with nginx (I would love it to use either bsd auth or ldap... nope), whereas it is native with sftp & co.

So I am about to set up a sftp-server.
#16, 20th January 2015, jggimi

I use nginx with client certificates in order to secure public facing web applications. It's certainly easy to provision in nginx.conf. The hard part is certificate management, including deployment of certificates to individual client browsers.
#17, 20th January 2015, 22decembre

I think I can't use that, as my users are not aware of certificates... I prefer to stick to the common passwd solution (with a rather long passwd).

Is there some tutorial explaining the setup of a sftp server?
#18, 20th January 2015, jggimi

From the OpenBSD Journal, circa 2008. Because it is dated, you may want to double check each recommendation for applicability.

http://undeadly.org/cgi?action=artic...20080220110039