Nginx to serve recursive directories and files
I have seen that I always share the same set of files via usb or other ways (some large videos for language learning purposes).
So I wanted to stop doing that and simplify my life by simply setting up an ftp-like access to these files on my openbsd server and thought using nginx was fine for it (simply because it's already there, working fine to serve my other websites). I create a directory in /var/www that I call files, and in that directory, I create symlinks to the actual directories where the files are, in /home/videos, then I create a basic nginx conf:
Code:
    server {
        listen 443 ssl;
        listen 80;
        listen [::]:80;
        listen [::]:443 ssl;
        server_name files.22decembre.eu;
        location / {
            root /var/www/files;
            autoindex on;
        }
        access_log /var/www/logs/access.log;
        error_log /var/www/logs/files.errors.log;
    }
When I browse to the http root, I can see the three links, but when I click on one of them, pooof, 404. How to make nginx simply serve recursive files? Am I doing something wrong?

The nginx application runs chrooted by default in 5.6. All of its files must physically reside within its root directory structure, which by default is /var/www.
See the -u option of nginx(8) to disable this security feature.

You mean that nginx can't access files outside the chroot, right?
If so, what are my solutions? Do you have any suggestion?

Well, honestly none of your propositions seems better (except maybe the nfs one).
Yet I understand you're trying to give me good suggestions!

I just noticed that options 3 and 5 are really the same.
I have used NFS loopback mounts for this, but no longer do. Now I just keep files that are intended to be shared within /var/www. Another option would be to store the structure within /var/www, but symlink the directories back to users within /home.

Quote:
I created a directory "files" in /var/www, and inside it, linked to the actual content.
Code:
    stephane@blackblock:/var/www/files ls -l
    total 0
    lrwxr-xr-x 1 root daemon 23 Jan 14 22:09 Anna Pihl -> /home/videos/Anna Pihl/
    lrwxr-xr-x 1 root daemon 38 Jan 14 22:09 Edderkoppen - Miniseries -> /home/videos/Edderkoppen - Miniseries/
    lrwxr-xr-x 1 root daemon 21 Jan 14 22:09 Matador -> /home/videos/Matador/

Quote:
Your users, however, are not running chrooted, and have access to all filesystems. They can use symlinks; the webserver is chrooted and cannot. This example (untested, do not blindly copy/paste!!) moves the directory (and subordinate files/directories) from /home/myuser/video to /var/www/files/myuser/video, and replaces the user's directory with a symlink pointing to the new location.
Code:
    # mkdir -p /var/www/files/myuser/video
    # chown -R myuser /var/www/files/myuser
    # (cd /home/myuser/video; tar cf - .) | (cd /var/www/files/myuser/video; tar xpf -)
    # rm -rf /home/myuser/video
    # ln -s /var/www/files/myuser/video /home/myuser/video
Last edited by jggimi; 15th January 2015 at 07:58 PM. Reason: added a chown(8) command

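An added example, not part of the thread: a shell function that predicts which symlinks under the web root still resolve once nginx is chrooted, that is, once an absolute target such as /home/videos/... is looked up below /var/www. The demo tree and its names are constructed, and relative links that climb out of the chroot are conservatively reported as broken.

```shell
#!/bin/sh
# Added example: which symlinks below a docroot survive when "/" means CHROOT_DIR?

# usage: check_chroot_links CHROOT_DIR DOCROOT
# Prints "OK <link> -> <target>" or "BROKEN <link> -> <target>" for every symlink.
check_chroot_links() {
    chroot_real=$(cd "$1" && pwd -P) || return 2
    find "$2" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
        /*) # Absolute target: the chrooted server looks it up below CHROOT_DIR.
            resolved=$chroot_real$target ;;
        *)  # Relative target: canonicalise it and require it to stay inside.
            resolved=$(readlink -f "$link" 2>/dev/null) || resolved=
            case $resolved in "$chroot_real"/*) ;; *) resolved= ;; esac ;;
        esac
        if [ -n "$resolved" ] && [ -e "$resolved" ]; then
            echo "OK $link -> $target"
        else
            echo "BROKEN $link -> $target"
        fi
    done
}

# Constructed tree mirroring the thread: web root in var/www, videos in home/videos.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/www/files" "$t/var/www/media/Matador" "$t/home/videos/Anna Pihl"
    ln -s "$t/home/videos/Anna Pihl" "$t/var/www/files/Anna Pihl"    # absolute, outside
    ln -s /media/Matador "$t/var/www/files/Matador"                  # absolute, valid in chroot
    ln -s ../media/Matador "$t/var/www/files/Matador-rel"            # relative, stays inside
    ln -s "../../../home/videos/Anna Pihl" "$t/var/www/files/escape" # relative, climbs out
    check_chroot_links "$t/var/www" "$t/var/www/files"
    rm -rf "$t"
}
demo
```

Chained symlinks inside the chroot are only approximated, because each hop is resolved against the real filesystem rather than the chroot.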
now I understand...
will think of it.

Would it be better to create a user with no rights at all but reading, chroot him to /home/videos and use sftp with it?

A choice between web server / browser and sftp is entirely an operational one. Only you (and your users) can answer whether one option is a better fit than the other.
You can use the Match, ForceCommand, and ChrootDirectory sshd_config(5) options and either the in-process sftp subsystem or sftp-server(8) if its features are needed in order to configure restricted sftp access.
Last edited by jggimi; 20th January 2015 at 03:10 PM. Reason: added ForceCommand

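An added example, not from the thread or from OpenSSH: a shell audit that checks whether an sshd_config confines one account with the Match, ChrootDirectory and ForceCommand options named above. The account name videos, the sample file and the choice of the read-only -R flag are assumptions, and only simple `Match User <name>` lines are recognised.

```shell
#!/bin/sh
# Added example: does this sshd_config restrict USER to chrooted SFTP?

# usage: audit_sftp_match CONFIG USER
# Prints "ok" or one finding per line; returns 0 only when the block is complete.
audit_sftp_match() {
    awk -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        { key = tolower($1) }                 # keywords are case-insensitive
        key == "match" {                      # a Match block runs to the next Match
            inblk = (tolower($2) == "user" && $3 == user)
            if (inblk) found = 1
            next
        }
        inblk && key == "chrootdirectory" && $2 != "none" { chroot = 1 }
        inblk && key == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END {
            if (!found)  { print "no Match User block for " user; exit 1 }
            if (!chroot) { print "missing ChrootDirectory"; bad = 1 }
            if (!force)  { print "missing ForceCommand internal-sftp"; bad = 1 }
            if (!bad) print "ok"
            exit bad + 0
        }' "$1"
}

# Constructed sample of the restricted block the audit expects.
sample_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match User videos
    ChrootDirectory /home/videos
    ForceCommand internal-sftp -R
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

cfg=$(mktemp) && sample_config > "$cfg" && audit_sftp_match "$cfg" videos
rm -f "$cfg"
```

sshd_config(5) also requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, which this text-only check cannot see.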
To me, it's a matter of simplicity:
- the web server has the advantage of being read-only, so more secure and efficient, but a pain in the ass to set up apparently.
- the ssh conf' is easy, already there, secure. Just need to constrain the user...
Both are part of OBSD, so it means I can trust them, as long as my conf' is correct. So in both cases I got the same result, but from an opposite path. My users don't care. I am the one who wants to make it.

A web server is less secure than SFTP. Whether this difference matters depends upon your environment and your needs. Do any of these things matter?
Last edited by jggimi; 20th January 2015 at 03:40 PM. Reason: clarity of client authentication

I was aware of these, fine. When saying secure, I was meaning concerning this precise part of the subject: files management, I prefer a read-only webserver to an ftp-like one.
I had the idea, after all, to make it mandatory with tls, so https. And authentication of course. But, here it is! You actually got it: authentication is not easy with nginx (I would love it to use either bsd auth or ldap... nope), whereas it is native with sftp & co. So I am about to set up a sftp-server.

I use nginx with client certificates in order to secure public facing web applications. It's certainly easy to provision in nginx.conf. The hard part is certificate management, including deployment of certificates to individual client browsers.

I think I can't use that, as my users are non-aware of certification... I prefer to stick to the common passwd solution (with a rather long passwd).
Is there some tutorial explaining the setup of an sftp server?

From the OpenBSD Journal, circa 2008. Because it is dated, you may want to double check each recommendation for applicability.
http://undeadly.org/cgi?action=artic...20080220110039