RHEL / CentOS Linux: Nginx Chroot Jail Start / Stop / Restart Shell Script
simple shell script to start / stop / restart chrooted nginx web server under CentOS / RHEL Linux. You must have Nginx web server setup in a chroot (jail) so that you can minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can also mount $jail/tmp as a separate filesystem (/images/tmpfile.bin) with the noexec,nosuid, nodev options under Linux like operating systems.
#!/bin/bash
# Name : nginx.rc
# URL: http://bash.cyberciti.biz/security/linux-nginx-start-stop-restart-chrooted-jail/
# Purpose: A simple shell script wrapper to chroot nginx in $_newroot under Linux
# ----------------------------------------------------------------------------
# Author: nixCraft
# Copyright: 2011 nixCraft under GNU GPL v2.0+
# ----------------------------------------------------------------------------
# Last updated: 18/Dec/2012 - Added support for secure /tmp mount
# Last updated: 19/Dec/2012 - Bug fixed in ln
# Last updated: 10/Mar/2013 - Bug fixed in status()
# ----------------------------------------------------------------------------
# jail location - must be up, see how to setup nginx using chroot
# http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/
_newroot="/nginxjail"
# RHEL nginx and other binary paths
_nginx="/usr/sbin/nginx"
_chroot="/usr/sbin/chroot"
_killall="/usr/bin/killall"
# 0 turn off or # 1 turn on
_securetmp=0
_securetmproot="/path/to/images/nginx_jail_tmp.bin"
[ ! -d "$_newroot" ] &# mount /tmp securely inside $_newroot
# see http://www.cyberciti.biz/faq/howto-mount-tmp-as-separate-filesystem-with-noexec-nosuid-nodev/
mounttmp(){
if [ $_securetmp -eq 1 ]
then
mount | grep -q $_securetmproot
if [ $? -eq 0 ]
then
echo "*** Secure root enabled and mounted ***"
else
echo "*** Turning on secure /tmp..."
[ ! -f "$_securetmproot" ] &mount -o loop,noexec,nosuid,rw "$_securetmproot" "$_newroot/tmp"
chmod 1777 "$_newroot/tmp"
rm -rf "$_newroot/var/tmp"
ln -s ../tmp "$_newroot/var/tmp"
fi
fi
}
start(){
echo -en "Starting nginx...\t\t\t"
$_chroot $_newroot $_nginx && echo -en "[ OK ]" || echo "[ Failed ]"
}
stop(){
echo -en "Stoping nginx...\t\t\t"
$_killall "${_nginx##*/}" && echo -en "[ OK ]" || echo "[ Failed ]"
}
reload(){
echo -en "Reloading nginx...\t\t\t"
$_chroot $_newroot $_nginx -s reload && echo -en "[ OK ]" || echo "[ Failed ]"
}
## Fancy status
status(){
echo
pgrep -u ${_nginx##*/} ${_nginx##*/} &>/dev/null
[ $? -eq 0 ] && echo "*** Nginx running on $(hostname) ***" || echo "*** Nginx not found on $(hostname) ***"
echo
echo "*** PID ***"
#pgrep -u ${_nginx##*/} ${_nginx##*/}
ps aux | grep "${_nginx##*/}" | egrep -v 'grep|bash'
echo
echo "FD stats:"
for p in $(pidof ${_nginx##*/}); do echo "PID # $p has $(lsof -n -a -p $p|wc -l) fd opend."; done
echo
echo "Jail dir location:"
pwdx $(pgrep -u "root" "${_nginx##*/}") | grep --color "$_newroot"
echo
echo "*** PORT ***"
netstat -tulpn | egrep --color ':80|:443'
}
## Make sure /tmp is securely mounted inside jail ##
mounttmp
## main ##
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
status)
status
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|status}"
;;
esac
# just send \n
echo
How do I use this script?
Download the script:
Use it as follows:
Sample outputs:
# cd /tmp
# wget http://bash.cyberciti.biz/dl/593.sh.zip
# unzip 593.sh.zip
# mv 593.sh /etc/rc.d/nginx.jail.rc
# chmod +x /etc/rc.d/nginx.jail.rcUse it as follows:
# /etc/rc.d/nginx.jail.rc start
# /etc/rc.d/nginx.jail.rc stop
# /etc/rc.d/nginx.jail.rc restart
# /etc/rc.d/nginx.jail.rc statusSample outputs:
Fig.01 nginx.rc in action
No comments:
Post a Comment