NGINX: Changing the Startup Account

captains 2022-06-01 AM

Reducing nginx privileges

1. Change the nginx startup account

  • Change the startup account, setting nginx to start as the nginx account

    $ sudo vim /etc/nginx/nginx.conf
    # Comment out the user directive in the nginx configuration
    # user  nginx;
    worker_processes  auto;
    
    error_log  /var/log/nginx/error.log notice;
    # Change the pid file location
    # pid        /var/run/nginx.pid;
    pid /var/run/nginx/nginx.pid;
  • Change the ownership and permissions of the nginx configuration directory

    $ sudo chown -R nginx:nginx /etc/nginx
    $ sudo chmod 750 /etc/nginx
  • Change the ownership and permissions of the nginx cache directory

    $ sudo chown -R nginx:nginx /var/cache/nginx
    $ sudo chmod -R 750 /var/cache/nginx
  • Change the ownership and permissions of the nginx log directory

    $ sudo chown -R nginx:nginx /var/log/nginx
    $ sudo chmod -R 750 /var/log/nginx
  • Modify the systemd unit file

    # The main changes are adding the startup account and the nginx pid location
    $ sudo vim /usr/lib/systemd/system/nginx.service
    [Unit]
    Description=nginx - high performance web server
    Documentation=http://nginx.org/en/docs/
    After=network-online.target remote-fs.target nss-lookup.target
    Wants=network-online.target
    
    [Service]
    User=nginx
    Group=nginx
    Type=forking
    ExecStartPre=/usr/bin/mkdir -p /var/run/nginx
    ExecStartPre=/usr/bin/chown nginx:nginx /var/run/nginx
    ExecStartPre=/usr/bin/chmod 0750 /var/run/nginx
    PIDFile=/var/run/nginx/nginx.pid
    ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
    ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx/nginx.pid)"
    ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx/nginx.pid)"
    PermissionsStartOnly=true
    
    [Install]
    WantedBy=multi-user.target
  • Grant nginx the capability to bind to ports below 1024

    $ sudo setcap cap_net_bind_service=+eip /usr/sbin/nginx
  • Delete the bundled default pages

    $ sudo rm -fv /usr/share/nginx/html/index.html
    $ sudo rm -fv /usr/share/nginx/html/50x.html
  • Start nginx

    $ sudo systemctl daemon-reload
    $ sudo systemctl start nginx
    $ sudo systemctl enable nginx
  • The nginx startup user change is now complete
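
The following added example (not part of the original post) checks the result of the steps above: no nginx process is owned by root, the unit's [Service] section sets User=nginx, and the binary carries cap_net_bind_service. The function names and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: every function reads command output on stdin, so the
# checks can be exercised offline against the constructed samples below.

# PIDs of nginx processes owned by root (input: ps -eo user=,pid=,args=).
nginx_root_pids() {
    awk '$1 == "root" && $3 == "nginx:" { print $2 }'
}

# Value of User= inside the [Service] section of a unit file.
unit_service_user() {
    awk -F= '/^\[/ { in_svc = ($0 == "[Service]") }
             in_svc && $1 == "User" { print $2 }'
}

# Succeeds if getcap output carries an effective cap_net_bind_service.
# Accepts "file = cap+eip" (older libcap) and "file cap=eip" (newer).
has_bind_cap() {
    grep -Eq 'cap_net_bind_service[=+][ip]*e'
}

# audit PS_OUTPUT UNIT_TEXT GETCAP_OUTPUT -> returns 0 if all checks pass.
audit() {
    rc=0
    pids=$(printf '%s\n' "$1" | nginx_root_pids)
    [ -z "$pids" ] || { echo "FAIL: nginx running as root, pid(s): $pids"; rc=1; }
    [ "$(printf '%s\n' "$2" | unit_service_user)" = "nginx" ] ||
        { echo "FAIL: [Service] User= is not nginx"; rc=1; }
    printf '%s\n' "$3" | has_bind_cap ||
        { echo "FAIL: cap_net_bind_service not set on binary"; rc=1; }
    return "$rc"
}

# Constructed samples (not captured from a real host).
PS_BEFORE='root  1201 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 1202 nginx: worker process'
PS_AFTER='nginx 2301 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 2302 nginx: worker process'
UNIT_AFTER='[Unit]
Description=nginx - high performance web server
[Service]
User=nginx
Group=nginx'
CAP_AFTER='/usr/sbin/nginx cap_net_bind_service=eip'

audit "$PS_BEFORE" "$UNIT_AFTER" "$CAP_AFTER" || echo "before: not hardened"
audit "$PS_AFTER" "$UNIT_AFTER" "$CAP_AFTER" && echo "after: all checks pass"
```

On a live host, feed it real output: `audit "$(ps -eo user=,pid=,args=)" "$(systemctl cat nginx)" "$(getcap /usr/sbin/nginx)"`.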