Nginx & Passenger user permissions. Best practice? - ruby-on-rails

I'm new to nginx. What's the best practice for user/group permissions when deploying a (Ruby) application using nginx and Passenger?
Is it better to deploy as root or as a "deployer" user in some group? And how should I set folder/file permissions?
On an Apache server I have /public, /log and some other folders writable by www-data, and the user is root. This configuration doesn't work on nginx (for me).
Thanks

You should use a separate user per application; Passenger/Nginx should automatically use the directory owner to run the process. Never use the root user.
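The advice above (one dedicated non-root user per application, with Passenger running the app as the owner of its files) can be checked mechanically before a deploy. The script below is an added example, not code from this thread or from Passenger; it assumes a Capistrano-style release directory and uses config/environment.rb as the ownership marker, since that is the file the Passenger answer further down this page says user switching looks at. The sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a Rails deploy tree:
# a dedicated non-root user owns config/environment.rb (the file Passenger's
# user switching keys on), and nothing in the tree is world-writable.
# The directory layout is an assumed Capistrano-style release directory.

# Print the owning user of a path; `ls -ld` is portable across Linux and BSD.
owner_of() {
  ls -ld "$1" | awk '{ print $3 }'
}

# audit_app_tree APP_ROOT EXPECTED_USER
#   exit status: 0 ok, 1 no environment.rb, 2 wrong owner, 3 owner is root,
#   4 world-writable files or directories present
audit_app_tree() {
  root=$1
  expected=$2
  marker="$root/config/environment.rb"

  [ -f "$marker" ] || { echo "missing $marker"; return 1; }

  owner=$(owner_of "$marker")
  if [ "$owner" != "$expected" ]; then
    echo "$marker is owned by $owner, expected $expected"
    return 2
  fi
  if [ "$owner" = root ]; then
    echo "app would run as root: chown the tree to a dedicated user"
    return 3
  fi

  # World-writable files or directories let any local account alter code
  # that Passenger will then execute as the app user. Sockets are neither
  # type f nor d, so a 777 socket under tmp/sockets is not flagged here.
  loose=$(find "$root" \( -type f -o -type d \) -perm -002 2>/dev/null || true)
  if [ -n "$loose" ]; then
    echo "world-writable entries under $root:"
    echo "$loose"
    return 4
  fi
  echo "ok: $root will run as $owner"
  return 0
}

# Build a constructed sample tree in a temp dir and print its path.
setup_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/config" "$t/public" "$t/log" "$t/tmp/sockets"
  : > "$t/config/environment.rb"
  chmod 750 "$t" "$t/config" "$t/public" "$t/log" "$t/tmp" "$t/tmp/sockets"
  chmod 640 "$t/config/environment.rb"
  echo "$t"
}

# Stand-alone demo: audit as the current user, then loosen one directory and
# audit again to show the failure path.
demo=$(setup_demo_tree)
audit_app_tree "$demo" "$(id -un)" || true
chmod o+w "$demo/public"
audit_app_tree "$demo" "$(id -un)" || echo "audit failed with status $?"
rm -rf "$demo"
```

On a real host you would run audit_app_tree /var/www/myapp/current myapp (path and user name are placeholders) after each deploy; a non-zero status means the tree either belongs to the wrong account or would let other local users modify code that Passenger executes.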

Related

Hosting a rails app inside another website's directory

I have a PHP site on my server; suppose it is example.com.
And I want to run a Rails app inside the domain, like example.com/rails.
I am using nginx and tried to edit example.com's host config and proxied the /rails location to the unicorn upstream. But that did not work.
Is it possible to do something like example.com/rails?

Rails app deploy users

I'm working on deploying my Rails app with Capistrano, and the deploy is failing as it cannot create a directory.
I have two users on my server: root and deploy.
Capistrano is using the deploy user.
I have told Capistrano to deploy the app to /var/rails_apps/
It's /var/rails_apps/ that it cannot create a directory in.
What user should own that folder? root or deploy?
The server has nginx on it, so I guess the site will run as www-data, which looks to be nginx's user, but I'm not sure what user the other areas should be owned by. Any clarification on this area?
deploy should own that folder. Nginx is just your web server; it is going to proxy requests to your application, which is likely running as a unicorn process (which should run as deploy).

shared/sockets permissions for Thin and Nginx

I deployed a Rails application to a VDS with Nginx and Thin. I had to add shared_children.push "tmp/sockets" to deploy.rb because cap deploy:setup doesn't create tmp/sockets by default, which prevents Thin from starting.
This shared_children.push "tmp/sockets" creates sockets in the deploy_to/shared directory.
Nginx worker processes run as the nginx user, while shared/sockets has 770 permissions and is owned by app1.deployers. That is why nginx cannot read/write the socket files even though the socket files themselves have 777 permissions.
1. Which is better: to change the permissions of shared/sockets to 777, to add the nginx user to the deployers group, or to deploy and run Thin as the nginx user?
I'd like to run each application not as the nginx user but as a separate user for each app. 2. Does that make sense practically?
PS
Also, I didn't find any mention of someone getting permission denied errors in /var/log/nginx/errors.log due to incorrect permissions on shared/sockets. I think I'm missing something very simple and basic.
Maybe people deploy and run as the nginx or www-data user regardless of how many applications are deployed to the same server?
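The permission denied error the question describes comes from directory traversal, not from the socket files: a client needs execute permission on every directory on the path before the mode of the socket itself matters, so a 777 socket inside a 770 directory whose group the nginx user does not belong to is still unreachable. The script below is an added example, not code from the thread; it models that check with the owner, group and mode values given in the question (app1.deployers, 770, 777) and with constructed group memberships for the nginx user.

```shell
#!/bin/sh
# Added example (not from the original thread). Models the Unix permission
# check that decides whether the nginx worker can reach a Thin socket under
# shared/sockets. Names and modes follow the question; group lists are
# constructed inputs. Root bypasses these checks, which is one more reason
# the app user must not be root.

# in_list NAME "a b c" -> 0 if NAME is one of the space-separated words
in_list() {
  needle=$1
  for word in $2; do
    [ "$word" = "$needle" ] && return 0
  done
  return 1
}

# perm_digit USER "GROUPS" OWNER GROUP MODE -> the octal rwx digit that applies
# to USER for a path owned by OWNER:GROUP with MODE written like 770.
perm_digit() {
  if [ "$1" = "$3" ]; then
    printf '%s' "$5" | cut -c1
  elif in_list "$4" "$2"; then
    printf '%s' "$5" | cut -c2
  else
    printf '%s' "$5" | cut -c3
  fi
}

# has_bit DIGIT LETTER -> 0 if the octal digit grants r (4), w (2) or x (1)
has_bit() {
  case "$2" in
    r) case "$1" in 4|5|6|7) return 0;; esac ;;
    w) case "$1" in 2|3|6|7) return 0;; esac ;;
    x) case "$1" in 1|3|5|7) return 0;; esac ;;
  esac
  return 1
}

# socket_reachable USER "GROUPS" DIR_OWNER DIR_GROUP DIR_MODE \
#                  SOCK_OWNER SOCK_GROUP SOCK_MODE
# The worker needs x on the directory and rw on the socket itself.
socket_reachable() {
  d=$(perm_digit "$1" "$2" "$3" "$4" "$5")
  has_bit "$d" x || { echo "cannot traverse directory ($3:$4 $5)"; return 1; }
  s=$(perm_digit "$1" "$2" "$6" "$7" "$8")
  has_bit "$s" r && has_bit "$s" w || { echo "cannot open socket ($6:$7 $8)"; return 1; }
  echo "reachable"
  return 0
}

# The situation in the question: worker runs as nginx, which is not in deployers.
socket_reachable nginx "nginx"           app1 deployers 770 app1 deployers 777 || true
# Option 2 from the question (usermod -aG deployers nginx, then restart nginx):
# once nginx is in the group, group rw on the socket is enough; 777 is not needed.
socket_reachable nginx "nginx deployers" app1 deployers 770 app1 deployers 660 || true
```

Of the three options in the question, only the group route keeps a separate user per application: option 1 (777 on shared/sockets) lets any local account connect to or replace the socket, and option 3 collapses every app back into the nginx user. Adding nginx to each app's group, with sockets at 660, keeps one app's compromise from reaching another app's socket.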

Should I run the all unicorn processes as www-data (non-root)?

I'm running a Rails 3 application with Unicorn and Nginx. Currently, Unicorn runs as root, and due to this line in unicorn.rb:
user "www-data"
but I'm wondering whether I should just run all Unicorn processes as www-data. Would there be any problem doing that? I'm using a file socket, so opening a port (<1024) is not an issue I'll have. Anything else I should be aware of?
You should not be running your application as root. This gives the application root permissions which in turn means that if you make a mistake and expose the file system, an attacker can have root permissions without much effort.
I avoid running as www-data or other shared users. Instead I create a user for the specific app and give them their own unique permissions. In my case, I am running multiple applications on one server and this allows for an added layer of protection in case one app is compromised.
Here is a good read on some of the things that can go wrong: https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

Rails application permission on apache

What should the permissions on a Rails app directory on an Apache server be?
What is your deployment design?
Normally you'd use mongrels and Apache as a load balancer for them.
So you'd run the mongrels as a user for your site, and all the Rails directories should have permissions for that user.
You probably have a 'www' or 'apache' user that owns your static content and apache root document directory.
It's common convention to make this user own your rails app as well to preserve the same permissions.
If you use something like Capistrano, I think it has built-in recipes for the permission structure on top of your release directory after deploying.
As Angelus said, it depends on your server setup and deployment design. You can use mongrels (or thins, or unicorns, or...) with Apache as a reverse-proxy, but your question leads me to believe you're using Phusion Passenger (aka mod_rails).
If that's the case, the mod_rails site has several very helpful screencasts which you should watch. Generally, though, mod_rails will run as whichever user owns your app's environment.rb file. See the Passenger user switching docs for details on your permission setup.
Installing Apache creates the www-data group and user, so you have to give ownership of your application to this user.
Then restart the Apache service.
The Rails application then works fine.