Merge pull request #1492 from thresheek/master

nginx: Documented UID changes and how to run as an arbitrary user
2019-06-04 14:28:45 -07:00 · 2019-06-04 14:28:45 -07:00 · 3929e65253
parent 7c3f6e7b7a 027ddb7deb
commit 3929e65253
1 changed files with 36 additions and 0 deletions
--- a/nginx/content.md
+++ b/nginx/content.md
@ -118,6 +118,42 @@ web:
  command: [nginx-debug, '-g', 'daemon off;']
 ```

+## User and group id
+
+Since 1.17.0, both alpine- and debian-based images variants use the same user and group ids to drop the privileges for worker processes:
+
+```console
+$ id
+uid=101(nginx) gid=101(nginx) groups=101(nginx)
+```
+
+## Running %%IMAGE%% as a non-root user
+
+It is possible to run the image as a less privileged arbitrary UID/GID. This, however, requires modification of %%IMAGE%% configuration to use directories writeable by that specific UID/GID pair:
+
+```console
+$ docker run -d -v $PWD/nginx.conf:/etc/nginx/nginx.conf %%IMAGE%%
+```
+
+where nginx.conf in the current directory should have the following directives re-defined:
+
+```nginx
+pid        /tmp/nginx.pid;
+```
+
+And in the http context:
+
+```nginx
+http {
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+...
+}
+```
+
 ## Monitoring nginx with Amplify

 [Amplify](https://amplify.nginx.com/signup/) is a free monitoring tool that can be used to monitor microservice architectures based on nginx. Amplify is developed and maintained by the company behind the nginx software.