by duijf 1084 days ago
> Ports below 1024 can be opened only by root.

Or processes running with the CAP_NET_BIND_SERVICE capability! [1]

Capabilities are a Linux kernel feature. Granting CAP_NET_BIND_SERVICE to nginx means you do not need to start it with full root privileges. This capability gives it the ability to open ports below 1024.

Using systemd, you can use this feature like this:

    [Service]
    ExecStart=/usr/bin/nginx -c /etc/my_nginx.conf
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    User=nginx
    Group=nginx
(You probably also want to enable a ton of other sandboxing options, see `systemd-analyze security` for tips)

[1]: https://man7.org/linux/man-pages/man7/capabilities.7.html
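An added example, not part of duijf's comment, showing how to verify what a unit like the one above actually grants. The kernel checks the process's *effective* capability set on bind(), and CAP_NET_BIND_SERVICE is capability number 10 in <linux/capability.h> (bit 10, mask 0x400). The script parses the Cap* lines of /proc/<pid>/status, reports whether bit 10 is in CapEff, and then attempts a real bind to 127.0.0.1:80. The two status fragments are constructed for the example, not captured from a live system: one for a process started with AmbientCapabilities=CAP_NET_BIND_SERVICE, one for a process that only has the capability in its bounding set.

```python
"""Check whether a process holds CAP_NET_BIND_SERVICE, and try a privileged bind.

Added example (not from the original comment). Parses the Cap* lines that
/proc/<pid>/status exposes on Linux and tests for capability number 10,
CAP_NET_BIND_SERVICE, as defined in <linux/capability.h>.
"""
import errno
import socket

CAP_NET_BIND_SERVICE = 10  # capability number from <linux/capability.h>
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_cap_masks(status_text):
    """Return {field: int} for the Cap* lines of a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_FIELDS:
            masks[key] = int(value.strip(), 16)
    return masks


def caps_in_mask(mask):
    """Expand a capability bitmask into the set of capability numbers it holds."""
    return {bit for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def can_bind_privileged(status_text):
    """True if the effective set (CapEff) contains CAP_NET_BIND_SERVICE.

    Only CapEff matters for the bind() check. A capability that is merely in
    the bounding set (CapBnd) limits what the process may gain; it has not
    been granted, so a non-root process with only CapBnd still gets EACCES.
    """
    masks = parse_cap_masks(status_text)
    return CAP_NET_BIND_SERVICE in caps_in_mask(masks.get("CapEff", 0))


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind; return (True, None) or (False, errno name)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except OSError as e:
            return False, errno.errorcode.get(e.errno, str(e.errno))
    return True, None


# Constructed /proc/<pid>/status fragments (not captured from a real system).
# A process started by a unit with AmbientCapabilities=CAP_NET_BIND_SERVICE:
STATUS_AMBIENT = """\
Name:\tnginx
Uid:\t33\t33\t33\t33
CapInh:\t0000000000000400
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000400
"""
# The same unit with only CapabilityBoundingSet= and no AmbientCapabilities=:
STATUS_BOUNDING_ONLY = """\
Name:\tnginx
Uid:\t33\t33\t33\t33
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""


def main():
    for label, text in (("ambient", STATUS_AMBIENT),
                        ("bounding only", STATUS_BOUNDING_ONLY)):
        eff = sorted(caps_in_mask(parse_cap_masks(text)["CapEff"]))
        print(f"{label}: CapEff caps={eff} can bind <1024: {can_bind_privileged(text)}")
    try:
        with open("/proc/self/status") as f:
            print("this process can bind <1024:", can_bind_privileged(f.read()))
    except OSError:
        print("no /proc/self/status here (not Linux); skipping live check")
    ok, err = try_bind(80)
    print("bind 127.0.0.1:80 ->", "ok" if ok else err)


if __name__ == "__main__":
    main()
```

Run it as the service user under the unit (for instance with `systemd-run --uid=nginx -p AmbientCapabilities=CAP_NET_BIND_SERVICE -p CapabilityBoundingSet=CAP_NET_BIND_SERVICE -t python3 check.py`) and the live check should report True and the bind should succeed; run it as a plain user and the bind returns EACCES. Note that `net.ipv4.ip_unprivileged_port_start` can lower the privileged-port threshold on newer kernels, so a successful bind does not by itself prove the capability is present; the CapEff check does.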