release notes: Explain how to run nginx master as root. Fixes #84391
This commit is contained in:
Niklas Hambüchen
parent
5bca1a7664
commit
ba50a7a3f1
|
|
@ -809,7 +809,8 @@ auth required pam_succeed_if.so uid >= 1000 quiet
|
|||
<listitem>
|
||||
<para>
|
||||
The nginx web server previously started its master process as root
|
||||
privileged, then ran worker processes as a less privileged identity user.
|
||||
privileged, then ran worker processes as a less privileged identity user
|
||||
(the <literal>nginx</literal> user).
|
||||
This was changed to start all of nginx as a less privileged user (defined by
|
||||
<literal>services.nginx.user</literal> and
|
||||
<literal>services.nginx.group</literal>). As a consequence, all files that
|
||||
|
|
@ -817,6 +818,13 @@ auth required pam_succeed_if.so uid >= 1000 quiet
|
|||
certificates and keys, etc.) must now be readable by this less privileged
|
||||
user/group.
|
||||
</para>
|
||||
<para>
|
||||
To continue to use the old approach, you can configure:
|
||||
<programlisting>
|
||||
services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
|
||||
systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
|
||||
</programlisting>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
|
|
|
|||
Loading…
Reference in New Issue