Trouble getting [system] nginx to run as regular user

[ackalker]

Arch linux, Julia 7435ffa, nginx-1.2.6-1

The current launch-julia-webserver doesn't work with nginx as shipped by Arch Linux when started as a regular (i.e. non-root) user.

How to reproduce:

$ /usr/bin/launch-julia-webserver 
Connect to http://localhost:2000/ for the web REPL.
SCGI server started on port 2001.
0 open sessions.
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2013/01/26 01:57:22 [emerg] 24586#0: mkdir() "/var/lib/nginx/client-body" failed (13: Permission denied)
^Ccleaning up...
exiting...
cat: ../logs/nginx.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Overriding client_body_temp_path only brings more and more permission errors. This is related to how nginx is configured in Arch Linux (reasonably well locked-down, obviously not intended to be run as a regular user):

$ nginx -V
nginx version: nginx/1.2.6
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-imap --with-imap_ssl_module --with-ipv6 --with-pcre-jit --with-file-aio --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --add-module=/usr/lib/passenger/ext/nginx

Fixing this seems to require quite a few extra directives in Julia's $PREFIX/etc/nginx.conf , and I haven't managed to add all of them yet. I'm quite certain that users of other distros may face similar problems. Looking back at this, I'm wondering if it wouldn't be better to just use one of the ###s of Python scripts out there to setup a simple webserver. I think it is safe to say that many of Julia's target audience will have Python installed (SciPy, NumPy, Sage...), Other alternatives could be NodeJS or Embedded Javascript (Ejs), either of which are much easier to configure (usually with just a single .js file).

Any comments?

[vtjnash]

nginx claims it is not possible to redirect the log file: http://wiki.nginx.org/CoreModule#error_log, although you could just enable write access to that folder chmod a+w /var/log/nginx/

nginx is a very tiny/lightweight/fast webserver compared to the other options you mentioned. I recommend letting julia build it. It runs on port 2000, not 80, so you can have your system version proxy to it.

[ackalker]

chmod a+w /var/log/nginx/ is not an option, it's a gaping security hole. Not acceptable. Least one can do is add the 'sticky bit' to prevent users from hijacking each other's log files. Some smartypants doing a dd if=/dev/zero of=/var/log/nginx/zzoommpp could trash the system. Have a user create a symlink in there and bots could have a field day collecting GET data.

Well, I've been at it trying to add in all the required overrides, but, sorry to say, nginx is plain horrible to configure when the only thing you get are error messages of the form "mkdir() "/some/dir" failed (13: Permission denied)" with no clue as to what directive controls that (and no, they don't always match up to configure!). Yuck!

[ackalker]

Got stuck. Arch Linux nginx includes Passenger module which doesn't honor proxy_temp_path directive (probably a bug, since exactly that was fixed in nginx some time ago), so it's stuck at /var/lib/nginx/proxy. No way to use nginx as regular user for now unless one rebuilds nginx package without Passenger support.

[ackalker]

nginx issue now worked around in Arch package.