nginx reverse proxy using unix sockets

Hi,

I have three jails running nginx. The first jail acts as a reverse proxy for the other two jails. At the moment the communication between them is through IP addresses.

Is it possible for them to communicate using unix file descriptors like the following?


Code:
listen unix:/var/run/jailweb1.sock ssl;

I guess /var/run will need to be shared between the three jails?

Thanks
 
Keep in mind you may increase the risk of an attacker being able to use this shared filesystem to hop from one jail to another. You should test the setup and see if it improves anything; if there's no performance improvement, I don't think the increased risk is worth it.
 
You may try to mount_nullfs(8) sockets between jails from the host. I don't know if it would work with the sockets, but you can at least try to put all sockets into something like /var/run/shared and mount only this directory between the jails.
 
Don't use /var/run but some other path for the socket if you still decide to go this route; it's much easier to secure a path that is not shared with other users.
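An added example, not part of any post in this thread: a host-side check that a dedicated socket directory, as suggested above, is not open to other users and contains nothing but sockets. The names `audit_socket_dir`, `allowed_uids` and `make_demo_dir`, and the demo directory itself, are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile


def audit_socket_dir(path, allowed_uids):
    """Return findings for a directory meant to hold only shared unix sockets."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: directory is world-writable")
    if st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append(f"{path}: directory is reachable by other users")
    if st.st_uid not in allowed_uids:
        findings.append(f"{path}: unexpected owner uid {st.st_uid}")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        est = os.lstat(full)
        # Anything that is not a socket (file, symlink, subdirectory) widens
        # what the jails share beyond the proxy channel.
        if not stat.S_ISSOCK(est.st_mode):
            findings.append(f"{full}: not a socket")
        elif est.st_uid not in allowed_uids:
            findings.append(f"{full}: unexpected owner uid {est.st_uid}")
    return findings


def make_demo_dir():
    """Constructed sample: a 0750 directory holding one unix socket."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o750)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(os.path.join(d, "jailweb1.sock"))  # bind() creates the socket file
    s.close()
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    for line in audit_socket_dir(demo, {os.getuid()}) or ["no findings"]:
        print(line)
```

Run it on the host against the directory that is nullfs-mounted into the jails, passing the uids that are expected to own the directory and its sockets.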
 