
I'm building an app using Django + PostgreSQL + Nginx on Debian 6. The app has two separate components, that will later be on different machines.

Component A calls one function from Component B using a REST API. It has sensitive data stored that should be read-only by Component A, but writable by Component B.

Component B writes sensitive data to Component A and receives data via its API.

What I would like is to separate these components, so that exposure of Comp B does not lead to exposure of sensitive data in Comp A. In order to do so I was thinking about having 2 instances of nginx running under different Linux users. Then the user under which Component B is run cannot see the settings.py of Comp A, which would expose login credentials to A's database and encryption keys of stored data.

My question is, how can I set up nginx to run 2 instances, each one under its own user account? If possible, I would like to use only packages available in the standard Debian repositories, lest I lose automatic upgrades.

Belda
  • addition: I would like to do it as much with default Debian packages, so I do not lose automatic upgrades –  Aug 22 '12 at 13:20
  • The problem is not clear, you already described one solution? –  Aug 22 '12 at 13:59
  • You can't run multiple nginx instances, because mainly, any webserver is going to bind to port 80 (this would also cause a problem with trying to run both nginx and Apache, for example). You could technically run a second nginx on another port, but then you'd have to include the port in the URL anytime you connect to it, which is probably not what you want. If you truly want to separate the sites, then separate them: put them on two different servers. – Chris Pratt Aug 22 '12 at 14:25
  • @chris - they can run on different ports, Comp B is basically a background service. I'm putting them on one machine at this time to reduce cost. –  Aug 22 '12 at 14:42
  • Is this your dev environment? If so why the concern with security? You already supplied your solution for production: use multiple servers. – RickyA Aug 22 '12 at 14:57
  • yes, it's a dev environment, and I can set up more servers, but that still doesn't answer my question, whether it is possible to run multiple instances under different users, and if it is, then how :-) –  Aug 22 '12 at 15:28
  • I don't see anything wrong with this question; it asks something specific. –  Aug 23 '12 at 05:34
  • It *vaguely* feels like you're trying to solve this problem in the wrong tier. If you're running Django with some kind of app server (fastcgi, something-like-that), you might consider running the app servers for each component as a different user, and having just one instance of nginx which proxies to them. – nickgrim Aug 23 '12 at 08:56

2 Answers


Seems to me that you don't actually need 2 nginx instances to get the separation you want.

You have 3 agents interacting: nginx, app1, and app2. In this scenario nginx doesn't actually handle the data directly, it simply routes incoming http requests to either app1 or app2, consequently it doesn't actually have any data to leak.

Seems to me that what you really want is having the 2 Django apps run as different users, with permissions set up so that app1 can't get at app2's data (except through the REST API).

You don't specify how nginx talks to the apps, but any and all of the usual mechanisms (FastCGI, reverse proxying, SCGI, ...) make it fairly easy to have a separate process for each app.

On the nginx side you can have clean separation by simply having 2 server blocks, each with their own subdomain/domain name.

For some more peace of mind you could add some http://nginx.org/en/docs/http/ngx_http_referer_module.html#valid_referers directives to the Component B nginx config to make sure it only accepts external/Component A referrals at the specified REST API URLs.

cobaco
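The layout this answer describes, written out as an added example (not config from the thread or from either poster): one nginx instance running as www-data, two server blocks, each handing requests to its own FastCGI process over a Unix socket. The socket paths, hostnames, user names and directory names are assumptions for illustration. The point of the arrangement is that nginx never needs to read either app's settings.py, so A's settings.py can be owned by the `compa` user with mode 0640 and the `compb` user has no path to it; each app's socket directory is owned by that app's user with group www-data so only nginx can connect. Component B is bound to the loopback address rather than filtered by Referer, because a Referer header is set by the client and is not an access control.

```nginx
# /etc/nginx/sites-available/components   (added example, not from the thread)
# Assumed layout:
#   /srv/compa  owned compa:compa, settings.py mode 0640 -> unreadable by compb
#   /srv/compb  owned compb:compb
#   /var/run/compa, /var/run/compb  owned <user>:www-data, mode 0750,
#   socket created by each app's runfcgi with umask 007

upstream comp_a {
    server unix:/var/run/compa/fcgi.sock;   # Component A, runs as user compa
}

upstream comp_b {
    server unix:/var/run/compb/fcgi.sock;   # Component B, runs as user compb
}

# Component A: the public-facing app.
server {
    listen 80;
    server_name a.example.com;              # assumed hostname

    location / {
        include fastcgi_params;
        # Django's FastCGI handler expects PATH_INFO to carry the request path.
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param SCRIPT_NAME "";
        fastcgi_pass comp_a;
    }
}

# Component B: a background service that only needs to be reached by A,
# so it listens on a second port bound to loopback only.
server {
    listen 127.0.0.1:8081;
    server_name b.internal;                 # assumed hostname

    # Only the REST API path is exposed; everything else is refused.
    location /api/ {
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param SCRIPT_NAME "";
        fastcgi_pass comp_b;
    }

    location / {
        return 404;
    }
}
```

With this split, compromise of Component B's process yields the compb user's view of the filesystem and a connection to its own socket; it cannot read /srv/compa/settings.py, and when B later moves to its own machine only the `listen` line and A's API client URL change.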

I've found that a good direction is to use fastcgi and start Comp B as follows:

 # start Component B's FastCGI server under its own unprivileged user
 sudo -u youruser manage.py runfcgi
Kenny Rasschaert
Belda