
Jailed website user for Nginx

We have Nginx working, so now we should add a default website. The same method can easily be used to create more websites, each in a somewhat isolated environment. Website files will be stored in /srv/www. The first step is creating a group for website users.

addgroup website

Then we change the SSH configuration in /etc/ssh/sshd_config as follows:

Subsystem sftp internal-sftp

Match Group website
	X11Forwarding no
	AllowTcpForwarding no
	ChrootDirectory /srv/www/%u/
	ForceCommand internal-sftp

Reload SSH, add a user in that group and populate the directory tree. If you want, you can also set a password:

useradd -g website -d /public -s /sbin/nologin example
mkdir -p /srv/www/example/public /srv/www/example/private /srv/www/example/logs
chown -R example:website /srv/www/example/*
passwd example
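
sshd refuses a chrooted login unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others, which is why the chown above touches only the subdirectories and leaves /srv/www/example itself owned by root. The script below is an added example, not part of the original tutorial, that checks this for a given path; the function names and the script name check_chroot.sh are made up here, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path before pointing sshd at it.
# Assumes GNU stat (stat -c), as shipped on Debian/Ubuntu.

# component_ok UID MODE: succeed only for a root-owned mode with no
# group/other write bit. MODE is octal as printed by stat %a (e.g. 755).
component_ok() {
    [ "$1" = "0" ] || return 1
    case "$2" in
        *[2367]?|*[2367]) return 1 ;;   # write bit in group or other digit
    esac
    return 0
}

# check_chroot_path ABSOLUTE_DIR: test the directory and every parent up to /.
# Prints one line per component; returns non-zero if any component fails.
check_chroot_path() {
    path=$1
    rc=0
    case "$path" in
        /*) ;;
        *) echo "FAIL $path: not an absolute path"; return 2 ;;
    esac
    while :; do
        if [ ! -d "$path" ]; then
            echo "FAIL $path: not a directory"; rc=1
        else
            info=$(stat -c '%u %a' "$path")
            if component_ok "${info% *}" "${info#* }"; then
                echo "ok   $path (uid ${info% *}, mode ${info#* })"
            else
                echo "FAIL $path (uid ${info% *}, mode ${info#* })"; rc=1
            fi
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /srv/www/example
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" || exit 1
fi
```

A FAIL on /srv/www/example after an over-broad chown -R is the usual reason the SFTP login is dropped right after authentication.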

In /etc/nginx/sites-available add a new file named e.g. example and fill it with:

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	
	add_header X-Clacks-Overhead "GNU Terry Pratchett";
	
	server_name example.com www.example.com;
	
	root /srv/www/example/public;
	access_log /srv/www/example/logs/access.log;
	error_log /srv/www/example/logs/error.log;

	index index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

Create a soft link in /etc/nginx/sites-enabled to our newly created configuration file. If you want to disable the website, just remove the link. Test and restart nginx after that.

cd /etc/nginx/sites-enabled
ln -s ../sites-available/example example
nginx -t
systemctl restart nginx

And that’s how you add new websites to your nginx server. Just remember to have only one instance of “default_server” in all of your configuration files.