Creating jailed user for nginx website

This is a method for creating a somewhat isolated environment for websites and, in particular, their files, through simple sshd configuration. Website files will be stored in /srv/www. The first step is creating a group for website users.

# addgroup website

Then we change ssh configuration in /etc/ssh/sshd_config as follows:

Subsystem sftp internal-sftp

Match Group website
	X11Forwarding no
	AllowTcpForwarding no
	ChrootDirectory /srv/www/%u/
	ForceCommand internal-sftp

Reload SSH, create a user in the group and populate the directory tree. If you want, you can also set a password:

# useradd -g website -d /public -s /sbin/nologin example
# mkdir -p /srv/www/example/{public,private,logs}
# chown -R example:website /srv/www/example/*
# passwd example
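
sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by group or others, which is why the chown above targets /srv/www/example/* and not /srv/www/example itself. The check below is an added example, not part of the original page; the check_chroot name and its optional UID and STOP arguments are assumptions made for illustration, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU stat (stat -c).
# check_chroot DIR [UID] [STOP]
#   Walks from DIR up to STOP (default /) and reports every component that
#   is not owned by UID (default 0, root) or is writable by group/others.
#   Returns 0 if all components pass, 1 on any failure, 2 if stat fails.
check_chroot() {
    dir=$1
    uid=${2:-0}
    stop=${3:-/}
    rc=0
    while :; do
        info=$(stat -c '%u %a' -- "$dir") || return 2
        owner=${info% *}
        mode=${info#* }
        if [ "$owner" != "$uid" ]; then
            echo "FAIL $dir: owner uid $owner, expected $uid"
            rc=1
        fi
        # 022 = write bit for group and write bit for others
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is writable by group or others"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    return $rc
}

# Run as a script: sh check_chroot.sh /srv/www/example
if [ $# -gt 0 ]; then
    check_chroot "$@"
fi
```

A component that is a symlink is reported as a failure, because stat describes the link itself here.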

In /etc/nginx/sites-available, add a new file named example and fill it:

server {
	listen 80;
	listen [::]:80;
	
	add_header X-Clacks-Overhead "GNU Terry Pratchett";
	
	server_name example.com www.example.com;
	
	root /srv/www/example/public;
	access_log /srv/www/example/logs/access.log;
	error_log /srv/www/example/logs/error.log;

	index index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

Create a soft link in /etc/nginx/sites-enabled to the newly created configuration file. To disable the website, just remove the link. Test and restart nginx after that:

# cd /etc/nginx/sites-enabled
# ln -s ../sites-available/example example
# nginx -t
# systemctl restart nginx

Pretty much, that's it. Repeat, extend, add encryption or whatever.
