Hello, how do I add snippets (mainly mod_rewrite equivalents for nginx) being a client of a site and not a server admin? is this not available? Thank you.
Is this for security ? It makes nginx much less attractive for what it's most usefull: shared hosting.
Yes, for security and ease of implementation. But it should be possible to extend this function so that clients can add snippets too. As the admin will see all snippets then, it might be a bit confusing for him so we might hav to limit that fnction in away that a admin does not see any user snippets.
It is important to note, that bad nginx directives or errors entered into options tab of a site, can and will crash a nginx server. So Nginx directives must be entered with care. I'm not sure I would ever feel comfortable with a client having the ability to enter them in.
Yes, I'm concerned with security too. Till: I guess admin can be limited to see only snippets created by himself. This will require an extra column for each snipped (owner/creator). Regarding stability problems, Is the issue worse with nginx than with the .htaccess tricks that can be done on apache? Rockdrala: I understand the snippet is limited to the virtualhost running the snippet. Could you make an example of a snippet that will break stuff outside of the virtualhost (i.e.... dos or resource of xss?) Thank you.
a wrong .htaccess file affects only the website were it is created while the custom directives affect the whole server. No, it is not limited to the vhost. Its the same as if you would enter a wrong configuration in the vhost file of apache. A single wrong line will bring down the whole server. Thats why the customdirectives fields are only availabe for the admin and not to the client. Tere is no corresponding functionality to a.htaccess file in nginx.
So, what would be the suggested scenario for using nginx with "untrusted" users? Would you suggest to have them open a support request with their snippet, then after evaluation by an admin get that snippet in the available snippets so that the client can add it to their nginx config? Or, perhaps a different road can be pursued: For example check if nginx parses the new snippet correctly and allow it only when no errors are thrown from it? Can you envision situations where a nginx parser will accept the snippet, but break other sites running in nginx?
