Security

How to use AppArmor to block access to folders in NGINX

Jack Wallen shows you a clever way of blocking NGINX access to particular directories with the help of AppArmor.

This comes by way of an experimentation. I wanted to find different ways to block/unblock directories for the NGINX web server. One way I found was via AppArmor. If you're not sure what AppArmor is, very simply it is a Linux kernel security module that allows for the restriction of programs' capabilities using per-program profiles. With that in mind, it is possible to create an AppArmor profile that can restrict access to directories, while allowing access to others. I'm going to demonstrate how this is done on the Ubuntu Server 18.04 platform with non-standard NGINX document roots.

SEE: You've been breached: Eight steps to take within the next 48 hours (free PDF) (TechRepublic)

What you'll need

I'm going to assume you have Ubuntu Server 18.04 up and running. As well I'll assume NGINX is installed and working. Although the Ubuntu Server platform should have AppArmor installed, it will not include one necessary tool. To fix that, open up a terminal window on your server and issue the following command:

sudo apt install apparmor-utils

With that installed, you're ready to go.

Configure NGINX

Since we're going to be serving up files from non-traditional document root directories, let's take care of creating those. First let's create two new directories with the commands:

sudo mkdir /data/www/safe
sudo mkdir /data/www/unsafe

Inside the safe directory, place an index.html file with the content:

<html>
<H2>THIS IS SAFE</H2>
</html>

Inside the unsafe directory, place an index.html file with the following content:

<html>
<H2>THIS IS UNSAFE</H2>
</html>

Now we need to alter the nginx.conf file. Open this file with the command sudo nano /etc/nginx/nginx.conf. In that file, comment out the line (by adding a # at the beginning):

include /etc/nginx/sites-enabled/*;

Under the line include /etc/nginx/conf.d/*.conf; add the following:

server {
    listen 8080;
    location / {
            root /data/www;
    }
}

Save and close that file. Reload NGINX with the command:

sudo nginx -s reload

If you point your browser to either http://SERVER_IP:8080/safe/ or http://SERVER_IP:8080/safe/ you should be able to see the content of both of the index.html files. Let's block the ability to see the file in the unsafe directory.

Create an AppArmor profile

We have to create a new AppArmor profile for NGINX. To do this, change into the AppArmor directory with the command cd /etc/apparmor.d. Within that directory, issue the command sudo aa-autodep nginx. When that command completes, place the profile in complain mode with the command sudo aa-complain nginx.

Next issue the command sudo aa-logprof. Answer A for every question, until you are prompted to save (by hitting S) the changes. Once the changes have been saved, we can now edit the NGINX profile. Issue the command sudo nano /etc/apparmor.d/usr.sbin.nginx. Edit your profile to look like this:

# Last Modified: Thu Jun 21 14:54:30 2018
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/lxc/container-base>
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /data/www/safe/* r,
  deny /data/www/unsafe/* r,
  /etc/group r,
  /etc/nginx/conf.d/ r,
  /etc/nginx/mime.types r,
  /etc/nginx/nginx.conf r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/ssl/openssl.cnf r,
  /run/nginx.pid rw,
  /usr/sbin/nginx mr,
  /var/log/nginx/access.log w,
  /var/log/nginx/error.log w,
}

Save and close that file. Now we can place the profile in enforce mode with the command:

sudo aa-enforce nginx

Let's reload AppArmor and restart NGINX with the commands:

sudo /etc/init.d/apparmor reload
sudo service nginx restart

Now, if you point your browser to http://SERVER_IP:8080/safe, you should still see the contents of the index.html. However, if you point your browser to http://SERVER_IP:8080/unsafe, you'll get a 403 Forbidden error (Figure A).

Figure A

Figure A

We can no longer access the unsafe area.


Happy blocking

And that's all there is to blocking directories for NGINX access with AppArmor. Is it the method you'll want to employ? That's for you to decide. It is nice to know, however, that there are many different means to this particular end. At least you know that you do have the ability to lock down certain directories for NGINX access. Happy blocking!

Also see

nginxhero.jpg

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox