File permissions conundrum

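First, some background on the server

Running the latest Ubuntu and nginx. Nginx is set up for virtual hosts. Users (more than 100) can serve a website by placing their HTML in `$HOME/site.domain.com/public/`. If their site is security-sensitive, they can put an RSA key pair at `$HOME/site.domain.com.pem` and `$HOME/site.domain.com.key`, and nginx will pick up the key and serve the HTML in HTTPS mode without certificate errors.

Question: what (chmod) permissions should `$HOME/site.domain.com.key` have?

Here are the constraints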

- Other Linux (non-root) users should not be able to "steal" .key files.
- Nginx runs as user www-data and group www-data, I believe. So nginx needs to be able to have read access to any user's .pem file when nginx is rebooted with `service nginx restart`.
- Root users (root and ubuntu) should have access to any file using sudo.
- To make user management easy, the users we added (not the ones that come with the Ubuntu install) all have their primary group set as "ourcompanygroup". I'm flexible on this.

Reference: http://nginx.org/en/docs/http/configuring_https_servers.html
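An added example, not part of the original question: a shell check for the layout described above that lists every `$HOME/*.key` carrying any group or other permission bit and tightens it to owner-only. It assumes all home directories sit under one parent directory passed as an argument, and that nginx's master process is started as root by `service nginx restart`, so it can read owner-only keys before the www-data workers take over; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit per-user TLS private keys laid out as
# <home_base>/<user>/<site>.key. Function names are hypothetical.

# List *.key files directly inside each user's home that grant ANY
# group or other permission bit. Each bit is tested on its own so the
# check does not depend on find extensions such as "-perm /077".
find_exposed_keys() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null | sort
}

# Reduce every exposed key to owner read/write only (0600). The owning
# user keeps access and root is not restricted by mode bits, but members
# of a shared primary group and all other local users lose read access.
lock_down_keys() {
    find_exposed_keys "$1" | while IFS= read -r key; do
        chmod 600 "$key" && printf 'tightened %s\n' "$key"
    done
}

# Report only, when called with a base directory (assumed: /home).
if [ "$#" -gt 0 ]; then
    find_exposed_keys "$1"
fi
```

Run it as root with `/home` as the argument to get the report; call `lock_down_keys /home` only after reviewing that list.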
