Serving Tmp Files From Nginx
Daemons storing files in /tmp make implementing security harder, especially when they run with root privileges. Daemons should store runtime data in /run and persistent data in /var/lib (plus there’s /var/run/___ and /var/cache/___ for… stuff).
When nginx is installed on Red Hat Enterprise Linux 8.0, it will not serve files from the /tmp directory because of PrivateTmp in the systemd unit file. If for some reason you have to serve files from /tmp, PrivateTmp has to be disabled:
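sudo vi /usr/lib/systemd/system/nginx.service #Comment out the following line
#PrivateTmp=true
sudo systemctl daemon-reload #Make systemd re-read the edited unit file
sudo systemctl restart nginx #Restart nginx so the change takes effect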
The configuration for nginx to serve files from /tmp for a “virtual directory” (an IIS term) is:
sudo vi /etc/nginx/nginx.conf #Add the following inside the server block of nginx.conf
location ~ ^/titanium/(.*)$ {
    alias /tmp/chocolate/$1;
}
PrivateTmp was introduced in Fedora 16 (with some bugs), and has been in use in Fedora 17 and Red Hat Enterprise Linux 7. Also see JoinsNamespaceOf if you want an alternative to disabling PrivateTmp, for multiple daemons to use the same private pam_namespace.
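The JoinsNamespaceOf alternative mentioned above, as an added example that is not from the original post: nginx keeps PrivateTmp=true and joins the private /tmp of the daemon that writes the files, using drop-in files instead of edits to the packaged unit. The unit name chocolate-writer.service, the drop-in file names and the write_dropins function are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: share one private /tmp between nginx and the daemon that
# writes the files, instead of turning PrivateTmp off for nginx.
# Assumption: "chocolate-writer.service" is a hypothetical producer unit.

PRODUCER="chocolate-writer.service"

# Write both drop-ins under $1 (defaults to the admin override directory,
# which survives package updates, unlike /usr/lib/systemd/system).
write_dropins() {
    root="${1:-/etc/systemd/system}"
    mkdir -p "$root/nginx.service.d" "$root/$PRODUCER.d"

    # nginx keeps its private /tmp and joins the producer's namespace.
    cat > "$root/nginx.service.d/10-shared-tmp.conf" <<EOF
[Unit]
JoinsNamespaceOf=$PRODUCER

[Service]
PrivateTmp=true
EOF

    # The producer must also run with PrivateTmp=true for the join to apply.
    cat > "$root/$PRODUCER.d/10-private-tmp.conf" <<EOF
[Service]
PrivateTmp=true
EOF
}

# Run as root on the host:
#   write_dropins
#   systemctl daemon-reload
#   systemctl restart "$PRODUCER" nginx.service
#   systemctl show -p PrivateTmp -p JoinsNamespaceOf nginx.service
```

With both units restarted, /tmp/chocolate written by the producer is visible to nginx at the same path, while other services and login sessions still cannot see it.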