Running Nginx as Non-Root User
A guide to replacing the system nginx with a user-level nginx instance that needs no sudo for daily operations.
1. Allow nginx to bind to privileged ports (80/443)
sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nginx
Verify:
getcap /usr/bin/nginx
2. Give user access to Let’s Encrypt certs
sudo setfacl -m u:$USER:rx /etc/letsencrypt/
sudo setfacl -m u:$USER:rx /etc/letsencrypt/live/
sudo setfacl -m u:$USER:rx /etc/letsencrypt/archive/
sudo setfacl -R -m u:$USER:rx /etc/letsencrypt/live/yourdomain.com/
sudo setfacl -R -m u:$USER:rx /etc/letsencrypt/archive/yourdomain.com/
4. Disable system nginx
sudo systemctl stop nginx
sudo systemctl disable nginx
5. Create user systemd service
mkdir -p ~/.config/systemd/user/
nano ~/.config/systemd/user/nginx.service
[Unit]
Description=Nginx HTTP Server
After=network.target

[Service]
Type=forking
PIDFile=/tmp/nginx.pid
ExecStart=/usr/bin/nginx
ExecReload=/usr/bin/nginx -s reload
ExecStop=/usr/bin/nginx -s stop
PrivateTmp=false

[Install]
WantedBy=default.target
Check your nginx path first with "which nginx" and update accordingly.
6. Enable and start the service
systemctl --user daemon-reload
systemctl --user enable nginx
systemctl --user start nginx
systemctl --user status nginx
7. Allow user services to run without being logged in
sudo loginctl enable-linger $USER
Without this, user services stop when you log out.
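A preflight check for steps 1, 2 and 7, added here as an example and not part of the original guide: file capabilities live on the binary itself, so a package upgrade that replaces /usr/bin/nginx drops them and the check is worth re-running after updates. The function names and the preflight.sh file name are assumptions.

```shell
#!/bin/sh
# Preflight checks for the user-level nginx setup (added example).
# Function names are illustrative; yourdomain.com is the page's placeholder.

# has_bind_cap "<one line of getcap output>"
# Succeeds only if cap_net_bind_service is effective (e) and permitted (p).
# Accepts both getcap formats: "file = cap+ep" and "file cap=ep".
has_bind_cap() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^ ]*[+=]\([eip]*\).*/\1/p')
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
}

# certs_readable <live dir>: nginx needs both files; the entries under
# live/ are symlinks into archive/, so -r also exercises the archive ACLs.
certs_readable() {
    for f in fullchain.pem privkey.pem; do
        [ -r "$1/$f" ] || return 1
    done
}

# linger_enabled "<output of loginctl show-user --property=Linger>"
linger_enabled() {
    [ "$1" = "Linger=yes" ]
}

# preflight <domain>: run all three checks against the live system.
preflight() {
    rc=0
    has_bind_cap "$(getcap /usr/bin/nginx)" ||
        { echo "FAIL: cap_net_bind_service missing on /usr/bin/nginx"; rc=1; }
    certs_readable "/etc/letsencrypt/live/$1" ||
        { echo "FAIL: $USER cannot read certs for $1"; rc=1; }
    linger_enabled "$(loginctl show-user "$USER" --property=Linger)" ||
        { echo "FAIL: linger not enabled for $USER"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh --check yourdomain.com
if [ "${1:-}" = "--check" ]; then
    preflight "${2:?domain required}"
fi
```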
Useful commands
# Reload config
systemctl --user reload nginx

# Stop/start
systemctl --user stop nginx
systemctl --user start nginx

# View logs
tail -f /tmp/nginx-error.log
tail -f /tmp/nginx-access.log

# Test config
/usr/bin/nginx -t