run master nginx process as non-root user

confs/auto-lets-encrypt.conf

@@ -1,7 +0,0 @@
-listen 0.0.0.0:443 ssl %HTTP2%;
-ssl_certificate /etc/letsencrypt/live/%FIRST_SERVER_NAME%/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/%FIRST_SERVER_NAME%/privkey.pem;
-ssl_protocols TLSv1.3;
-ssl_prefer_server_ciphers off;
-ssl_session_tickets off;
-%STRICT_TRANSPORT_SECURITY%

confs/https.conf

@@ -1,4 +1,4 @@
-listen 0.0.0.0:443 ssl %HTTP2%;
+listen 0.0.0.0:8443 ssl %HTTP2%;
 ssl_certificate %HTTPS_CERT%;
 ssl_certificate_key %HTTPS_KEY%;
 ssl_protocols TLSv1.3;

confs/nginx.conf

@@ -1,18 +1,18 @@
 # /etc/nginx/nginx.conf
 
 # load dynamic modules
-load_module /usr/local/nginx/modules/ngx_http_cookie_flag_filter_module.so;
-load_module /usr/local/nginx/modules/ngx_http_geoip2_module.so;
-load_module /usr/local/nginx/modules/ngx_http_headers_more_filter_module.so;
-load_module /usr/local/nginx/modules/ngx_http_lua_module.so;
-load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;
-load_module /usr/local/nginx/modules/ngx_stream_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 
 # run as daemon
 daemon on;
 
-# do NOT run as root
-user nginx;
+# PID file
+pid /tmp/nginx.pid;
 
 # worker number = CPU core(s)
 worker_processes auto;
@@ -51,6 +51,17 @@ http {
 	# maximum request body size
 	client_max_body_size %MAX_CLIENT_SIZE%;
 
+	# write logs to local syslog
+	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
+	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
+
+	# temp paths
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
 	# load caching custom config
 	include /etc/nginx/cache.conf;
 
@@ -72,10 +83,6 @@ http {
 	# get real IP address if behind a reverse proxy
         %PROXY_REAL_IP%
 
-	# write logs to local syslog
-	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice combined;
-	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;
-
 	# lua path and dicts
 	lua_package_path "/usr/local/lib/lua/?.lua;;";
 	%WHITELIST_IP_CACHE%

confs/server.conf

@@ -1,6 +1,5 @@
 server {
 	include /server-confs/*.conf;
-	set $session_secret %ANTIBOT_SESSION_SECRET%;
 	include /etc/nginx/main-lua.conf;
 	%LISTEN_HTTP%
 	%USE_HTTPS%