
Re: [Savannah-hackers-public] exploring savane's PHP under nginx


From: Assaf Gordon
Subject: Re: [Savannah-hackers-public] exploring savane's PHP under nginx
Date: Wed, 15 Mar 2017 00:14:40 -0400

Hello,

Some good progress on making savannah work with nginx.

A mostly-working NGINX configuration is below.
It's a bit messy, but works with stock nginx/php5-fpm configuration (from 
Ubuntu 14.04), and with no php code modification in savannah.

Comments and improvements are very welcome.

regards,
 - assaf



This file is frontend0:/etc/nginx/sites-available/sv-agn-test.
The apache upstream is 
frontend0:/etc/apache2/sites-available/sv-agn-nginx-proxy.dev .

====
# Test server: running savane's php under nginx.
# For questions write to address@hidden
#
# This minimal setup ignores all the usual savannah stuff
# (ssl, let's-encrypt, gnu/nongnu) and only exposes
# port 81 .
#
# Apache's server on frontend0 will proxy
# requests from https://agn.frontend0.savannah.{gnu,nongnu}.org to here.
#

server {
   server_name agn.frontend0.savannah.gnu.org
               agn.frontend0.savannah.nongnu.org
               _;

   listen 81;
   listen [::]:81;

   root /home/agn/savannah/savane/frontend/php;

   # Default to gnu version of savannah,
   # switch to nongnu based on host name.
   # This variable is used later by fastcgi.
   set $savane_conf "/home/agn/savannah/etc/savane/";
   if ($host ~ nongnu\.org) {
       set $savane_conf "/home/agn/savannah/etc/savane/nongnu-conf";
   }

   # Explicit handling of 3 scripts which require PATH_INFO processing.
   #
   # The reason for all this mess is that old PHP + Apache had a convenient
   # behaviour of walking up a URI path until something executable was found,
   # then execute it as PHP. e.g. URI of "/projects/coreutils" would
   # first try the non-existing file <savane>/frontend/php/projects/coreutils,
   # then fall back to executing '<savane>/frontend/php/projects' with
   # 'coreutils' as the additional parameter (in PATH_INFO?).
   # Savannah's apache/php configuration allowed for these files to be
   # executed as PHP with explicit 'SetHandler', so this 'just worked'.
   #
   # Newer PHPs changed this behaviour, but allowed reverting back
   # using 'cgi.fix_pathinfo=0' in /etc/php5/fpm/php.ini.
   # There are many conflicting posts online about how to make it work
   # with nginx/php5-fpm, mentioning PATH_TRANSLATED and other voodoo settings.
   #
   # I (agn) could not get any of them to 'just work'. If you have suggestions,
   # please write to address@hidden .
   #
   # Since these are the only three cases in savannah where a PHP script
   # appears in the middle of the URI and needs this PATH_INFO hack,
   # I created this specific nginx 'location' block.
   # This works with the (recommended? safer?) fix_pathinfo=1 setting.
   #
   # NOTES:
   # 1. The PHP script files are really named projects/users/file
   #    (no .php extension). They are in <savane>/frontend/php/ .
   # 2. A symlink with .php extension was created for each
   #    (e.g. projects.php -> projects).
   #    This was not needed for apache/php.
   #    However, to execute files without .php extension in php5-fpm one must
   #    disable the new 'security.limit_extensions' setting in
   #    /etc/php5/fpm/pool.d/*.conf - and that would be a shame
   #    (and less secure).
   #    So in this new nginx/php5-fpm configuration, visiting
   #    /projects/coreutils will execute projects.php with 'coreutils'
   #    as PATH_INFO parameter.
   # 3. SCRIPT_FILENAME must point to the file to be executed.
   #    The 'split path info' regex extracts the filename as the first
   #    regex group (will be stored in $fastcgi_script_name),
   #    and the 'parameter' as the second regex group (will be stored
   #    in '$fastcgi_path_info' and passed on in PATH_INFO).
   location ~ ^/(projects|users|file|test)/ {

       # Must be FIRST, as 'SCRIPT_FILENAME/PATH_INFO' are overridden below.
       include fastcgi_params;

       fastcgi_cache off;

       # the first regex group will be 'projects|users|file',
       # the second regex group will be the parameter
       # (e.g project/user to search for).
       fastcgi_split_path_info ^(/[a-z]+)(/[\w-]+)$;
       fastcgi_param PATH_INFO            $fastcgi_path_info;
       fastcgi_param SCRIPT_FILENAME      $document_root/$fastcgi_script_name.php;
       fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;

       fastcgi_param SAVANE_CONF $savane_conf;

       # Debug messages (viewable in the 'returned HTTP server headers')
       add_header X-debug-request-uri "$request_uri" ;
       add_header X-debug-uri "$uri" ;
       add_header X-debug-args "$args" ;
       add_header X-debug-script-filename "$document_root$fastcgi_script_name.php";
   }


   # no PHP processing for any submitted files (from project registration)
   location /submissions_uploads/ {
       root  /home/agn/savannah/var/www/ ;
   }

   # Execution of PHP scripts - if they really end with PHP.
   # TODO:
   # 1. Check if the files actually exist, reject if not.
   # 2. Check if the files are under $document_root, another safety
   #    layer against uploaded PHPs.
   # 3. Ensure the default PATH_INFO (and other settings) in 'fastcgi_params'
   #    config file are not exploitable with savannah (which perhaps does
   #    not have the safest php structure and code).
   # 4. before jumping on try_files, be aware of
   #    https://trac.nginx.org/nginx/ticket/321
   location ~ \.php$ {
       fastcgi_cache off;
       include fastcgi_params;
       fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;

       fastcgi_param SAVANE_CONF $savane_conf;

       # Debug messages (viewable in the 'returned HTTP server headers')
       add_header X-debug-request-uri "$request_uri" ;
       add_header X-debug-uri "$uri" ;
       add_header X-debug-args "$args" ;
       add_header X-debug-script-filename "$document_root$fastcgi_script_name";
  }


  # All other files (non PHP files) - serve as is.
  # Note special handling of directories:
  # If the $uri is a directory under document_root (i.e. <savane>/frontend/php),
  # AND there is a $uri/index.php file - redirect to it (and let the
  # PHP location block handle it). E.g. "/search/?foo=bar" and "/search?foo=bar"
  # both redirect to '/search/index.php?foo=bar'.
  #
  # TODO:
  # 1. This extra redirection is ugly, wasteful, and sometimes adds a double
  #    slash (e.g. "/search//index.php?foo=bar").
  # 2. IfIsEvil, I know. But 'return' in 'if' is fine.
  #
  # However, if you know how to improve/fix these (e.g. with 'try_files'),
  # please do write to address@hidden
  # Please ensure your suggestion actually works, on Ubuntu 14.04 with stock
  # nginx 1.4.6 / php5-fpm3 5.5.9
  location / {
       if (-f $document_root$uri/index.php) {
           return 302 https://$host$uri/index.php?$args;
       }
  }
}
====
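
An added example, not part of the original message or of savane: a Python emulation of how the `^/(projects|users|file|test)/` location and its `fastcgi_split_path_info` regex map a request path to SCRIPT_FILENAME and PATH_INFO, usable as an offline regression check when the regex is edited. The sample paths are constructed, and the no-match fallback (the whole URI becomes `$fastcgi_script_name`) is modelled on nginx's behaviour, not taken from the message.

```python
import re

# Values copied from the configuration above.
DOCUMENT_ROOT = "/home/agn/savannah/savane/frontend/php"
LOCATION_RE = re.compile(r"^/(projects|users|file|test)/")
# PCRE's \w is ASCII-only by default, hence re.ASCII here.
SPLIT_RE = re.compile(r"^(/[a-z]+)(/[\w-]+)$", re.ASCII)


def fastcgi_vars(uri):
    """Return the FastCGI parameters the location block would send for a
    normalized request path, or None if the location does not match."""
    if not LOCATION_RE.search(uri):
        return None
    m = SPLIT_RE.search(uri)
    if m:
        script_name, path_info = m.group(1), m.group(2)
    else:
        # Split regex failed: nginx uses the whole URI as
        # $fastcgi_script_name and leaves $fastcgi_path_info empty.
        script_name, path_info = uri, ""
    return {
        # Same concatenation as the SCRIPT_FILENAME directive in the config.
        "SCRIPT_FILENAME": f"{DOCUMENT_ROOT}/{script_name}.php",
        "PATH_INFO": path_info,
        "split_ok": m is not None,
    }


def unsplit(uris):
    """Paths handled by the location but NOT split by the regex; these are
    passed to PHP-FPM with a SCRIPT_FILENAME that names no real script."""
    return [u for u in uris
            if fastcgi_vars(u) is not None and not fastcgi_vars(u)["split_ok"]]


# Constructed sample request paths (not taken from real savannah traffic).
SAMPLES = [
    "/projects/coreutils", "/users/agn", "/projects/gnu-hello_2",
    "/projects/coreutils/",   # trailing slash
    "/file/notes.txt",        # '.' is outside [\w-]
    "/projects/a/b",          # more than one path segment
    "/search/",               # not one of the PATH_INFO scripts
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r:26} -> {fastcgi_vars(uri)}")
    print("handled but not split:", unsplit(SAMPLES))
```

The paths reported by `unsplit` are the ones worth checking against the first TODO item (reject requests whose script file does not exist).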



