Re: [Savannah-hackers-public] exploring savane's PHP under nginx
From: Assaf Gordon
Subject: Re: [Savannah-hackers-public] exploring savane's PHP under nginx
Date: Wed, 15 Mar 2017 00:14:40 -0400
Hello,
Some good progress on making savannah work with nginx.
A mostly-working NGINX configuration is below.
It's a bit messy, but works with stock nginx/php5-fpm configuration (from
Ubuntu 14.04), and with no php code modification in savannah.
Comments and improvements are very welcome.
regards,
- assaf
This file is frontend0:/etc/nginx/sites-available/sv-agn-test.
The apache upstream is
frontend0:/etc/apache2/sites-available/sv-agn-nginx-proxy.dev .
====
# Test server: running savane's php under nginx.
# For questions write to address@hidden
#
# This minimal setup ignores all the usual savannah stuff
# (ssl, let's-encrypt, gnu/nongnu) and only exposes
# port 81 .
#
# Apache's server on frontend0 will proxy
# requests from https://agn.frontend0.savannah.{gnu,nongnu}.org to here.
#
server {
    server_name agn.frontend0.savannah.gnu.org
                agn.frontend0.savannah.nongnu.org
                _;
    listen 81;
    listen [::]:81;

    root /home/agn/savannah/savane/frontend/php;

    # Default to gnu version of savannah,
    # switch to nongnu based on host name.
    # This variable is used later by fastcgi.
    set $savane_conf "/home/agn/savannah/etc/savane/";
    if ($host ~ nongnu\.org) {
        set $savane_conf "/home/agn/savannah/etc/savane/nongnu-conf";
    }

    # Explicit handling of 3 scripts which require PATH_INFO processing.
    #
    # The reason for all this mess is that old PHP + Apache had a convenient
    # behaviour of walking up a URI path until something executable was found,
    # then execute it as PHP. e.g. URI of "/projects/coreutils" would
    # first try the non-existing file <savane>/frontend/php/projects/coreutils,
    # then fall back to executing '<savane>/frontend/php/projects' with
    # 'coreutils' as the additional parameter (in PATH_INFO?).
    # Savannah's apache/php configuration allowed for these files to be
    # executed as PHP with explicit 'SetHandler', so this 'just worked'.
    #
    # Newer PHPs changed this behaviour, but allowed reverting back
    # using 'cgi.fix_pathinfo=0' in /etc/php5/fpm/php.ini.
    # There are many conflicting posts online about how to make it work
    # with nginx/php5-fpm, mentioning PATH_TRANSLATED and other voodoo settings.
    #
    # I (agn) could not get any of them to 'just work'. If you have suggestions,
    # please write to address@hidden .
    #
    # Since these are the only three cases in savannah where a PHP script
    # appears in the middle of the URI and needs this PATH_INFO hack,
    # I created this specific nginx 'location' block.
    # This works with the (recommended? safer?) fix_pathinfo=1 setting.
    #
    # NOTES:
    # 1. The PHP script files are really named projects/users/file
    #    (no .php extension). They are in <savane>/frontend/php/ .
    # 2. A symlink with .php extension was created for each
    #    (e.g. projects.php -> projects).
    #    This was not needed for apache/php.
    #    However, to execute files without .php extension in php5-fpm one must
    #    disable the new 'security.limit_extensions' setting in
    #    /etc/php5/fpm/pool.d/*.conf - and that would be a shame
    #    (and less secure).
    #    So in this new nginx/php5-fpm configuration, visiting
    #    /projects/coreutils will execute projects.php with 'coreutils'
    #    as PATH_INFO parameter.
    # 3. SCRIPT_FILENAME must point to the file to be executed.
    #    The 'split path info' regex extracts the filename as the first
    #    regex group (will be stored in $fastcgi_script_name),
    #    and the 'parameter' as the second regex group (will be stored
    #    in '$fastcgi_path_info' and passed on in PATH_INFO).
    location ~ ^/(projects|users|file|test)/ {
        # Must be FIRST, as 'SCRIPT_FILENAME/PATH_INFO' are overridden below.
        include fastcgi_params;
        fastcgi_cache off;

        # the first regex group will be 'projects|users|file',
        # the second regex group will be the parameter (e.g. project/user to
        # search for).
        fastcgi_split_path_info ^(/[a-z]+)(/[\w-]+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name.php;
        fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;
        fastcgi_param SAVANE_CONF $savane_conf;

        # Debug messages (viewable in the 'returned HTTP server headers')
        add_header X-debug-request-uri "$request_uri" ;
        add_header X-debug-uri "$uri" ;
        add_header X-debug-args "$args" ;
        add_header X-debug-script-filename "$document_root$fastcgi_script_name.php";
    }
    # no PHP processing for any submitted files (from project registration)
    # '^~' is required here: without it the regex location '~ \.php$' below
    # takes precedence over this plain prefix match, so a request for
    # /submissions_uploads/something.php would be handed to php5-fpm.
    location ^~ /submissions_uploads/ {
        root /home/agn/savannah/var/www/ ;
    }
    # Execution of PHP scripts - if they really end with PHP.
    # TODO:
    # 1. Check if the files actually exist, reject if not.
    # 2. Check if the files are under $document_root, another safety
    #    layer against uploaded PHPs.
    # 3. Ensure the default PATH_INFO (and other settings) in the 'fastcgi_params'
    #    config file are not exploitable with savannah (which perhaps does
    #    not have the safest php structure and code).
    # 4. before jumping on try_files, be aware of
    #    https://trac.nginx.org/nginx/ticket/321
    location ~ \.php$ {
        fastcgi_cache off;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;
        fastcgi_param SAVANE_CONF $savane_conf;

        # Debug messages (viewable in the 'returned HTTP server headers')
        add_header X-debug-request-uri "$request_uri" ;
        add_header X-debug-uri "$uri" ;
        add_header X-debug-args "$args" ;
        add_header X-debug-script-filename "$document_root$fastcgi_script_name";
    }

    # All other files (non PHP files) - serve as is.
    # Note special handling of directories:
    # If the $uri is a directory under document_root (i.e. <savane>/frontend/php),
    # AND there is a $uri/index.php file - redirect to it (and let the
    # PHP location block handle it). E.g. "/search/?foo=bar" and "/search?foo=bar"
    # both redirect to '/search/index.php?foo=bar'.
    #
    # TODO:
    # 1. This extra redirection is ugly, wasteful, and sometimes adds a double
    #    slash (e.g. "/search//index.php?foo=bar").
    # 2. IfIsEvil, I know. But 'return' in 'if' is fine.
    #
    # However, if you know how to improve/fix these (e.g. with 'try_files'),
    # please do write to address@hidden
    # Please ensure your suggestion actually works, on Ubuntu 14.04 with stock
    # nginx 1.4.6 / php5-fpm3 5.5.9
    location / {
        if (-f $document_root$uri/index.php) {
            return 302 https://$host$uri/index.php?$args;
        }
    }
}
====
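The following is an added example, not part of Assaf's message or of the Savannah configuration: a hardened variant of the same server block that addresses TODO items 1, 2 and 4 of the `\.php$` location and the `try_files` request for the `location /` block. It keeps the paths, socket and `$savane_conf` logic from the posted file and assumes the same three split-path scripts (`projects`, `users`, `file`; the `test` entry is dropped); the variable names `$sv_script` and `$sv_path_info` are my own. The `set` copies exist because `try_files` clears `$fastcgi_path_info` (nginx ticket 321, cited in the post), and `try_files ... =404` in the `\.php$` location is what stops php5-fpm from ever seeing a script path that does not exist under the document root, which is the precondition for `cgi.fix_pathinfo=1` walking back to an uploaded non-PHP file.

```nginx
server {
    listen 81;
    listen [::]:81;
    server_name agn.frontend0.savannah.gnu.org
                agn.frontend0.savannah.nongnu.org
                _;
    root /home/agn/savannah/savane/frontend/php;   # same root as the posted file

    set $savane_conf "/home/agn/savannah/etc/savane/";
    if ($host ~ nongnu\.org) {
        set $savane_conf "/home/agn/savannah/etc/savane/nongnu-conf";
    }

    # Uploaded files are never handed to PHP. '^~' makes this prefix match
    # final, so the regex PHP location below cannot claim these URIs.
    location ^~ /submissions_uploads/ {
        root /home/agn/savannah/var/www/;
    }

    # /projects/<name>, /users/<name>, /file/<name>.
    # 1. split the URI into script part and PATH_INFO part,
    # 2. copy both into plain variables (try_files resets $fastcgi_path_info),
    # 3. refuse the request unless <script>.php really exists under root.
    # A URI the split regex does not match (e.g. /projects/a/b) leaves
    # $fastcgi_script_name equal to the whole URI, whose .php file does not
    # exist, so it is rejected with 404 rather than guessed at by PHP.
    location ~ ^/(projects|users|file)/ {
        fastcgi_split_path_info ^(/[a-z]+)(/[\w-]+)$;
        set $sv_script    $fastcgi_script_name;   # e.g. /projects
        set $sv_path_info $fastcgi_path_info;     # e.g. /coreutils
        try_files $sv_script.php =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$sv_script.php;
        fastcgi_param PATH_INFO       $sv_path_info;
        fastcgi_param SAVANE_CONF     $savane_conf;
        fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;
    }

    # Real *.php scripts. The existence check covers TODO 1 and 2: only a
    # file that exists under $document_root reaches php5-fpm, so
    # /some/upload.jpg/fake.php is answered by nginx with 404 instead of
    # being resolved by PHP's cgi.fix_pathinfo fallback.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SAVANE_CONF     $savane_conf;
        fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;
    }

    # Everything else: serve static files as-is; for a directory, the index
    # module performs an internal redirect to <dir>/index.php, which then
    # matches the location above. No external 302 and no doubled slash:
    # both /search?foo=bar and /search/?foo=bar end up at /search/index.php.
    index index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}
```

The debug `add_header` lines from the posted file are omitted here on purpose: once the routing is settled they leak script paths and upstream details in every response, so they belong only in a test server.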