Hello,

Some good progress on making savannah work with nginx.
A mostly-working NGINX configuration is below.
It's a bit messy, but works with stock nginx/php5-fpm configuration
(from Ubuntu 14.04), and with no php code modification in savannah.

Comments and improvements are very welcome.

regards,
 - assaf

This file is frontend0:/etc/nginx/sites-available/sv-agn-test.
The apache upstream is
frontend0:/etc/apache2/sites-available/sv-agn-nginx-proxy.dev .

====
# Test server: running savane's php under nginx.
# For questions write to [email protected]
#
# This minimal setup ignores all the usual savannah stuff
# (ssl, let's-encrypt, gnu/nongnu) and only exposes
# port 81 .
#
# Apache's server on frontend0 will proxy
# requests from https://agn.frontend0.savannah.{gnu,nongnu}.org to here.
#
server {
    server_name agn.frontend0.savannah.gnu.org
                agn.frontend0.savannah.nongnu.org
                _;

    listen 81;
    listen [::]:81;

    root /home/agn/savannah/savane/frontend/php;

    # Default to gnu version of savannah,
    # switch to nongnu based on host name.
    # This variable is used later by fastcgi.
    set $savane_conf "/home/agn/savannah/etc/savane/";
    if ($host ~ nongnu\.org) {
        set $savane_conf "/home/agn/savannah/etc/savane/nongnu-conf";
    }

    # Explicit handling of 3 scripts which require PATH_INFO processing.
    #
    # The reason for all this mess is that old PHP + Apache had a convenient
    # behaviour of walking up a URI path until something executable was found,
    # then execute it as PHP. e.g. URI of "/projects/coreutils" would
    # first try the non-existing file <savane>/frontend/php/projects/coreutils,
    # then fall back to executing '<savane>/frontend/php/projects' with
    # 'coreutils' as the additional parameter (in PATH_INFO?).
    # Savannah's apache/php configuration allowed for these files to be
    # executed as PHP with explicit 'SetHandler', so this 'just worked'.
    #
    # Newer PHPs changed this behaviour, but allowed reverting back
    # using 'cgi.fix_pathinfo=0' in /etc/php5/fpm/php.ini.
    # There are many conflicting posts online about how to make it work
    # with nginx/php5-fpm, mentioning PATH_TRANSLATED and other voodoo settings.
    #
    # I (agn) could not get any of them to 'just work'. If you have suggestions,
    # please write to [email protected] .
    #
    # Since these are the only three cases in savannah where a PHP script
    # appears in the middle of the URI and needs this PATH_INFO hack,
    # I created this specific nginx 'location' block.
    # This works with the (recommended? safer?) fix_pathinfo=1 setting.
    #
    # NOTES:
    # 1. The PHP script files are really named projects/users/file
    #    (no .php extension). They are in <savane>/frontend/php/ .
    # 2. A symlink with .php extension was created for each
    #    (e.g. projects.php -> projects).
    #    This was not needed for apache/php.
    #    However, to execute files without .php extension in php5-fpm one must
    #    disable the new 'security.limit_extensions' setting in
    #    /etc/php5/fpm/pool.d/*.conf - and that would be a shame
    #    (and less secure).
    #    So in this new nginx/php5-fpm configuration, visiting
    #    /projects/coreutils will execute projects.php with 'coreutils'
    #    as PATH_INFO parameter.
    # 3. SCRIPT_FILENAME must point to the file to be executed.
    #    The 'split path info' regex extracts the filename as the first
    #    regex group (will be stored in $fastcgi_script_name),
    #    and the 'parameter' as the second regex group (will be stored
    #    in '$fastcgi_path_info' and passed on in PATH_INFO).
    location ~ ^/(projects|users|file|test)/ {
        # Must be FIRST, as 'SCRIPT_FILENAME/PATH_INFO' are overridden below.
        include fastcgi_params;

        fastcgi_cache off;

        # the first regex group will be 'projects|users|file',
        # the second regex group will be the parameter
        # (e.g. project/user to search for).
        fastcgi_split_path_info ^(/[a-z]+)(/[\w-]+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name.php;

        fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;
        fastcgi_param SAVANE_CONF $savane_conf;

        # Debug messages (viewable in the 'returned HTTP server headers')
        add_header X-debug-request-uri "$request_uri" ;
        add_header X-debug-uri "$uri" ;
        add_header X-debug-args "$args" ;
        add_header X-debug-script-filename "$document_root$fastcgi_script_name.php";
    }

    # no PHP processing for any submitted files (from project registration)
    location /submissions_uploads/ {
        root /home/agn/savannah/var/www/ ;
    }

    # Execution of PHP scripts - if they really end with PHP.
    # TODO:
    # 1. Check if the files actually exist, reject if not.
    # 2. Check if the files are under $document_root, another safety
    #    layer against uploaded PHPs.
    # 3. Ensure the default PATH_INFO (and other settings) in 'fastcgi_params'
    #    config file are not exploitable with savannah (which perhaps does
    #    not have the safest php structure and code).
    # 4. before jumping on try_files, be aware of
    #    https://trac.nginx.org/nginx/ticket/321
    location ~ \.php$ {
        fastcgi_cache off;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm-sv-agn.sock;
        fastcgi_param SAVANE_CONF $savane_conf;

        # Debug messages (viewable in the 'returned HTTP server headers')
        add_header X-debug-request-uri "$request_uri" ;
        add_header X-debug-uri "$uri" ;
        add_header X-debug-args "$args" ;
        add_header X-debug-script-filename "$document_root$fastcgi_script_name";
    }

    # All other files (non PHP files) - serve as is.
    # Note special handling of directories:
    # If the $uri is a directory under document_root
    # (i.e. <savane>/frontend/php), AND there is a $uri/index.php file -
    # redirect to it (and let the PHP location block handle it).
    # E.g. "/search/?foo=bar" and "/search?foo=bar"
    # both redirect to '/search/index.php?foo=bar'.
    #
    # TODO:
    # 1. This extra redirection is ugly, wasteful, and sometimes adds a
    #    double slash (e.g. "/search//index.php?foo=bar").
    # 2. IfIsEvil, I know. But 'return' in 'if' is fine.
    #
    # However, if you know how to improve/fix these (e.g. with 'try_files'),
    # please do write to [email protected].
    # Please ensure your suggestion actually works, on Ubuntu 14.04 with stock
    # nginx 1.4.6 / php5-fpm3 5.5.9
    location / {
        if (-f $document_root$uri/index.php) {
            return 302 https://$host$uri/index.php?$args;
        }
    }
}
====
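
An added example, not part of the original message or of savannah's code: a Python model of how the first location block turns a URI into SCRIPT_FILENAME and PATH_INFO, including what is sent when the split regex does not match, plus the existence and document-root checks from TODO items 1 and 2. It assumes the URI is already normalised the way nginx's $uri is; the function names are made up for illustration.

```python
import os
import re

# Values copied from the configuration above.
DOCUMENT_ROOT = "/home/agn/savannah/savane/frontend/php"
LOCATION_RE = re.compile(r"^/(projects|users|file|test)/")
SPLIT_RE = re.compile(r"^(/[a-z]+)(/[\w-]+)$", re.ASCII)


def split_path_info(uri):
    """Model of fastcgi_split_path_info: on a match the two groups become
    $fastcgi_script_name and $fastcgi_path_info; with no match the script
    name stays the whole URI and PATH_INFO is empty."""
    m = SPLIT_RE.match(uri)
    if m:
        return m.group(1), m.group(2)
    return uri, ""


def resolve(uri, root=DOCUMENT_ROOT):
    """Return (SCRIPT_FILENAME, PATH_INFO) as the first location block
    would send them, or None when the URI does not select that block."""
    if not LOCATION_RE.match(uri):
        return None
    script, path_info = split_path_info(uri)
    # Mirrors: $document_root/$fastcgi_script_name.php
    return f"{root}/{script}.php", path_info


def safe_to_execute(script_filename, root=DOCUMENT_ROOT):
    """TODO items 1 and 2: the file must exist and, once symlinks are
    followed, still lie under the document root."""
    real_root = os.path.realpath(root)
    real_file = os.path.realpath(script_filename)
    inside = os.path.commonpath([real_root, real_file]) == real_root
    return inside and os.path.isfile(real_file)


if __name__ == "__main__":
    # Constructed sample URIs, not taken from real traffic.
    for uri in ("/projects/coreutils", "/projects/coreutils/",
                "/users/a/b", "/search/"):
        print(uri, "->", resolve(uri))
```

A trailing slash or a second path segment makes the split regex miss, so SCRIPT_FILENAME ends up naming a file that does not exist; that is the case TODO item 1 asks to reject before the request reaches php5-fpm.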
