03.04.2018, 23:04, "Jacob Keller" <jacob.kel...@gmail.com>:
> On Tue, Apr 3, 2018 at 11:53 AM, Alex Ivanov <gnido...@ya.ru> wrote:
>> Hi.
>> I want to use systemd as fastcgi spawner for gitweb + nginx.
>> The traffic is low and number of users is limited + traversal bots. For
>> that reason I've decided to use the following minimal services
>>
>> gitweb.socket
>> [Unit]
>> Description=GitWeb Socket
>>
>> [Socket]
>> ListenStream=/run/gitweb.sock
>> Accept=false
>>
>> [Install]
>> WantedBy=sockets.target
>>
>> gitweb.service
>> [Unit]
>> Description=GitWeb Service
>>
>> [Service]
>> Type=simple
>> ExecStart=/path/to/gitweb.cgi --fcgi
>> StandardInput=socket
>>
>> However this scheme is not resistant to simple DDOS.
>> E.g. traversal bots often kill the service by opening a non-existing path
>> (e.g. http://host/?p=repo;a=blob;f=nonexisting/path;hb=HEAD showing in
>> browser 404 - Cannot find file) many times consecutively, which leads to
>> Apr 03 21:32:10 host systemd[1]: gitweb.service: Start request repeated too
>> quickly.
>> Apr 03 21:32:10 host systemd[1]: gitweb.service: Failed with result
>> 'start-limit-hit'.
>> Apr 03 21:32:10 host systemd[1]: Failed to start GitWeb service.
>> and 502 Bad Gateway in browser. I believe the reason is that gitweb.service
>> dies on failure and if it happens too often, systemd declines to restart the
>> service due to start limit hit.
>> So my question is how to correct systemd services for GitWeb to be
>> resistant to such issue? I prefer to use single process to process all
>> clients.
>> Thanks.
>
> This sounds like a systemd specific question that might get a better
> answer from the systemd mailing list.
Thanks I will try that too.
>
> That being said, I believe if in this case gitweb is dying due to the
> path not existing? You might be able to configure systemd to
> understand that the particular exit code for when the path doesn't
> exist is a "valid" exit, and not a failure case..
I will try to do that, but I'm afraid that there may be other ways to remotely
abuse the service.
>
> I'm not entirely understanding your goal.. you want each request to
> launch the gitweb process, and when it's done you want it to exit? But
> if there are multiple connections at once you want it to stay alive
> until it services them all? I think the best answer is configure
> systemd to understand that the exit code for when the path is invalid
> will be counted as a success.
I want a single process for all connections to keep RAM usage minimal. I
also thought it fits my case since the number of users is low.
>
> Thanks,
> Jake
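A hardened gitweb.service that applies Jake's suggestion (treat the "cannot find file" exit status as success) and also raises the unit's start rate limit so a burst of bad requests cannot trip 'start-limit-hit'; this is an added example, not the unit posted in the thread. It assumes the same gitweb.socket from the thread and that gitweb.cgi --fcgi exits with a single, stable non-zero status on a bad path; EXIT_CODE_PLACEHOLDER stands for that status, which the page does not give and which the journal entry for the crash ("status=N") shows.

```ini
# gitweb.service (hardened variant; added example, not the poster's unit).
# Pair with the thread's gitweb.socket (ListenStream=/run/gitweb.sock,
# Accept=false): the socket unit keeps the listener open across service
# restarts, so nginx queues connections instead of getting a refused
# connection and returning 502.
[Unit]
Description=GitWeb Service
# Default is 5 starts within 10 s; a few crash-inducing requests from a
# crawler exhaust that and systemd stops activating the service.
# On systemd >= 230 these two directives belong in [Unit]; older releases
# spell them StartLimitInterval=/StartLimitBurst= under [Service].
StartLimitIntervalSec=60
StartLimitBurst=50

[Service]
Type=simple
ExecStart=/path/to/gitweb.cgi --fcgi
# FastCGI convention: the listening socket is passed as fd 0.
StandardInput=socket
# Restart automatically after a genuine crash; a small delay keeps a
# crash loop from consuming the burst budget in well under a second.
Restart=on-failure
RestartSec=1s
# ASSUMPTION: replace with the status gitweb.cgi exits with on a missing
# path (see "status=N" in journalctl -u gitweb.service). With it listed
# here that exit is "success", is not counted as a failure, and the next
# request simply re-activates the service through gitweb.socket.
SuccessExitStatus=EXIT_CODE_PLACEHOLDER
# Least privilege for a read-only, network-reachable worker: the poster
# worried about other remote abuse, and these limit what a compromised
# gitweb process could touch. Read-only repositories work unchanged.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
```

After editing, `systemd-analyze verify gitweb.service` catches misspelled directives, and `systemctl show gitweb.service -p StartLimitBurst -p SuccessExitStatus` confirms the values systemd actually loaded.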