How to get nginx + uwsgi to exec, not display, perl cgi script?
Hi all. I'm setting up a local Git server, with Gitweb + Gitolite. The gitolite wrapper is installed & working. Now I'm working on the Gitweb frontend.

I run Nginx as my webserver, usually with PHP, using fpm. Gitweb's gitweb.cgi looks like it needs perl CGI. For perl CGI I'm trying to get it working with uWSGI:

    https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html
    https://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#example

I installed

    git --version
        git version 2.22.0

    ls -al /usr/share/gitweb/gitweb.cgi
        -rwxr-xr-x 1 root root 247K Jul 24 05:27 /usr/share/gitweb/gitweb.cgi

    grep "\$version =" /usr/share/gitweb/gitweb.cgi
        our $version = "2.22.0";

    nginx -v
        nginx version: nginx/1.17.1

    uwsgi --version
        2.0.18

I set up the nginx vhost

    server {
        listen 127.0.0.1:60080 http2;
        root /usr/share/gitweb;
        index gitweb.cgi;

        location / {
            try_files $uri $uri/ @gitweb;
        }

        location @gitweb {
            root /usr/share/gitweb;
            include uwsgi_params;
            gzip off;
            uwsgi_param UWSGI_SCRIPT gitweb;
            uwsgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
            uwsgi_pass unix:/run/uwsgi/uwsgi.sock;
            uwsgi_modifier1 5;
        }
    }

and the uwsgi server

    /etc/uwsgi/uwsgi.ini

        [uwsgi]
        strict = 1
        master = true
        processes = 2
        binary-path = /usr/sbin/uwsgi
        plugin-dir = /usr/lib64/uwsgi
        logto = /var/log/uwsgi/uwsgi.log
        uid = wwwrun
        gid = www
        umask = 022
        uwsgi-socket = /run/uwsgi/uwsgi.sock
        chmod-socket = 660
        chown-socket = wwwrun:www
        plugins = http,psgi
        chdir = /usr/share/gitweb
        psgi = gitweb.cgi

nginx & uwsgi services are both running

    ps aux | egrep "nginx|uwsgi"
        wwwrun 17463 0.0 0.1  89468 23704 ? Ss 07:03 0:00 /usr/sbin/uwsgi --autoload --ini /etc/uwsgi/uwsgi.ini
        wwwrun 17465 0.0 0.1  97664 17184 ? Sl 07:03 0:00 /usr/sbin/uwsgi --autoload --ini /etc/uwsgi/uwsgi.ini
        wwwrun 17468 0.0 0.1  97664 17184 ? Sl 07:03 0:00 /usr/sbin/uwsgi --autoload --ini /etc/uwsgi/uwsgi.ini
        root   18006 0.0 0.0 211264  4276 ? Ss 07:10 0:00 nginx: master process /opt/nginx/sbin/nginx -c /etc/nginx/nginx.conf -g pid /run/nginx.pid;
        wwwrun 18007 0.0 0.0 211416  5492 ? S  07:10 0:00 nginx: worker process
        wwwrun 18008 0.0 0.0 212068 10300 ? S  07:10 0:00 nginx: worker process
        wwwrun 18009 0.0 0.0 211416  5492 ? S  07:10 0:00 nginx: worker process
        wwwrun 18011 0.0 0.0 211416  5492 ? S  07:10 0:00 nginx: worker process
        wwwrun 18012 0.0 0.0 211452  5052 ? S  07:10 0:00 nginx: cache manager process

    ls -al /run/uwsgi/uwsgi.sock
        srw-rw---- 1 wwwrun www 0 Aug 12 07:03 /run/uwsgi/uwsgi.sock=

When I go to the site

    http://127.0.0.1:60080/

I just get the script listing in the browser

    #!/usr/bin/perl
    # gitweb - simple web interface to track changes in git repositories
    #
    # (C) 2005-2006, Kay Sievers
    # (C) 2005, Christian Gierke
    #
    # This program is licensed under the GPLv2

    use 5.008;
    use strict;
    use warnings;
    ...

No errors anywhere, just the script display. I'm missing something basic since it's not running the script. :-/

Anyone have any experience with gitweb + uwsgi on nginx? Or know a good working example?

Thanks!

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
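Editor's note on the configuration in the post above, with an example configuration that is not from the original post or from the gitweb/uWSGI projects. With `root /usr/share/gitweb;`, `index gitweb.cgi;` and `try_files $uri $uri/ @gitweb;`, a request for `/` matches `$uri/` as an existing directory, the index module internally redirects it to `/gitweb.cgi`, and on that second pass `$uri` matches an existing file, so nginx serves the script's source as a static file and the `@gitweb` fallback (and uWSGI) is never reached. That explains the source listing with no errors logged, and it is also a classic information-disclosure pattern: a directory of executable scripts used as the document root. A second mismatch is the protocol: `uwsgi_modifier1 5` with the `psgi` plugin expects a PSGI application, while gitweb.cgi is a plain CGI script (shebang, reads the CGI environment). The example below keeps the paths, socket and user from the post, moves everything else to uWSGI's CGI plugin (modifier1 9), and gives the proxied location no root/index/try_files so the script can never be handed back as a file. The `/static/` directory, the listen port and the uwsgi.ini option values are assumptions to adapt; the `GITWEB_CONFIG` variable relies on uWSGI's CGI plugin exporting the request variables into the script's environment.

```nginx
# Added example, not the original post's config.
# /etc/nginx/conf.d/gitweb.conf  (path is an assumption)
server {
    listen 127.0.0.1:60080;          # plain HTTP on loopback, as in the post

    # gitweb's CSS/JS/logo live under static/ in most packagings (assumption);
    # serve only that directory, which contains no executable code.
    location /static/ {
        alias /usr/share/gitweb/static/;
    }

    # Every other request goes to uWSGI. There is deliberately no root, index
    # or try_files here, so gitweb.cgi is never matched as a static file.
    location / {
        include uwsgi_params;
        uwsgi_modifier1 9;                               # 9 = CGI protocol (5 is PSGI)
        uwsgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;  # exported to the CGI environment
        uwsgi_pass unix:/run/uwsgi/uwsgi.sock;
    }
}

# /etc/uwsgi/uwsgi.ini  (ini syntax, shown here so the two halves stay together)
#
# [uwsgi]
# strict = 1
# master = true
# processes = 2
# uid = wwwrun
# gid = www
# uwsgi-socket = /run/uwsgi/uwsgi.sock
# chmod-socket = 660
# chown-socket = wwwrun:www
# plugins = cgi                      ; CGI plugin instead of http,psgi
# cgi = /usr/share/gitweb            ; directory the request path is resolved against
# cgi-allowed-ext = .cgi             ; only .cgi files may be executed
# cgi-index = gitweb.cgi             ; run this when the path is a directory, e.g. "/"
```

Check it with `curl -i http://127.0.0.1:60080/`: the response should be gitweb's HTML, not `#!/usr/bin/perl`, and `curl -i http://127.0.0.1:60080/gitweb.cgi` should run the script rather than return its text. gitweb's default query-string URLs (`/?p=repo.git;a=summary`) resolve to `cgi-index`; if `$feature{'pathinfo'}` style URLs are enabled in gitweb.conf they would need additional path mapping, which this example does not cover.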
Re: Fallback default server sharing cert information about other domains than for the URL you visit ?
Thanks for the help. I'm really feeling pretty stupid atm since I can't seem to find & understand a how-to document to get this right :-/

So I have this config

    server {
        listen 80 http2 default_server;
        listen [::]:80 http2 ipv6only=on default_server;
        server_name _;
        return 301 https://$host;
    }

    server {
        listen 172.17.0.1:443 ssl http2 default_server;
        listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
        server_name _;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate "/etc/ssl/dummy.crt.pem";
        ssl_certificate_key "/etc/ssl/dummy.key.pem";
        return 444;
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;
        server_name _;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate "/etc/ssl/dummy.crt.pem";
        ssl_certificate_key "/etc/ssl/dummy.key.pem";
        return 444;
    }

    server {
        listen 172.17.0.1:80 http2;
        listen [FE80:...:0001]:80 http2;
        server_name example.com www.example.com;
        location / {
            return 301 https://example.com$request_uri;
        }
    }

    server {
        listen 172.17.0.1:443 ssl http2;
        listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
        server_name example.com www.example.com;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate "/etc/ssl/chain.crt.pem";
        ssl_certificate_key "/etc/ssl/privkey.pem";
        add_header Strict-Transport-Security "max-age=31536; includeSubDomains; preload";
        location / {...}
    }

With that config, when I try to launch nginx it fails with these errors

    Aug 09 11:29:21 myhost nginx[10095]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)

If I comment out the IP-less listener

    # server {
    #     listen 443 ssl http2 default_server;
    #     listen [::]:443 ssl http2 ipv6only=on default_server;
    #     server_name _;
    #     ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    #     ssl_certificate "/etc/ssl/dummy.crt.pem";
    #     ssl_certificate_key "/etc/ssl/dummy.key.pem";
    #     return 444;
    # }

and try again, I do get a site fail with that "Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for ..." error again.
Re: Fallback default server sharing cert information about other domains than for the URL you visit ?
I'll get a setup I can fool around with more easily and see how that works here.

I notice that you're not using 'default_server' in your listen directive, just 'default'. Reading here

    https://nginx.org/en/docs/http/ngx_http_core_module.html#listen

it's not a listed option, and it says "In versions prior to 0.8.21 this parameter is named simply default." Was that a typo? Or is there a new or different usage now?
Re: Fallback default server sharing cert information about other domains than for the URL you visit ?
Hi,

> you can't expect that they will get the return code.

Okay, I guess that makes sense. Is there any other way to get an attempt to connect to an un-hosted site to get a "nobody home, go away" response? Something other than the current "there's a problem with the cert" mis-message?

> I might be wrong (needs a clarification from nginx dev/support people)

No worry. Hope somebody that's sure will chime in eventually.

> Just for testing purposes (if possible) you could either add the IP to
> both listen directives or remove the ip part from the full-domain
> server {} block to see if it changes anything.

Hm. That doesn't really make sense to me. This server has multiple IPs. The hosted server needs to respond on a specific IP, so it needs the specific IP. The fallback is supposed to work for all "whenever it doesn't match" cases, so it doesn't get an IP, right? Did I misunderstand your point?

> Other than that depending on the requirements the other options are
> just to make a matching server block with a valid certificate (with
> Lets Encrypt it's quite simple and free) or have an *.example.com
> wildcard SSL so the browsers are satisfied with

A subdomain wildcard like that assumes that ALL subdomains of example.com are unhosted. That's not true here. There are an infinite number of possible mismatches. I can't really set up a "valid cert" for each one. This is about the fallback. I thought that's what the fallback is supposed to handle.

Let's see if a 'dev' has some other comments.

Thanks!
Fallback default server sharing cert information about other domains than for the URL you visit ?
Hi,

My own domain, let's say 'example.com', is registered in the HSTS preload database (https://hstspreload.org). I set up my domain as a virtual host in Nginx, /etc/nginx/sites-enabled/example.conf

    server {
        listen 172.17.0.1:80;
        server_name example.com www.example.com;
        location / {
            return 301 https://example.com$request_uri;
        }
    }

    server {
        listen 172.17.0.1:443 ssl http2;
        server_name example.com www.example.com;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate "/etc/ssl/chain.crt.pem";
        ssl_certificate_key "/etc/ssl/privkey.pem";
        add_header Strict-Transport-Security "max-age=31536; includeSubDomains; preload";
        location / {...}
    }

The cert is good for example.com + www.example.com. When I go to https://example.com it works like you would expect.

I also set up a fallback, default server in my main nginx config /etc/nginx/nginx.conf

    ...
    server {
        listen 80 default_server;
        listen [::]:80 ipv6only=on default_server;
        server_name _;
        return 301 https://$host;
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;
        server_name _;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate "/etc/ssl/null.crt.pem";
        ssl_certificate_key "/etc/ssl/nullkey.pem";
        return 444;
    }

    include sites-enabled/*.conf;

If I go to a subdomain of my domain that has a DNS A-record pointing to the same IP, but no Nginx virtual hosted site, https://subdomain.example.com, in the browser I get this message

    Did Not Connect: Potential Security Issue

    Firefox detected a potential security threat and did not continue to subdomain.example.com because this website requires a secure connection.

    What can you do about it?

    subdomain.example.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can't add an exception to visit this site.

    The issue is most likely with the website, and there is nothing you can do to resolve it.

    You can notify the website's administrator about the problem.

    Learn more...

    Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for subdomain.example.com. The certificate is only valid for the following names: example.com, www.example.com

    Error code: SSL_ERROR_BAD_CERT_DOMAIN

    View Certificate

I expect it to fail with a 444, and only have info about the failed subdomain. Why does it respond with cert info about the "example.com, www.example.com" certs at all? Those are only for the full-domain site.

What do I need to set up to just get a fallback 444 response and NO information about any other domain's certs etc, when I visit the un-hosted subdomain.example.com?
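Editor's note with an added example configuration; it is not from any post in this thread. nginx picks a server block in two stages: first by the most specific `listen` address:port that matches the connection, then by `server_name` among only the blocks with that same address:port, falling back to that group's `default_server` (or its first block if none is marked). `default_server` is therefore scoped to an address:port, not global. A fallback on `listen 443 default_server` only ever receives connections that no address-specific `listen` claims, so on 172.17.0.1:443 the example.com block is the only candidate and is the implicit default there; it presents the example.com certificate to every SNI name, which is exactly what Firefox reported. The TLS handshake completes before nginx can send any HTTP status, so `return 444` never influences what the browser shows: with a mismatched certificate, an HSTS-preloaded browser stops at the name check. To get "nobody home" with no certificate information at all, the fallback must share the site's address:port and, on nginx 1.19.4 or later (per the nginx changelog), use `ssl_reject_handshake`, which aborts the handshake with a TLS `unrecognized_name` alert and sends no certificate. Addresses and certificate paths below are taken from the thread; the `location /` body of the site block is a placeholder.

```nginx
# Added example, not the thread's own config.

# Fallback for the SAME address:port the real site uses. Only one block per
# address:port may carry default_server, or nginx fails with
# "a duplicate default server"; repeat this pairing for every address the
# site listens on (e.g. its IPv6 address), since each is matched separately.
server {
    listen 172.17.0.1:443 ssl http2 default_server;
    server_name _;

    # nginx >= 1.19.4: abort the handshake with a TLS "unrecognized_name"
    # alert. No certificate is sent, so the client learns nothing about the
    # names the real certificate covers. Browsers show a connection/protocol
    # error rather than SSL_ERROR_BAD_CERT_DOMAIN. No ssl_certificate needed.
    ssl_reject_handshake on;

    # On older nginx (such as the 1.17.x in this thread) the only option is to
    # present some certificate; the client then sees a name mismatch for THAT
    # certificate, and "return 444" is never reached because the browser
    # aborts before sending the request:
    #
    # ssl_certificate     /etc/ssl/null.crt.pem;
    # ssl_certificate_key /etc/ssl/nullkey.pem;
    # return 444;
}

# The real site, unchanged apart from the placeholder location body.
server {
    listen 172.17.0.1:443 ssl http2;
    server_name example.com www.example.com;
    ssl_trusted_certificate /etc/ssl/trusted.crt.pem;
    ssl_certificate         /etc/ssl/chain.crt.pem;
    ssl_certificate_key     /etc/ssl/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        root /var/www/example.com;   # placeholder; use the real site config here
    }
}
```

Verify without a browser: `openssl s_client -connect 172.17.0.1:443 -servername subdomain.example.com </dev/null` should end in a `tlsv1 alert unrecognized name` handshake failure with no certificate chain printed, while `-servername example.com` prints the example.com chain. Note also that a preload-eligible HSTS header needs `max-age` of at least 31536000 (one year); the value in the example above uses that, where the thread's configs have `31536`.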