How to get nginx + uwsgi to exec, not display, perl cgi script?

2019-08-12 Thread koocr
Hi all.

I'm setting up a local Git server, with Gitweb + Gitolite.

The gitolite wrapper is installed & working.  Now I'm working on the Gitweb 
frontend.

I run Nginx as my webserver.  Usually with PHP, using fpm.

Gitweb's gitweb.cgi looks like it needs perl CGI.

For perl cgi I'm trying to get it working with UWSGI,

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html
https://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#example

I installed

git --version
git version 2.22.0
ls -al /usr/share/gitweb/gitweb.cgi
-rwxr-xr-x 1 root root 247K Jul 24 05:27 /usr/share/gitweb/gitweb.cgi
grep "\$version =" /usr/share/gitweb/gitweb.cgi
our $version = "2.22.0";
nginx -v
nginx version: nginx/1.17.1 
uwsgi --version
2.0.18

I set up the nginx vhost

    server {
        listen 127.0.0.1:60080 http2;
        root   /usr/share/gitweb;
        index  gitweb.cgi;

        location / {
            try_files $uri $uri/ @gitweb;
        }
        location @gitweb {
            root /usr/share/gitweb;
            include uwsgi_params;
            gzip off;
            uwsgi_param UWSGI_SCRIPT gitweb;
            uwsgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
            uwsgi_pass unix:/run/uwsgi/uwsgi.sock;
            uwsgi_modifier1 5;
        }
    }

and the uwsgi server

/etc/uwsgi/uwsgi.ini
[uwsgi]
strict = 1

master = true
processes = 2

binary-path = /usr/sbin/uwsgi
plugin-dir = /usr/lib64/uwsgi
logto = /var/log/uwsgi/uwsgi.log

uid = wwwrun
gid = www
umask = 022

uwsgi-socket = /run/uwsgi/uwsgi.sock
chmod-socket = 660
chown-socket = wwwrun:www

plugins = http,psgi
chdir = /usr/share/gitweb
psgi = gitweb.cgi


nginx & uwsgi services are both running

ps aux | egrep "nginx|uwsgi"
wwwrun   17463  0.0  0.1  89468 23704 ?  Ss   07:03  0:00 /usr/sbin/uwsgi --autoload --ini /etc/uwsgi/uwsgi.ini
wwwrun   17465  0.0  0.1  97664 17184 ?  Sl   07:03  0:00 /usr/sbin/uwsgi --autoload --ini /etc/uwsgi/uwsgi.ini
wwwrun   17468  0.0  0.1  97664 17184 ?  Sl   07:03  0:00 /usr/sbin/uwsgi --autoload --ini /etc/uwsgi/uwsgi.ini
root     18006  0.0  0.0 211264  4276 ?  Ss   07:10  0:00 nginx: master process /opt/nginx/sbin/nginx -c /etc/nginx/nginx.conf -g pid /run/nginx.pid;
wwwrun   18007  0.0  0.0 211416  5492 ?  S    07:10  0:00 nginx: worker process
wwwrun   18008  0.0  0.0 212068 10300 ?  S    07:10  0:00 nginx: worker process
wwwrun   18009  0.0  0.0 211416  5492 ?  S    07:10  0:00 nginx: worker process
wwwrun   18011  0.0  0.0 211416  5492 ?  S    07:10  0:00 nginx: worker process
wwwrun   18012  0.0  0.0 211452  5052 ?  S    07:10  0:00 nginx: cache manager process

ls -al /run/uwsgi/uwsgi.sock
srw-rw 1 wwwrun www  0 Aug 12 07:03 /run/uwsgi/uwsgi.sock=

when I go to the site

http://127.0.0.1:60080/

I just get the script listing in the browser

#!/usr/bin/perl
 
# gitweb - simple web interface to track changes in git repositories
#
# (C) 2005-2006, Kay Sievers 
# (C) 2005, Christian Gierke
#
# This program is licensed under the GPLv2
 
use 5.008;
use strict;
use warnings;
...

no errors anywhere, just the script display.

I'm missing something basic since it's not running the script. :-/

Anyone have any experience with gitweb + uwsgi on nginx?  Or know a good 
working example?

Thanks!
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
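As an added example (not the poster's config and not gitweb's or uwsgi's own), here is the vhost rewritten so nginx can never resolve gitweb.cgi to a file on disk. In the posted vhost, "index gitweb.cgi" plus "try_files $uri $uri/ @gitweb" turns a request for "/" into "/gitweb.cgi", which "location /" finds as an existing file and serves verbatim, so the Perl source (and the GITWEB_CONFIG path) is disclosed instead of executed. The socket path, UWSGI_SCRIPT and GITWEB_CONFIG values are the posted ones; it is assumed that gitweb's static assets live in /usr/share/gitweb/static and that the uwsgi side is configured to execute the script under the plugin that uwsgi_modifier1 names.

```nginx
# Added example, not from the thread. Plain HTTP/1.1 is enough for a localhost test.
server {
    listen 127.0.0.1:60080;
    root   /usr/share/gitweb;
    # No "index gitweb.cgi": an index directive is what turned "/" into a
    # static-file hit on the script in the original vhost.

    # Gitweb's CSS, JS and images (assumed to be under /usr/share/gitweb/static)
    # are the only things the static file handler may ever serve.
    location /static/ {
        try_files $uri =404;
    }

    # Everything else, including a direct request for /gitweb.cgi, goes to the
    # uwsgi socket. There is deliberately no try_files here, so no request can
    # fall through to the filesystem and have the script's source served.
    location / {
        include         uwsgi_params;
        uwsgi_param     UWSGI_SCRIPT  gitweb;                    # as posted
        uwsgi_param     GITWEB_CONFIG /etc/gitweb/gitweb.conf;   # as posted
        uwsgi_pass      unix:/run/uwsgi/uwsgi.sock;
        # Must match the uwsgi plugin that actually runs the script
        # (5 is the psgi plugin the posted uwsgi.ini loads).
        uwsgi_modifier1 5;
        gzip            off;
    }
}
```

After `nginx -t` and a reload, `curl -s http://127.0.0.1:60080/ | head -1` must no longer return the `#!/usr/bin/perl` shebang; if it does, the request is still reaching the file on disk rather than the socket.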


Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

2019-08-09 Thread koocr
Thanks for the help.
I'm really feeling pretty stupid atm since I can't seem to find & understand a 
how-to document to get this right :-/

So I have this config

    server {
        listen 80      http2 default_server;
        listen [::]:80 http2 ipv6only=on default_server;
        server_name _;
        return 301 https://$host;
    }

    server {
        listen 172.17.0.1:443        ssl http2 default_server;
        listen [FE80:...:0001]:443   ssl http2 ipv6only=on default_server;
        server_name _;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate         "/etc/ssl/dummy.crt.pem";
        ssl_certificate_key     "/etc/ssl/dummy.key.pem";
        return 444;
    }

    server {
        listen 443      ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;
        server_name _;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate         "/etc/ssl/dummy.crt.pem";
        ssl_certificate_key     "/etc/ssl/dummy.key.pem";
        return 444;
    }

    server {
        listen 172.17.0.1:80        http2;
        listen [FE80:...:0001]:80   http2;
        server_name example.com www.example.com;
        location / {
            return 301 https://example.com$request_uri;
        }
    }

    server {
        listen 172.17.0.1:443        ssl http2;
        listen [FE80:...:0001]:443   ssl http2 ipv6only=on default_server;
        server_name example.com www.example.com;
        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate         "/etc/ssl/chain.crt.pem";
        ssl_certificate_key     "/etc/ssl/privkey.pem";
        add_header Strict-Transport-Security "max-age=31536; includeSubDomains; preload";
        location / {...}
    }

With that config when I try to launch nginx it fails with these errors

Aug 09 11:29:21 myhost nginx[10095]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)

If I comment out the IP-less listener

    #   server {
    #       listen 443      ssl http2 default_server;
    #       listen [::]:443 ssl http2 ipv6only=on default_server;
    #       server_name _;
    #       ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    #       ssl_certificate         "/etc/ssl/dummy.crt.pem";
    #       ssl_certificate_key     "/etc/ssl/dummy.key.pem";
    #       return 444;
    #   }

and try again, I do get a site fail with that "Websites prove their identity 
via certificates. Firefox does not trust this site because it uses a 
certificate that is not valid for ..." error again.


Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

2019-08-09 Thread koocr
I'll get a set up I can fool around with that more easily and see how that 
works here.

I notice that you're not using 'default_server' in your listen directive, just 
'default'.

Reading here

  https://nginx.org/en/docs/http/ngx_http_core_module.html#listen

It's not a listed option and it says

"In versions prior to 0.8.21 this parameter is named simply default. "

Was that a typo?  Or is there a new or different usage now ?


Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

2019-08-09 Thread koocr
Hi,

> you can't  expect that they will get the return code.

Okay I guess that makes sense.

Is there any other way to get an attempt to connect to an un-hosted site to get 
a "nobody home, go away" response?
Something other than the current "there's a problem with the cert" mis-message?

> I might be wrong (needs a clarification from nginx dev/support people) 

No worry.   Hope somebody that's sure will chime in eventually.

> Just for testing purposes (if possible) you could either add the IP to 
> both listen directives or remove the ip part from the full-domain 
> server {} block to see if it changes anything.

Hm.  That doesn't really make sense to me.

This server has multiple IPs.  The hosted server needs to respond on a specific 
IP, so it needs the specific IP.

The fallback is supposed to work for all "whenever it doesn't match" cases, so 
it doesn't get an IP, right?

Did I misunderstand your point?

> Other than that depending on the requirements the other options are 
> just to make a matching server block with a valid certificate (with 
> Lets Encrypt it's quite simple and free) or have an *.example.com 
> wildcard SSL so the browsers are satisfied with 


A subdomain wildcard like that assumes that ALL subdomains of example.com are 
unhosted.  That's not true here. 

There are an infinite number of  possible mismatches.  I can't really set up a 
"valid cert" for each one.

This is about the fallback.  I thought that's what the fallback is supposed to 
handle.

Let's see if a 'dev' has some other comments.

Thanks!


Fallback default server sharing cert information about other domains than for the URL you visit ?

2019-08-09 Thread koocr
Hi,

My own domain, let's say 'example.com', is registered in the HSTS preload 
database (https://hstspreload.org).

I setup my domain as virtual host in Nginx,

/etc/nginx/sites-enabled/example.conf

    server {
        listen 172.17.0.1:80;
        server_name example.com www.example.com;
        location / {
            return 301 https://example.com$request_uri;
        }
    }

    server {
        listen 172.17.0.1:443 ssl http2;
        server_name example.com www.example.com;

        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate         "/etc/ssl/chain.crt.pem";
        ssl_certificate_key     "/etc/ssl/privkey.pem";

        add_header Strict-Transport-Security "max-age=31536; includeSubDomains; preload";

        location / {...}
    }

The cert is good for example.com + www.example.com.

When I go to

https://example.com

it works like you would expect.


I also set up a fallback, default server in my main nginx config

/etc/nginx/nginx.conf

    ...
    server {
        listen 80      default_server;
        listen [::]:80 ipv6only=on default_server;
        server_name _;
        return 301 https://$host;
    }

    server {
        listen 443      ssl http2 default_server;
        listen [::]:443 ssl http2 ipv6only=on default_server;
        server_name _;

        ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
        ssl_certificate         "/etc/ssl/null.crt.pem";
        ssl_certificate_key     "/etc/ssl/nullkey.pem";

        return 444;
    }
    include sites-enabled/*.conf;

If I go to a subdomain of my domain that has a DNS A-record pointing to the 
same IP, but no Nginx virtual hosted site,

https://subdomain.example.com

in the browser I get this message

Did Not Connect: Potential Security Issue
 Firefox detected a potential security threat and did not continue to 
subdomain.example.com because this website requires a secure connection.
 What can you do about it?
 subdomain.example.com has a security policy called HTTP Strict 
Transport Security (HSTS), which means that Firefox can only connect to it 
securely. You can’t add an exception to visit this site.
 The issue is most likely with the website, and there is nothing you 
can do to resolve it. You can notify the website’s administrator about the 
problem.
 Learn more…

Websites prove their identity via certificates. Firefox does 
not trust this site because it uses a certificate that is not valid for 
subdomain.example.com. The certificate is only valid for the following names: 
example.com, www.example.com
 
Error code: SSL_ERROR_BAD_CERT_DOMAIN
View Certificate

I expect it to fail with a 444, and only have info about the failed subdomain.

Why does it respond with cert info about the "example.com, www.example.com" 
certs at all?  Those are only for the full-domain site.

What do I need to set up to just get a fallback 444 response and NO information 
about any other domain's certs etc, when I visit the un-hosted 
subdomain.example.com?

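As an added example that is not from the thread: nginx selects a server block first by the address:port the connection arrived on and only then by the SNI/Host name, so a default_server declared on the wildcard 443 in nginx.conf never sees a connection to 172.17.0.1:443. On that address the example.com block is the only server and therefore the implicit default, which is why an unknown name such as subdomain.example.com is shown its certificate. The catch-all has to share the exact address:port of the hosted site; certificate paths below are the posted ones, the document root is assumed.

```nginx
# Added example, not the poster's config. Both blocks listen on the SAME
# address:port; nginx dispatches by address:port first, SNI name second.

# Catch-all for 172.17.0.1:443. Marked default_server on that exact address,
# so any SNI name that matches no server_name lands here and only ever sees
# the placeholder certificate, never the example.com one.
server {
    listen 172.17.0.1:443 ssl http2 default_server;
    server_name _;

    # Self-signed placeholder naming no real host (assumed to exist at this path).
    # A client connecting for an unknown name gets a certificate error that
    # reveals nothing about which domains are actually hosted here.
    ssl_certificate     /etc/ssl/dummy.crt.pem;
    ssl_certificate_key /etc/ssl/dummy.key.pem;

    return 444;   # close the connection without sending a response
}

# The hosted site. Chosen only when SNI/Host is example.com or www.example.com.
server {
    listen 172.17.0.1:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate         /etc/ssl/chain.crt.pem;
    ssl_certificate_key     /etc/ssl/privkey.pem;
    ssl_trusted_certificate /etc/ssl/trusted.crt.pem;

    # hstspreload.org requires max-age of at least one year (31536000 s);
    # "always" keeps the header on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    root /srv/www/example.com;   # assumed document root
}
```

Verify with `openssl s_client -connect 172.17.0.1:443 -servername subdomain.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, which must now print the placeholder's subject rather than example.com. From nginx 1.19.4 on, the catch-all can use `ssl_reject_handshake on;` instead of a dummy certificate, refusing the TLS handshake for unknown names outright.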