fastCGI

Tim ignored_mailbox at yahoo.com.au
Fri Jun 14 14:50:16 UTC 2013


Allegedly, on or about 14 June 2013, Rafnews sent:
> Goal:
> I'm trying to create at home a webserver for testing purposes, having 
> the same behavior as webhosting companies offer.
> The purpose behind that is to have a representative environment when
> testing, so as not to have particular "surprises" with web applications I 
> developed when migrating them to production servers.

And that is something I did years ago, for the same reasons you outline.

The files I serve from my webserver are owned by me.
The CGI scripts the webserver runs are owned by me.

The directory permissions for the webserver, right back to the first
directory in the path, have the "other" user permissions of readable and
executable (user and group permissions don't matter, because they
pertain to me, not the webserver).  e.g. rwx---r-x  This needs to be
done with the /var directory, the /var/www/ directory, and any further
sub-directories.

The file permissions for the webserver, for the files it will serve,
have the "other" user permissions of readable and executable (again,
user and group permissions don't matter, because they pertain to me, not
the webserver).  e.g.  rw----r--

The script permissions *may* have to have the executable bit set, too,
but that hasn't been the case with the scripts I was playing with.
That'll probably depend on whatever handles the scripts.

If SELinux is enforcing restrictions on your server, then the SELinux
contexts have to be appropriately set to allow it.  This will be done,
by default, if you directly create your webfiles in the normal places
for serving them (in ~/public_html/ or in /var/www/html/), or if you
copy files from somewhere else to either of those locations.  The
contexts will be wrong if you *move* files to those locations.  In that
case you will need to reset the SELinux attributes on those files to
their defaults, after putting the files in place.

I have served files from ~/public_html/ and /var/www/html/ in this way
for many years.  To make life easier for me, I've either changed the
ownership of /var/www/html/ to myself, so I can easily write files in
the web root directories.  Or, I've created a subdirectory that I own
in /var/www/html/, for the same reason, and that's where I serve my test
files from.

> for now, all files/folders have correct permissions but owner is 
> apache:apache

This is a VERY BAD IDEA.  As various messages have said, mine included,
servable files should be owned by the author, not apache.  There are
three file permission groups, owner, group, and other.  The third group,
"other," is what everyone else is allowed to do with the files, everyone
else being whoever is not the individual-owner or the group-owner.
These are the permissions that let apache read *your* files.

I'm not familiar with FastCGI, but just looking quickly at it, it looks
like a replacement program so that *it* runs your CGI instead of Apache
doing it.  I don't know if that's a real advantage, or just a perceived
one.

> 1. FastCGI settings:
> My webserver was running (on PHP 5.4, _not php-fpm_) correctly using
> the standard Apache 2.4 handler, now I'm trying to make use of FastCGI
> but without success.
> Here is my php.conf file setting from apache 2.4.4:
> 
>     DirectoryIndex index.php
> 
>     php_value session.save_handler "files"
>     php_value session.save_path    "/var/lib/php/session"
> 
> 
> I removed the addtype and handler as suggested on internet. I added in
> myvhosts.conf the following thing (within <VirtualHost *:80> tag):
> <IfModule proxy_module>
>     ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1/var/www/html/info/$1
> </IfModule>
> 
> where info is 1 subdirectory of my webroot.
> 
> Apache starts, however when I want to access the webpage I get the 
> following error (in vhost log dedicated to my website):
> [Fri Jun 14 14:16:07.827425 2013] [proxy:error] [pid 24500] 
> (111)Connection refused: AH00957: FCGI: attempt to connect to 
> 127.0.0.1:8000 (*) failed
> [Fri Jun 14 14:16:07.827539 2013] [proxy_fcgi:error] [pid 24500]
> [client 
> 127.0.0.1:40982] AH01079: failed to make connection to backend:
> 127.0.0.1
> 
> Q1: my webserver (even if it is a local webserver for testing) has a 
> fixed IP address. Should I use it in <ifModule proxy_module> tag
> instead of 127.0.0.1 ?

My guess would be that if it's acting as a proxy listening on 127.0.0.1
then you need to access your webbrowser through http://127.0.0.1/.  If
you prefer to use its actual network IP address, then your
configuration probably needs to specify that it listens on that address,
too.

You may need to open up your firewall, too.  It's probably blocking
access.  By this, I mean open up appropriate holes through it, not
switch the entire firewall off.

If SELinux is enforcing restrictions on your computer, then you may also
need to set options to allow access to the webserver on the ports that
you're using.  The defaults are probably to disallow it.  They used to
be, but I haven't looked at such settings on more recent Fedora releases
to see what the defaults are.

> Q2: port in error log is 8000, where can I set it ? Is it possible to 
> tell fastCGI to use standard 80 and to not conflict with standard
> http ? If yes, how ?

If it's acting as a proxy, it may need to be on a different port than
the webserver.

> 2. suExec:
> While checking httpd logs I discovered that:
> [suexec:notice] [pid 24705] AH01232: suEXEC mechanism enabled
> (wrapper: 
> /usr/sbin/suexec)
> 
> So it means suExec is running on server.
> If I change all files/folders owner to
> "rafnews:rafnews" (files/folders 
> in /var/www/html) apache does not work and no webpage is displayed.
> 
> So where is my mistake ?

Probably permissions of the files you're trying to work with.

Before you start playing with CGI, or other scripting, first get flat
file serving to work (i.e. static .html pages).  Then, move onto the
more complex things.

-- 
[tim at localhost ~]$ uname -rsvp
Linux 3.8.13-100.fc17.x86_64 #1 SMP Mon May 13 13:36:17 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
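
An added example, not part of the message above: a shell function that checks
the rules the reply describes. Every directory from a chosen top directory down
to the served file must have the "other" read and execute bits, the file must
have the "other" read bit, and nothing may be owned by the web server account.
The function name, its arguments and the default account name apache are
assumptions for illustration; it relies on stat -c and readlink -f (GNU
coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: audit_served_path FILE [TOP_DIR] [SERVER_USER]
#   e.g. audit_served_path /var/www/html/index.html / apache
# Walks from FILE up to TOP_DIR (default /), printing one finding per line.
# Returns 0 when nothing is wrong, 1 when there are findings, 2 on bad input.
audit_served_path() (
    path=$(readlink -f -- "$1") || exit 2
    top=$(readlink -f -- "${2:-/}") || exit 2
    server_user=${3:-apache}
    [ -e "$path" ] || exit 2
    rc=0
    while :; do
        # %A is the symbolic mode, e.g. drwx---r-x; characters 8-10
        # are the "other" triplet that applies to the web server.
        bits=$(stat -c '%A' "$path" | cut -c8-10)
        owner=$(stat -c '%U' "$path")
        case $bits in
            r??) ;;
            *) echo "other-unreadable ($bits): $path"; rc=1 ;;
        esac
        if [ -d "$path" ]; then
            # x (or t: sticky bit plus x) allows traversing the directory.
            case $bits in
                ??x|??t) ;;
                *) echo "other-untraversable ($bits): $path"; rc=1 ;;
            esac
        fi
        # Rule from the post: served content belongs to its author, not
        # to the server account. A file's owner can always change its
        # mode and contents, whatever the permission bits say.
        if [ "$owner" = "$server_user" ]; then
            echo "owned-by-server-user ($owner): $path"; rc=1
        fi
        [ "$path" = "$top" ] && break
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    exit $rc
)
```
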




