Improve systemd units #17
The current https://github.com/gnosek/fcgiwrap/blob/master/systemd/fcgiwrap.service#L6 does not work on an Archlinux system. I spent HOURS over nginx 403 Forbidden errors. Eventually I came up with: http://ix.io/7kP And to my surprise I found a service file in the Arch packaging that isn't utilised: https://projects.archlinux.org/svntogit/community.git/tree/trunk/fcgiwrap.service?h=packages/fcgiwrap I don't know who to blame, though I guess I will report a bug on Archlinux now too.
I disagree. http://code.falconindy.com is using the upstream fcgiwrap.service and fcgiwrap.socket without any problems. You'll need to be more specific than "does not work." Being the original author of these units and someone who's reliant on them, I strongly oppose simply deleting the old units as it will break existing setups.
I get "502 Bad Gateway" with your default http://ix.io/7kQ However if I use my own spawn-fcgi invocation, it works: http://ix.io/7kP My nginx.conf is http://sprunge.us/hEZT Any ideas how to debug this?
Ok nevermind @falconindy, your service file does seem to work after all. I'm using it upon http://cam.hackerspace.sg/ Thanks for your time,
Any chance to have this merged? Old file can easily be moved to new one by a If upstream still wants to maintain arch specific files, I can push a new version which doesn't touch old files.
Any progress on this?
@seblu I'm not sure what the benefit is for folks to use non-http user convention? It's bad enough that it's different from Debian's www-data and dealing with all the annoying perms.
@@ -21,9 +21,16 @@ CFLAGS = @AM_CFLAGS@ | |||
|
|||
fcgiwrap: fcgiwrap.c | |||
|
|||
systemd/[email protected]: systemd/[email protected] | |||
sed -e 's,[@]sbindir[@],@sbindir@,g' < $< > $@ |
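Review bot: The sed rule redirects straight into the target (`> $@`), so if sed fails or make is interrupted, a truncated or empty socket unit is left behind with a fresh timestamp and later make runs treat it as already built. Write to a temporary file and rename it only on success, for example `sed -e 's,[@]sbindir[@],@sbindir@,g' < $< > $@.tmp && mv $@.tmp $@`, so a broken unit file cannot end up installed.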
Shouldn't this be $(SED) when using AC_PROG_SED?
@kaihendry Privilege separation, defence in depth? The web user has no rights to read "private" git dirs of cgit for example?
Looks good to me, please apply @Lekensteyn's suggestions and I'll (finally!) merge it.
Instead of having a socket for a static and predefined user http, this patch allows to easily set up multiple sockets with your needed users. This is particularly useful when you want to have a socket for a dedicated user.
You can create an http socket (in /run/fcgiwrap-http.sock) with:
$ systemctl enable [email protected]
and if you need a socket for munin (in /run/fcgiwrap-munin.sock):
$ systemctl enable [email protected]
Suggestions applied. Should be ok.
LGTM for user-specific fcgiwraps (personally I use |
@seblu to improve upon this pull request, could you apply the following changes?
Group socket files in a subdirectory, and make them accessible by the httpd user/group only:
Create the shared runtime directory at boot using tmpfiles.d:
Add configure options to set the httpd user/group: