DaemonForums  

#1  toprank, 11th March 2018
httpd.conf serving /location requests

I'm having some difficulty switching completely to OpenBSD httpd, and getting my httpd.conf correctly serving domain.tld/app requests from its location.

The PHP app resides in /var/www/app but domain.tld/app requests return a 404 not found error.

This is my full httpd.conf. I've tried a number of different syntaxes for this but have only been successful when creating a new server "app.domain.tld" serving requests from root "/var/www/app", but would prefer being able to reach this app at /app.

Code:
server "domain.tld" {
        alias www.domain.tld
        listen on * port 80
        listen on * tls port 443
        directory index index.php
        
        tls {
                key "/etc/ssl/private/domain.tld.key"
                certificate "/etc/ssl/domain.tld.fullchain.pem"
        }

        connection max request body 5000000000

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/app*" {
                root "/app"
        }

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2 
        }
}

server "cloud.domain.tld" {
        listen on * tls port 443
        root "/cloud/"
        directory index index.php
        tls {
                key "/etc/ssl/private/domain.tld.key"
                certificate "/etc/ssl/domain.tld.fullchain.pem"
        }
        hsts

        location "/db_structure.xml" { block }
        location "/.ht*"             { block }
        location "/README"           { block }
        location "/data*"            { block }
        location "/config*"          { block }

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }
}

#2  jggimi, 11th March 2018

Your application uses PHP, but that location (/app*) does not have a PHP socket. Remember, the purpose of location is to specify specific server rules that are not applicable to the entire server{}.

#3  toprank, 13th March 2018

Ah! Thanks, jggimi. I thought the preceding fastcgi directive would cover this location too.

I'm making progress. The following now returns an "Access denied."

Code:
        location "/app*" {
                root "/app"
                authenticate itac with "/file"
                fastcgi socket "/run/php-fpm.sock"
                directory index index.php
       }

The authenticate dialog box appears, but after entering credentials I'm presented with the "Access denied." screen. The only error in /var/www/logs/error.log is:

Code:
Access to the script '/app' has been denied (see security.limit_extensions)

But I don't know that changing the default in /etc/php-fpm.conf is the right thing to do.

#4  jggimi, 13th March 2018

From http://php.net/manual/en/install.fpm.configuration.php

security.limit_extensions string

Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php .phar

#5  toprank, 14th March 2018

The "You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code." concerns me.

Interestingly, moving /app from /var/www/app to /var/www/htdocs/app makes domain.tld/app accessible. I don't get the security.limit_extensions error that I was getting with /app at the former location and the previously shown httpd.conf config; but I can't discern the difference in httpd.conf.

Failed httpd.conf with /var/www/app:

Code:
server "domain.tld" {
        alias www.domain.tld
        listen on * port 80
        listen on * tls port 443
        directory index index.php
        
        tls {
                key "/etc/ssl/private/domain.tld.key"
                certificate "/etc/ssl/domain.tld.fullchain.pem"
        }

        connection max request body 5000000000

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/app*" {
                root "/app"
                authenticate itac with "/file"
                fastcgi socket "/run/php-fpm.sock"
                directory index index.php
       }

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2 
        }
}

server "cloud.domain.tld" {
        listen on * tls port 443
        root "/cloud/"
        directory index index.php
        tls {
                key "/etc/ssl/private/domain.tld.key"
                certificate "/etc/ssl/domain.tld.fullchain.pem"
        }
        hsts

        location "/db_structure.xml" { block }
        location "/.ht*"             { block }
        location "/README"           { block }
        location "/data*"            { block }
        location "/config*"          { block }

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }
}

Successful httpd.conf with /var/www/htdocs/app:

Code:
server "domain.tld" {
        alias www.domain.tld
        listen on * port 80
        listen on * tls port 443
        directory index index.php
        
        tls {
                key "/etc/ssl/private/domain.tld.key"
                certificate "/etc/ssl/domain.tld.fullchain.pem"
        }

        connection max request body 5000000000

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2 
        }
}

server "cloud.domain.tld" {
        listen on * tls port 443
        root "/cloud/"
        directory index index.php
        tls {
                key "/etc/ssl/private/domain.tld.key"
                certificate "/etc/ssl/domain.tld.fullchain.pem"
        }
        hsts

        location "/db_structure.xml" { block }
        location "/.ht*"             { block }
        location "/README"           { block }
        location "/data*"            { block }
        location "/config*"          { block }

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }
}

There must be a difference between the two configurations, but I'm missing it!
Reply With Quote
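
An added example, not code from any poster in this thread: a small model of how the two configurations in post #5 route a request, showing which location handles /app and whether PHP-FPM's security.limit_extensions would accept it. It assumes httpd's first-matching-location rule and that a fastcgi location hands the request path to FPM as the script name (consistent with the '/app' in the error log above); locations() and route() are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the location blocks of the "failed" server "domain.tld"
# from the thread, with the listen and tls lines left out.
FAILED = '''
location "/*.php*" {
        fastcgi socket "/run/php-fpm.sock"
}
location "/app*" {
        root "/app"
        authenticate itac with "/file"
        fastcgi socket "/run/php-fpm.sock"
        directory index index.php
}
location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
}
'''
# The "successful" config is the same server minus the "/app*" block.
WORKING = re.sub(r'location "/app\*" \{.*?\}\n', "", FAILED, flags=re.S)

LIMIT_EXTENSIONS = (".php", ".phar")   # FPM default quoted in the thread

def locations(conf):
    """Return [(glob pattern, uses fastcgi)] in file order."""
    blocks = re.findall(r'location\s+"([^"]+)"\s*\{([^}]*)\}', conf)
    return [(pat, "fastcgi" in body) for pat, body in blocks]

def route(conf, path):
    """Model one request: the first matching location wins.

    Assumption: a fastcgi location passes the request path to FPM as the
    script name, which FPM then checks against security.limit_extensions.
    """
    for pat, fastcgi in locations(conf):
        if fnmatchcase(path, pat):          # shell globbing, '*' spans '/'
            if not fastcgi:
                return (pat, "static")
            ok = path.endswith(LIMIT_EXTENSIONS)
            return (pat, "fpm-ok" if ok else "fpm-denied")
    return (None, "static")                 # server-level rules, no fastcgi

if __name__ == "__main__":
    for name, conf in (("failed", FAILED), ("working", WORKING)):
        for path in ("/app", "/app/index.php"):
            print(name, path, route(conf, path))
```

In this model the only request whose outcome differs between the two configurations is /app itself: the "/app*" location sends it to FPM without a .php suffix, while without that block httpd handles it under the server-level rules.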