
Abstract

So recently I upgraded Foswiki from 1.2 (never released, but I had it) to 2.1.4. My adventures with this were mostly successful, thanks to the timely help of GeorgeClark. I found that I had to do some coding to get it to work the way I wanted, so I'm detailing that work here in case anyone finds it useful.

Strategy

I use nginx. The idea is to use FastCGI to proxy requests to the Foswiki daemon, but I do not want to do this over the loopback interface, for security and performance reasons. What I want is for nginx to proxy to a unix domain socket, just as I already do for Mojolicious and PHP. My rationale for this is twofold:
  1. Using unix domain sockets is generally more performant than using the loopback IP. An actual IP socket needs socket memory in the kernel, and you run into things like TIME_WAIT on localhost sockets (solvable with the net.inet.tcp.nolocaltimewait sysctl, but still).
  2. If you run a web server doing a lot of different things, the localhost interface is not as secure as a unix domain socket. If you share a server with PHP, it's common for PHP to be tricked into writing to the localhost interface, and you absolutely do not want something or someone constructing their own FastCGI requests.
I also want Foswiki to be started the FreeBSD way, with a proper rc.d script that observes the controls and overrides in /etc/rc.conf.

Implementation

The first order of business is the rc.d script. Attached to this page is a decent, working rc.d script for FreeBSD.

There is a permission issue with the unix domain socket. On FreeBSD we tend to run services with their own uid and gid as a security measure. So, for example, nginx runs as the uid/gid nginx/nginx, and Foswiki will run as foswiki/foswiki. This provides the best isolation from a unix permission standpoint. However, we now have a problem: the Foswiki daemon, running as foswiki, will create the socket owned by foswiki and not by nginx. When nginx goes to write to the FastCGI socket, it will get a permission denied (which usually shows up as a 5XX error on the web). This is not what we want.

So an awesome fix for this is to leave the socket owned by foswiki but change its group to nginx and then change the mode to 0660.

The rc.d script has hooks to do this for you. In fact, if you see a better way to implement this, you can set the appropriate variables in /etc/rc.conf to achieve your own implementation.

The rc.d script also has hooks for setting everything I could think of. Its defaults conform to what you will get if you install Foswiki via ports (which you should do).

If you use this script, you'll need to create the /var/run/foswiki directory, owned by foswiki and mode 755.
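The socket-ownership fix (socket owned by foswiki, group nginx, mode 0660) and the run-directory requirement above, as an added shell example. This is not the rc.d script attached to this page; it assumes the names used in the text (user foswiki, group nginx, /var/run/foswiki), the socket file name foswiki.sock is an assumption, and the variables default the way rc.conf overrides would. The check function is the part worth keeping: it reports the exact owner/group/mode mismatch that otherwise only shows up as a 5XX from nginx.

```shell
#!/bin/sh
# Added example, not the rc.d script attached to this page.
# Assumptions: the names from the text (user foswiki, group nginx,
# /var/run/foswiki); the socket file name foswiki.sock is an assumption.
# Variables default the way rc.conf overrides would.

: "${foswiki_user:=foswiki}"
: "${foswiki_socket_group:=nginx}"
: "${foswiki_socket_mode:=0660}"
: "${foswiki_rundir:=/var/run/foswiki}"
: "${foswiki_socket:=$foswiki_rundir/foswiki.sock}"

# Print "owner:group:mode" for a path; BSD stat on FreeBSD, GNU stat elsewhere.
file_perms() {
    case $(uname -s) in
        FreeBSD|OpenBSD|NetBSD|Darwin) stat -f '%Su:%Sg:%OLp' "$1" ;;
        *)                             stat -c '%U:%G:%a' "$1" ;;
    esac
}

# Strip leading zeros so "0660" and "660" compare equal.
norm_mode() {
    printf '%s\n' "$1" | sed 's/^0*//'
}

# Succeed only when PATH is owned by OWNER:GROUP with exactly MODE.
# This is the check that catches the "permission denied -> 5XX" state.
check_socket_perms() {
    path=$1
    want="$2:$3:$(norm_mode "$4")"
    set -- $(file_perms "$path" 2>/dev/null | tr ':' ' ')   # owner group mode
    have="${1:-?}:${2:-?}:$(norm_mode "${3:-?}")"
    [ "$have" = "$want" ] && return 0
    echo "$path is $have, want $want" >&2
    return 1
}

# Apply owner/group/mode to the socket the daemon created, then verify.
# An rc.d script would call this from start_postcmd, once the socket exists.
fix_socket_perms() {
    path=${1:-$foswiki_socket}
    owner=${2:-$foswiki_user}
    group=${3:-$foswiki_socket_group}
    mode=${4:-$foswiki_socket_mode}
    [ -e "$path" ] || { echo "$path does not exist yet" >&2; return 1; }
    chown "$owner:$group" "$path" || return 1
    chmod "$mode" "$path" || return 1
    check_socket_perms "$path" "$owner" "$group" "$mode"
}

# Create the run directory the text asks for: owned by foswiki, mode 0755.
prepare_rundir() {
    dir=${1:-$foswiki_rundir}
    owner=${2:-$foswiki_user}
    mkdir -p "$dir" && chown "$owner" "$dir" && chmod 0755 "$dir"
}

# Stand-alone demo on a temporary file standing in for the socket (constructed;
# uses the current user and primary group so it runs without root).
demo() {
    me=$(id -un); mygrp=$(id -gn)
    tmp=$(mktemp) || return 1
    fix_socket_perms "$tmp" "$me" "$mygrp" 0660 || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"          # recreate the wrong state: group cannot write
    if check_socket_perms "$tmp" "$me" "$mygrp" 0660 2>/dev/null; then
        rm -f "$tmp"; return 1     # the check must fail here
    fi
    rm -f "$tmp"
    echo "socket permission helpers behave as expected"
}
```

Run `prepare_rundir` once at install time and `fix_socket_perms` after the daemon has created its socket; the mode is deliberately 0660 rather than 0666 so that only the foswiki user and members of the nginx group can open the FastCGI socket.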

-- DaveHayes - 28 Nov 2017

Topic attachments

Attachment: foswiki.freebsd (1 K, 28 Nov 2017 - 22:41, DaveHayes): rc.d script for starting foswiki on FreeBSD
Topic revision: r2 - 11 Dec 2017, DaveHayes
