Abstract
So recently I upgraded foswiki from 1.2 (never released, but I had it) to 2.1.4. My adventures with this were mostly successful, thanks to the timely help of GeorgeClark. I found that I had to do some coding to get it to work like I wanted, so I'm detailing this work here in case anyone finds it useful.
Strategy
I use nginx. The idea for me is to use fastcgi to proxy requests to the foswiki daemon, but I do not want to do this over the loopback interface, for security and performance reasons. What I want is for nginx to proxy to a unix domain socket, just as I do for mojolicious and php. My rationale for this is twofold:
- Using unix domain sockets is generally more performant than using the loopback IP. An actual IP socket needs socket memory in the kernel, and you run into things like TIME_WAIT on localhost sockets (solvable by net.inet.tcp.nolocaltimewait, but still).
- If you run a web server doing a lot of different things, the localhost interface is not as secure as a unix domain socket. If you share a server with PHP, it's common for PHP to be tricked into writing to the localhost interface, and you absolutely do not want something or someone constructing their own fastcgi requests. A unix domain socket is a filesystem object, so ordinary file ownership and mode decide who can connect to it.
I also want foswiki to be started the FreeBSD way, with a proper rc.d script that observes the controls and overrides in /etc/rc.conf.
Implementation
The first order of business is the rc.d script. Attached to this page is a decent and working rc.d script for FreeBSD.
There is a permission issue with the unix domain socket. On FreeBSD we tend to run services with their own uid and gid as a security measure. So, for example, nginx runs as the uid/gid nginx/nginx, and foswiki will run as foswiki/foswiki. This provides the best isolation from a unix permission standpoint. However, we now have a problem: the foswiki daemon, running as foswiki, will create the socket owned by foswiki and not by nginx. When nginx goes to write to the fastcgi socket, it will get a permission denied (which usually shows up as a 5XX error on the web). This is not what we want.
So an awesome fix for this is to make the socket owned by foswiki but change its group to nginx, and then change the mode to 0660. That way only the foswiki user and members of the nginx group can read from or write to the socket; every other local user is still locked out.
The rc.d script has hooks to do this for you. In fact, if you see a better way to implement this, you can set the appropriate variables in /etc/rc.conf to achieve your own implementation.
The rc.d script also has hooks for setting everything I could think of. Its defaults conform to what you will get if you install foswiki via ports (which you should do).
If you use this script, you'll need to create the /var/run/foswiki directory, owned by foswiki and mode 755.
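As an added example (not the rc.d script attached to this page), the following POSIX sh helpers show how an rc.subr start_postcmd hook can apply and then verify the owner foswiki / group nginx / mode 0660 arrangement described above. The socket path and the rc.conf variable names foswiki_socket, foswiki_socket_group and foswiki_socket_mode are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not the script attached to the page. Helpers a FreeBSD rc.d
# script can run from start_postcmd once the foswiki fastcgi daemon is up.
# Assumed rc.conf overrides: foswiki_socket, foswiki_socket_group, foswiki_socket_mode.

# Render an octal mode such as 0660 as the ls(1) permission string rw-rw----,
# so the check works on BSD and GNU userland without stat(1) flags.
# Only the low three digits are used (setuid/setgid/sticky bits are ignored).
mode_to_ls() {
    m=$(printf '%s' "$1" | tail -c 3)
    out=''
    for d in $(printf '%s' "$m" | sed 's/./& /g'); do
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    printf '%s' "$out"
}

# True when PATH has exactly GROUP and MODE. The mode string is taken from
# ls -ld, characters 2-10, so an ACL marker such as '+' does not disturb it.
perms_match() {
    path=$1 group=$2 mode=$3
    set -- $(ls -ld "$path")        # -rw-rw---- 1 owner group size date name
    actual_mode=$(printf '%s' "$1" | cut -c2-10)
    [ "$actual_mode" = "$(mode_to_ls "$mode")" ] && [ "$4" = "$group" ]
}

# Wait up to TRIES seconds for the daemon to create SOCK, then hand the group
# side to nginx and confirm the result. Fails on a missing socket or on a path
# that is not a socket, so a stray regular file is never opened up by mistake.
fix_socket_perms() {
    sock=$1 group=$2 mode=$3 tries=${4:-10}
    while [ ! -S "$sock" ] && [ "$tries" -gt 0 ]; do
        sleep 1
        tries=$((tries - 1))
    done
    [ -S "$sock" ] || { echo "$sock: no socket to fix" >&2; return 1; }
    chgrp "$group" "$sock" && chmod "$mode" "$sock" \
        && perms_match "$sock" "$group" "$mode"
}

# In the rc.d script (assumed variable names), after load_rc_config:
#   start_postcmd="fix_socket_perms $foswiki_socket $foswiki_socket_group $foswiki_socket_mode"
```

The chgrp step needs root, which is the case when rc.d runs the hook at boot; a failed verification makes start_postcmd return non-zero, so the service start is reported as failed instead of silently leaving nginx with a 5XX.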
--
DaveHayes - 28 Nov 2017