Hi All,
We’ve built a new EC2 server based on Virtualmin + Nginx. I’ve seen
Nginx recommended a lot over the years so thought if we are moving to
the cloud, and want things to be optimal, then it’s time to give it a
go. Before our setup has been Virtualmin + Apache (with suexec and
fcgid).
For some of our old Perl CGI scripts we’ve hit the issue I’m sure most
of you are familiar with. I’ve searched for solutions and have found a
number, all of which have various caveats. It’s unclear as to what the
best way to deal with this is. Along with plain CGI (and fastcgi) suexec
is an important security feature to ensure that compromised scripts
don’t have permission to wreak havoc on other user accounts, and run
things with tight permissions (along with sorting our FTP script upload
issues you can have).
There are various hack arounds for suexec style behaviour, I haven’t
figured yet how they can work with the CGI workarounds.
It seems like this is such a common demand that there should be an
established (efficient and reliable) solution to deal with it by now?
On Thu, May 08, 2014 at 03:11:24PM +0100, Lyle wrote:
Hi there,
> For some of our old Perl CGI scripts we’ve hit the issue I’m sure
> most of you are familiar with. I’ve searched for solutions and have
> found a number, all of which have various caveats. It’s unclear as
> to what the best way to deal with this is. Along with plain CGI
> (and fastcgi) suexec is an important security feature to ensure that
> compromised scripts don’t have permission to wreak havoc on other
> user accounts, and run things with tight permissions (along with
> sorting our FTP script upload issues you can have).
I may be being slow here, but: what’s the specific issue you’re
concerned about?
suexec is a way for a (CGI) script-processing server to run scripts
under a separate user account.
nginx doesn’t do CGI.
nginx does most kinds of “active” content by being a client to another
server which actually does the work. That server could run suexec,
I suppose, or it could run everything under a separate user account.
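
An added illustration of the arrangement described in the reply above (not part of the original thread): nginx acts as a FastCGI client to one backend per account, so each site's CGI scripts run as that account's user. The choice of fcgiwrap as the backend, the account names alice and bob, the hostnames and the socket paths are all assumptions.

```nginx
# Added example, not from the thread. Assumed setup: one fcgiwrap process
# per hosting account, each started as that account's own user, e.g.
#   (as user alice)  fcgiwrap -s unix:/run/fcgiwrap/alice.sock
#   (as user bob)    fcgiwrap -s unix:/run/fcgiwrap/bob.sock
# Each socket must be connectable by the nginx worker user only (for
# example owner = account user, group = nginx's group, mode 0660), so one
# account cannot submit requests to another account's backend.

server {
    listen 80;
    server_name alice.example.test;          # hypothetical vhost
    root /home/alice/public_html;            # hypothetical docroot

    location /cgi-bin/ {
        # Only hand over paths that exist as files under this docroot.
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Scripts for this vhost execute as alice, because the process
        # listening on this socket runs as alice.
        fastcgi_pass unix:/run/fcgiwrap/alice.sock;
    }
}

server {
    listen 80;
    server_name bob.example.test;            # hypothetical vhost
    root /home/bob/public_html;              # hypothetical docroot

    location /cgi-bin/ {
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Separate backend and user: a compromised script here has bob's
        # file permissions and cannot write into /home/alice.
        fastcgi_pass unix:/run/fcgiwrap/bob.sock;
    }
}
```

The user separation comes entirely from how the backends are started; nginx only selects which socket receives the request.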