[Pkg-nginx-maintainers] Bug#822792: your mail

[Michael Lustfield]

On Thu, Nov 10, 2016 at 6:35 AM, Elrond
<elrond+bugs.debian.org at samba-tng.org> wrote:
> On Wed, Nov 09, 2016 at 18:47:15 -0600, Michael Lustfield wrote:
>> I'd like to get something like _provider_php available via php-fpm as well as
>> uwsgi-plugin-php.
>
> Okay, so if an admin only wants to handle local .php files
> on the default server they have to:
>
> 1. Install php-fpm, which then would hopefully bring
>    /etc/nginx/conf.d/pkg_php-fpm.conf
>
> 2. Create /etc/nginx/apps.d/local_php.conf
>    containing a global .php -> _provider_php entry
>
> Did I get that right?

Yup, if a user is creating a local/custom app, that's what would be expected.

In the same way, apps.d/pkg_drupal7.conf would have whatever php
settings it needs, but then just assume an upstream _provider_php
exists and pass to that.

>> Doing it this way would reduce security, but I'm thinking it's to a very
>> negligible degree and not very concerned.
>
> Could you elaborate on the security issues?

If we were using uwsgi, we could try to chroot/jail the web
application. It, however, prevents nice easy generic providers which
probably make more sense. I don't think this is worth worrying about,
though.

>> > 2. Do we have recommended naming for files added by the
>> >    local admin to apps.d?
>>
>> We could suggest custom_<foo>.conf.
>
> local_<foo>.conf?

I like this better, yes.


I've attached a potential drupal7.conf, but this raises a concern...
php-fpm and uwsgi need different *_pass directives. Since conf.d/* is
loaded first, it might be possible to set a configuration variable.
$provider_php_pass = (uwsgi|proxy)

I don't like that because it means using an if later, but it could work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkg_drupal7.conf
Type: application/octet-stream
Size: 1318 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nginx-maintainers/attachments/20161110/88fe6dea/attachment.obj>