
Author Topic: hiawatha cgi question  (Read 6207 times)


Offline chrisf

hiawatha cgi question
« on: 2014-07-07, 00:03:14 »
Mustafa, I just updated to newest kloxoMR 6.5.1b and noticed the cgi-wrapper conf tpl and the automation of users into the cgi wrapper conf file!  THANK YOU!

My question is, is this ready for production, or still being developed?

I am wondering about the reverse proxy mask.

Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

Re: hiawatha cgi question
« Reply #1 on: 2014-07-07, 00:25:08 »
There is still some trouble with hiawatha-proxy, because I want hiawatha or hiawatha-proxy to use only cgi-wrapper. The problem is related to the ReverseProxy arguments in hiawatha itself.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

Re: hiawatha cgi question
« Reply #2 on: 2014-07-07, 00:39:17 »
I see, and understand.  I just posted on the hiawatha forum concerning using multiple ! in reverse proxy; we will await Hugo's response.  If this is possible, it will be easy.  It works great for only one filetype (i.e. .pl)

https://www.hiawatha-webserver.org/forum/topic/1656

This is the new topic:
https://www.hiawatha-webserver.org/forum/topic/1686
« Last Edit: 2014-07-07, 00:43:38 by chrisf »

Offline MRatWork

Re: hiawatha cgi question
« Reply #3 on: 2014-07-07, 01:00:04 »
The code in the latest upload is 'ReverseProxy (^\/$|^\/.*\.php.*$|^\/([a-z0-9-]+\/?)*$) http://127.0.0.1:30080/' and in the previous one 'ReverseProxy ^/.* http://127.0.0.1:30080/'.

In the latest upload:
1. Only php will be reverse proxied
2. Works:
- /index.php
- /index.php?a=b
- /
- /subdir/
3. Does not work:
- /?a=b
- /subdir/?a=b

Offline chrisf

Re: hiawatha cgi question
« Reply #4 on: 2014-07-07, 01:33:55 »
That is no good, Mustafa. The ONLY true reason to use reverse-proxy at this point is .htaccess rewrite rules.  Hiawatha could serve php through php-fpm without apache.

Your solution stops .htaccess from working.

The best solution is using the 'reverse but/except' setting, as explained in the first post on the hiawatha forum.  But this only works for one filetype, or I am not configuring it right. I addressed this in the second post; hopefully Hugo will answer and we will see.  If we can use multiple excludes, this will be easy.
« Last Edit: 2014-07-07, 07:11:48 by chrisf »

Offline chrisf

Re: hiawatha cgi question
« Reply #5 on: 2014-07-07, 09:41:14 »
I GOT IT MUSTAFA!

Change the reverse proxy line to:
Code:
ReverseProxy !\.(pl|cgi|py|rb|shtml) http://127.0.0.1:30080/ 300

That tells hiawatha to reverse proxy EVERYTHING BUT those filetypes!  PERFECT!  .htaccess works perfectly!

Everything works!  The cgi-wrapper jails the scripts to the home/{user} directory!  THAT'S WHAT I CALL SECURE CGI!

https://convictionshosting.com/test.cgi - cgi / perl script
https://convictionshosting.com/test.py - python script
https://convictionshosting.com/test.rb - ruby script

All work, testing the chroot cgi wrapper now! ;)
« Last Edit: 2014-07-07, 10:23:00 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com
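
The three ReverseProxy rules discussed in Replies #3 and #5, evaluated over sample request URIs (an added example, not code from the thread or from Kloxo-MR or Hiawatha). It assumes an unanchored match over the request URI including the query string, which is what the results in Reply #3 imply; Python's re stands in for the server's regex engine, the sample URIs are constructed, and the `except-cgi-anchored` rule is a hypothetical tighter variant.

```python
import re

# ReverseProxy patterns quoted in the thread: (negated?, regex).
RULES = {
    "previous": (False, r"^/.*"),
    "latest": (False, r"(^\/$|^\/.*\.php.*$|^\/([a-z0-9-]+\/?)*$)"),
    # Reply #5 rule, with the last extension spelled "shtml" here.
    "except-cgi": (True, r"\.(pl|cgi|py|rb|shtml)"),
    # Hypothetical tighter variant (not from the thread): the extension
    # must end the path, optionally followed by a query string.
    "except-cgi-anchored": (True, r"^[^?]*\.(pl|cgi|py|rb|shtml)(\?.*)?$"),
}

# Constructed request URIs: the six from Reply #3 plus CGI and edge cases.
SAMPLES = [
    "/index.php", "/index.php?a=b", "/", "/subdir/", "/?a=b", "/subdir/?a=b",
    "/test.cgi", "/test.py", "/notes.plain.html", "/index.php?f=report.pl",
]


def proxied(rule, uri):
    """True if the URI would be handed to the backend on 127.0.0.1:30080.

    Assumption: the server does an unanchored search of the pattern over
    the request URI including the query string, and a leading "!" in the
    config inverts the result.
    """
    negate, pattern = RULES[rule]
    hit = re.search(pattern, uri) is not None
    return hit != negate


def table():
    """Map each sample URI to the set of rules that would proxy it."""
    return {u: {r for r in RULES if proxied(r, u)} for u in SAMPLES}


if __name__ == "__main__":
    for uri, rules in table().items():
        print(f"{uri:28} proxied by: {', '.join(sorted(rules)) or '-'}")
```

With the unanchored exception rule, `/notes.plain.html` and `/index.php?f=report.pl` stay on Hiawatha because `.pl` occurs somewhere in the URI; the anchored variant sends both to the backend.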

Offline chrisf

Re: hiawatha cgi question
« Reply #6 on: 2014-07-07, 18:14:16 »
Still a problem with the cgi-wrapper chroot.  Actually fell asleep at the computer trying to get it chrooting /home/{user} but there seems to be a problem.

Continuing my investigation.

Offline MRatWork

Re: hiawatha cgi question
« Reply #7 on: 2014-07-07, 18:52:27 »
I have no idea how to limit perl access to a certain dir only, like php with open_basedir.

Looks like it is only possible with a 'real' chroot/jail.

Offline chrisf

Re: hiawatha cgi question
« Reply #8 on: 2014-07-07, 19:37:37 »
The cgi-wrapper only chroots when you add the pipe | to the path.  I figured out how to chroot to /usr/chroot; I had to copy all cgi handlers into this directory.

Wrap = admin_wrapper;/usr/chroot|/home/admin;admin:admin

Still a problem now with the cgi wrapper finding the website root, cgi program.  Interesting.

Still investigating ;)

Offline chrisf

Re: hiawatha cgi question
« Reply #9 on: 2014-07-07, 20:07:33 »
Tried
Wrap = admin_wrapper;/home/admin|{website root};admin:admin

As if /home/admin/domain.com:
Wrap = admin_wrapper;/home/admin|domain.com;admin:admin

Now different error.... hmmmmm.... need Hugo's help.  Waiting for his response on my forum post.

Offline chrisf

Re: hiawatha cgi question
« Reply #10 on: 2014-07-09, 01:14:20 »
I have it working, and you don't get more secure than this!

There is a drawback.  Each client/user must have about 35MB for perl.  You can lower this by 28 MB (needing only 7 MB if you include no shared libraries), but, we offer about 100 to 120 clients per box, so the 5 G is nothing really.

The chroot locks a client to /home/{user} and the cgi-wrapper runs as the user's id and group, so no busting out.

I have a bash script almost completed that uses hiawatha's (newroot) script to set everything up automatically.  I have been testing for hours, and all runs, installed cgi guestbook and a cgi forum.  Both run chrooted through hiawatha.

https://convictionshosting.com/test.cgi notice doc root is /convictionshosting.com not /home/admin/convictionshosting.com
https://convictionshosting.com/test2.cgi tries to 'ls /home' but can not due to chroot
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com
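
A check for generated cgi-wrapper entries against the per-user jail described in Reply #10 (an added example, not the poster's bash script or Kloxo-MR's template). The Wrap layout is assumed from the lines quoted in Replies #8 and #9, and the accounts, paths and the `audit` policy are constructed for illustration.

```python
import re

# Constructed cgi-wrapper.conf entries in the shape quoted in the thread:
#   Wrap = <id>;[<chroot>|]<path>;<user>:<group>
SAMPLE_CONF = """\
Wrap = admin_wrapper;/home/admin;admin:admin
Wrap = alice_wrapper;/home/alice|/example.com;alice:alice
Wrap = bob_wrapper;/usr/chroot|/home/bob;bob:bob
Wrap = carol_wrapper;/home/carol|/example.org;root:root
"""

WRAP_RE = re.compile(r"^\s*Wrap\s*=\s*([^;]+);([^;]+);([^:;\s]+)(?::(\S+))?\s*$")


def parse_wrap(line):
    """Split one Wrap line into id, chroot (or None), path, user and group."""
    m = WRAP_RE.match(line)
    if m is None:
        return None
    wrap_id, path, user, group = m.groups()
    chroot, pipe, inner = path.strip().partition("|")
    return {
        "id": wrap_id.strip(),
        "chroot": chroot if pipe else None,  # only set when "|" is present
        "path": inner if pipe else chroot,
        "user": user,
        "group": group,
    }


def audit(conf, home="/home"):
    """Return {wrap_id: [findings]} for the per-user jail policy."""
    report = {}
    for line in conf.splitlines():
        w = parse_wrap(line)
        if w is None:
            continue
        findings = []
        if w["chroot"] is None:
            findings.append("no chroot")
        elif w["chroot"].rstrip("/") != f"{home}/{w['user']}":
            findings.append("chroot is not the account's home")
        if "root" in (w["user"], w["group"]):
            findings.append("runs as root")
        report[w["id"]] = findings
    return report
```

Running `audit(SAMPLE_CONF)` leaves only `alice_wrapper` without findings; the other three entries are flagged for a missing chroot, a shared chroot, and a root identity.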

 

