Posted to users@httpd.apache.org by Dragon <dr...@crimson-dragon.com> on 2007/03/21 19:01:05 UTC

[users@httpd] Revisiting my FastCGI problem

I originally posted here last week about a problem I am having with 
FastCGI under Apache.

After enabling debug log level and doing a few other experiments, I 
have come to the conclusion that something is blocking Apache from 
connecting to unix sockets. mod_fcgid attempts to create a socket (I 
surmise to communicate with apache...)  but it can't connect to it.

In desperation, I also loaded up Lighttpd to serve my application on 
another port and configured it to use uid apache and gid apache so I 
didn't have to go mess with directory and file permissions. It has 
the exact same problem.

This is on an FC4 system with Plesk control panel running on it.

Does anyone know if there is some way that access to these sockets 
can be restricted on a per-user basis?

If so, how is this configured (or more accurately, how do I disable 
such restriction)?


Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] Revisiting my FastCGI problem

Posted by Dragon <dr...@crimson-dragon.com>.
Mark Lavi wrote:
>I would recommend enabling logging of SELinux in order to confirm your
>assumption rather than show us a configuration that may or may not be in
>use - and may or may not be the answer for your hypothesis of the
>problem.
>
>SELinux logging and configuration, etc. are an OS based domain for
>questions, you're straying outside of Apache at this point.
---------------- End original message. ---------------------

I understand that selinux is not an Apache issue, but it is 
irrelevant to this discussion anyway as I am now certain that it is 
not a factor. After reading up on it, I used the getenforce command 
to check the state of selinux; it is disabled on this machine just 
like the config says it is, and just to be sure, I also forced it off 
using setenforce 0 to disable it.

I am still stuck with the same problem and am no closer to a solution 
within Apache. The problem is with Apache and mod_fcgid trying to 
open and connect to a unix socket to communicate with each other; 
they simply can't do it. The socket gets created but the connect from 
mod_fcgid is refused, which then causes it to end the script execution 
attempt and produces the premature end of script headers error.

For now, I do have a workaround that I have already tested using 
lighttpd on an alternate port; this is OK for now as it is not a 
high-volume application or a heavily loaded server. However, I would 
eventually like to get it working as it should under Apache. Because 
this is on a Plesk-controlled machine and administered by some people 
who are rather unskilled in this area, I want it to run under the 
tools they have and know.

If anyone has any other ideas on what to look at next, I'm all ears.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
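
Added example, not part of the thread and not code from Apache or mod_fcgid: a diagnostic that separates the three common ways a connect to a unix socket fails (no socket file, permission denied, nothing listening) and finds which path component would stop a given uid. The function names and the sample path are hypothetical; the permission check reads classic mode bits only and ignores ACLs and SELinux.

```python
import errno, os, socket

def classify_connect(path):
    """Connect to an AF_UNIX stream socket and name the failure by errno."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return "ok"
    except OSError as e:
        return {
            errno.ENOENT: "missing: no socket file at this path",
            errno.EACCES: "denied: file or directory permissions block this user",
            errno.ECONNREFUSED: "refused: socket file exists, nothing is listening",
        }.get(e.errno, "other: " + errno.errorcode.get(e.errno, str(e.errno)))
    finally:
        s.close()

def allowed(st, uid, gids, want):
    """Owner/group/other check from mode bits only (no ACLs, no root bypass)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & want == want

def first_blocker(path, uid, gids):
    """First path component that stops uid from connecting, or None."""
    path = os.path.abspath(path)
    chain = [path]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for p in reversed(chain):
        # connect() needs search (x=1) on every directory, write (w=2) on the socket
        want = 2 if p == path else 1
        if not allowed(os.stat(p), uid, gids, want):
            return p
    return None

if __name__ == "__main__":
    sock = "/tmp/example-fcgid.sock"   # constructed path, not from the thread
    print(classify_connect(sock))
```

A "refused" result points at a stale socket file or a peer that has already exited, while "denied" points at ownership or mode bits on the socket or one of its parent directories.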



RE: [users@httpd] Revisiting my FastCGI problem

Posted by Mark Lavi <ml...@sgi.com>.
I would recommend enabling logging of SELinux in order to confirm your
assumption rather than show us a configuration that may or may not be in
use - and may or may not be the answer for your hypothesis of the
problem.

SELinux logging and configuration, etc. are an OS based domain for
questions, you're straying outside of Apache at this point.

--Mark 
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
-----Original Message-----
From: Dragon [mailto:dragon@crimson-dragon.com] 
Sent: Wednesday, March 21, 2007 11:54 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Revisiting my FastCGI problem

Richard Lynch wrote:
>I don't know much about this, but you may be running afoul of the SE
>Linux settings in /etc/
---------------- End original message. ---------------------

Yeah, I thought that might be the case but this is what is in 
/etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


From that, it looks like it should not even be loading selinux.

I also checked the kernel modules with modprobe to be sure and I 
don't see selinux in the output.


Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Re: [users@httpd] Revisiting my FastCGI problem

Posted by Dragon <dr...@crimson-dragon.com>.
Richard Lynch wrote:
>I don't know much about this, but you may be running afoul of the SE
>Linux settings in /etc/
---------------- End original message. ---------------------

Yeah, I thought that might be the case but this is what is in 
/etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


From that, it looks like it should not even be loading selinux.

I also checked the kernel modules with modprobe to be sure and I 
don't see selinux in the output.


Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Re: [users@httpd] Revisiting my FastCGI problem

Posted by Richard Lynch <ce...@l-i-e.com>.
I don't know much about this, but you may be running afoul of the SE
Linux settings in /etc/

On Wed, March 21, 2007 1:01 pm, Dragon wrote:
> I originally posted here last week about a problem I am having with
> FastCGI under Apache.
>
> After enabling debug log level and doing a few other experiments, I
> have come to the conclusion that something is blocking Apache from
> connecting to unix sockets. mod_fcgid attempts to create a socket (I
> surmise to communicate with apache...)  but it can't connect to it.
>
> In desperation, I also loaded up Lighttpd to serve my application on
> another port and configured it to use uid apache and gid apache so I
> didn't have to go mess with directory and file permissions. It has
> the exact same problem.
>
> This is on an FC4 system with Plesk control panel running on it.
>
> Does anyone know if there is some way that access to these sockets
> can be restricted on a per-user basis?
>
> If so, how is this configured (or more accurately, how do I disable
> such restriction)?
>
>
> Dragon
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

