Use nginx defaults for fastcgi_params / uwsgi_params #1076
Conversation
| @@ -5,12 +5,13 @@ fastcgi_param REQUEST_METHOD $request_method; | |||
| fastcgi_param CONTENT_TYPE $content_type; | |||
| fastcgi_param CONTENT_LENGTH $content_length; | |||
|
|
|||
| fastcgi_param SCRIPT_FILENAME $request_filename; | |||
There was a problem hiding this comment.
It does seem like this line doesn't exist in current upstream, though there is SCRIPT_NAME.
|
As noted in comment on the relevant text, this doesn't seem to be in current upstream: |
| @@ -5,12 +5,13 @@ fastcgi_param REQUEST_METHOD $request_method; | |||
| fastcgi_param CONTENT_TYPE $content_type; | |||
| fastcgi_param CONTENT_LENGTH $content_length; | |||
|
|
|||
| fastcgi_param SCRIPT_FILENAME $request_filename; | |||
There was a problem hiding this comment.
Upstream has two files, fastcgi.conf and fastcgi_params. As written the PR syncs with fastcgi_params which doesn't set SCRIPT_FILENAME. fastcgi.conf is more modern and does set it (that's the only difference between them).
I suggest syncing to fastcgi.conf, and renaming this template to fastcgi.conf.erb... that's likely to have the least impact on users while also being explicit about which upstream fastcgi config file it's trying to replicate.
Some background here if you like: https://blog.martinfjordvald.com/2013/04/nginx-config-history-fastcgi_params-versus-fastcgi-conf/
There was a problem hiding this comment.
Thanks, that's very helpful context, so I'm glad I bugged you about this one. And here I had hoped this was going to be simple and uncontroversial.
I agree with you about this, do we just leave an existing /etc/nginx/fastcgi_params alone if it exists, though? I guess if the module doesn't include it, it's not an issue, and maybe safer than assuming we managed it in the past? Should we rename the parameter itself from fastcgi_param?
There was a problem hiding this comment.
Yeah I think it should be left alone.
I'd like the parameter to be renamed, but I don't think it's worth it...
|
@3flex: pushed a new version with those changes and updated tests. ps - Do you think it's worth making them optional (as discussed in #682), so that if they're undef, you can suppress the include entirely in the config? I roughed in the changes, but didn't push or add tests yet. |
|
With this change in, I think it makes sense to default to fastcgi.conf shipped in this module only and leave fastcgi_params alone (if it exists). And allowing users to remove the config would also be useful. |
|
And allowing users to remove the config would also be useful. Ok, this version makes it optional, and adds a few more tests that I think make sense. |
…_params to fastcgi.conf. Don't manage files if set to non-default path.
|
Edit: Probably should have checked the test results and spotted that merge conflict before clicking this 🤷♂️ but besides that, looks great! @3flex I think the conflict came from another recent change that got merged. I don't know how I missed the rubocop failure. Fixed all that and another minor issue with a test. |
|
Seems fine to me. |
| # PHP only, required if PHP was built with --enable-force-cgi-redirect | ||
| fastcgi_param REDIRECT_STATUS 200; | ||
|
|
There was a problem hiding this comment.
Curious, why this block was removed?
Seems like a good idea to keep
There was a problem hiding this comment.
@vchepkov The idea is to synchronize it with the upstream config from nginx.
But it's still possible to configure additional fastcgi params with the module, or refer to a different file.
There was a problem hiding this comment.
It seems to me this change makes configuration to deviate from upstream package:
# rpm -qf /etc/nginx/fastcgi_params
nginx-1.12.1-1.el7.ngx.x86_64
# rpm -qi nginx
Name : nginx
Epoch : 1
Version : 1.12.1
Release : 1.el7.ngx
Architecture: x86_64
Install Date: Mon 18 Sep 2017 07:13:02 AM EDT
Group : System Environment/Daemons
Size : 2640392
License : 2-clause BSD-like license
Signature : RSA/SHA1, Tue 11 Jul 2017 10:20:52 AM EDT, Key ID abf5bd827bd9bf62
Source RPM : nginx-1.12.1-1.el7.ngx.src.rpm
Build Date : Tue 11 Jul 2017 09:50:21 AM EDT
Build Host : centos7-amd64-builder-builder.gnt.nginx.com
Relocations : (not relocatable)
Vendor : Nginx, Inc.
URL : http://nginx.org/
Summary : High performance web server
Description :
nginx [engine x] is an HTTP and reverse proxy server, as well as
a mail proxy server.
# diff -u /etc/nginx/fastcgi_params /etc/nginx/fastcgi.conf
--- /etc/nginx/fastcgi_params 2017-07-11 09:50:19.000000000 -0400
+++ /etc/nginx/fastcgi.conf 2017-09-16 12:09:44.121363628 -0400
@@ -1,4 +1,6 @@
+# This file managed by puppet on host host.example.com
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
This change also rolling back 3404c4c
which improves security of the server and is recommended by upstream. I don't think a typical user expects to have their configuration less secure by upgrading puppet module. It would be nice if there was at least an option to easily re-enable previous configuration.
|
I think As best I could tell at the time we made these changes, |
Use nginx defaults for fastcgi_params / uwsgi_params
Per various discussions (#862), use nginx shipped defaults for fastcgi_params / uwsgi_params.
Obsoletes #855, etc.
I think long-term, we still may need a way to make this more customizable, but I think we have signoff in principle on at least pulling in the current vendor defaults from 1.10 / 1.11.