cmsimple / nginx / fastcgi

Questions about how to install and problems installing - please read the documentation first!
beate_r
Posts: 174
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

cmsimple / nginx / fastcgi

Post by beate_r » Thu May 22, 2008 11:55 pm

I am setting up cmsimple (currently 2.9 + security fix) under the nginx webserver using fastcgi due to its smaller memory footprint. Things are configured in analogy to the hints of using drupal 4.7 with nginx. Two vhosts using different cmsimple setups are affected.
It almost works.

What does not work: logins.
Affected are both logins to the system itself as well as logins to protected pages.
In addition not all images will be displayed.

Everything is working with apache 2.2.2 + mod_php.

The current setup uses port 888 for nginx and port 80 for apache; both web servers access the same directory structure.

Any suggestions?

THX

Beate

beate_r
Posts: 174
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: cmsimple / nginx / fastcgi

Post by beate_r » Wed May 28, 2008 11:51 pm

Well, no suggestions, but a lot of reads ;)

After some testing I found a solution, even without the need of the rewrite rule given on the cmsimple site. It is already slightly optimized, but I guess there might be room for further improvement. Maybe it is of interest.

The code snippet below refers to a typical vhost section. It should be noted that passing image files through nginx' gzip module might lead to truncation of the data. So it is advisable not only for performance to serve these files statically.

Code:

    server {
        listen          80;
        server_name     www.example.com;

        location / {
            root        /var/www/example.com/;
            index       index.html;
            fastcgi_index index.php;

            include     /etc/nginx/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /var/www/example.com$fastcgi_script_name;
            fastcgi_param QUERY_STRING    $query_string;
            if (-f $request_filename) {
                break;
            }
            # CMSIMPLE specific: don't allow dynamic files in certain directories
            if ( $uri !~ "/(images|downloads)/" ) {
                fastcgi_pass  127.0.0.1:9999;
            }
        }

        # security: protect critical directories
        location ~ /(cmsimple|templates|content)/ {
            deny        all;
        }
      

        # serve static files directly
        # ("~" makes this a regex location; "\." matches the literal dot before the extension)
        location ~ ^/.*\.(jpg|jpeg|gif|css|png|js|ico|htm|html)$ {
            root /var/www/example.com;
            access_log        off;
            expires           30d;
        }

        # userdir simulation
        location ~ /~([a-zA-Z0-9]*)/(.*) {
            # the [a-zA-Z0-9] is for the greedy .
            root        /home/;
            autoindex   on;
            index       index.html;
            rewrite ^/~([a-zA-Z0-9]*)/(.*)$ /$1/public_html/$2 break;
        }
    }

In addition, the following settings have to be added to /etc/nginx/fastcgi_params:

Code:

    ## bea ++
    fastcgi_pass_header Authorization;
    fastcgi_intercept_errors off;

Beate

Edit: added protection of critical pages
Last edited by beate_r on Sun Jun 01, 2008 10:19 am, edited 2 times in total.

Connie
Posts: 282
Joined: Thu May 22, 2008 10:11 am
Location: Hamburg

Re: cmsimple / nginx / fastcgi

Post by Connie » Fri May 30, 2008 3:17 am

Beate,

as this is very valuable information relating to a very special situation, why not add this to http://www.cmsimplewiki.com/?

That would be a great help!
Connie Müller-Gödecke, http://www.webdeerns.de

beate_r
Posts: 174
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: cmsimple / nginx / fastcgi

Post by beate_r » Sat May 31, 2008 5:44 pm

done

Beate

beate_r
Posts: 174
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: cmsimple / nginx / fastcgi

Post by beate_r » Sun Jun 01, 2008 10:26 am

When I wrote my server configuration I did not consider that nginx does not recognize apache/ncsa conformant .htaccess pages. Therefore any protective measures must be taken within the configuration of each vhost in nginx.

Here is the missing code (which I added to my original posting as well):

Code:

        location ~ /(cmsimple|templates|content)/ {
            deny        all;
        }

This addition is crucial - missing protection allows intruders to access the login password.

Beate
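
Added example (not part of the original thread and not CMSimple or nginx code): a migration check that lists directories Apache protected with a deny-all .htaccess which no `deny all;` regex location in the nginx vhost covers. It assumes regex locations with flat bodies (no nested braces); the function names and the `backup` directory are hypothetical.

```python
import os
import re
import tempfile

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") deny directives.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b", re.I | re.M)
# Regex locations with a flat body (no nested braces) -- a simplifying assumption.
LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{([^{}]*)\}")

def htaccess_denied_dirs(docroot):
    """URI prefixes (e.g. '/content/') whose .htaccess denies all access."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
            if DENY_RE.search(fh.read()):
                rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
                found.append("/" if rel == "." else "/" + rel + "/")
    return sorted(found)

def nginx_deny_patterns(conf_text):
    """Compiled regexes of the locations whose body contains 'deny all;'."""
    pats = []
    for mod, pattern, body in LOCATION_RE.findall(conf_text):
        if re.search(r"\bdeny\s+all\s*;", body):
            pats.append(re.compile(pattern.strip("\"'"), re.I if mod == "~*" else 0))
    return pats

def unprotected_dirs(docroot, conf_text):
    """Directories Apache protected via .htaccess that no nginx deny rule covers."""
    pats = nginx_deny_patterns(conf_text)
    return [d for d in htaccess_denied_dirs(docroot) if not any(p.search(d) for p in pats)]

def demo():
    # Constructed sample: the deny block from the thread plus a hypothetical tree.
    conf = "location ~ /(cmsimple|templates|content)/ {\n    deny        all;\n}\n"
    with tempfile.TemporaryDirectory() as root:
        for name in ("cmsimple", "content", "backup"):  # 'backup' is hypothetical
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, ".htaccess"), "w") as fh:
                fh.write("Order deny,allow\nDeny from all\n")
        os.makedirs(os.path.join(root, "images"))  # no .htaccess: public
        return unprotected_dirs(root, conf)

if __name__ == "__main__":
    print(demo())
```

An empty result only means every .htaccess deny has a matching nginx rule; confirming with a real request that the path returns 403 is still worthwhile.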
