From mboxrd@z Thu Jan 1 00:00:00 1970
From: john at keeping.me.uk (John Keeping)
Date: Sat, 13 Apr 2013 10:34:10 +0100
Subject: FastCGI integration for cgit?
In-Reply-To: <28484901.erkyi2NjQ4@al>
References: <28484901.erkyi2NjQ4@al>
Message-ID: <20130413093410.GN2222@serenity.lan>

On Sat, Apr 13, 2013 at 01:51:03AM -0700, Peter Wu wrote:
> I am investigating the options for deploying cgit+gitolite. As I am
> running nginx, I have to use fastcgi or something similar.
>
> Some resources that I found during a search:
>
> - http://russellhaering.com/2009/12/22/running-cgit-under-nginx/
> - https://gist.github.com/stran12/1394757
> - http://polemon.org/cgit_nginx
> - http://blog.zx2c4.com/293
>
> Their instructions however, do suggest the use of nginx + spawn-cgi +
> fcgiwrap + cgit. I have some issues with it:
>
> - Even if nginx and cgit run as different users, nginx can still run
>   arbitrary commands under the rights of cgit (via SCRIPT_FILENAME).
> - If the only goal of fcgiwrap is to run cgit, why fcgiwrap at all and
>   not integrate it into cgit?
>
> So I was wondering if somebody has already considered integrating
> fastcgi into cgit or other experiences with a nginx+(fastcgi+)cgit
> setup? I do not expect much traffic, but still want to have a secure
> (isolated) setup with predictable resource use.

The problem with implementing FastCGI in CGit is that CGit currently
relies on the OS cleaning up resources when the process exits. So if we
use the same process for multiple requests it will just keep growing (in
terms of memory use). There has recently been some progress on
improving the CGit side of this, but Git also takes this approach for
repository objects.

In addition to that, Git isn't designed for a process to work on more
than one repository, so it would be difficult to make CGit handle
multiple repositories in a single process correctly.

Given all of that, any implementation of FastCGI in CGit is going to
look more or less the same as fcgiwrap, so I don't see any reason not to
just use that.

AFAICT, SCRIPT_FILENAME should be managed for you by the webserver and
if you are using nginx then it can't actually be used to run arbitrary
commands [1]. But I've never used it so perhaps someone with experience
of using CGit with nginx would like to comment here.

[1] http://nginx.localdomain.pl/wiki/FcgiWrap
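
An added example, not part of the original message or of the cgit project: one way for nginx to manage SCRIPT_FILENAME itself, by passing fcgiwrap a constant path so that nothing in the request chooses which program runs. The server name, document root, cgit binary path and socket path are assumptions for a typical install.

```nginx
server {
    listen 80;
    server_name git.example.com;      # assumed host name

    # Static assets (cgit.css, cgit.png) are served directly by nginx.
    root /usr/share/webapps/cgit;     # assumed asset directory
    try_files $uri @cgit;

    location @cgit {
        # Stock parameter set; the fastcgi_params file does not define
        # SCRIPT_FILENAME, so the single value below is the only one sent.
        include fastcgi_params;

        # Fixed path: fcgiwrap executes this file for every request.
        fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;   # assumed path

        # Setting to avoid, where the request URI selects the executable:
        # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # cgit reads the repository and page from PATH_INFO and QUERY_STRING.
        fastcgi_param PATH_INFO    $uri;
        fastcgi_param QUERY_STRING $args;

        # Unix socket on which fcgiwrap listens, running as the cgit user.
        fastcgi_pass unix:/run/fcgiwrap.sock;                   # assumed path
    }
}
```

This fixes the value for requests arriving over HTTP. Any local process that can connect to the fcgiwrap socket can still send its own SCRIPT_FILENAME, so the socket's owner and mode should admit only the nginx user.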