List for cgit developers and users
* FastCGI integration for cgit?
@ 2013-04-13  8:51 lekensteyn
  2013-04-13  9:34 ` john
  2013-04-15 14:32 ` Jason
  0 siblings, 2 replies; 4+ messages in thread
From: lekensteyn @ 2013-04-13  8:51 UTC (permalink / raw)


Hi all,

I am investigating the options for deploying cgit+gitolite. As I am running 
nginx, I have to use fastcgi or something similar.

Some resources that I found during a search:

- http://russellhaering.com/2009/12/22/running-cgit-under-nginx/
- https://gist.github.com/stran12/1394757
- http://polemon.org/cgit_nginx
- http://blog.zx2c4.com/293

Their instructions, however, do suggest the use of nginx + spawn-cgi + fcgiwrap 
+ cgit. I have some issues with it:

- Even if nginx and cgit run as different users, nginx can still run arbitrary 
commands under the rights of cgit (via SCRIPT_FILENAME).
- If the only goal of fcgiwrap is to run cgit, why fcgiwrap at all and not 
integrate it into cgit?

So I was wondering if somebody has already considered integrating fastcgi into 
cgit or other experiences with a nginx+(fastcgi+)cgit setup? I do not expect 
much traffic, but still want to have a secure (isolated) setup with predictable 
resource use.

Regards,
Peter





* FastCGI integration for cgit?
  2013-04-13  8:51 FastCGI integration for cgit? lekensteyn
@ 2013-04-13  9:34 ` john
  2013-04-15 14:32 ` Jason
  1 sibling, 0 replies; 4+ messages in thread
From: john @ 2013-04-13  9:34 UTC (permalink / raw)


On Sat, Apr 13, 2013 at 01:51:03AM -0700, Peter Wu wrote:
> I am investigating the options for deploying cgit+gitolite. As I am
> running nginx, I have to use fastcgi or something similar.
> 
> Some resources that I found during a search:
> 
> - http://russellhaering.com/2009/12/22/running-cgit-under-nginx/
> - https://gist.github.com/stran12/1394757
> - http://polemon.org/cgit_nginx
> - http://blog.zx2c4.com/293
> 
> Their instructions, however, do suggest the use of nginx + spawn-cgi +
> fcgiwrap + cgit. I have some issues with it:
> 
> - Even if nginx and cgit run as different users, nginx can still run
> arbitrary commands under the rights of cgit (via SCRIPT_FILENAME).
> - If the only goal of fcgiwrap is to run cgit, why fcgiwrap at all and
> not integrate it into cgit?
> 
> So I was wondering if somebody has already considered integrating
> fastcgi into cgit or other experiences with a nginx+(fastcgi+)cgit
> setup? I do not expect much traffic, but still want to have a secure
> (isolated) setup with predictable resource use.

The problem with implementing FastCGI in CGit is that CGit currently
relies on the OS cleaning up resources when the process exits.  So if we
use the same process for multiple requests it will just keep growing (in
terms of memory use).

There has recently been some progress on improving the CGit side of
this, but Git also takes this approach for repository objects.

In addition to that, Git isn't designed for a process to work on more
than one repository, so it would be difficult to make CGit handle
multiple repositories in a single process correctly.

Given all of that, any implementation of FastCGI in CGit is going to
look more or less the same as fcgiwrap, so I don't see any reason not to
just use that.

AFAICT, SCRIPT_FILENAME should be managed for you by the webserver and
if you are using nginx then it can't actually be used to run arbitrary
commands [1].  But I've never used it so perhaps someone with experience
of using CGit with nginx would like to comment here.

[1] http://nginx.localdomain.pl/wiki/FcgiWrap





* FastCGI integration for cgit?
  2013-04-13  8:51 FastCGI integration for cgit? lekensteyn
  2013-04-13  9:34 ` john
@ 2013-04-15 14:32 ` Jason
  2013-04-15 14:44   ` fcgiwrap+nginx configuration (was: Re: FastCGI integration for cgit?) lekensteyn
  1 sibling, 1 reply; 4+ messages in thread
From: Jason @ 2013-04-15 14:32 UTC (permalink / raw)


On Sat, Apr 13, 2013 at 10:51 AM, Peter Wu <lekensteyn at gmail.com> wrote:
> So I was wondering if somebody has already considered integrating fastcgi into
> cgit

This is planned for future versions once we take care of some memory
management issues. For now, fcgiwrap is sufficient.





* fcgiwrap+nginx configuration (was: Re: FastCGI integration for cgit?)
  2013-04-15 14:32 ` Jason
@ 2013-04-15 14:44   ` lekensteyn
  0 siblings, 0 replies; 4+ messages in thread
From: lekensteyn @ 2013-04-15 14:44 UTC (permalink / raw)


On Monday 15 April 2013 16:32:42 Jason A. Donenfeld wrote:
> On Sat, Apr 13, 2013 at 10:51 AM, Peter Wu <lekensteyn at gmail.com> wrote:
> > So I was wondering if somebody has already considered integrating fastcgi
> > into cgit
> 
> This is planned for future versions once we take care of some memory
> management issues. For now, fcgiwrap is sufficient.

fcgiwrap works indeed; a different patch[1] got merged that allows multiple
commands to be specified. In order to enable smart HTTP for git and cgit, I use
the following command to start fcgiwrap:

    fcgiwrap -p /opt/cgit/cgit.cgi -p /usr/lib/git-core/git-http-backend

My nginx server configuration with caching enabled is below; hopefully it
will be of help to someone:

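# based on http-backend.c from git v1.8.2.1, service_cmd
# the objects/ alternatives are grouped so that info/packs, loose objects and
# pack files are all matched under objects/
location ~ "^/[^/]+/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/((http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx)))$" {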
    fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/fcgi-cgit.sock;
}

fastcgi_cache cgit;
fastcgi_cache_key "$request_method$request_uri";

# requests which do not change very often
location ~ ^/[^/]+/(commit|patch|diff|snapshot|tag|stats|about) {
    fastcgi_cache_valid 1h;
    fastcgi_param SCRIPT_FILENAME /opt/cgit/cgit.cgi;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/fcgiwrap-cgit.sock;
}

try_files $uri @cgit;

location @cgit {
    fastcgi_cache_valid 5m;
    fastcgi_param SCRIPT_FILENAME /opt/cgit/cgit.cgi;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/fcgiwrap-cgit.sock;
}

 [1]: https://github.com/gnosek/fcgiwrap/commit/1b44aba5
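
Added example, not part of the thread and not code from cgit, fcgiwrap or nginx: a Python model of the routing in the configuration above, checking that every request path yields one of the two fixed SCRIPT_FILENAME values and that these are exactly the programs given to fcgiwrap with -p. The location pattern is grouped the way git's http-backend.c lists its services; the function names, the sample paths and the allowlist model of -p are assumptions made for illustration.

```python
import re

# Constructed model of the nginx locations above. The pattern is transcribed
# for Python's re module; try_files and nginx URI normalisation are not modelled.
GIT_HTTP = re.compile(
    r"^/[^/]+/(git-(receive|upload)-pack|HEAD|info/refs"
    r"|objects/(info/((http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}"
    r"|pack/pack-[0-9a-f]{40}\.(pack|idx)))$")

BACKEND = "/usr/lib/git-core/git-http-backend"
CGIT = "/opt/cgit/cgit.cgi"
# The two programs passed to fcgiwrap with -p in the message above.
ALLOWED = {CGIT, BACKEND}

def route(uri):
    """Return the SCRIPT_FILENAME the configuration sets for a request path."""
    if GIT_HTTP.search(uri):
        return BACKEND
    return CGIT  # both cgit locations send the same fixed script

def fcgiwrap_accepts(script_filename):
    """Assumed model of -p: only programs listed at startup may be executed."""
    return script_filename in ALLOWED

def audit(uris):
    """Map each path to (script, accepted) so an unexpected route stands out."""
    return {u: (route(u), fcgiwrap_accepts(route(u))) for u in uris}

# Constructed request paths: http-backend services plus malformed input.
H40 = "0123456789abcdef" * 2 + "01234567"
SAMPLES = [
    "/repo.git/info/refs", "/repo.git/git-upload-pack", "/repo.git/HEAD",
    "/repo.git/objects/info/packs", "/repo.git/objects/ab/" + H40[2:],
    "/repo.git/objects/pack/pack-" + H40 + ".idx",
    "/repo.git/commit/", "/repo.git/objects/packs",
    "/repo.git/../../bin/sh", "/repo.git/info/refs/../../../etc/passwd",
]

if __name__ == "__main__":
    for uri, (script, ok) in audit(SAMPLES).items():
        print(f"{uri:45} -> {script} accepted={ok}")
```

Because SCRIPT_FILENAME is a constant in every location, the request path only selects between the two listed programs; the -p list is what still holds if the web server side were to send a different value.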



