[arch-general] community/NUT access cgi in /usr/share/nut/cgi without FollowSymLinks?
All / Maxime, With the nut build option setting: --with-cgipath=/usr/share/nut/cgi \ when using apache with the default /srv/http/cgi-bin location, how are you supposed to access the cgi files in /usr/share/nut/cgi "Safely"? I have the entire /usr/share/nut/html directory protected by a dbm database file manipulated with dbmmanage, so to reach the <Directory> you must authenticate. That said, the only way I can make the cgi scripts work is by setting Options FollowSymLinks in the <Directory> for "/srv/http/cgi-bin" after symlinking (e.g. ln -s /usr/share/nut/cgi /srv/http/cgi-bin/nut) Is this safe? Is this intended way to provide access to the cgi scripts? -- David C. Rankin, J.D.,P.E.
June 3, 2020 8:24 AM, "David C. Rankin" <drankinatty@suddenlinkmail.com
wrote:
All / Maxime,
With the nut build option setting:
--with-cgipath=/usr/share/nut/cgi \
when using apache with the default /srv/http/cgi-bin location, how are you supposed to access the cgi files in /usr/share/nut/cgi "Safely"?
I have the entire /usr/share/nut/html directory protected by a dbm database file manipulated with dbmmanage, so to reach the <Directory> you must authenticate. That said, the only way I can make the cgi scripts work is by setting Options FollowSymLinks in the <Directory> for "/srv/http/cgi- bin" after symlinking (e.g. ln -s /usr/share/nut/cgi /srv/http/cgi- bin/nut)
Is this safe? Is this intended way to provide access to the cgi scripts?
-- David C. Rankin, J.D.,P.E.
Hi David, I haven't used apache in years so please take this with a grain of salt. On nginx I'm using the alias directive, restricting access to the upsset.cgi to my local network [0], as suggested by the nut documentation in /etc/upsset.conf. It seems apache has a similar alias directive so you may be able to achieve the same without using any symlink [1]. [0] https://paste.xinu.at/BNUJFeuBycXUw8fB/ [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias Cheers, -- Maxime
On 06/05/2020 04:04 AM, Maxime Gauduin via arch-general wrote:
Hi David,
I haven't used apache in years so please take this with a grain of salt. On nginx I'm using the alias directive, restricting access to the upsset.cgi to my local network [0], as suggested by the nut documentation in /etc/upsset.conf. It seems apache has a similar alias directive so you may be able to achieve the same without using any symlink [1].
[0] https://paste.xinu.at/BNUJFeuBycXUw8fB/ [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias
Cheers,
Thanks for the reply, I already use the alias for the html directory, but the problem is with the cgi scripts since the default cgi-bin directory is /srv/http/cgi-bin, you cannot declare a second alias for cgi-bin to /usr/share/nut/cgi -- apache will fail to start due to conflicting aliases. Currently I have: ## nut directory Alias /nut/ "/usr/share/nut/html/" Alias /nut "/usr/share/nut/html/" <Directory "/usr/share/nut/html"> ... <Directory "/usr/share/nut/cgi"> Options +ExecCGI </Directory> The problem is that the link in the nut files is hardwired to, e.g.: http://yourdomain.tld/cgi-bin/nut/upsstats.cgi so it looks for the cgi-bin directory off of the document root not under /usr/share/nut/cgi and you can't alias to /cgi-bin/nut to /usr/share/nut/cgi because /cgi-bin/nut will never match due to the default alias of /cgi-bin. So it looks like the way I have it will have to work, otherwise we have to hack the urls in the nut/html files to look for the cgi scripts in /usr/share/nut/cgi instead of under /cgi-bin/nut -- David C. Rankin, J.D.,P.E.
Hello David, On 6 Jun 2020 10:33 a.m., "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote: On 06/05/2020 04:04 AM, Maxime Gauduin via arch-general wrote:
Hi David,
I haven't used apache in years so please take this with a grain of salt. On nginx I'm using the alias directive, restricting access to the upsset.cgi to my local network [0], as suggested by the nut documentation in /etc/upsset.conf. It seems apache has a similar alias
directive so you may be able to achieve the same without using any symlink [1].
[0] https://paste.xinu.at/BNUJFeuBycXUw8fB/ [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias
Cheers,
Thanks for the reply, I already use the alias for the html directory, but the problem is with the cgi scripts since the default cgi-bin directory is /srv/http/cgi-bin, you cannot declare a second alias for cgi-bin to /usr/share/nut/cgi -- apache will fail to start due to conflicting aliases. That would work with location statements in nginx. You can use more than one per path and the best fitting one will be used. Perhaps you could switch over to nginx and/or reverse proxy to your Apache if you need it for some paths? Currently I have: ## nut directory Alias /nut/ "/usr/share/nut/html/" Alias /nut "/usr/share/nut/html/" <Directory "/usr/share/nut/html"> ... <Directory "/usr/share/nut/cgi"> Options +ExecCGI </Directory> The problem is that the link in the nut files is hardwired to, e.g.: http://yourdomain.tld/cgi-bin/nut/upsstats.cgi so it looks for the cgi-bin directory off of the document root not under /usr/share/nut/cgi and you can't alias to /cgi-bin/nut to /usr/share/nut/cgi because /cgi-bin/nut will never match due to the default alias of /cgi-bin. So it looks like the way I have it will have to work, otherwise we have to hack the urls in the nut/html files to look for the cgi scripts in /usr/share/nut/cgi instead of under /cgi-bin/nut -- David C. Rankin, J.D.,P.E. Best wishes, NTS
participants (3)
-
David C. Rankin
-
Maxime Gauduin
-
NTS