Re: [arch-general] community/NUT access cgi in /usr/share/nut/cgi without FollowSymLinks?
Hello David, On 6 Jun 2020 10:33 a.m., "David C. Rankin" wrote: On 06/05/2020 04:04 AM, Maxime Gauduin via arch-general wrote: > > Hi David, > > I haven't used apache in years so please take this with a grain of > salt. On nginx I'm using the alias directive, restricting access to > the upsset.cgi to my local network [0], as suggested by the nut > documentation in /etc/upsset.conf. It seems apache has a similar alias directive so you may be able to achieve the same without using any symlink [1]. > > [0] https://paste.xinu.at/BNUJFeuBycXUw8fB/ > [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias > > Cheers, > Thanks for the reply, I already use the alias for the html directory, but the problem is with the cgi scripts since the default cgi-bin directory is /srv/http/cgi-bin, you cannot declare a second alias for cgi-bin to /usr/share/nut/cgi -- apache will fail to start due to conflicting aliases. That would work with location statements in nginx. You can use more than one per path and the best fitting one will be used. Perhaps you could switch over to nginx and/or reverse proxy to your Apache if you need it for some paths? Currently I have: ## nut directory Alias /nut/ "/usr/share/nut/html/" Alias /nut "/usr/share/nut/html/" ... Options +ExecCGI The problem is that the link in the nut files is hardwired to, e.g.: http://yourdomain.tld/cgi-bin/nut/upsstats.cgi so it looks for the cgi-bin directory off of the document root not under /usr/share/nut/cgi and you can't alias to /cgi-bin/nut to /usr/share/nut/cgi because /cgi-bin/nut will never match due to the default alias of /cgi-bin. So it looks like the way I have it will have to work, otherwise we have to hack the urls in the nut/html files to look for the cgi scripts in /usr/share/nut/cgi instead of under /cgi-bin/nut -- David C. Rankin, J.D.,P.E. Best wishes, NTS
Re: [arch-general] community/NUT access cgi in /usr/share/nut/cgi without FollowSymLinks?
On 06/05/2020 04:04 AM, Maxime Gauduin via arch-general wrote: > > Hi David, > > I haven't used apache in years so please take this with a grain of > salt. On nginx I'm using the alias directive, restricting access to > the upsset.cgi to my local network [0], as suggested by the nut > documentation in /etc/upsset.conf. It seems apache has a similar alias > directive so you may be able to achieve the same without using any symlink > [1]. > > [0] https://paste.xinu.at/BNUJFeuBycXUw8fB/ > [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias > > Cheers, > Thanks for the reply, I already use the alias for the html directory, but the problem is with the cgi scripts since the default cgi-bin directory is /srv/http/cgi-bin, you cannot declare a second alias for cgi-bin to /usr/share/nut/cgi -- apache will fail to start due to conflicting aliases. Currently I have: ## nut directory Alias /nut/ "/usr/share/nut/html/" Alias /nut "/usr/share/nut/html/" ... Options +ExecCGI The problem is that the link in the nut files is hardwired to, e.g.: http://yourdomain.tld/cgi-bin/nut/upsstats.cgi so it looks for the cgi-bin directory off of the document root not under /usr/share/nut/cgi and you can't alias to /cgi-bin/nut to /usr/share/nut/cgi because /cgi-bin/nut will never match due to the default alias of /cgi-bin. So it looks like the way I have it will have to work, otherwise we have to hack the urls in the nut/html files to look for the cgi scripts in /usr/share/nut/cgi instead of under /cgi-bin/nut -- David C. Rankin, J.D.,P.E.
Re: [arch-general] community/NUT access cgi in /usr/share/nut/cgi without FollowSymLinks?
June 3, 2020 8:24 AM, "David C. Rankin" wrote: > All / Maxime, > > With the nut build option setting: > > --with-cgipath=/usr/share/nut/cgi \ > > when using apache with the default /srv/http/cgi-bin location, how > are you > supposed to access the cgi files in /usr/share/nut/cgi "Safely"? > > I have the entire /usr/share/nut/html directory protected by a dbm > database > file manipulated with dbmmanage, so to reach the you must > authenticate. That said, the only way I can make the cgi scripts work > is by > setting Options FollowSymLinks in the for "/srv/http/cgi- > bin" > after symlinking (e.g. ln -s /usr/share/nut/cgi /srv/http/cgi- > bin/nut) > > Is this safe? Is this intended way to provide access to the cgi > scripts? > > -- > David C. Rankin, J.D.,P.E. Hi David, I haven't used apache in years so please take this with a grain of salt. On nginx I'm using the alias directive, restricting access to the upsset.cgi to my local network [0], as suggested by the nut documentation in /etc/upsset.conf. It seems apache has a similar alias directive so you may be able to achieve the same without using any symlink [1]. [0] https://paste.xinu.at/BNUJFeuBycXUw8fB/ [1] https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias Cheers, -- Maxime
