Re: [rt-users] perlbrew/cpanm installation on centos 6
On Sat, Jun 9, 2012 at 8:26 AM, Natxo Asenjo wrote:

> On Sat, Jun 9, 2012 at 8:17 AM, Natxo Asenjo wrote:
>
>> With FastCgiIpcDir *and* the dir with permissions 777, it works blocking
>> some images:
>>
>> [Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
>> [Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
>>
>> If the FastCgiIpcDir has perms 770 for apache:apache, it does not work.
>
> by the way, the permissions for those images are:
>
> ls -l /opt/rt4/share/html/NoAuth/images/
> total 40
> -rw-r--r--. 1 root bin  334 Jun 8 21:11 autohandler
> -rw-r--r--. 1 root bin 3929 Jun 8 21:11 bpslogo.png
> drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 css
> -rw-r--r--. 1 root bin  914 Jun 8 21:11 empty_star.gif
> drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 farbtastic
> -rw-r--r--. 1 root bin  335 Jun 8 21:11 favicon.png
> drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 jquery_ui
> -rw-r--r--. 1 root bin  161 Jun 8 21:11 star.gif
> drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 tablesorter
> -rw-r--r--. 1 root bin   81 Jun 8 21:11 test.png
>
> So they are world readable and still being blocked. Perhaps they should be
> owned by apache?

found it:
http://requesttracker.wikia.com/wiki/ApacheConfig#How_to_avoid_processing_images_like_dynamic_content

--
natxo
Re: [rt-users] perlbrew/cpanm installation on centos 6
On Sat, Jun 9, 2012 at 8:17 AM, Natxo Asenjo wrote:

> With FastCgiIpcDir *and* the dir with permissions 777, it works blocking
> some images:
>
> [Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
> [Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
>
> If the FastCgiIpcDir has perms 770 for apache:apache, it does not work.

by the way, the permissions for those images are:

ls -l /opt/rt4/share/html/NoAuth/images/
total 40
-rw-r--r--. 1 root bin  334 Jun 8 21:11 autohandler
-rw-r--r--. 1 root bin 3929 Jun 8 21:11 bpslogo.png
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 css
-rw-r--r--. 1 root bin  914 Jun 8 21:11 empty_star.gif
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 farbtastic
-rw-r--r--. 1 root bin  335 Jun 8 21:11 favicon.png
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 jquery_ui
-rw-r--r--. 1 root bin  161 Jun 8 21:11 star.gif
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 tablesorter
-rw-r--r--. 1 root bin   81 Jun 8 21:11 test.png

So they are world readable and still being blocked. Perhaps they should be owned by apache?
Re: [rt-users] perlbrew/cpanm installation on centos 6
On Sat, Jun 9, 2012 at 12:57 AM, Kevin Falcone wrote:

> On Fri, Jun 08, 2012 at 10:07:16PM +0200, Natxo Asenjo wrote:
> > On Fri, Jun 8, 2012 at 5:34 PM, Thomas Sibley wrote:
> >
> > My rt.conf apache virtual host config:
> >
> > FastCgiServer /opt/rt4/sbin/rt-server -processes 5 -idle-timeout 300
> >
> > ServerName rt.domain.tld
> > ### Optional apache logs for RT
> > # Ensure that your log rotation scripts know about these files
> > ErrorLog /opt/rt4/var/log/apache2.error
> > TransferLog /opt/rt4/var/log/apache2.access
> > LogLevel debug
> >
> > AddDefaultCharset UTF-8
> >
> > Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
> > ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
> >
> > DocumentRoot "/opt/rt4/share/html"
> >
> > Order allow,deny
> > Allow from all
> >
> > Options +ExecCGI
> > AddHandler fastcgi-script fcgi
> >
>
> Your FastCgiServer line looks different from the one in
> docs/web_deployment.pod.

you are right, I had been trying stuff and forgotten to set it back:

FastCgiIpcDir /var/www/html/fastcgi-rt/
FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300
SetHandler fastcgi-script
ServerName rt.ipa.asenjo.nx
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug
AddDefaultCharset UTF-8
Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler fastcgi-script fcgi

If I do not set the FastCgiIpcDir directive it does not work at all.

Without FastCgiIpcDir:

/opt/rt4/var/log/apache2.error:
[Sat Jun 09 08:12:34 2012] [error] [client 192.168.0.160] (13)Permission denied: FastCGI: failed to connect to server "/opt/rt4/sbin/rt-server.fcgi": connect() failed
[Sat Jun 09 08:12:34 2012] [error] [client 192.168.0.160] FastCGI: incomplete headers (0 bytes) received from server "/opt/rt4/sbin/rt-server.fcgi"

/var/log/httpd/error.log
[Sat Jun 09 08:13:29 2012] [crit] (13)Permission denied: FastCGI: can't create server "/opt/rt4/sbin/rt-server.fcgi": bind() failed [/etc/httpd/logs/fastcgi/f758b05f8779532382e3166ad1890013]
[Sat Jun 09 08:13:30 2012] [crit] (13)Permission denied: FastCGI: can't create server "/opt/rt4/sbin/rt-server.fcgi": bind() failed [/etc/httpd/logs/fastcgi/f758b05f8779532382e3166ad1890013]

With FastCgiIpcDir *and* the dir with permissions 777, it works blocking some images:

[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/

If the FastCgiIpcDir has perms 770 for apache:apache, it does not work.

Is this normal behaviour?

Thanks for your help.

--
natxo

> -kevin
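The three mod_fastcgi failures quoted in this message each point at a different permission, and the triage below sorts them; it is an added example, not part of the original thread. The sample lines are copied from the messages above, while the function name, category names and hint wording are assumptions of the example.

```python
import re

# (kind, pattern, hint) for the three mod_fastcgi failures seen in this thread.
RULES = [
    ("ipc_dir_not_writable",
     re.compile(r"can't create server \"(?P<app>[^\"]+)\": bind\(\) failed \[(?P<sock>[^\]]+)\]"),
     "bind() on a Unix socket needs write and search permission on the "
     "directory that holds the bracketed socket path"),
    ("socket_not_reachable",
     re.compile(r"failed to connect to (?:\(dynamic\) )?server \"(?P<app>[^\"]+)\""),
     "connect() needs search permission on every parent directory of the "
     "socket and write permission on the socket itself"),
    ("static_file_as_fastcgi",
     re.compile(r"invalid \(dynamic\) server \"(?P<app>[^\"]+)\": .*execute not allowed"),
     "a non-executable file reached the fastcgi-script handler: exclude "
     "static paths from that handler rather than loosening file modes"),
]

def triage(lines):
    """Return (kind, path, hint) for each recognised FastCGI permission error."""
    findings = []
    for line in lines:
        # "incomplete headers" is a follow-on symptom, so it is skipped here.
        if "Permission denied" not in line and "not allowed" not in line:
            continue
        for kind, pattern, hint in RULES:
            m = pattern.search(line)
            if m:
                # Prefer the socket path when the message carries one.
                path = m.groupdict().get("sock") or m.group("app")
                findings.append((kind, path, hint))
                break
    return findings

# Sample input: error lines copied from this thread.
SAMPLE = '''\
[Sat Jun 09 08:12:34 2012] [error] [client 192.168.0.160] (13)Permission denied: FastCGI: failed to connect to server "/opt/rt4/sbin/rt-server.fcgi": connect() failed
[Sat Jun 09 08:12:34 2012] [error] [client 192.168.0.160] FastCGI: incomplete headers (0 bytes) received from server "/opt/rt4/sbin/rt-server.fcgi"
[Sat Jun 09 08:13:29 2012] [crit] (13)Permission denied: FastCGI: can't create server "/opt/rt4/sbin/rt-server.fcgi": bind() failed [/etc/httpd/logs/fastcgi/f758b05f8779532382e3166ad1890013]
[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid -1, gid -1) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
'''.splitlines()

if __name__ == "__main__":
    for kind, path, hint in triage(SAMPLE):
        print(f"{kind}: {path}\n    {hint}")
```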
Re: [rt-users] perlbrew/cpanm installation on centos 6
On Fri, Jun 08, 2012 at 10:07:16PM +0200, Natxo Asenjo wrote:

> On Fri, Jun 8, 2012 at 5:34 PM, Thomas Sibley wrote:
>
> My rt.conf apache virtual host config:
>
> FastCgiServer /opt/rt4/sbin/rt-server -processes 5 -idle-timeout 300
>
> ServerName rt.domain.tld
> ### Optional apache logs for RT
> # Ensure that your log rotation scripts know about these files
> ErrorLog /opt/rt4/var/log/apache2.error
> TransferLog /opt/rt4/var/log/apache2.access
> LogLevel debug
>
> AddDefaultCharset UTF-8
>
> Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
> ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
>
> DocumentRoot "/opt/rt4/share/html"
>
> Order allow,deny
> Allow from all
>
> Options +ExecCGI
> AddHandler fastcgi-script fcgi

Your FastCgiServer line looks different from the one in docs/web_deployment.pod.

-kevin
Re: [rt-users] perlbrew/cpanm installation on centos 6
On Fri, Jun 8, 2012 at 10:07 PM, Natxo Asenjo wrote:

> Fri Jun 08 21:58:29 2012] [alert] [client 192.168.0.21] (13)Permission denied: FastCGI: failed to connect to (dynamic) server "/opt/rt4/sbin/rt-server.fcgi": something is seriously wrong, any chance the socket/named_pipe directory was removed?, see the FastCgiIpcDir directive
> [Fri Jun 08 21:58:29 2012] [error] [client 192.168.0.21] FastCGI: incomplete headers (0 bytes) received from server "/opt/rt4/sbin/rt-server.fcgi"

If I define the FastCgiDir directive and chmod -R 777 that directory, then it works:

FastCgiIpcDir /var/www/html/fastcgi-rt/

If this directory is apache:apache 770, it doesn't work.

It blocks the best practical logo too:

[Fri Jun 08 22:33:14 2012] [error] [client 192.168.0.160] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/jquery_ui/ui-bg_flat_75_ff_40x100.png": access for server (uid 48, gid 48) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/
[Fri Jun 08 22:34:34 2012] [error] [client 192.168.0.21] FastCGI: invalid (dynamic) server "/opt/rt4/share/html/NoAuth/images/bpslogo.png": access for server (uid 48, gid 48) not allowed: execute not allowed, referer: http://rt.ipa.asenjo.nx/

Quite weird.

--
natxo
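One way to inspect the permission chain behind the 777-versus-770 observation above, added here as an example and not part of the original thread: from mode bits alone it reports whether a given uid/gid can traverse every parent of the socket directory and write to it, and it flags a world-writable directory that lacks the sticky bit. The function names and the `top` parameter are hypothetical; uid/gid 48 comes from the log lines above, and root privileges, ACLs and SELinux are not modelled.

```python
import os
import stat

def granted(st, uid, gids, bit):
    """Check one rwx bit (4, 2 or 1) with the classic owner/group/other rule."""
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return bool((st.st_mode >> shift) & bit)

def audit_ipc_dir(path, uid, gids, top="/"):
    """Return (directory, problem) pairs for the chain top -> path."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    chain = [path]
    while chain[-1] != top and os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    findings = []
    for d in reversed(chain):
        # Reaching a socket requires search (x) on every directory above it.
        if not granted(os.stat(d), uid, gids, 1):
            findings.append((d, "web user cannot traverse"))
    st = os.stat(path)
    if not granted(st, uid, gids, 2):
        findings.append((path, "web user cannot create sockets here"))
    # Without the sticky bit, any local user can remove or replace entries.
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        findings.append((path, "world-writable without sticky bit"))
    return findings

if __name__ == "__main__":
    import tempfile
    demo = tempfile.mkdtemp()   # constructed stand-in for the FastCgiIpcDir
    os.chmod(demo, 0o777)       # the mode the thread reports as working
    # uid/gid 48 as shown in the thread's log lines
    print(audit_ipc_dir(demo, 48, {48}, top=demo))
```

On a real host, call `audit_ipc_dir` with the configured FastCgiIpcDir and the web server's uid and group set, leaving `top` at its default so the whole chain from `/` is checked.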
Re: [rt-users] perlbrew/cpanm installation on centos 6
On Fri, Jun 8, 2012 at 5:34 PM, Thomas Sibley wrote:

> On 06/08/2012 10:20 AM, Natxo Asenjo wrote:
> > If I try mod_fastcgi with the configuration on the web_deployment.pod I
> > get errors (selinux is disabled):
> >
> > (13)Permission denied: FastCGI: failed to connect to server
> > "/opt/rt4/sbin/rt-server.fcgi":
>
> So, did you try to fix the permissions? I suspect it's as simple as the
> user apache is running as can't read/execute rt-server.fcgi and the
> whole directory tree above it. You may need to change the group on files.
>
> To do that easily, re-run ./configure from the source tarball with the
> appropriate --with-web-user and/or --with-web-group options and then run
> make install again. You can find your original configure options at the
> top of /opt/rt4/etc/RT_Config.pm.

these are the permissions in /opt/rt4/sbin:

ls -l /opt/rt4/sbin/
total 216
-rwxr-xr-x. 1 root apache  3690 Jun 8 21:11 rt-attributes-viewer
-rwxr-xr-x. 1 root apache  5511 Jun 8 21:11 rt-clean-sessions
-rwxr-xr-x. 1 root apache  7816 Jun 8 21:11 rt-dump-metadata
-rwxr-xr-x. 1 root apache  4966 Jun 8 21:11 rt-email-dashboards
-rwxr-xr-x. 1 root apache 11886 Jun 8 21:11 rt-email-digest
-rwxr-xr-x. 1 root apache 13054 Jun 8 21:11 rt-email-group-admin
-rwxr-xr-x. 1 root apache 11797 Jun 8 21:11 rt-fulltext-indexer
-rwxr-xr-x. 1 root apache  4664 Jun 8 21:11 rt-preferences-viewer
-rwxr-xr-x. 1 root apache  8032 Jun 8 21:11 rt-server
-rwxr-xr-x. 1 root apache  8032 Jun 8 21:11 rt-server.fcgi
-rwxr-xr-x. 1 root apache  3684 Jun 8 21:11 rt-session-viewer
-rwxr-xr-x. 1 root apache 17612 Jun 8 21:11 rt-setup-database
-rwxr-xr-x. 1 root apache 20761 Jun 8 21:11 rt-setup-fulltext-index
-rwxr-xr-x. 1 root apache  8439 Jun 8 21:11 rt-shredder
-rwxr-xr-x. 1 root apache 15790 Jun 8 21:11 rt-test-dependencies
-rwxr-xr-x. 1 root apache 38439 Jun 8 21:11 rt-validator
-rwxr-xr-x. 1 root apache  8032 Jun 8 21:11 standalone_httpd

This is my ./configure incantation:

# $ ./configure --with-db-type=Pg --with-db-host=host.domain.tld --with-db-rt-pass=password --with-web-user=apache --with-web-group=apache --with-apachectl=/usr/sbin/apachectl --with-web-handler=fastcgi

My rt.conf apache virtual host config:

FastCgiServer /opt/rt4/sbin/rt-server -processes 5 -idle-timeout 300
ServerName rt.domain.tld
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug
AddDefaultCharset UTF-8
Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler fastcgi-script fcgi

In the apache error log I get plenty of these:

Fri Jun 08 22:01:02 2012] [crit] (13)Permission denied: FastCGI: can't create server "/opt/rt4/sbin/rt-server": bind() failed [/etc/httpd/logs/fastcgi/5ca4b3adecea1bd2fa8ffd8f7584ca93]
[Fri Jun 08 22:01:03 2012] [crit] (13)Permission denied: FastCGI: can't create server "/opt/rt4/sbin/rt-server": bind() failed [/etc/httpd/logs/fastcgi/5ca4b3adecea1bd2fa8ffd8f7584ca93]

in the /opt/rt4/var/log/apache2.error

Fri Jun 08 21:58:29 2012] [alert] [client 192.168.0.21] (13)Permission denied: FastCGI: failed to connect to (dynamic) server "/opt/rt4/sbin/rt-server.fcgi": something is seriously wrong, any chance the socket/named_pipe directory was removed?, see the FastCgiIpcDir directive
[Fri Jun 08 21:58:29 2012] [error] [client 192.168.0.21] FastCGI: incomplete headers (0 bytes) received from server "/opt/rt4/sbin/rt-server.fcgi"

I am afraid my fastcgi fu is close to zero. Learning as I go. If anyone can shed light on this, that would be great.

TIA.

--
groet,
natxo
Re: [rt-users] perlbrew/cpanm installation on centos 6
On 06/08/2012 10:20 AM, Natxo Asenjo wrote:

> In a test environment I have installed rt 4.0.6 with a local Perl
> (5.14.2) from perlbrew. Installing the dependencies with cpanm was a
> breeze, I must say, impressive.

Yep, I wish more folks used this setup. It's never resulted in dependency hell for me.

> If I try mod_fastcgi with the configuration on the web_deployment.pod I
> get errors (selinux is disabled):
>
> (13)Permission denied: FastCGI: failed to connect to server
> "/opt/rt4/sbin/rt-server.fcgi":

So, did you try to fix the permissions? I suspect it's as simple as the user apache is running as can't read/execute rt-server.fcgi and the whole directory tree above it. You may need to change the group on files.

To do that easily, re-run ./configure from the source tarball with the appropriate --with-web-user and/or --with-web-group options and then run make install again. You can find your original configure options at the top of /opt/rt4/etc/RT_Config.pm.

SELinux makes things slightly harder and more frustrating, though still possible of course, but it's disabled, so you don't have to worry about that.

> The mod_proxy way looks promising, but is it a correct way? Is anyone
> else running rt from a non system Perl and apache2 in rhel/centos?

Reverse proxying is certainly an option, but apache + fastcgi is a very very common setup that works solidly.

Thomas