From: Alex Ivanov <gnidorah@ya.ru>
To: Jacob Keller <jacob.keller@gmail.com>
Cc: Git mailing list <git@vger.kernel.org>
Subject: Re: Socket activation for GitWeb FastCGI with systemd?
Date: Wed, 04 Apr 2018 19:36:08 +0300	[thread overview]
Message-ID: <2030761522859768@web13j.yandex.ru> (raw)
In-Reply-To: <CA+P7+xoaOt4KwTOQSfwiyB1CQ317kbCZ2u26RoPA02Z4WYr9EA@mail.gmail.com>



03.04.2018, 23:04, "Jacob Keller" <jacob.keller@gmail.com>:
> On Tue, Apr 3, 2018 at 11:53 AM, Alex Ivanov <gnidorah@ya.ru> wrote:
>>  Hi.
>>  I want to use systemd as fastcgi spawner for gitweb + nginx.
>>  The traffic is low and number of users is limited + traversal bots. For that reason I've decided to use following minimal services
>>
>>  gitweb.socket
>>  [Unit]
>>  Description=GitWeb Socket
>>
>>  [Socket]
>>  ListenStream=/run/gitweb.sock
>>  Accept=false
>>
>>  [Install]
>>  WantedBy=sockets.target
>>
>>  gitweb.service
>>  [Unit]
>>  Description=GitWeb Service
>>
>>  [Service]
>>  Type=simple
>>  ExecStart=/path/to/gitweb.cgi --fcgi
>>  StandardInput=socket
>>
>>  However this scheme is not resistant to simple DDoS.
>>  E.g. traversal bots often kill the service by opening a non-existing path (e.g. http://host/?p=repo;a=blob;f=nonexisting/path;hb=HEAD showing in browser 404 - Cannot find file) many times consecutively, which leads to
>>  Apr 03 21:32:10 host systemd[1]: gitweb.service: Start request repeated too quickly.
>>  Apr 03 21:32:10 host systemd[1]: gitweb.service: Failed with result 'start-limit-hit'.
>>  Apr 03 21:32:10 host systemd[1]: Failed to start GitWeb service.
>>  and 502 Bad Gateway in browser. I believe the reason is that gitweb.service dies on failure and if it happens too often, systemd declines to restart the service due to start limit hit.
>>  So my question is how to correct systemd services for GitWeb to be resistant to such issue? I prefer to use single process to process all clients.
>>  Thanks.
>
> This sounds like a systemd specific question that might get a better
> answer from the systemd mailing list.

Thanks, I will try that too.

>
> That being said, I believe if in this case gitweb is dying due to the
> path not existing? You might be able to configure systemd to
> understand that the particular exit code for when the path doesn't
> exist is a "valid" exit, and not a failure case..

I will try to do that, but I'm afraid that there may be other ways to remotely abuse the service.

>
> I'm not entirely understanding your goal.. you want each request to
> launch the gitweb process, and when it's done you want it to exit? But
> if there are multiple connections at once you want it to stay alive
> until it services them all? I think the best answer is configure
> systemd to understand that the exit code for when the path is invalid
> will be counted as a success.

I want a single process for all connections to keep RAM usage minimal. I also thought it fits my case since the number of users is low.

>
> Thanks,
> Jake

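A hardened version of the two units along the lines Jacob suggests, added here as an example and not part of the thread: the socket is kept as posted, while the service is restarted automatically after an unclean exit and its start-rate limit is raised so that a burst of bad requests no longer ends in `start-limit-hit`. The exit status in `SuccessExitStatus=` is an assumption (the thread does not say what gitweb returns), and `StartLimitIntervalSec=`/`StartLimitBurst=` in [Unit] assume systemd 230 or later.

```ini
# gitweb.socket (unchanged from the posted unit)
[Unit]
Description=GitWeb Socket

[Socket]
ListenStream=/run/gitweb.sock
# One long-lived process serves every connection; no per-connection instance.
Accept=false

[Install]
WantedBy=sockets.target

# gitweb.service
[Unit]
Description=GitWeb Service
# Every start counts toward the rate limit, clean exit or not, so allow a
# burst: up to 20 starts per 60 s before start-limit-hit applies.
# (Older systemd takes StartLimitInterval=/StartLimitBurst= in [Service].)
StartLimitIntervalSec=60
StartLimitBurst=20

[Service]
Type=simple
ExecStart=/path/to/gitweb.cgi --fcgi
StandardInput=socket
# Relaunch after an unclean exit. The listening socket stays open in systemd
# meanwhile, so incoming requests queue instead of getting an immediate 502.
Restart=on-failure
RestartSec=1
# ASSUMPTION: replace 1 with the status gitweb actually exits with when the
# requested path does not exist (check `journalctl -u gitweb.service`).
# Listed codes count as a clean exit; the socket then simply goes back to
# listening and the next connection starts the service again.
SuccessExitStatus=1
```

After editing the units, `systemctl daemon-reload` and re-enable `gitweb.socket`; whether the missing-path case ever trips the limit can then be checked by watching `systemctl status gitweb.service` while the 404 URL is requested repeatedly from a test client.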
Thread overview:
2018-04-03 18:53 Socket activation for GitWeb FastCGI with systemd? Alex Ivanov
2018-04-03 20:04 ` Jacob Keller
2018-04-04 16:36   ` Alex Ivanov [this message]