Discussion:
[Mojolicious] Apache Config for Mojo CGI setup - opinions?
Alexander Karelas
2018-11-20 04:22:47 UTC
I have made some webapps that I use internally. I use them so rarely
(just a couple of page views per week each) that I thought it wasn't
worth having a hypnotoad running for each and waste resources (RAM
mainly), especially since the number of these webapps might increase a
lot in the future, and I don't care about response time (2 seconds is
fine) so I thought I'd set them up as CGI sites.

With some experimentation, I ended up with this Apache conf file for the
VirtualServer (for Apache v2.4). It routes arbitrary URLs to the right
route handler.

What do you think of it? Is it secure (suppose an evil user has access
to it)? Can it be improved? Can it be simplified, maybe? Is this useful
material for the mojo Wiki / POD?

I'm interested in your opinions, because my experience with Apache is
not that big.


  DocumentRoot /opt/mysite/html
  ScriptAlias /cgi-bin/ /opt/mysite/cgi-bin/

  <Directory "/opt/mysite/html">
      RewriteEngine On
      RewriteBase /
      RewriteRule (.*) /cgi-bin/my_app.pl/$1 [L]
      Require all granted
  </Directory>

  # for the case when the user types manually /cgi-bin/local/bin/some-command.pl
  # i.e. the only CGI script that's allowed to run is my_app.pl
  <LocationMatch "^/cgi-bin/(?!my_app.pl/)">
      Require all denied
  </LocationMatch>

  <Directory "/opt/mysite/cgi-bin">
      Require all granted
      Options ExecCGI
      SetHandler cgi-script
  </Directory>
--
You received this message because you are subscribed to the Google Groups "Mojolicious" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mojolicious+***@googlegroups.com.
To post to this group, send email to ***@googlegroups.com.
Visit this group at https://groups.google.com/group/mojolicious.
For more options, visit https://groups.google.com/d/optout.
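
Added example, not part of the original post: a check of which request paths the posted <LocationMatch> pattern denies, using Python's re module as a stand-in for Apache's regex matching. The sample paths and the escaped-dot variant are assumptions made for the illustration.

```python
import re

# Pattern exactly as posted in the <LocationMatch> block (dot left unescaped).
POSTED = re.compile(r"^/cgi-bin/(?!my_app.pl/)")
# Assumed tightening (not from the thread): escape the dot so that only the
# literal name my_app.pl is exempt from "Require all denied".
ESCAPED = re.compile(r"^/cgi-bin/(?!my_app\.pl/)")

# Constructed sample request paths.
SAMPLES = [
    "/cgi-bin/my_app.pl/further/path",
    "/cgi-bin/my_app.pl/",
    "/cgi-bin/my_app.pl",
    "/cgi-bin/local/bin/some-command.pl",
    "/cgi-bin/my_appXpl/anything",
    "/index.html",
]

def denied(pattern, path):
    """True when the LocationMatch section applies, i.e. access is denied."""
    return pattern.search(path) is not None

def audit(paths=SAMPLES):
    """Return {path: (denied_by_posted, denied_by_escaped)}."""
    return {p: (denied(POSTED, p), denied(ESCAPED, p)) for p in paths}

if __name__ == "__main__":
    for path, (posted, escaped) in audit().items():
        print(f"{path:38} posted={'DENY' if posted else 'pass'}"
              f"  escaped={'DENY' if escaped else 'pass'}")
```

The posted pattern denies /cgi-bin/my_app.pl when it is requested without a trailing slash, and its unescaped dot exempts any directory name that differs from my_app.pl only in that one character.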
Alexander Karelas
2018-11-20 04:26:50 UTC
I should note that the entire webapp (the templates/ subdir, the public/
subdir, etc) resides in the cgi-bin/ directory. my_app.pl happens to be
a Mojolicious::Lite app in this case.

- Alex
Dan Book
2018-11-20 05:09:49 UTC
Even simpler, I think, is to alias everything to your one script, so you
don't have to worry about what else might be in that directory.

ScriptAlias "/cgi-bin/" "/opt/mysite/cgi-bin/my_app.pl"

https://httpd.apache.org/docs/2.4/mod/mod_alias.html#scriptalias talks
about some strategies for this.

-Dan
Alexander Karelas
2018-11-20 05:12:11 UTC
Something strange:

On a fresh CentOS 7, this conf works (i.e. mapping to
/cgi-bin/my_app.pl/further/path actually executes /cgi-bin/my_app.pl)

But on a fresh Ubuntu 18.04, it doesn't (I get a 404 Not Found because
script /cgi-bin/my_app.pl/further/path does not exist).

Don't know how to fix this on Ubuntu.

- Alex
Alexander Karelas
2018-11-20 06:11:34 UTC
Thanks to Dan Book, I searched a bit more. Plain ScriptAlias didn't do
the trick, but ScriptAliasMatch worked beautifully on both CentOS and
Ubuntu (provided you enable the cgi module of Apache, of course, which I
hadn't done before, and mysteriously wasn't getting an error for unknown
Apache directives):

This apache config seems a lot simpler and more secure, I think,
therefore better.


<VirtualHost *:80>
  ServerName apache-dev.lxd
  DocumentRoot /opt/mysite/html

  ScriptAliasMatch "^/cgi-bin/(.*)" "/opt/mysite/cgi-bin/my_app.pl/$1"

  <Directory "/opt/mysite/html">
      RewriteEngine On
      RewriteBase /
      RewriteRule (.*) /cgi-bin/$1 [L]
      Require all granted
  </Directory>

  <Directory "/opt/mysite/cgi-bin">
      Require all granted
  </Directory>
</VirtualHost>
Alexander Karelas
2018-11-20 06:21:30 UTC
I even tried curl with /../other.pl and /cgi-bin/../other.pl, and these
still went through my_app.pl, so we're fine I think!

- Alex
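
Added example, not part of the original post: a simplified model of the requests tested above. It applies RFC 3986 dot-segment removal, which curl performs by default before sending, and then the RewriteRule and ScriptAliasMatch from the posted config; the function names are hypothetical, the extra sample paths are constructed, and Apache's own handling of a raw ".." is not modelled.

```python
import re

# Directive values taken from the posted ScriptAliasMatch line.
ALIAS = re.compile(r"^/cgi-bin/(.*)")
SCRIPT = "/opt/mysite/cgi-bin/my_app.pl"

def remove_dot_segments(path):
    """Resolve "." and ".." segments as in RFC 3986 section 5.2.4."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg in (".", ".."):
            if seg == ".." and len(out) > 1:
                out.pop()            # never climb above the root
            if last:
                out.append("")       # keep the trailing slash
        else:
            out.append(seg)
    return "/".join(out) or "/"

def as_sent_by_curl(path, path_as_is=False):
    """Path curl puts on the wire; path_as_is models curl --path-as-is."""
    return path if path_as_is else remove_dot_segments(path)

def route(path):
    """Simplified model of the config: return (script, PATH_INFO)."""
    m = ALIAS.match(path)
    if m is None:
        # RewriteRule (.*) /cgi-bin/$1 in the html <Directory>: the rule sees
        # the path without its leading slash and prefixes /cgi-bin/.
        m = ALIAS.match("/cgi-bin/" + path[1:])
    return SCRIPT, "/" + m.group(1)

# Constructed requests, including the two paths from the post.
TESTED = ["/../other.pl", "/cgi-bin/../other.pl", "/cgi-bin/other.pl", "/some/page"]

def results(paths=TESTED):
    """Map each raw path to the (script, PATH_INFO) pair it ends up at."""
    return {p: route(as_sent_by_curl(p)) for p in paths}

if __name__ == "__main__":
    for raw, (script, path_info) in results().items():
        print(f"{raw:24} -> {script}  PATH_INFO={path_info}")
```

Because curl resolves ".." on the client side, both tested URLs reach the server as /other.pl; curl's --path-as-is option sends the path unchanged when the server's own normalization is what needs checking.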
Alexander Karelas
2018-11-20 06:31:13 UTC
And of course, you can SetEnv all the MOJO environment variables you
want (e.g. MOJO_MODE to production)

https://httpd.apache.org/docs/2.4/mod/mod_env.html#SetEnv