
I'm currently working on the renewal of my Web platform and switching from Apache to Nginx.

So I have to test all our administrative and internal applications before doing it.

Well, so far, I didn't face any problems, BUT it would be a little bit too easy without it :D

So, today, I installed my supervision platform using the following components:

  • OS: Debian Squeeze 6.0.6
  • WebServer: Nginx 1.2.5
  • FastCGI: fcgiwrap 1.0.3-3
  • PhpCGI: php 5.4.11
  • Supervision: Nagios 3.4.3

Here is my directory structure:

/usr/local/$APPNAME$/$SUBTREE$ --> Aim for all binaries and libraries outside the OS.
/etc/$APPNAME$/$SUBTREE$ --> Directory for all binaries configuration files.
/srv/apps/$WEBAPPNAME$/$SUBTREE$/ --> Directory for all HTML/PHP/CGI related files.

Following these I've got:

/usr/local/nagios/ all owned by nagios user/group.
/usr/local/nginx/ all owned by nginx user/group.
/usr/local/fcgiwrap/ all owned by nginx user/group.
/usr/local/phpcgi/ all owned by nginx user/group.

&

/etc/nagios/ all owned by nagios user/group.
/etc/nginx/ all owned by nginx user/group.

&

/srv/app/nagios/{cgi-bin;stylesheets;etc} all owned by nginx.

My PhpCGI Wrapper is running well and serving PHP pages as requested because I've got the Nagios main page correctly displayed.

The problem seems to come from my FastCGI Wrapper, which keeps sending a stupid error claiming that it was not called with any DOCUMENT_ROOT or SCRIPT_FILENAME parameters.

But, regarding my Nginx configuration, everything seems to be OK.

I found something related in another ServerFault question, but the upgrade of the FastCGI wrapper doesn't help me.

Here is my Nginx config:

user                    nginx nginx;
worker_processes        4;
pid                     /var/run/nginx/nginx.pid;
error_log               /var/log/nginx/error.log;

events {
    worker_connections 1024;
}


http {
    include             mime.types;
    default_type        application/octet-stream;
    sendfile            on;
    keepalive_timeout   65;
    gzip                on;

    upstream fcgiwrap {
        server unix:/var/run/fcgiwrap.socket;
    }


    server {
        listen                  443;
        server_name             nagios.domain.tld;
        root                    /srv/apps/nagios;
        ssl                     on;
        ssl_certificate         /etc/nginx/security/cert.crt;
        ssl_certificate_key     /etc/nginx/security/cert.key;
        ssl_session_timeout     5m;
        ssl_protocols           SSLv2 SSLv3 TLSv1;
        ssl_ciphers             HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        charset         utf8;
        access_log      /var/log/nginx/access.log;

        location / {
                index index.php;
                auth_basic "Nagios Restricted Access";
                auth_basic_user_file /etc/nagios/passwd.users;
        }

        location ~\.php$ {
                auth_basic "Nagios Restricted Access";
                auth_basic_user_file /etc/nagios/passwd.users;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass 127.0.0.1:9000;
        }

        location ~\.cgi$ {
                auth_basic "Nagios Restricted Access";
                auth_basic_user_file /etc/nagios/passwd.users;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param AUTH_USER $remote_user;
                fastcgi_param REMOTE_USER $remote_user;
                fastcgi_pass fcgiwrap;
        }
    }
}

The fcgiwrap socket is handled by nginx, and all my permissions seem good.

So if you have any clue or help, it would be greatly appreciated :D

Thanks in advance.

Dr I
  • Are you sure it's not your HTTP auth restrictions? Try disabling the `auth_basic` directives. – mgorven Feb 04 '13 at 18:15
  • Indeed, I'm sure that it is not an auth-related issue because, when I add a rewrite rule into the CGI location, I get either a 502 Bad Gateway related to the fact that FastCGI can't open /srv/apps/nagios/nagios/cgi-bin/cgibinary.cgi, but this is due to an incorrect rewrite condition and regex comparison, or a Nagios Whoops! Error: Could not read configuration data. So I'm wondering if there is not another permission problem somewhere. – Dr I Feb 05 '13 at 09:28

1 Answer

Look toward your fcgiwrap running as nginx user/group. Not sure about Debian, but in RHEL/CentOS the Nagios RPM install script adds the nagios group to the apache user via:

/usr/sbin/usermod -a -G nagios apache

which can be verified with

id apache

This allows Apache to get at Nagios object information/status. You'll want to give nginx the same nagios group privileges.

Moonshine
  • I did not answer my own question, but yeah, it was a matter of group access ;-) indeed, I've to push my nagios user into the nginx group. Thanks for your answer anyway ;-) – Dr I Apr 30 '13 at 15:26
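
An added example, not part of the original answer or comments: a small audit script for the group-access check the answer describes. It assumes fcgiwrap runs as the `nginx` user, that the Nagios group is `nagios`, and that the paths are the ones listed in the question; the function names and the `RUN_AUDIT` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether the account
# that runs fcgiwrap can reach Nagios files through group membership.
# Assumed defaults: user "nginx", group "nagios", paths as in the question.

# has_group "<space-separated groups>" <group>: 0 if <group> is in the list
has_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# user_in_group <user> <group>: 0 if member, 1 if not, 2 if user is unknown
user_in_group() {
    list=$(id -Gn "$1" 2>/dev/null) || return 2
    has_group "$list" "$2"
}

# group_can_read <path> <group>: 0 if <path> belongs to <group> and has g+r
group_can_read() {
    [ -n "$(find "$1" -prune -group "$2" -perm -040 -print 2>/dev/null)" ]
}

# audit <user> <group> <path>...: print findings, return number of problems
audit() {
    user=$1 grp=$2 bad=0
    shift 2
    if ! user_in_group "$user" "$grp"; then
        echo "FAIL: $user is not in group $grp (fix: usermod -a -G $grp $user)"
        bad=$((bad + 1))
    fi
    for p in "$@"; do
        if group_can_read "$p" "$grp"; then
            echo "ok:   $p is group-readable by $grp"
        else
            echo "FAIL: $p is missing, not owned by group $grp, or lacks g+r"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run the audit only when explicitly requested: RUN_AUDIT=1 sh thisfile.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit nginx nagios /etc/nagios /usr/local/nagios
fi
```

A running process keeps the supplementary groups it started with, so restart fcgiwrap after any `usermod` change before re-testing the CGIs.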