auth errors with nginx + fcgiwrap

Robin Becker robin at reportlab.com
Tue Jan 13 12:46:54 UTC 2015


I have configured a multi-realm repository setup to run through nginx + fcgiwrap.

In the nginx site each realm is defined like this


>     location ~ /hg-xxxx(/|$) {
>         auth_basic "XXXX Mercurial";
>         auth_basic_user_file /home/path/etc/auth/passwd-hg-xxxx;
>         try_files /home/path/etc/nginx/html/maintenance.html @hg;
>         }

and I have several of those.

The location @hg looks like this

>     location @hg {
>         fastcgi_pass unix:/run/fcgiwrap.socket;
>         fastcgi_param PATH_INFO $fastcgi_script_name;
>         fastcgi_param QUERY_STRING $query_string;
>         fastcgi_param REQUEST_METHOD $request_method;
>         fastcgi_param CONTENT_TYPE $content_type;
>         fastcgi_param CONTENT_LENGTH $content_length;
>         fastcgi_param SERVER_PROTOCOL $server_protocol;
>         fastcgi_param SERVER_PORT $server_port;
>         fastcgi_param SERVER_NAME $server_name;
>         fastcgi_param SCRIPT_FILENAME /var/www/hg/hg.cgi;
>         fastcgi_param SCRIPT_NAME $fastcgi_script_name;
>         fastcgi_param REQUEST_URI $request_uri;
>         fastcgi_param DOCUMENT_URI $document_uri;
>         fastcgi_param DOCUMENT_ROOT $document_root;
>         fastcgi_param SERVER_PROTOCOL $server_protocol;
>         fastcgi_param GATEWAY_INTERFACE CGI/1.1;
>         fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
>         fastcgi_param REMOTE_ADDR $remote_addr;
>         fastcgi_param REMOTE_PORT $remote_port;
>         fastcgi_param REMOTE_USER $remote_user if_not_empty;
>         fastcgi_param SERVER_ADDR $server_addr;
>         fastcgi_param SERVER_PORT $server_port;
>         fastcgi_param SERVER_NAME $server_name;
>         fastcgi_param HTTPS $https if_not_empty;
>         }


I have a single hg.cgi script which is a modified version of hgwebdir.cgi. When 
run it has extra code at the start to normalize the path info

> import os
> environ=os.environ
> path_info = environ['PATH_INFO']
> if path_info.startswith('/'):
>     path_info = path_info[1:]
> if '/' in path_info:
>     script_name = path_info.split('/',1)
>     path_info = '/' + script_name[1]
>     script_name = script_name[0]
> else:
>     script_name = path_info
>     path_info = '/'
> environ['PATH_INFO'] = path_info
> environ['SCRIPT_NAME'] = '/'+script_name

and then at the end, instead of loading a fixed config, I use the script_name to 
select one of several configs, e.g.

> application = hgwebdir('/var/www/hg/conf.d/%s.conf'%script_name)
> wsgicgi.launch(application)

This scheme appears to work well and I can checkout, browse, push etc. and 
the authentication seems to work well with each realm controlled by a separate 
auth file and mercurial config.

However, I notice that my nginx error log is filled with messages saying 
requests were made without user / password even though the request succeeds

i.e. this request

> C:\Users\user\tmp\sandbox>hg incom
> comparing with https://bilbo@hg.host.com/hg-xxxx/sandbox
> searching for changes
> no changes found


results in this access.log
> hg.host.com 192.168.0.3 - - [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 401 188 "-" "mercurial/proto-1.0" 443
> hg.host.com 192.168.0.3 - bilbo [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 200 211 "-" "mercurial/proto-1.0" 443

and this error.log
> 2015/01/13 12:36:03 [error] 14939#0: *414 no user/password was provided for basic authentication, client: 192.168.0.3, server: hg.host.com, request: "GET /hg-xxxx/sandbox?cmd=capabilities HTTP/1.1", host: "hg.host.com"
> 2015/01/13 12:36:03 [error] 14939#0: *415 no user/password was provided for basic authentication, client: 192.168.0.3, server: hg.host.com, request: "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1", host: "hg.host.com"

I do have a password stored for the bilbo user, but it seems we always try first 
without auth being set or something. Our Jenkins test machine causes the nginx 
error log to fill up quite rapidly.

Is there a way to remedy this problem?

I am quite new to nginx and we didn't see this with the previous apache2 setup.
-- 
Robin Becker
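
The access.log excerpt above shows the pattern behind these error-log entries: the same request is logged once anonymously with 401 and again as bilbo with 200. As an added example (not part of the original post), this Python script drops such challenge/retry pairs from an access log in the layout shown above, leaving only 401s that had no successful retry or that carried rejected credentials; the 2-second window, the function names and the last two sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Layout taken from the access.log lines in the post:
# vhost client - user [time] "request" status bytes "referer" "agent" port
LINE = re.compile(r'^(?P<vhost>\S+) (?P<client>\S+) \S+ (?P<user>\S+) '
                  r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not in this layout
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def unanswered_401s(lines, window=2):
    """Return 401 records that are not the first half of a challenge/retry pair."""
    pending, flagged = [], []
    for rec in filter(None, map(parse, lines)):
        # Anonymous 401s older than the window never got a successful retry.
        expired = [p for p in pending if (rec["ts"] - p["ts"]).total_seconds() > window]
        flagged += expired
        pending = [p for p in pending if p not in expired]
        if rec["status"] == 401 and rec["user"] == "-":
            pending.append(rec)      # challenge sent, wait for the retry
        elif rec["status"] == 401:
            flagged.append(rec)      # a user name was sent and rejected
        elif rec["user"] != "-":
            # A non-401 response carrying a user name answers one challenge.
            for p in pending:
                if (p["client"], p["request"]) == (rec["client"], rec["request"]):
                    pending.remove(p)
                    break
    return flagged + pending

SAMPLE = [  # first two lines are from the post; the last two are constructed
    'hg.host.com 192.168.0.3 - - [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 401 188 "-" "mercurial/proto-1.0" 443',
    'hg.host.com 192.168.0.3 - bilbo [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 200 211 "-" "mercurial/proto-1.0" 443',
    'hg.host.com 192.0.2.10 - - [13/Jan/2015:12:36:10 +0000] "GET /hg-xxxx/sandbox?cmd=capabilities HTTP/1.1" 401 188 "-" "mercurial/proto-1.0" 443',
    'hg.host.com 192.0.2.10 - frodo [13/Jan/2015:12:36:20 +0000] "GET /hg-xxxx/sandbox?cmd=capabilities HTTP/1.1" 401 188 "-" "mercurial/proto-1.0" 443',
]

if __name__ == "__main__":
    for rec in unanswered_401s(SAMPLE):
        print(rec["ts"], rec["client"], rec["user"], rec["request"])
```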

