auth errors with nginx + fcgiwrap
Robin Becker
robin at reportlab.com
Tue Jan 13 12:46:54 UTC 2015
I have configured a multi-realm repository setup to run through nginx + fcgiwrap.
In the nginx site each realm is defined like this
> location ~ /hg-xxxx(/|$) {
>     auth_basic "XXXX Mercurial";
>     auth_basic_user_file /home/path/etc/auth/passwd-hg-xxxx;
>     try_files /home/path/etc/nginx/html/maintenance.html @hg;
> }
and I have several of those.
The location @hg looks like this
> location @hg {
>     fastcgi_pass unix:/run/fcgiwrap.socket;
>     fastcgi_param PATH_INFO $fastcgi_script_name;
>     fastcgi_param QUERY_STRING $query_string;
>     fastcgi_param REQUEST_METHOD $request_method;
>     fastcgi_param CONTENT_TYPE $content_type;
>     fastcgi_param CONTENT_LENGTH $content_length;
>     fastcgi_param SERVER_PROTOCOL $server_protocol;
>     fastcgi_param SERVER_PORT $server_port;
>     fastcgi_param SERVER_NAME $server_name;
>     fastcgi_param SCRIPT_FILENAME /var/www/hg/hg.cgi;
>     fastcgi_param SCRIPT_NAME $fastcgi_script_name;
>     fastcgi_param REQUEST_URI $request_uri;
>     fastcgi_param DOCUMENT_URI $document_uri;
>     fastcgi_param DOCUMENT_ROOT $document_root;
>     fastcgi_param SERVER_PROTOCOL $server_protocol;
>     fastcgi_param GATEWAY_INTERFACE CGI/1.1;
>     fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
>     fastcgi_param REMOTE_ADDR $remote_addr;
>     fastcgi_param REMOTE_PORT $remote_port;
>     fastcgi_param REMOTE_USER $remote_user if_not_empty;
>     fastcgi_param SERVER_ADDR $server_addr;
>     fastcgi_param SERVER_PORT $server_port;
>     fastcgi_param SERVER_NAME $server_name;
>     fastcgi_param HTTPS $https if_not_empty;
> }
I have a single hg.cgi script which is a modified version of hgwebdir.cgi. When
run it has extra code at the start to normalize the path info
> import os
> environ=os.environ
> path_info = environ['PATH_INFO']
> if path_info.startswith('/'):
>     path_info = path_info[1:]
> if '/' in path_info:
>     script_name = path_info.split('/',1)
>     path_info = '/' + script_name[1]
>     script_name = script_name[0]
> else:
>     script_name = path_info
>     path_info = '/'
> environ['PATH_INFO'] = path_info
> environ['SCRIPT_NAME'] = '/'+script_name
and then at the end, instead of loading a fixed config, I use the script_name to
select one of several configs, e.g.
> application = hgwebdir('/var/www/hg/conf.d/%s.conf'%script_name)
> wsgicgi.launch(application)
This scheme appears to work well and I can checkout, browse, push etc. and
the authentication seems to work well with each realm controlled by a separate
auth file and Mercurial config.
However, I notice that my nginx error log is filled with messages saying
requests were made without user / password even though the request succeeds,
i.e. this request
> C:\Users\user\tmp\sandbox>hg incom
> comparing with https://bilbo@hg.host.com/hg-xxxx/sandbox
> searching for changes
> no changes found
results in this access.log
> hg.host.com 192.168.0.3 - - [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 401 188 "-" "mercurial/proto-1.0" 443
> hg.host.com 192.168.0.3 - bilbo [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 200 211 "-" "mercurial/proto-1.0" 443
and this error.log
> 2015/01/13 12:36:03 [error] 14939#0: *414 no user/password was provided for basic authentication, client: 192.168.0.3, server: hg.host.com, request: "GET /hg-xxxx/sandbox?cmd=capabilities HTTP/1.1", host: "hg.host.com"
> 2015/01/13 12:36:03 [error] 14939#0: *415 no user/password was provided for basic authentication, client: 192.168.0.3, server: hg.host.com, request: "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1", host: "hg.host.com"
I do have a password stored for the bilbo user, but it seems we always try first
without auth being set or something. Our Jenkins test machine causes the nginx
error log to fill up quite rapidly.
Is there a way to remedy this problem?
I am quite new to nginx and we didn't see this with the previous apache2 setup.
--
Robin Becker
More information about the Mercurial mailing list
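The access.log pair quoted in the post shows an anonymous request answered with 401 and then the same request repeated with a user name and answered with 200. As an added example (not part of the original post, nor Mercurial or nginx code), this Python sketch pairs such entries so that routine challenge/response 401s can be told apart from rejected credentials and anonymous probes that never retry. The function names, the 5-second window and the last two sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout from the post: vhost client - user [time] "request" status bytes ...
LINE = re.compile(
    r'(?P<vhost>\S+) (?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that do not follow the layout
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def classify_401s(lines, window=timedelta(seconds=5)):
    """Label each 401 as 'challenge' (same client repeated the request with a
    user name and was not challenged again within the window), 'bad-credentials'
    (a user name was sent and rejected) or 'unanswered' (anonymous, no retry)."""
    recs = [r for r in map(parse, lines) if r]
    out = []
    for i, r in enumerate(recs):
        if r["status"] != 401:
            continue
        if r["user"] != "-":
            label = "bad-credentials"
        else:
            retried = any(
                n["client"] == r["client"] and n["request"] == r["request"]
                and n["user"] != "-" and n["status"] != 401
                and timedelta(0) <= n["ts"] - r["ts"] <= window
                for n in recs[i + 1:])
            label = "challenge" if retried else "unanswered"
        out.append((r["client"], r["user"], r["request"], label))
    return out

# Entries 1-2 are the access.log lines from the post; entries 3-4 are constructed.
SAMPLE = [
    'hg.host.com 192.168.0.3 - - [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 401 188 "-" "mercurial/proto-1.0" 443',
    'hg.host.com 192.168.0.3 - bilbo [13/Jan/2015:12:36:03 +0000] "GET /hg-xxxx/sandbox?cmd=batch HTTP/1.1" 200 211 "-" "mercurial/proto-1.0" 443',
    'hg.host.com 192.0.2.10 - - [13/Jan/2015:12:40:00 +0000] "GET /hg-xxxx/sandbox?cmd=capabilities HTTP/1.1" 401 188 "-" "-" 443',
    'hg.host.com 192.0.2.10 - frodo [13/Jan/2015:12:40:05 +0000] "GET /hg-xxxx/sandbox?cmd=capabilities HTTP/1.1" 401 188 "-" "-" 443',
]

if __name__ == "__main__":
    for row in classify_401s(SAMPLE):
        print(row)
```

Only the 'bad-credentials' and 'unanswered' rows need review; the 'challenge' rows correspond to the error.log noise described in the post.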