User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.2.15) Gecko/20110310 Firefox/3.6.15 Build Identifier: There is a set of tasks especially in the light of ongoing FastCGI support in Bugzilla concerning work of Bugzilla with web servers different than Apache's Httpd. This involves testing and documenting of a particular set of the web servers' configuration for particlar cases. The two classes of tasks are by my vision: - translate configurational .htaccess rules into the other web server's configuration directives. This includes restriction of web access to the certain Bugzilla directrories. Frequently even one-to-one rewriting of them may not sound as a good idea. Fortunately Bugzilla's .htaccess rules are simple enough for not to be that case. But they change from version to version and the other web server's support can happen to suffer from that. - Two ( or more ) users security model. As Apache, in most installations, use the same system user and group ids (uid/gid) for both .cgi programs and static files, with mod_perl following that behavior too, this may not happen to be the case for FastCGI ( or other interfaces supported by web server to the Bugzilla's aplication server ). Reproducible: Always Steps to Reproduce: 1.get Bugzilla up and running with Apache 2.get Bugzilla up and running with other web server 3.Compare Actual Results: There is no restrictions on web serving albeit they are spelled in .htaccess files: anyone has access to localconfig and data/params, etc. Expected Results: Bugzilla should behave exactly the same, the overall performance may have a difference

The "- Two ( or more ) users security model" does not conform to a new name of this bug. Patches seem to be needed, as I pointed at https://bugzilla.mozilla.org/show_bug.cgi?id=316665#c21 This task can be formed as a different new bug or as those two either.

I believe this to be accurately reflective of the current .htaccess rules in master. Note that the seemingly-contradictory rules are an artifact of the way that nginx location processing works and are in fact required. To use: 1. put configuration in nginx.conf, adjust to taste 2. plackup -s FCGI --listen /run/bugzilla/bugzilla.sock /srv/bugzilla/app.psgi optional: add a "bugzilla" user and enable the 'suexec' variable in localconfig for extra/possibly less security.

further comments I just thought of: I use "return 403" instead of "deny all" since the former is in rewrite module which we need for REST instead of always pulling in access module which we otherwise only need for webdot.

Two variables are missing in your config file: X-Forwarded-Proto and X-Forwarded-URI, see: http://bugzilla.readthedocs.io/en/latest/installing/apache.html#apache-with-mod-proxy Could you update your config file and ask :dylan for feedback, please? :)

(In reply to Frédéric Buclin from comment #5) > Two variables are missing in your config file: X-Forwarded-Proto and > X-Forwarded-URI, see: > > http://bugzilla.readthedocs.io/en/latest/installing/apache.html#apache-with- > mod-proxy > > Could you update your config file and ask :dylan for feedback, please? :) That appears to be for use with a reverse proxy configuration, which this is not; the configuration that I attached is specifically for a FastCGI configuration.

Comment on attachment 8750044 [details] nginx configuration if this looks mostly-OK I will prepare a patch for docs/.../nginx.rst.

Comment on attachment 8750044 [details] nginx configuration Looks good!

I haven't tested all parts of this configuration; in particular, the security parts have only been lightly tested (GET /localconfig) and the REST part hasn't been tested at all. It's mostly from the .htaccess rules and Apache documentation though, so there shouldn't be any major surprises.

Comment on attachment 8750540 [details] [diff] [review] 0001-Bug-645282-Add-proper-nginx-install-instructions.patch Review of attachment 8750540 [details] [diff] [review]: ----------------------------------------------------------------- This looks good!

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 4421d2e..67ad01e master -> master

Several errors were thrown when compiling the Nginx documentation. I also fixed the path to Bugzilla from /srv/bugzilla to the standard /var/www/html/bugzilla, for consistency with our documentation. To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 46c7179..7ccda08 master -> master