Disable fastcgi (php) for one virtual host in lighttpd

There is no official way to disable fcgi for a specific virtual host in lighttpd. After much experimentation, I found a couple of ways to disable fcgi for a specific vhost. This could be useful if you want to disallow php/perl/ruby (or all of them) on a sensitive website, or for a specific customer. One possible way was to have a full fastcgi.server for each vhost where it was allowed. This was a bad solution because it would fork a lot of useless php/perl processes, and the configuration would quickly become a mess anyway.

I had two goals:

  • Find a way to disable all fcgi for the specific vhost.
  • Find a way to disable a specific fcgi for the specific vhost. (eg: disable php but allow perl)

The first way is to disable all fcgi for a vhost. It is possible by adding the following snippet inside the vhost (the $HTTP["host"] == "domain.td" {} block):

static-file.exclude-extensions = ()
fastcgi.server = ()
fastcgi.map-extensions = ()

The second way, and most likely the best way since you can have per-fcgi control, is to match on the file name by adding this snippet in the vhost configuration:

# the dot is escaped so that only URLs ending in ".php" match
$HTTP["url"] =~ "\.php$" {
	static-file.exclude-extensions = ()
	fastcgi.server = ()
}

The last method I tried was using a UUID to declare the fcgi, and then map it to its extension. The main problem with this is that if your client somehow sees your configuration file, he will be able to run a script by renaming it to the UUID.

First, use a UUID instead of an extension to declare your fcgi servers:

fastcgi.server = (
	"034343-43423423-php-342423" => ((
		"max-procs" => 1,
		"bin-path" => "/usr/bin/php-cgi",
		"bin-environment" => (
			"PHP_FCGI_CHILDREN" => "3",
			"PHP_FCGI_MAX_REQUESTS" => "250"
		),
		"socket" => "/tmp/php.socket"
	)),
	"034343-43423423-ruby-342423" => ((
		"max-procs" => 1,
		"bin-path" => "/usr/bin/custom-fcgi",
		"bin-copy-environment" => ("LANG", "TERM"),
		"socket" => "/tmp/ruby.socket"
	))
)
fastcgi.map-extensions = (
	".php" => "034343-43423423-php-342423",
	".rb" => "034343-43423423-ruby-342423"
)

And then redeclare the map-extensions inside the vhost configuration according to what you want to allow:
Eg, to disable php:

fastcgi.map-extensions = (".rb" => "034343-43423423-ruby-342423" )

I hope that one of those methods will help you!
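
A check for the result of the methods above, as an added example that is not part of the original post: it classifies how each vhost answers a request for a probe script. Because the first two snippets clear static-file.exclude-extensions, a .php file in that vhost is returned as a plain file rather than executed, which the check reports as source-served. The file name probe.php, the vhost names and the sample responses are constructed assumptions.

```python
import http.client

# Constructed probe: save as probe.php in the vhost's document root. The marker
# is split in the source, so it only appears joined if PHP actually ran.
PROBE_SOURCE = '<?php echo "fcgi-" . "executed"; ?>'
EXECUTED_MARKER = "fcgi-executed"

def classify(status, body):
    """Say what the server did with the probe: ran it, returned it raw, or refused."""
    if status == 200 and "<?php" in body:
        return "source-served"  # static-file module returned the script as-is
    if status == 200 and EXECUTED_MARKER in body:
        return "executed"       # a FastCGI backend is still mapped
    if status == 403:
        return "blocked"
    return "unknown"  # e.g. 404: the probe file is not where the request landed

def fetch(address, vhost, path="/probe.php", port=80):
    """GET `path` from `address` with an explicit Host header (name-based vhost)."""
    conn = http.client.HTTPConnection(address, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()

def audit(observed, policy):
    """Return (vhost, outcome) pairs whose outcome is not allowed by `policy`."""
    findings = []
    for vhost, (status, body) in sorted(observed.items()):
        outcome = classify(status, body)
        if outcome not in policy[vhost]:
            findings.append((vhost, outcome))
    return findings

# Constructed responses standing in for fetch() results, so this runs offline.
SAMPLE = {
    "php-allowed.example": (200, "fcgi-executed"),
    "php-disabled.example": (200, PROBE_SOURCE),      # exclude-extensions cleared
    "php-forgotten.example": (200, "fcgi-executed"),  # vhost override missing
}
POLICY = {
    "php-allowed.example": {"executed"},
    "php-disabled.example": {"source-served", "blocked"},
    "php-forgotten.example": {"source-served", "blocked"},
}

if __name__ == "__main__":
    print(audit(SAMPLE, POLICY))
```

Against a live server, build the observed dictionary from fetch() calls to the server's address, one per vhost name.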

Lighttpd and WP-Super-Cache

I was not able to find a simple way to use wp-super-cache with lighttpd: some solutions used a 100-line Lua script and the others were unreliable at best. After an hour of fiddling, I came up with the following configuration.

What it does:

  • It serves a cache file only if the user is not logged in.
  • If no cache exists, the 404 handler loads index.php which will either find the correct page (and generate missing cache), or return a true 404.
  • It does not mess with /wp-admin or /wp-content or any file that exists outside the cache.

What might not work:

  • I did not test whether logging works properly in lighttpd when the hit uses the 404 handler, although it should be trivial to fix.

In green are the values that you will have to edit

	$HTTP["host"] == "blog.alexou.net" {
		server.document-root = "/var/www/wordpress"
		server.error-handler-404 = "index.php"
		$HTTP["cookie"] !~ "^.*(comment_author_|wordpress_logged_in|wp-postpass_).*$" {
			url.rewrite-once = ( "^/wp-admin(.*)(?:\?(.*))?$" => "wp-admin$1?$2" )
			url.rewrite-if-not-file = ("^/(.*)$" => "wp-content/cache/supercache/blog.alexou.net/$1" )
		}
	}

Note: You need lighttpd >= 1.4.24, since earlier versions do not have rewrite-if-not-file.

Disable open file security warning windows 7

When you deal with a lot of applications/drivers installations (sys admin?), that retarded warning gets a bit annoying to say the least.

YES I DID CLICK THAT FILE, WHY DO YOU ASK ME, AGAIN? Open it already. I know you care about my security dear Microsoft software engineer, but I’ll manage it from here, mk?

Sure, one could uncheck the checkbox, but the checkbox applies only to the specific file being executed, not all exes.

Enough blah blah, here’s the fix:

Fire up the group policy editor (Run -> gpedit.msc).

And go to User -> Admin Templates -> Windows Components -> Attachment Manager -> Inclusion list for low risk file types.

Click Enable and add .exe;.msi to the list. (See picture)

Nothing to hide huh?

{ Government, Google, Banks, Telcos }: Well if you have nothing to hide you wouldn’t mind if I check all your data?

Me: Having nothing to hide does not mean having something to share. I’m doing nothing illegal. But I hide it anyway. That’s called privacy.

People working for the government (Police, Politician) should have no privacy AT ALL while on duty. Citizens should have a right to privacy.

The idea that if “I do nothing wrong, I won’t mind being watched” assumes that the government is full of good people that will not abuse their power, ever. Anything taken out of context can appear wrong. Can you assure me that nobody with power will never watch me for their own profit? No business competitor? No mad ex wife? No policemen trying to cover its own mistakes? You will never be at the wrong place at the wrong time? Can you assure me that something will never be made illegal? If sex outside wedlock is made illegal, would you still be happy to have all that footage of you raping these thai prostitutes?

All information about a citizen should be his own property. Sadly, in our world, major corporations and government are above the law.

Just because I’m paranoid doesn’t mean that they’re not out to get you.

Scrolling in GTK+ apps with synaptics driver

When using a Windows laptop, you might be stuck with a Synaptics touchpad.

Those crappy drivers with their so-called virtual scrolling create a fake window below the cursor to display their custom scrolling icon.

That window interferes with the signal sent to the application underneath, and GTK for some reason can’t detect that (most likely the devs don’t care about us).

The result is being unable to scroll in popular GTK apps like Wireshark or Pidgin.

After playing with Spy++ and Procmon for some time, I found an interesting registry key that solved my problem.

This setting will disable the custom cursor when you scroll, effectively fixing the scrolling problem in GTK apps.

First you have to open regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPEnh and create a new DWORD called UseScrollCursor with a value of 0.

Restart SynTPEnh (or reboot).

Scrolling should work in GTK apps now, but you won’t see the scrolling cursor anymore.

Update: If that does not work, you can try to run

taskkill /im SynTPEnh.exe

Source: http://forums.mozillazine.org/viewtopic.php?f=38&t=1524405
Thanks to pieter for that link!

Happy scrolling!