| Nick | Message | Time |
|---|---|---|
| onefang | I'm looking at switching from apache to nginx, or at least trying it out. The nginx wiki says you can combine SSL and non SSL in the same server block. The example says don't do that! I want to NOT have to duplicate everything if they have to be separate server blocks. Anyone got clue? | 12:25 |
| onefang | Or I guess I could split out the common bit into an include file. | 12:25 |
| djph | onefang: fairly certain it's the same idea as apache -- you've got a listener on 80 and 443 ... | 12:26 |
| onefang | Yes, I know that. | 12:27 |
| djph | Although these days I've just got the listener on 80 redirecting to 443, rather than serving anything itself | 12:27 |
| onefang | What I want to do is have both configured identically, without having to actually duplicate the config. | 12:27 |
| onefang | Soooo web site says I can do that, the example says not to. | 12:28 |
| djph | sounds about right ... "just because you can doesn't mean you should" and all that .. | 12:28 |
| onefang | I'll try the split and include method for now I think. I'm not ready for SSL testing yet anyway. | 12:30 |
| onefang | Might just be that they fixed that bug in the version documented on the web site, but the fix isn't in Daedalus. | 12:33 |
| djph | could be | 12:34 |
| onefang | Ah there's a snippets directory that looks like it's for this sort of random include file. | 12:35 |
| djph | nice :) | 12:35 |
| rwp | onefang, If you are still looking for Nginx examples I can furnish several working ones from my collective. | 17:58 |
| onefang | I'm slowly making progress with it, but it's 2 AM now. I'll look into it more tomorrow. | 17:59 |
| onefang | Currently having trouble with running cgit under nginx. The links won't go anywhere. | 18:00 |
| onefang | Nginx is a big complex beasty, will take some time to tame it. Only started this arvo. | 18:00 |
| onefang | But it seems you CAN just put both ports in the one server section. B-) | 18:01 |
| rwp | onefang, Here is a simple complete example: https://paste.debian.net/plain/1322312 | 18:27 |
| rwp | Compared to Apache configuration Nginx is much simpler. That's one of the reasons I prefer Nginx because Apache is really convoluted by comparison. | 18:28 |
| onefang | I haven't gotten to Let's Encrypt yet, but I did spot an example using the default self signed cert that's generated at system install time. | 18:29 |
| rwp | If you don't have a valid certificate yet then strip out all of the 443 and ssl lines. | 18:30 |
| onefang | I read some reviews and comparisons, one of my big use cases is my Devuan mirror. Pure static content and lots of it. Nginx should improve things for that. | 18:30 |
| rwp | And that is the way to bootstrap a Domain Validation cert too. Start with just http online. Get a DV cert through Let's Encrypt. Then add in the ssl configuration for the cert and enable https. | 18:30 |
| onefang | Snakeoil cert is fine for just testing on my desktop. | 18:30 |
| rwp | One of the abuses suffered on the net these days is a Slow HTTP attack where clients connect or half connect and then just hang onto the server trying to run it out of process slots. | 18:31 |
| rwp | That attack really grinds up Apache. But Nginx seems to hardly notice. That's another reason Nginx is a preferred server. It can just shrug off a lot of attacks. | 18:32 |
| * onefang | thanks you and goes back to relaxing. Sleep might happen. | 18:34 |
| rwp | To run CGI scripts everyone I know uses the FastCGI daemon. But while that is simple to set up small it is a little confusing to set up for a larger production network facing system. Given your late hour I won't say how I configure it here but chat with me when you are awake and I will describe the setup. | 18:34 |
| onefang | Think you have covered the bits I already figured out. B-) | 18:35 |
| onefang | Just getting it to work with cgit is proving tricky. Slowly made progress though. | 18:36 |
| rwp | cgit? Let me paste you a working configuration... | 18:36 |
| onefang | OK. Not actually sleepy anyway. lol | 18:36 |
| rwp | cgit configuration: https://paste.debian.net/plain/1322314 | 18:37 |
| onefang | Not much different from what I figured out, but a few things I haven't seen before. | 18:38 |
| * onefang | tries it. | 18:38 |
| rwp | That will push you into using fcgiwrap spawn-fcgi multiwatch pretty much immediately. | 18:38 |
| onefang | I was already using spawn-fcgi for a previous project, but under Apache. | 18:39 |
| onefang | I see /home/rwp/tmp/cgit-stuff/cgit-1.2.3+git2.25.1/cgit I'm guessing you compiled your own? | 18:41 |
| rwp | Hmm... paste.debian.net is complaining my next paste is a spam for some reason. Grr... | 18:41 |
| rwp | Yes. You can see the packaged version is commented out. I was testing a newer version. | 18:42 |
| onefang | Works after a quick test. Thanks again. | 18:44 |
| rwp | Here is a full production configuration that includes various other tidbits too. https://www.proulx.com/tmp/cgit.savannah.gnu.org.conf.txt | 18:44 |
| rwp | I don't know why paste.debian.net did not accept it. | 18:44 |
| onefang | Think the only other thing I need is to get it to run PHP, which sounds easy enough. | 18:44 |
| onefang | Which was a definite tomorrow task. | 18:45 |
| rwp | Here is a RoundCube PHP example for Chimaera: https://paste.debian.net/plain/1322316 | 18:46 |
| rwp | For Daedalus the PHP version numbers update of course. | 18:46 |
| onefang | I'll look at that later. Thanks again. | 18:47 |
| rwp | I'll just note that the default Debian package starts 1 fcgiwrap daemon by default. That's not enough to keep up with a busy site. Increase FCGI_CHILDREN=10 or whatever you wish in /etc/default/fcgiwrap to run more children. The "multiwatch" daemon will monitor and start these. | 18:52 |
| rwp | On Devuan this should just work. On Debian with systemd this does not just work and to make it work one must create a local systemd override fcgiwrap.service file. On Devuan you won't need it but if anyone needs it for a systemd system please mention it and I will post what I have done for it. | 18:54 |
| freem | Hi. I am trying to set up coredump generation for a program running under runsvdir's supervision. So far, I tried adding "ulimit -c unlimited" in the run file itself, modifying /proc/sys/kernel/core_pattern to "/var/dumps/%e-%p-%s-%t.core" as root (and ensuring the folder exists), or "\| cat - > /var/dumps/%e-%p-%s-%t.core", setting /proc/sys/kernel/core_uses_pid to "1"... without any success | 19:04 |
| freem | that VPS is currently running under Debian, but is not using systemd, so I'm asking for just the regular kernel stuff, not something specific to any program... I suppose? | 19:06 |
| freem | I tried asking that on #debian, but got the answer that most people there use systemd (which is true, I guess, and makes sense, since it's distro's defaults). | 19:07 |
| rwp | freem, That seems like it should work. | 19:07 |
| freem | well, I usually try reading doc before bugging people on IRC :) | 19:07 |
| rwp | And yes I have given up talking with most of the Debian community. They have lost the title that we always loved of being the Universal Operating System. Not anymore. | 19:07 |
| rwp | Let me try a test here and see if I can reproduce a core dump. It's been a while. | 19:08 |
| freem | it's sad, because this is kernel stuff and directly _un_ related to systemd | 19:08 |
| rwp | Which release are you running? | 19:08 |
| freem | stable, but lemme double check | 19:08 |
| freem | yes, bookworm, although the kernel is a bit out of date | 19:08 |
| rwp | Right. Not related to systemd at all. But unless you are wearing the same robes they are then they won't even entertain a discussion and will bark at you the entire while. | 19:08 |
| freem | no, I was just ignored | 19:09 |
| freem | and when I re-asked, I got the answer "most of us use systemd" | 19:09 |
| rwp | Debian Bookworm without systemd? Or Devuan Daedalus? I will get onto my correct test system if I know. | 19:09 |
| freem | I would have had this answer earlier, I'd probably have thought about asking somewhere else earlier, as well | 19:09 |
| freem | bookworm | 19:09 |
| freem | I've been using debian for a while, when I tried devuan it was a bit... rough around the edges :) | 19:10 |
| freem | and I never used systemd | 19:10 |
| freem | well, I did... for 3 months or so. | 19:10 |
| rwp | Then you are okay in my book. :-) | 19:10 |
| rwp | Literally I did nothing more than "ulimit -c unlimited" then "sleep 30" and Control-\ to send it SIGQUIT and it dumped a "core" file okay. | 19:10 |
| freem | I tried, because I was curious. I noticed it added nothing useful so went back. I was on the mailing list at that time, and noticed people talking about runit, so gave it a try. I fell in love. | 19:11 |
| freem | that was before devuan's birth | 19:11 |
| rwp | Devuan fully supports init freedom and we love runit too. | 19:11 |
| freem | yeah, that is what I'd expect, but I'm wondering if runit does not modify some stuff | 19:11 |
| freem | as per the documentation, coredumps might not be generated if UID change or something | 19:12 |
| freem | well, I have also tried voidlinux | 19:12 |
| freem | turns out my runit-scripts are more... err... unadvanced than the stuff I've found :) | 19:12 |
| freem | http://deadbeef.fr/projects/autoinst/files.html that's the stuff I wrote myself a long while ago, works nicely for me. | 19:13 |
| rwp | I changed /proc/sys/kernel/core_pattern to /var/dumps/%e-%p-%s-%t.core as you described. I started "sleep 30". I pressed Control-\ and sleep dumped core to /var/dumps/sleep-14509-3-1720113175.core no problem. | 19:13 |
| freem | http://deadbeef.fr/projects/autoinst/file/etc/runit/log.run.html and http://deadbeef.fr/projects/autoinst/file/etc/runit/common.html being the core of my systems | 19:13 |
| freem | you did that with a program running under runsv? | 19:14 |
| rwp | Void has been running runit as their main system for some time and therefore Void has become the ad-hoc reference platform for runit for most of us. | 19:14 |
| freem | perhaps the program I'm trying to run does a weird thing then | 19:14 |
| rwp | I did this from the command line as a test. Start small. Debug one simple thing. Move to the next more layered thing. | 19:14 |
| freem | well, I've found that voidlinux didn't even have logging easy to enable | 19:15 |
| freem | that's a while ago though | 19:15 |
| freem | me, I just ln -s this log.run into foo/log/run and I'm done :) | 19:15 |
| rwp | Void is a rolling release model. Good for the desktop. Not good for servers. Mostly I deal with servers. Stable releases are best for servers. | 19:15 |
| freem | log folders are created, based on the name of the service, automatically. No need for config or anything | 19:15 |
| freem | I'm too lazy to bother writing config for every daemon to log :D | 19:16 |
| rwp | Are you able to reproduce a core dump on demand from the command line like this too? Or does it fail for you at that step? | 19:16 |
| freem | lemme check | 19:16 |
| rwp | Also make sure your /var/dumps directory is mode drwxrwxrwt which might be the problem. chmod a+w,+t /var/dumps | 19:16 |
| freem | ok... it seems it worked | 19:18 |
| freem | I'll try killing the process under supervision now | 19:18 |
| rwp | Good! Because I don't actually have a running test case that is working for runit at this moment. I would need to build one up. | 19:18 |
| freem | I didn't have the 777 perms | 19:19 |
| freem | dang... got users -.-' | 19:19 |
| rwp | That will definitely block it from working. Be sure to add +t too. | 19:19 |
| freem | I had no user on this game server the whole day, now I need to test and... there are! | 19:19 |
| freem | cursed users | 19:19 |
| rwp | cursed users | 19:19 |
| freem | without users, no bug reports, too | 19:19 |
| freem | peace | 19:19 |
| freem | well, I'll just wait and give it a try :) | 19:19 |
| freem | what's the +t? | 19:20 |
| rwp | For directories that are mode 0777 wide open the 't' bit is a security restriction that limits what users can do there. Look at the t bit on /tmp and /var/tmp for example. | 19:20 |
| rwp | I don't have a doc reference immediately but I'll see if I can find one. | 19:20 |
| freem | I'll find one, I'm curious about this security | 19:21 |
| rwp | I found this which seems acceptable https://linuxconfig.org/explaining-the-sticky-bit-what-the-t-in-linux-directory-permissions-means | 19:23 |
| freem | ah, the sticky bit | 19:24 |
| freem | yeah I got this https://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html | 19:24 |
| freem | not perfect, but I don't really need in-depth explanations of things to get the bulk | 19:24 |
| freem | thanks, that is useful | 19:25 |
| rwp | It's being repurposed for this on directories. Originally on executables it meant to keep it in RAM and don't swap it out. And had no meaning on directories. So when they needed a new capability for directories it was pressed into service as a hack. And here we are with it all of these years later. | 19:25 |
| freem | it's how temporary solutions behave | 19:26 |
| rwp | And the original purpose of it just doesn't make sense anymore, and probably does nothing, because the entire memory model has changed since then. | 19:26 |
| rwp | Nothing is as permanent as a temporary solution. Or at least a temporary solution which is working. | 19:26 |
| freem | yes | 19:27 |
| rwp | So to summarize the problem you experienced was that the specified core dump directory did not have the correct permissions. Solved now. Yay! :-) | 19:27 |
| freem | "if it ain't broken, don't fix it" is sadly... or perhaps not?... a strong mantra | 19:27 |
| freem | yes | 19:27 |
| freem | well, that is likely | 19:27 |
| freem | I'll try to set up the whole thing, but at least having coredumps working for normal processes is a good start | 19:28 |
| rwp | Since this is the Devuan support channel we just like to keep things on topic here. But please come join us in #devuan-offtopic for other idle chat! It's a friendly place. And we can discuss other random things there. | 19:28 |
| freem | sure :) | 19:29 |
| freem | why not I guess | 19:29 |
| fsmithred | freem, if you ask a runit question on the devuan forum there's a good chance the runit maintainer (Lorenzo) will reply. dev1galaxy.org | 19:34 |
| freem | I'll keep this in mind | 19:35 |
| scip | hello, I have installed Daedalus and updated it today. However, it still has openssh 9.2 installed. How can I go to the latest openssh version 9.8 in order to patch against CVE-2024-6387? | 23:56 |