
From: Omar Polo <op@omarpolo.com>
Subject: Re: simplify gotwebd server matching and fix manpage lie
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Thu, 22 Jun 2023 17:07:52 +0200

On 2023/06/22 15:53:26 +0200, Stefan Sperling <stsp@stsp.name> wrote:
> On Mon, Jun 19, 2023 at 06:41:54PM +0200, Omar Polo wrote:
> > This is an attempt at simplifying how gotwebd selects the server to
> > use.
> > 
> > Currently, if there is not a match on the server name, it attempts to
> > match the "subdomain" (the first component of the URL, e.g. "git"
> > should the Host header be "git.example.com") against the server names,
> > and falls back to the first server defined.
> > 
> > The server name is taken from the SERVER_NAME fastcgi parameter, the
> > subdomain by taking the first component of the HTTP_HOST, i.e. "www"
> > should the host be "www.example.com", but also "example" if the host
> > name is "example.com", which I find a bit confusing.
> > 
> > Finally, updates the manpage explaining how the matching works.  I'm
> > dropping the lie about SNI as gotwebd doesn't do TLS: it's the server's
> > responsibility to do TLS and check SNI, not a fastcgi application one.
> > gotwebd only looks at the SERVER_NAME (and currently at part of
> > HTTP_HOST).
> 
> Is this related deeply to the httpd diff you sent to tech@?

Not exactly, but the two things are connected.

> Would gotwebd depend on -current httpd if this gets committed?
> I doubt it, but just wanted to make sure.

Nope.

The problem is on the httpd side.  Let's say you have a httpd(8)
config like

	server "*.example.com" {
		location "/" {
			fastcgi socket "/run/gotwebd.sock"
		}
		location "/*" {
			root "/htdocs/gotwebd"
			# ...
		}
	}

gotwebd will always get a SERVER_NAME of "*.example.com" which is
invalid, instead of let's say "www.example.com" or "git.example.com".

With my httpd diff SERVER_NAME is (hopefully) set correctly so if we
have multiple `server' stanzas in gotwebd.conf the matching actually
works.

No one seems to have been bitten by it probably because nobody is
running gotwebd on multiple domains like that or because it uses the
first defined `server' if none match and that yields the 'correct'
behaviour.  Or maybe due to the undocumented "subdomain" matching, but
I doubt it.

> In any case, I prefer the simpler matching rules, so ok by me.

I really wanted to move away from HTTP_HOST and use SERVER_NAME only
which is IMHO more correct.  Also because SERVER_NAME must be defined
per the CGI spec (and so also in fastcgi), HTTP_HOST doesn't.

(httpd always requires a Host header and so will always set
HTTP_HOST.)

Should the subdomain matching really be used, re-adding it back
(documented this time) is easy.
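
The two matching rules discussed in this message, side by side, as an added example that is not part of the original mail and is not gotwebd's code. The function names and the server list are hypothetical, and it is an assumption that the simplified rule keeps the first-server fallback.

```c
/* Added illustration, not gotwebd's code.  All names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Constructed gotwebd.conf server names, in definition order. */
const char *const servers[] = { "www.example.com", "git.example.com", "example" };

/* Index of the server whose name equals `name`, or -1. */
static int
find_server(const char *const *srv, int n, const char *name)
{
	for (int i = 0; i < n; i++)
		if (strcmp(srv[i], name) == 0)
			return i;
	return -1;
}

/* Old rule: SERVER_NAME, then first label of HTTP_HOST, then server 0. */
int
match_old(const char *const *srv, int n, const char *server_name,
    const char *http_host)
{
	char sub[256];
	int i;

	if ((i = find_server(srv, n, server_name)) != -1)
		return i;
	/* "www.example.com" -> "www", but also "example.com" -> "example" */
	snprintf(sub, sizeof(sub), "%.*s", (int)strcspn(http_host, "."),
	    http_host);
	if ((i = find_server(srv, n, sub)) != -1)
		return i;
	return 0;
}

/* Simplified rule (fallback assumed unchanged): SERVER_NAME, then server 0. */
int
match_new(const char *const *srv, int n, const char *server_name)
{
	int i = find_server(srv, n, server_name);
	return i != -1 ? i : 0;
}

int
main(void)
{
	/* httpd passing the literal wildcard vs. the resolved host name */
	printf("wildcard: %d\n", match_new(servers, 3, "*.example.com"));
	printf("resolved: %d\n", match_new(servers, 3, "git.example.com"));
	return 0;
}
```

With the literal "*.example.com" as SERVER_NAME both rules land on the first server for a git.example.com request, which is the masking effect described above.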