Bug 215247 - www-servers/lighttpd - spawn-fcgi appears to ignore address set in config file
Summary: www-servers/lighttpd - spawn-fcgi appears to ignore address set in config file
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High major
Assignee: www-servers Herd (OBSOLETE)
Blocks: 264840
Reported: 2008-03-28 20:28 UTC by gentoo
Modified: 2009-04-04 10:45 UTC
Description gentoo 2008-03-28 20:28:04 UTC
I'm running a build of lighttpd with mod_fastcgi enabled.

I use /etc/init.d/spawn-fcgi to startup a bunch of php-cgi processes and then run /etc/init.d/lighttpd to start lighty.

After starting spawn-fcgi and lighttpd processes, looking at netstat you will see:

# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:1026            0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:10030         0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN

Above you can see the fcgi process listening on 0.0.0.0:1026.

But looking at my config I see:

# grep ADDR /etc/conf.d/spawn-fcgi
FCGI_WEB_SERVER_ADDRS="127.0.0.1"
ALLOWED_ENV="$ALLOWED_ENV PHP_FCGI_MAX_REQUESTS FCGI_WEB_SERVER_ADDRS"

# grep PORT /etc/conf.d/spawn-fcgi
FCGIPORT="1026"

So according to the config it should be listening on 127.0.0.1:1026. This also means my fcgi process is open to connections from outside, a potential security problem.

Examining /etc/init.d/spawn-fcgi I see that indeed the -a flag to spawn-fcgi is not used. The fix is to add the -a parameter to the command-line in /etc/init.d/spawn-fcgi. Here's a diff:


18c18
<         EX="${SPAWNFCGI} -a ${FCGI_WEB_SERVER_ADDRS} -p ${FCGIPORT} -f ${FCGIPROGRAM} -u ${USERID} \
---
>         EX="${SPAWNFCGI} -p ${FCGIPORT} -f ${FCGIPROGRAM} -u ${USERID} \
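Review bot: the diff reads backwards. The "<" (old) line already contains -a ${FCGI_WEB_SERVER_ADDRS} and the ">" (new) line drops it, so applied as posted it would remove the flag the text says to add; regenerate it with the original file first. Separately, -a ${FCGI_WEB_SERVER_ADDRS} is unquoted inside EX, so an empty or unset value makes -a take "-p" as its argument; check for an empty value before building the command line.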



This should be simple to fix.
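The check the reporter did by eye (is the FastCGI port bound to loopback or to every interface?), as an added example that is not part of the original report. The function names `exposed_listeners` and `audit_port` are hypothetical, and the sample lines are copied from the netstat output above.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `netstat -an --inet` style
# text on stdin and prints every TCP listener on the given port whose local
# address is not loopback.
exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next                  # some other port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1") next  # loopback only
            print addr
        }'
}

# Exit status 1 when the port is reachable beyond loopback, 0 otherwise.
audit_port() {
    found=$(exposed_listeners "$1")
    if [ -n "$found" ]; then
        echo "port $1 is listening beyond loopback: $found"
        return 1
    fi
    echo "port $1: no non-loopback listener"
}

# Sample input: the listener lines from the netstat output in the report.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1026            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10030         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE" | audit_port 1026 || true
# On a live host (assumes FCGIPORT is set in /etc/conf.d/spawn-fcgi):
#   . /etc/conf.d/spawn-fcgi; netstat -an --inet | audit_port "$FCGIPORT"
```

Run after every init script or config change; a non-zero exit from `audit_port` means the FastCGI port is still bound to a non-loopback address.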
Comment 1 Phil 2008-12-26 13:41:40 UTC
(In reply to comment #0)
> Above you can see the fcgi process listening on 0.0.0.0:1026.
> 
> But looking at my config I see:
> 
> # grep ADDR /etc/conf.d/spawn-fcgi
> FCGI_WEB_SERVER_ADDRS="127.0.0.1"
> ALLOWED_ENV="$ALLOWED_ENV PHP_FCGI_MAX_REQUESTS FCGI_WEB_SERVER_ADDRS"

I doubt FCGI_WEB_SERVER_ADDRS is meant to be used for this purpose, as it's
added to the spawned process's environment. But indeed, being able to specify
the bind address along with the port is useful, so I made the following changes
to make this possible:

--- init.d/spawn-fcgi.old	2008-12-12 14:19:41.000000000 +0100
+++ init.d/spawn-fcgi	2008-12-26 14:34:36.377632673 +0100
@@ -15,8 +15,8 @@
         ebegin "Starting spawn-fcgi"
         export PHP_FCGI_MAX_REQUESTS FCGI_WEB_SERVER_ADDRS
 
-        EX="${SPAWNFCGI} -p ${FCGIPORT} -f ${FCGIPROGRAM} -u ${USERID} \
-                -g ${GROUPID} -C ${PHP_FCGI_CHILDREN}"
+        EX="${SPAWNFCGI} -a ${FCGIHOST} -p ${FCGIPORT} -f ${FCGIPROGRAM} \
+		-u ${USERID} -g ${GROUPID} -C ${PHP_FCGI_CHILDREN}"
 
         # copy the allowed environment variables
         unset E
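Review bot: -a ${FCGIHOST} on the new EX line has no fallback, so a conf.d file that predates this change and does not define FCGIHOST expands to "-a -p ...", and -a takes "-p" as its address. Use a default such as ${FCGIHOST:-127.0.0.1}, or append the -a option only when FCGIHOST is non-empty. The added continuation line is also indented with a tab where the surrounding lines use spaces.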
--- conf.d/spawn-fcgi.old	2008-12-26 14:13:28.725394121 +0100
+++ conf.d/spawn-fcgi	2008-12-26 14:15:37.332200846 +0100
@@ -13,7 +13,10 @@
 ## ABSOLUTE path to the PHP binary
 FCGIPROGRAM="/usr/bin/php-cgi"
 
-## bind to tcp-port on localhost
+## bind to this IP
+FCGIHOST="127.0.0.1"
+
+## bind to tcp-port on FCGIHOST
 FCGIPORT="1026"
 
 ## number of PHP childs to spawn
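Review bot: the "## bind to this IP" comment above FCGIHOST does not say what a non-loopback value does. The removed comment stated that the port was bound on localhost; the new one should say that 127.0.0.1 keeps the FastCGI port local, that any other address makes it reachable on that interface, and that the variable must not be left empty.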
Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-02 21:15:20 UTC
this is fixed by the new www-servers/spawn-fcgi ebuild. it's a standalone spawn-fcgi package (based on spawn-fcgi from lighttpd) and it includes an init script rewritten from scratch.

future lighty releases will not feature the spawn-fcgi binary any more.
check it out.
Comment 3 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-04-04 10:45:06 UTC
lighttpd will not be fixed. spawn-fcgi has a fix.