[Nitro] Strange/dangerous behaviour on Lighttpd - please advise

Lars Olsson lasso at lassoweb.se
Tue Oct 10 12:04:37 EDT 2006


Hi list!!

My Nitro apps have been spinning around nicely for a couple of weeks on 
Apache proxy + lighttpd + FastCGI now. The apps work fine, but today 
when I did some testing I discovered something startling. All my pages 
are available to the browser as source!

If I use the url http://mysite/index everything is fine

If I use the url http://mysite/index.xhtml the *source* of index.xhtml 
gets sent.

I didn't have this problem when running solely on Apache, so apparently 
I must have messed something up with lighttpd.conf. I checked 
http://www.oxyliquit.de/tip/12 but I can't see any major differences 
from my setup (attached below). Can anyone see what's wrong?

<start of lighttpd - usernames, directory names and port numbers are 
made up>

## SERVER MODULES ##
## Please leave alone unless you know what you're doing ##
## See line 22 for start of required config ##

server.modules = (
				"mod_rewrite",
				"mod_redirect",
				"mod_access",
				"mod_auth",
#				"mod_status",
				"mod_fastcgi",
#				"mod_simple_vhost",
#				"mod_evhost",
				"mod_cgi",
				"mod_compress",
#				"mod_ssi",
#				"mod_usertrack",
# 				"mod_rrdtool",
				"mod_proxy",
				"mod_accesslog" )

########## REQUIRED SETTINGS #####################################
# You must change these settings to get Lighttpd up and running ##
##################################################################

# Port assignment

server.port                = 12345

# IMPORTANT
# From this point forward, you can do a search and replace for "yourusername"
# without the quotes, and replacing it with your real username.  Replace
# rails_instance with the name of the Rails application in question

# Document root and fastcgi settings

server.document-root	= "/home/username/nitro_sites/sitename/public/"

fastcgi.server = (
     ".php" =>
     ( "localhost" =>
       (
         "socket" => "/home/username/lighttpd-php-username.socket",
         "bin-path" => "/usr/bin/php-cgi",
         "min-procs" => 1,
         "max-procs" => 1,
         "idle-timeout" => 60,
         "allow-x-send-file" => "enable"
       )
     ),
     ".fcgi" =>
     ( "localhost" =>
       (
         "socket" => "/home/username/lighttpd-fcgi-username.socket",
         "bin-path" => "/home/username/nitro_sites/sitename/public/dispatch.fcgi",
         "min-procs" => 1,
         "max-procs" => 1,
         "idle-timeout" => 60,
         "allow-x-send-file" => "enable"
       )
     )
)

# Error logs and index file settings

server.errorlog			= "/home/username/logs/lighttpd_error_log"
server.indexfiles		= ( "index.php", "index.html", "index.htm", "default.htm" )
server.pid-file			= "/home/username/lighttpd.pid"

########## OPTIONAL SETTINGS ######################################################
# If you want, you can change these settings, but the defaults work fine as well ##
###################################################################################

# turn on or off index of directory without an indexfile
server.dir-listing          = "disable"

# 404 error handler - this is recommended for Rails apps
server.error-handler-404    = "/dispatch.fcgi"

# perform URL rewriting (recommended you leave this alone unless you know what you're doing)
#url.rewrite = ( "^/$" => "index.html", "^([^.]+)$" => "$1.html" )

# mimetype mapping
mimetype.assign            = (
   ".pdf"          =>      "application/pdf",
   ".sig"          =>      "application/pgp-signature",
   ".spl"          =>      "application/futuresplash",
   ".class"        =>      "application/octet-stream",
   ".ps"           =>      "application/postscript",
   ".torrent"      =>      "application/x-bittorrent",
   ".dvi"          =>      "application/x-dvi",
   ".gz"           =>      "application/x-gzip",
   ".pac"          =>      "application/x-ns-proxy-autoconfig",
   ".swf"          =>      "application/x-shockwave-flash",
   ".tar.gz"       =>      "application/x-tgz",
   ".tgz"          =>      "application/x-tgz",
   ".tar"          =>      "application/x-tar",
   ".zip"          =>      "application/zip",
   ".mp3"          =>      "audio/mpeg",
   ".m3u"          =>      "audio/x-mpegurl",
   ".wma"          =>      "audio/x-ms-wma",
   ".wax"          =>      "audio/x-ms-wax",
   ".ogg"          =>      "audio/x-wav",
   ".wav"          =>      "audio/x-wav",
   ".gif"          =>      "image/gif",
   ".jpg"          =>      "image/jpeg",
   ".jpeg"         =>      "image/jpeg",
   ".png"          =>      "image/png",
   ".xbm"          =>      "image/x-xbitmap",
   ".xpm"          =>      "image/x-xpixmap",
   ".xwd"          =>      "image/x-xwindowdump",
   ".css"          =>      "text/css",
   ".html"         =>      "text/html",
   ".htm"          =>      "text/html",
   ".js"           =>      "text/javascript",
   ".asc"          =>      "text/plain",
   ".c"            =>      "text/plain",
   ".conf"         =>      "text/plain",
   ".text"         =>      "text/plain",
   ".txt"          =>      "text/plain",
   ".dtd"          =>      "text/xml",
   ".xml"          =>      "text/xml",
   ".mpeg"         =>      "video/mpeg",
   ".mpg"          =>      "video/mpeg",
   ".mov"          =>      "video/quicktime",
   ".qt"           =>      "video/quicktime",
   ".avi"          =>      "video/x-msvideo",
   ".asf"          =>      "video/x-ms-asf",
   ".asx"          =>      "video/x-ms-asf",
   ".wmv"          =>      "video/x-ms-wmv"
  )

# Use the "Content-Type" extended attribute to obtain mime type if possible
# mimetypes.use-xattr = "enable"

## deny access the file-extensions
# ~    is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
#      of the document-root
url.access-deny             = ("~", ".inc")

<end of lighttpd.conf>


Sincerely

/lasso

-- 
________________________________________
Lars Olsson
lasso at lassoweb.se
http://www.lassoweb.se/
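
Added example, not part of the original post and not Nitro or lighttpd code: a small Python check that reads a lighttpd configuration and lists template files under the document root that no url.access-deny suffix or fastcgi.server extension covers, so lighttpd would send them as static files. The condensed configuration, the file listing and the ".xhtml" template suffix default are constructed for illustration, and only suffix-style entries like those in the posted configuration are handled.

```python
import re

# Constructed, condensed from the configuration posted above.
POSTED_CONF = '''
server.document-root = "/home/username/nitro_sites/sitename/public/"
fastcgi.server = (
    ".php"  => ( "localhost" => ( "bin-path" => "/usr/bin/php-cgi" ) ),
    ".fcgi" => ( "localhost" => ( "bin-path" => "/home/username/nitro_sites/sitename/public/dispatch.fcgi" ) )
)
# url.access-deny = ( ".xhtml" )   <- commented out, must be ignored
url.access-deny = ("~", ".inc")
'''

# Constructed document-root listing (hypothetical file names).
DOCROOT_FILES = ["index.xhtml", "about.xhtml", "dispatch.fcgi", "style.css", "lib.inc"]


def strip_comments(conf):
    """Drop whole-line '#' comments so disabled directives are not counted."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))


def denied_suffixes(conf):
    """Suffixes listed in url.access-deny (requests ending in them are refused)."""
    m = re.search(r'url\.access-deny\s*=\s*\(([^)]*)\)', strip_comments(conf))
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def handler_suffixes(conf):
    """Extension keys such as ".php" that map to a backend block."""
    return re.findall(r'"(\.[^"]+)"\s*=>\s*\(', strip_comments(conf))


def exposed_sources(conf, files, template_exts=(".xhtml",)):
    """Template files that would be sent as static files, i.e. as source."""
    covered = tuple(denied_suffixes(conf) + handler_suffixes(conf))
    return sorted(f for f in files
                  if f.endswith(tuple(template_exts)) and not f.endswith(covered))


# Same configuration with the template suffix added to url.access-deny.
HARDENED_CONF = POSTED_CONF.replace('("~", ".inc")', '("~", ".inc", ".xhtml")')

if __name__ == "__main__":
    print("posted:  ", exposed_sources(POSTED_CONF, DOCROOT_FILES))
    print("hardened:", exposed_sources(HARDENED_CONF, DOCROOT_FILES))
```

Keeping the templates outside server.document-root removes the exposure without relying on a suffix list.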


More information about the Nitro-general mailing list