
setenv syntax to add request header from environment variable

Added by fredcwgo_BR about 2 months ago

Howdy all ,

When trying to add request headers to the SCGI request, so that a uWSGI Python application receives the SSL environment from lighttpd as added request headers, I can't figure out the syntax for inheriting the environment values.

Any help is appreciated.

Best regards.

lighttpd:: 1.4.65-1 :: http://ftp.br.debian.org/debian bookworm/main amd64 Packages
uwsgi:: 2.0.20-4+b2 :: http://ftp.br.debian.org/debian bookworm/main amd64 Packages
Python 3.10.7
Flask 2.0.3
Werkzeug 2.0.2

OS :: /etc/debian_version :: bookworm/sid

**$ cat /etc/lighttpd/conf-enabled/15-scgi-pySIC.conf 

# mod_setenv provides the setenv.* directives used below; mod_scgi talks to the
# uwsgi backends. Both use += so the module list from lighttpd.conf is kept.
server.modules                += ( "mod_setenv" )
server.modules += ( "mod_scgi" )
# Speak the uwsgi wire protocol to the backends instead of plain SCGI.
scgi.protocol = "uwsgi" 
# Two loopback backends selected by URL prefix. "check-local" => "disable" forwards
# the request without requiring a matching file under server.document-root.
# "scgi.debug" => 1 enables per-request debug logging for these backends —
# presumably only wanted while investigating; remove once the headers are confirmed.
scgi.server = (
  "/TESTEuWSGI/" => (( "host" => "127.0.0.1", "port" => 3031, "check-local" => "disable", "scgi.debug"=>1,)),
  "/SICInforma/" => (( "host" => "127.0.0.1", "port" => 3032, "check-local" => "disable", "scgi.debug"=>1,)),
)

*******

 # NOTE(review): env.NAME is read from lighttpd's own process environment while the
 # config file is parsed, not from the TLS variables of each request. The `-p` dump
 # further down shows every header already resolved to the literal "foobar" that was
 # exported before startup, so each client would receive the same constant values
 # rather than its own certificate data. A variable that is unset in lighttpd's
 # environment is a parse error ("Undefined env variable"), which is the failure
 # shown under "How to reproduce".
 # NOTE(review): setenv.add-request-header inserts or appends; if a client already
 # sends a header with one of these names, its value is kept alongside the appended
 # one. If the backend derives identity from X-SSL_CLIENT_* headers, use
 # setenv.set-request-header (overwrites) or, presumably simpler, read the SSL_*
 # variables the SCGI environment already carries — confirm by dumping it.
 $HTTP["url"] =~"^/SICInforma/" {
          setenv.add-request-header = ( "X-TESTE-Header" => "insert/append request header", 
                 "X-SSL_CLIENT_M_SERIAL" => env.SSL_CLIENT_M_SERIAL ,
         "X-SSL_CLIENT_S_DN_ROLEOCCUPANT" => env.SSL_CLIENT_S_DN_ROLEOCCUPANT  ,
         "X-SSL_CLIENT_S_DN_ROLE" => env.SSL_CLIENT_S_DN_ROLE , 
         "X-SSL_CLIENT_S_DN_OWNER" => env.SSL_CLIENT_S_DN_OWNER ,
         "X-SSL_CLIENT_S_DN_MEMBER" => env.SSL_CLIENT_S_DN_MEMBER ,
         "X-SSL_CLIENT_S_DN_EMAILADDRESS" => env.SSL_CLIENT_S_DN_EMAILADDRESS ,
         "X-SSL_CLIENT_S_DN_CN" => env.SSL_CLIENT_S_DN_CN ,
         "X-SSL_CLIENT_S_DN_OU" => env.SSL_CLIENT_S_DN_OU ,
         "X-SSL_CLIENT_S_DN_O" => env.SSL_CLIENT_S_DN_O ,
         "X-SSL_CLIENT_S_DN_L" => env.SSL_CLIENT_S_DN_L ,
         "X-SSL_CLIENT_S_DN_ST" => env.SSL_CLIENT_S_DN_ST ,
         "X-SSL_CLIENT_S_DN_C" => env.SSL_CLIENT_S_DN_C,
         "X-SSL_CLIENT_S_DN" => env.SSL_CLIENT_S_DN ,
         "X-SSL_CLIENT_VERIFY" => env.SSL_CLIENT_VERIFY ,
         "X-SSL_CIPHER_ALGKEYSIZE" => env.SSL_CIPHER_ALGKEYSIZE ,
         "X-SSL_CIPHER_USEKEYSIZE" => env.SSL_CIPHER_USEKEYSIZE ,
         "X-SSL_CIPHER" => env.SSL_CIPHER ,
         "X-SSL_PROTOCOL" => env.SSL_PROTOCOL,
    )
}

How to reproduce:

# Reproduction step: seed every SSL_* name referenced by env.* in the config with a
# placeholder value in the current shell, so the `lighttpd -p` run below inherits
# them. All variables get the same value, so one loop keeps the list in one place.
for ssl_var in \
  SSL_CLIENT_M_SERIAL SSL_CLIENT_S_DN_ROLEOCCUPANT SSL_CLIENT_S_DN_ROLE \
  SSL_CLIENT_S_DN_OWNER SSL_CLIENT_S_DN_MEMBER SSL_CLIENT_S_DN_EMAILADDRESS \
  SSL_CLIENT_S_DN_CN SSL_CLIENT_S_DN_OU SSL_CLIENT_S_DN_O SSL_CLIENT_S_DN_L \
  SSL_CLIENT_S_DN_ST SSL_CLIENT_S_DN_C SSL_CLIENT_S_DN SSL_CLIENT_VERIFY \
  SSL_CIPHER_ALGKEYSIZE SSL_CIPHER_USEKEYSIZE SSL_CIPHER SSL_PROTOCOL
do
  export "${ssl_var}=foobar"
done
unset ssl_var

*** Just checking.. 
:~$ echo ${SSL_CLIENT_M_SERIAL}
foobar

:~$ lighttpd -p -f /etc/lighttpd/lighttpd.conf > xx
Undefined env variable: SSL_CLIENT_M_SERIAL
2022-10-20 15:46:27: (configfile.c.2111) source: /etc/lighttpd/conf-enabled/15-scgi-pySIC.conf line: 6 pos: 69 parser failed somehow near here: (COMMA)
2022-10-20 15:46:27: (configfile.c.2111) source: /etc/lighttpd/lighttpd.conf line: 51 pos: 0 parser failed somehow near here: (EOL)
:~$ 

:~$  /usr/sbin/lighttpd -p -f /etc/lighttpd/lighttpd.conf > lighttpd_conf_mimesuppressed.txt (( edited for removal of mime info ))
:~$ cat lighttpd_conf_mimesuppressed.txt 
# Output of `lighttpd -p` (MIME section removed by the poster): the merged,
# fully-expanded configuration lighttpd actually loaded. Every env.* reference
# has already been replaced by its value at this point (see block 4).
config {
    var.CWD                        = "/home/frederico" 
    var.PID                        = 637267
    server.document-root           = "/var/www/html" 
    server.upload-dirs             = ("/var/cache/lighttpd/uploads")
    server.errorlog                = "/var/log/lighttpd/error.log" 
    server.pid-file                = "/run/lighttpd.pid" 
    server.username                = "www-data" 
    server.groupname               = "www-data" 
    server.port                    = 80
    server.feature-flags           = (
        "server.h2proto"                   => "enable",
        "server.h2c"                       => "enable",
        "server.graceful-shutdown-timeout" => 5,
    )
    server.http-parseopts          = (
        "header-strict"            => "enable",
        "host-strict"              => "enable",
        "host-normalize"           => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required"   => "enable",
        "url-ctrls-reject"         => "enable",
        "url-path-2f-decode"       => "enable",
        "url-path-dotseg-remove"   => "enable",
    )
    index-file.names               = ("index.php", "index.html", "index.lighttpd.html")
    url.access-deny                = ("~", ".inc")
    static-file.exclude-extensions = (".php", ".pl", ".fcgi")
    fastcgi.server                 = (
        ".php" => (
            (
                "bin-path"              => "/usr/bin/php-cgi",
                "socket"                => "/run/lighttpd/php.socket",
                "max-procs"             => 1,
                "bin-environment"       => (
                    "PHP_FCGI_CHILDREN"     => "4",
                    "PHP_FCGI_MAX_REQUESTS" => "10000",
                ),
                "bin-copy-environment"  => ("PATH", "SHELL", "USER"),
                "broken-scriptfilename" => "enable",
            ),
        ),
    )
    ssl.pemfile                    = "/etc/lighttpd/GFMail02.pem" 
    alias.url                      = (
        "/phpmyadmin"   => "/usr/share/phpmyadmin",
        "/javascript"   => "/usr/share/javascript",
        "/postfixadmin" => "/usr/share/postfixadmin/public",
    )
    scgi.protocol                  = "uwsgi" 
    scgi.server                    = (
        "/TESTEuWSGI/" => (
            (
                "host"        => "127.0.0.1",
                "port"        => 3031,
                "check-local" => "disable",
                "scgi.debug"  => 1,
            ),
        ),
        "/SICInforma/" => (
            (
                "host"        => "127.0.0.1",
                "port"        => 3032,
                "check-local" => "disable",
                "scgi.debug"  => 1,
            ),
        ),
    )
    server.modules                 = (
        "mod_indexfile",
        "mod_access",
        "mod_alias",
        "mod_redirect",
        "mod_auth",
        "mod_fastcgi",
        "mod_openssl",
        "mod_setenv",
        "mod_scgi",
        "mod_dirlisting",
        "mod_staticfile",
    )

    $SERVER["socket"] == "[::]:80" {
        # block 1
        # NOTE(review): block 4 below is not nested under any $SERVER["socket"]
        # condition, so the /SICInforma/ prefix is also served on this plaintext
        # listener, where no TLS handshake or client-certificate check happens.
        # Confirm that path is meant to be reachable over HTTP at all.

    } # end of $SERVER["socket"] == "[::]:80" 

    $SERVER["socket"] == "0.0.0.0:443" {
        # block 2
        # Client-certificate verification is required only on this IPv4 listener.
        ssl.engine                = "enable" 
        ssl.pemfile               = "/etc/lighttpd/GFMail02.pem" 
        ssl.cipher-list           = "HIGH" 
        ssl.verifyclient.activate = "enable" 
        ssl.verifyclient.enforce  = "enable" 
        # NOTE(review): ssl.verifyclient.username normally names an SSL_CLIENT_*
        # variable to export as REMOTE_USER; confirm "enable" is intended here.
        ssl.verifyclient.username = "enable" 
        ssl.verifyclient.ca-file  = "/etc/lighttpd/CA-GF.crt" 

    } # end of $SERVER["socket"] == "0.0.0.0:443" 

    $SERVER["socket"] == "[::]:443" {
        # block 3
        # NOTE(review): this IPv6 TLS listener inherits only the global ssl.pemfile;
        # none of the ssl.verifyclient.* settings from block 2 are repeated here, so
        # client-certificate verification does not appear to apply to connections
        # arriving over IPv6. Confirm that is intended.
        ssl.engine = "enable" 

    } # end of $SERVER["socket"] == "[::]:443" 

    $HTTP["url"] =^ "/SICInforma/" {
        # block 4
        # Every env.* reference from 15-scgi-pySIC.conf has been replaced by the
        # literal "foobar" exported before startup: env.* is resolved when the
        # config is parsed, so these headers are constants, not per-request values.
        setenv.add-request-header = (
            "X-TESTE-Header"                 => "insert/append request header",
            "X-SSL_CLIENT_M_SERIAL"          => "foobar",
            "X-SSL_CLIENT_S_DN_ROLEOCCUPANT" => "foobar",
            "X-SSL_CLIENT_S_DN_ROLE"         => "foobar",
            "X-SSL_CLIENT_S_DN_OWNER"        => "foobar",
            "X-SSL_CLIENT_S_DN_MEMBER"       => "foobar",
            "X-SSL_CLIENT_S_DN_EMAILADDRESS" => "foobar",
            "X-SSL_CLIENT_S_DN_CN"           => "foobar",
            "X-SSL_CLIENT_S_DN_OU"           => "foobar",
            "X-SSL_CLIENT_S_DN_O"            => "foobar",
            "X-SSL_CLIENT_S_DN_L"            => "foobar",
            "X-SSL_CLIENT_S_DN_ST"           => "foobar",
            "X-SSL_CLIENT_S_DN_C"            => "foobar",
            "X-SSL_CLIENT_S_DN"              => "foobar",
            "X-SSL_CLIENT_VERIFY"            => "foobar",
            "X-SSL_CIPHER_ALGKEYSIZE"        => "foobar",
            "X-SSL_CIPHER_USEKEYSIZE"        => "foobar",
            "X-SSL_CIPHER"                   => "foobar",
            "X-SSL_PROTOCOL"                 => "foobar",
        )

    } # end of $HTTP["url"] =^ "/SICInforma/" 

    $HTTP["url"] =^ "/phpmyadmin/templates" {
        # block 5
        url.access-deny = ("")

    } # end of $HTTP["url"] =^ "/phpmyadmin/templates" 

    $HTTP["url"] =^ "/phpmyadmin/libraries" {
        # block 6
        url.access-deny = ("")

    } # end of $HTTP["url"] =^ "/phpmyadmin/libraries" 
}

Replies (1)

RE: setenv syntax to add request header from environment variable - Added by gstrauss about 2 months ago

When trying to add request headers to the scgi so that a uwsgi python receives the SSL environment from lighttpd as added request headers, can't figure out what is the syntax to inherit the environment values.

Why bother with that approach? How is it useful in actual real-world use? I recommend that you start by writing a "Hello World" program to run as SCGI and dump the environment received by the SCGI program, then use curl to connect to lighttpd over https with a test client certificate. While testing, you should probably use ssl.verifyclient.enforce = "disable".

BTW, the syntax works for me, using lighttpd 1.4.67 (available in bookworm). Check your shell includes and maybe test with /bin/dash.

$ cat t.conf
# Minimal test config. SSL_CLIENT_M_SERIAL is supplied inline on the lighttpd
# command line in the two invocations below, so env.SSL_CLIENT_M_SERIAL resolves
# at parse time and appears as the literal "hi" in the -p dump.
server.modules += ("mod_setenv")
server.document-root="/dev/shm" 
$HTTP["url"] =~"^/SICInforma/" {
   setenv.add-request-header = (
       "X-TESTE-Header" => "insert/append request header",
       "X-SSL_CLIENT_M_SERIAL" => env.SSL_CLIENT_M_SERIAL ,
   )
}
$ SSL_CLIENT_M_SERIAL=hi lighttpd -f t.conf -tt; echo $?
0
$ SSL_CLIENT_M_SERIAL=hi lighttpd -f t.conf -p
# `lighttpd -p` output for t.conf: the env.* reference has been replaced by the
# value given on the command line at startup.
config {
    var.CWD              = "/dev/shm" 
    var.PID              = 25157
    server.modules       = ("mod_setenv")
    server.document-root = "/dev/shm" 

    $HTTP["url"] =^ "/SICInforma/" {
        # block 1
        # "hi" is the startup environment value, fixed for every request.
        setenv.add-request-header = (
            "X-TESTE-Header"        => "insert/append request header",
            "X-SSL_CLIENT_M_SERIAL" => "hi",
        )

    } # end of $HTTP["url"] =^ "/SICInforma/" 
}
