I'm stumped trying to figure out why my nginx + spawn-fastcgi is serving the raw binary content instead of executing them and serving the result.
The goal is to configure Nagios Core 4.x using NginX. There are many great blogs on this, but none have shed light on my problem.
I'm currently using CentOS 6.6 NginX v1.0.15, spawn-fcgi v1.6.3, and php (php-fpm) v5.4.30.
The PHP file hosting works great (php-fpm); it's just the spawn-fcgi content I'm having an issue with, which is in charge of serving the `/cgi-bin/*.cgi` files. Here is my spawn-fcgi environment:

```bash
cat << _EOF > /etc/sysconfig/spawn-fcgi
OPTIONS="-u apache -g apache -a 127.0.0.1 -p 9001 -C 32 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/bin/php-cgi"
_EOF
```

My NginX configuration:

```nginx
server {
    listen 80;
    server_name monitor.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443;

    # Satisfy allows us to bypass authentication
    # for allowed ip addresses
    satisfy any;
    # Local Traffic only
    allow 192.168.0.0/24;
    allow 127.0.0.0/8;
    # drop rest of the world
    deny all;

    server_name monitor.mydomain.com;
    root /usr/share/nagios;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl on;
    ssl_certificate /etc/pki/tls/certs/mydomain.com.crt;
    ssl_certificate_key /etc/pki/tls/private/mydomain.com.key;

    index index.php index.html index.htm;
    access_log /var/log/nginx/nagios.access.log;
    error_log /var/log/nginx/nagios.error.log;

    # Security
    auth_basic "Restricted Area";
    auth_basic_user_file mynagios.htpasswd;

    location ~ \.htaccess {
        deny all;
    }

    location / {
        if ($uri ~* "\.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$") {
            expires max;
            break;
        }
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        try_files $uri = 404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    #location ~ \.cgi$ {
    location /nagios/cgi-bin/ {
        root /usr/lib64/nagios/cgi;
        rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
        fastcgi_param AUTH_USER $remote_user;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_pass unix:/var/run/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9001;
        include fastcgi_params;
    }
}
```

The tool in question is running:

```
[root@fserver conf.d]# netstat -pnat | egrep '900(0|1)'
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 9054/php-fpm
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 28888/php-cgi
```

Again, in a nutshell, this config is 'almost' working very well, but a request like https://monitor.mydomain.com/nagios/cgi-bin/status.cgi serves the content:

```
ELF>... <raw ugly content>
```

It's also worth noting I was using SELinux (wrote my own module for Nagios), but have disabled it (all of SELinux) until I can resolve this cgi issue.
Any advice you guys can provide would be fantastic! TIA
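
A diagnostic for the symptom described above, as an added example that is not part of the original post: the backend listening on port 9001 is php-cgi, which returns any bytes outside `<?php` tags unchanged, so a compiled CGI such as status.cgi comes back as its ELF image instead of being executed. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the original post): find CGI files that a PHP
# FastCGI backend would return as-is instead of executing.

# classify_cgi FILE -> elf | script | php | other, judged by file content.
classify_cgi() {
    local magic
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')   # first four bytes as hex
    case $magic in
        7f454c46) echo elf ;;       # "\x7fELF": compiled binary
        2321*)    echo script ;;    # "#!": interpreter script
        *) if grep -q '<?php' "$1"; then echo php; else echo other; fi ;;
    esac
}

# audit_cgi_dir DIR: print one MISMATCH line per *.cgi file that is not PHP.
# Returns 1 if any such file was found, 0 otherwise.
audit_cgi_dir() {
    local f kind bad=0
    for f in "$1"/*.cgi; do
        [ -f "$f" ] || continue
        kind=$(classify_cgi "$f")
        if [ "$kind" != php ]; then
            echo "MISMATCH $kind ${f##*/}"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample directory standing in for the Nagios CGI directory.
demo() {
    local d
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/status.cgi"   # constructed ELF header
    printf '<?php echo "ok"; ?>\n' > "$d/info.cgi"   # constructed PHP file
    audit_cgi_dir "$d" || true
    rm -rf "$d"
}
demo
```

Every file the audit reports needs a backend that executes it, for example a CGI wrapper such as fcgiwrap, rather than a PHP interpreter.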