Created attachment 199186 [details] patch
Probably we should also add nginx config, mine:
================================================================================
server {
	listen		*:80;
	listen		[::]:80;
	server_name	%%PHABRICATOR_DOMAIN_NAME%%;
	root		/usr/local/lib/php/phabricator/webroot/;

	# When serving user-supplied content, include this header along with
	# the Content-Type: header, to disable content-type sniffing on some browsers.
	add_header X-Content-Type-Options 'nosniff';
	# Enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	add_header X-XSS-Protection "1; mode=block";
	# Don't allow the browser to render the page inside a frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	add_header X-Frame-Options 'SAMEORIGIN';
	# Tell the browser that it can only download content from the domains you explicitly allow
	add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; worker-src 'none'";

	# php for: phabricator
	location ~* / {
		if ( !-f $request_filename) {
			rewrite ^/(.*)$ /index.php?__path__=/$1 break;
			break;
		}
		# php
		fastcgi_pass			unix:%%PATH_TO_PHP_FCGI_SOCK%%;
		fastcgi_connect_timeout		30s;
		fastcgi_read_timeout		600s;
		fastcgi_send_timeout		600s;
		fastcgi_ignore_client_abort	off;
		fastcgi_intercept_errors	on;
		fastcgi_index			index.php;
		fastcgi_pass_header		X-Accel-Redirect;
		include				fastcgi_params;
		fastcgi_param SCRIPT_FILENAME	$document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO		$uri; #necessary for URL rewrite
	}

	# serve static files directly
	location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico)$ {
		access_log	off;
		expires		30d;
		add_header	Last-Modified $date_gmt;
	}
}
================================================================================
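nginx passes `add_header` directives down to a nested block only when that block declares no `add_header` of its own, and the static-file location in the configuration above declares one, so responses served from it would not carry the server-level security headers. The following check is an added example (not part of the original comment or of the port) that reports every block where this happens; `SAMPLE` is a constructed, trimmed copy of the layout above, and the function names are this example's own.

```python
import re

# Constructed sample: trimmed copy of the header/location layout posted above.
SAMPLE = r"""
server {
    add_header X-Content-Type-Options 'nosniff';
    add_header X-Frame-Options 'SAMEORIGIN';
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'";
    location ~* / { fastcgi_param PATH_INFO $uri; } #necessary for URL rewrite
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico)$ {
        expires 30d;
        add_header Last-Modified $date_gmt;
    }
}
"""

# Comments, quoted strings, structural characters, bare words (in that priority).
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+''')

def parse(tokens):
    """Build a list of (words, children); children is None for a simple directive."""
    out, words = [], []
    for tok in tokens:
        if tok in (";", "{"):
            out.append((words, parse(tokens) if tok == "{" else None))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
    return out

def dropped_headers(block, inherited=frozenset(), path="main"):
    """Yield (block, lost headers) where a block's own add_header cancels inherited ones."""
    own = frozenset(w[1].lower() for w, kids in block
                    if kids is None and len(w) > 1 and w[0] == "add_header")
    if own and inherited - own:
        yield path, sorted(inherited - own)
    for w, kids in block:
        if kids is not None:
            yield from dropped_headers(kids, own or inherited, " ".join(w))

def lint(text):
    tokens = (t for t in TOKEN.findall(text) if not t.startswith("#"))
    return list(dropped_headers(parse(tokens)))

if __name__ == "__main__":
    for path, lost in lint(SAMPLE):
        print(f"{path}: inherited headers not sent here: {', '.join(lost)}")
```

Repeating the security `add_header` lines inside any location that sets its own header (for example through a shared `include` file) makes the finding go away.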
Created attachment 199228 [details] use single quotes in egrep
(In reply to rozhuk.im from comment #2)
I incorporated some of these changes into https://svnweb.freebsd.org/ports?view=revision&revision=488751 (e.g. updated pkg-message, patching example configs, adding a more detailed local.json.sample), but not all. A few comments on things I didn't include:

- nginx.conf: The phabricator web page already has a working/best practice example configuration that is maintained there. Maintaining something similar as an example (especially given the many different ways of configuring this) that is secure and best practice doesn't make much sense. We already link to the phabricator configuration page, which has all the details.
- Changes to phd.in:
  + Making this REQUIRE mysql isn't good, as in many cases mysql-server isn't running within the same instance/vm/jail, but on a different host or as a cloud service.
  + Parsing values from local.json should be done using a safer mechanism (e.g. depending on textproc/jq or by using lib/php/phabricator/bin/config)
  + It's not entirely clear why prestart is removing all pid files (getting rid of leftovers?)
  + The poll command is killing processes. This is not the purpose of poll, one should be able to run "service poll phd" and it should hang until phd has been stopped (see also https://www.freebsd.org/cgi/man.cgi?query=rc&sektion=8)
On my system /var/run is tmpfs, so the service should create the dir before use.
/usr/local/lib/php/phabricator/bin/config get "phd.pid-directory" returns JSON.
I clean the pids dir before start to prevent situations where the service fails to start or dies and the system tries to stop non-existent pids or, even worse, those pids are reused by other processes/services.
Killing on poll is my error.
(In reply to rozhuk.im from comment #4) I think I applied all changes from this PR I'm comfortable with. Would you object to me closing this bug?
(In reply to Michael Gmelin from comment #5) Ok, close it.