Bug 233183 - [PATCH] devel/phabricator: add config examples, instructions and upd rc script
Summary: [PATCH] devel/phabricator: add config examples, instructions and upd rc script
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Michael Gmelin
Depends on:
Reported: 2018-11-12 23:42 UTC by rozhuk.im
Modified: 2019-09-08 16:33 UTC

See Also:
bugzilla: maintainer-feedback? (grembo)

patch (6.92 KB, patch)
2018-11-12 23:42 UTC, rozhuk.im
use single quotes in egrep (7.01 KB, patch)
2018-11-14 09:20 UTC, rozhuk.im

Description rozhuk.im 2018-11-12 23:42:17 UTC
Created attachment 199186
Comment 1 rozhuk.im 2018-11-12 23:50:45 UTC
Probably we should also add an nginx config; mine:
	server {
		listen		*:80;
		listen		[::]:80;
		server_name	%%PHABRICATOR_DOMAIN_NAME%%;

		root		/usr/local/lib/php/phabricator/webroot/;

		# When serving user-supplied content, include this header along with
		# the Content-Type: header, to disable content-type sniffing on some browsers.
		add_header		X-Content-Type-Options 'nosniff';
		# Enables the Cross-site scripting (XSS) filter built into most recent web browsers.
		add_header		X-XSS-Protection "1; mode=block";
		# Don't allow the browser to render the page inside an frame or iframe
		# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
		add_header		X-Frame-Options 'SAMEORIGIN';
		# Tell the browser that it can only download content from the domains you explicitly allow
		add_header		Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; worker-src 'none'";

		# php for: phabricator
		location ~* / {
			if ( !-f $request_filename) {
				rewrite ^/(.*)$		/index.php?__path__=/$1 break;
			}

			# php
			fastcgi_pass		unix:%%PATH_TO_PHP_FCGI_SOCK%%;
			fastcgi_connect_timeout	30s;
			fastcgi_read_timeout	600s;
			fastcgi_send_timeout	600s;
			fastcgi_ignore_client_abort off;
			fastcgi_intercept_errors on;
			fastcgi_index		index.php;
			fastcgi_pass_header	X-Accel-Redirect;
			include			fastcgi_params;
			fastcgi_param		SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param		PATH_INFO $uri; #necessary for URL rewrite
		}

		# serve static files directly
		location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico)$ {
			access_log	off;
			expires		30d;
			add_header	Last-Modified $date_gmt;
		}
	}
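
nginx inherits add_header from the enclosing level only when the current level defines none, so a block like the static-file location above, which sets its own add_header, answers without the server-level security headers. The lint below is an added example, not part of the original comment or of the port; the sample config is constructed from the layout above, and the socket path and the function names are assumptions.

```python
import re
# Constructed sample in the layout of the config above (socket path is a placeholder).
SAMPLE = r'''
server {
    add_header X-Content-Type-Options 'nosniff';
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'";
    location ~* / { fastcgi_pass unix:/path/to/php-fpm.sock; }
    location ~* ^.+\.(jpg|css|js)$ {
        add_header Last-Modified $date_gmt;
    }
}
'''

# Comments, quoted strings (which may contain ';'), structural characters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+''')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set directly in each."""
    root = {"name": "main", "headers": [], "children": []}
    stack, words = [root], []
    for tok in (t for t in TOKEN.findall(conf) if not t.startswith("#")):
        if tok == "{":
            node = {"name": " ".join(words), "headers": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack = stack[:-1] or stack  # tolerate a stray '}'
        elif tok == ";":
            if len(words) > 1 and words[0] == "add_header":
                stack[-1]["headers"].append(words[1])
        else:
            words.append(tok)
            continue
        words = []  # a directive or a block header just ended
    return root

def lost_headers(node, inherited=(), out=None):
    """Map each block that sets add_header to the inherited headers it thereby drops."""
    out = {} if out is None else out
    own = node["headers"]
    missing = [h for h in inherited if h not in own]
    if own and missing:
        out[node["name"]] = missing
    for child in node["children"]:
        lost_headers(child, own or inherited, out)
    return out

if __name__ == "__main__":
    print(lost_headers(parse(SAMPLE)))
```

Repeating the security headers in every block that sets add_header, for instance through a shared include file, clears the finding.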

Comment 2 rozhuk.im 2018-11-14 09:20:08 UTC
Created attachment 199228
use single quotes in egrep
Comment 3 Michael Gmelin freebsd_committer 2018-12-31 00:24:16 UTC
(In reply to rozhuk.im from comment #2)

I incorporated some of these changes into https://svnweb.freebsd.org/ports?view=revision&revision=488751 (e.g. updated pkg-message, patching example configs, adding a more detailed local.json.sample), but not all.

A few comments on things I didn't include:
- nginx.conf: The phabricator web page already has a working/best practice example configuration that is maintained there. Maintaining something similar as an example (especially given the many different ways of configuring this) that is secure and best practice doesn't make much sense. We already link to the phabricator configuration page, which has all the details.
- Changes to phd.in:
  + Making this REQUIRE mysql isn't good, as in many cases mysql-server isn't running within the same instance/vm/jail, but on a different host or as a cloud service.
  + Parsing values from local.json should be done using a safer mechanism (e.g. depending on textproc/jq or by using lib/php/phabricator/bin/config)
  + It's not entirely clear why prestart is removing all pid files (getting rid of leftovers?)
  + The poll command is killing processes. This is not the purpose of poll, one should be able to run "service poll phd" and it should hang until phd has been stopped (see also https://www.freebsd.org/cgi/man.cgi?query=rc&sektion=8)
Comment 4 rozhuk.im 2019-01-02 00:28:34 UTC
On my system /var/run is tmpfs, so the service should create the dir before use.
/usr/local/lib/php/phabricator/bin/config get "phd.pid-directory" - returns JSON.

I clean the pids dir before start to prevent situations where the service fails to start or dies and the system tries to stop nonexistent pids or, even worse, pids that have been reused by other processes/services.

Killing on poll - my error.
Comment 5 Michael Gmelin freebsd_committer 2019-09-03 14:36:44 UTC
(In reply to rozhuk.im from comment #4)

I think I applied all changes from this PR I'm comfortable with. Would you object to me closing this bug?
Comment 6 rozhuk.im 2019-09-08 16:33:34 UTC
(In reply to Michael Gmelin from comment #5)

Ok, close it.