[systemd-devel] Socket activation (for GitWeb)?
Alex Ivanov
gnidorah at ya.ru
Wed Apr 4 19:10:02 UTC 2018
Hi.
I want to use systemd as a FastCGI spawner for gitweb + nginx.
The traffic is low and the number of users is limited + traversal bots. For that reason I've decided to use the following minimal services:

gitweb.socket:

[Unit]
Description=GitWeb Socket

[Socket]
ListenStream=/run/gitweb.sock
Accept=false

[Install]
WantedBy=sockets.target

gitweb.service:

[Unit]
Description=GitWeb Service

[Service]
Type=simple
ExecStart=/path/to/gitweb.cgi --fcgi
StandardInput=socket

However, this scheme is not resistant to a simple DDOS.
E.g. traversal bots often kill the service by opening a non-existent path (e.g. http://host/?p=repo;a=blob;f=nonexisting/path;hb=HEAD, showing in browser 404 - Cannot find file) many times consecutively, which leads to
Apr 03 21:32:10 host systemd[1]: gitweb.service: Start request repeated too quickly.
Apr 03 21:32:10 host systemd[1]: gitweb.service: Failed with result 'start-limit-hit'.
Apr 03 21:32:10 host systemd[1]: Failed to start GitWeb service.
in journal and 502 Bad Gateway in browser.
Could someone please show me how to correct this issue?