[systemd-devel] Socket activation (for GitWeb)?

Mantas Mikulėnas grawity at gmail.com
Wed Apr 4 20:38:32 UTC 2018


On Wed, Apr 4, 2018, 22:18 Alex Ivanov <gnidorah at ya.ru> wrote:

> Hi.
> I want to use systemd as fastcgi spawner for gitweb + nginx.
> The traffic is low and number of users is limited + traversal bots. For
> that reason I've decided to use the following minimal services
>
> gitweb.socket:
> [Unit]
> Description=GitWeb Socket
>
> [Socket]
> ListenStream=/run/gitweb.sock
> Accept=false
>
> [Install]
> WantedBy=sockets.target
>
> gitweb.service:
> [Unit]
> Description=GitWeb Service
>
> [Service]
> Type=simple
> ExecStart=/path/to/gitweb.cgi --fcgi
> StandardInput=socket
>
> However this scheme is not resistant to simple DDOS.
> E.g. traversal bots often kill the service by opening non existing path
> (e.g http://host/?p=repo;a=blob;f=nonexisting/path;hb=HEAD showing in
> browser 404 - Cannot find file) many times consecutively, which leads to
> Apr 03 21:32:10 host systemd[1]: gitweb.service: Start request repeated
> too quickly.
> Apr 03 21:32:10 host systemd[1]: gitweb.service: Failed with result
> 'start-limit-hit'.
> Apr 03 21:32:10 host systemd[1]: Failed to start GitWeb service.
> in journal and 502 Bad Gateway in browser.
>
> Could someone please show me how to correct this issue?
>

I don't quite understand how gitweb.cgi is designed and how it's supposed
to behave here.

You use Accept=no, which implies that gitweb.cgi should start *once* and
keep accepting connections in a loop forever. So why does it keep exiting
and restarting *at all*? Why does a simple 404 make it exit the whole event
loop?

If it doesn't accept connections on its own, but needs to be passed in an
already-accepted connection, that'd be Accept=yes... And I'm not sure if
systemd activation like this is suitable for very high request rates.

> --

Mantas Mikulėnas <grawity at gmail.com>
Sent from my phone
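
The Accept=no model described in the reply, as an added example that is not part of the original thread and is not gitweb's code: the service takes over the listening socket once and keeps accepting, and a request that fails is answered without ending the loop. The line-based request format and the `handle` function are constructed for illustration; the socket hand-over uses the LISTEN_PID/LISTEN_FDS environment variables documented in sd_listen_fds(3).

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited descriptor, per sd_listen_fds(3)

def listen_fds(environ, pid):
    """Return the descriptors systemd passed to this process, or []."""
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []  # variables were meant for another process
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))

def handle(conn):
    """Hypothetical handler: a constructed line protocol, not FastCGI."""
    path = conn.recv(4096).decode("utf-8", "replace").strip()
    if "nonexisting" in path:
        raise FileNotFoundError(path)
    conn.sendall(b"200 " + path.encode() + b"\n")

def serve(listener, handler=handle, max_requests=None):
    """Accept=no: one process owns the listening socket and loops on accept().

    A failing request is answered and counted but never ends the loop, so the
    process stays up and the socket unit has no reason to start it again.
    """
    ok = failed = 0
    while max_requests is None or ok + failed < max_requests:
        conn, _ = listener.accept()
        with conn:
            try:
                handler(conn)
                ok += 1
            except Exception:
                failed += 1
                try:
                    conn.sendall(b"404\n")
                except OSError:
                    pass  # client already went away
    return ok, failed

if __name__ == "__main__":
    fds = listen_fds(os.environ, os.getpid())
    if fds:
        serve(socket.socket(fileno=fds[0]))
    else:
        print("not socket-activated: LISTEN_PID/LISTEN_FDS not set for this process")
```
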