Oracle Linux 9: installing fcgiwrap and adding SELinux rules so nginx can call it

On most distributions fcgiwrap can be installed with a single package-manager command, but on Oracle Linux 9 dnf reports that the package cannot be found. Once it is installed, SELinux additionally blocks nginx from connecting to it.

Reason

On Oracle Linux 9 the package lives in the EPEL ("developer") repository, defined in /etc/yum.repos.d/oracle-epel-ol9.repo, which was not enabled on this system.

Install fcgiwrap

  1. Edit the repo file and enable the repository (set enabled=1 in the EPEL section, whose id is ol9_developer_EPEL on a stock install), then refresh the package metadata
sudo vi /etc/yum.repos.d/oracle-epel-ol9.repo
sudo dnf update
     (dnf update also upgrades every installed package; if you only want the new repo picked up, sudo dnf makecache is enough)
  2. The install now succeeds
sudo dnf install fcgiwrap

Manually configure the fcgiwrap service

The package as installed here did not come with a usable systemd unit (check what it ships with rpm -ql fcgiwrap | grep systemd), so one is written by hand.

  1. Create the /var/run/nginx directory that will hold the socket. Note that /var/run is a symlink to /run, which is a tmpfs, so a directory created by hand disappears on reboot; have it recreated at boot, for example with a tmpfiles.d entry or a RuntimeDirectory= line in the service unit.
cd /var/run
sudo mkdir nginx
sudo chown nginx:nginx nginx
  2. Create the fcgiwrap service (nginx must be installed first, because the unit runs as the nginx user)
sudo dnf install nginx
sudo nano /etc/systemd/system/fcgiwrap.service

Write the following content

[Unit]
Description=Simple CGI Server
After=network.target

[Service]
# Listen on a Unix socket under /run/nginx rather than a TCP port, so only
# local processes that can reach the socket path can drive fcgiwrap.
ExecStart=/usr/sbin/fcgiwrap -s unix:/run/nginx/fcgiwrap.socket
# Have systemd create /run/nginx (owned by User/Group) at every start; /run is
# a tmpfs, so a directory made by hand does not survive a reboot.
RuntimeDirectory=nginx
RuntimeDirectoryMode=0750
# Running as the nginx user keeps socket permissions simple, but a compromised
# CGI then holds exactly the privileges of the web server itself.
User=nginx
Group=nginx

[Install]
WantedBy=multi-user.target
  3. Reload systemd, start the service and check that it is running
sudo systemctl daemon-reload
sudo systemctl start fcgiwrap
sudo systemctl status fcgiwrap
  4. Once it starts cleanly, enable it at boot
sudo systemctl enable fcgiwrap

Configure nginx CGI

  1. Open the configuration of the site
sudo vi /etc/nginx/conf.d/yourweb.conf
  2. Add the CGI location
location /cgi-bin/yourcgi {
	include fastcgi_params;
	# /var/run is a symlink to /run, so this is the socket the unit creates
	fastcgi_pass unix:/var/run/nginx/fcgiwrap.socket;
	# one fixed script; to serve a whole directory of CGIs use
	# $document_root$fastcgi_script_name instead
	fastcgi_param SCRIPT_FILENAME /path/to/your/cgi/file;
	# pass any other parameters as needed...
}

Solve SELinux problems

Even after this, SELinux still stops nginx (which runs as httpd_t) from connecting to the socket, because the hand-written unit runs fcgiwrap in the generic unconfined_service_t domain and nothing in the default policy allows that connection. The access has to be allowed explicitly; follow the steps below.

  1. Create a working folder for the audit2allow output (it writes the .te and .pp files into the current directory)
sudo mkdir /etc/selinux/audit2allow
cd /etc/selinux/audit2allow
  2. Request the target CGI path; access is denied
  3. Look at the denial in the audit log
sudo grep nginx /var/log/audit/audit.log | grep denied

Example output (one record, shown here as a single line):

type=AVC msg=audit(1699720883.997:1431781): avc:  denied  { connectto } for  pid=2205472 comm="nginx" path="/var/run/nginx/fcgiwrap.socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
  4. Generate an allow module from it
sudo grep nginx /var/log/audit/audit.log | grep denied | audit2allow -M allow_nginx_proxy_fcgiwrap
     This feeds every nginx denial ever written to the log into the module, not just the one above. A narrower input is sudo ausearch -m AVC -c nginx -ts recent, and in either case read the generated allow_nginx_proxy_fcgiwrap.te before loading it: the rule produced for this denial (allow httpd_t unconfined_service_t:unix_stream_socket connectto;) lets nginx connect to any Unix stream socket owned by an unconfined service, not only fcgiwrap's.

Normally the output is:

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i allow_nginx_proxy_fcgiwrap.pp
  5. Load the module
sudo semodule -i allow_nginx_proxy_fcgiwrap.pp
  6. Check whether the CGI is reachable now. If not, there is usually a further denial behind the first one; repeat steps 2 to 6, reviewing each generated rule, until access succeeds.
  7. Done!
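The grep-the-whole-log step is the part to be careful with, because audit2allow turns every denial piped into it into an allow rule. The script below is added here as an illustration and is not from the original post: it extracts the AVC denials for one process from a constructed audit.log sample, narrows them to one object class, and renders the policy source that audit2allow would write for that subset so it can be read before anything is built or loaded. The three log lines are made up for the example (the first is the denial from the post, the second an unrelated nginx file read under a home directory, the third a SYSCALL record that must be skipped); the function names avc_summary and te_module are mine. On a live host, feed it the output of sudo ausearch -m AVC -c nginx -ts recent instead of the sample, and build the reviewed source with checkmodule -M -m -o x.mod x.te and semodule_package -o x.pp -m x.mod before semodule -i x.pp.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage SELinux AVC denials for one
# process and render the minimal policy source for review before loading it.
set -eu

# Constructed sample of /var/log/audit/audit.log. Line 1 is the post's fcgiwrap
# denial; line 2 is an unrelated nginx denial (a file read under /home) that a
# bare "grep nginx | grep denied | audit2allow" would also turn into a rule;
# line 3 is a SYSCALL record that carries no AVC data and must be ignored.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1699720883.997:1431781): avc:  denied  { connectto } for  pid=2205472 comm="nginx" path="/var/run/nginx/fcgiwrap.socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1699720900.123:1431790): avc:  denied  { read } for  pid=2205472 comm="nginx" name="secret.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1699720883.997:1431781): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx"'

# avc_summary COMM [TCLASS]: read audit records on stdin and print one line
# "scontext tcontext tclass perm..." per AVC denial of COMM, optionally only
# for object class TCLASS.
avc_summary() {
  local comm="$1" tclass="${2:-}"
  awk -v comm="$comm" -v want="$tclass" '
    /^type=AVC / && /avc:  denied/ && index($0, "comm=\"" comm "\"") {
      perm = ""; sc = ""; tc = ""; cls = ""
      # permissions sit between braces: "{ connectto }" or "{ read write }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") sc = kv[2]
        else if (kv[1] == "tcontext") tc = kv[2]
        else if (kv[1] == "tclass") cls = kv[2]
      }
      if (want == "" || cls == want) print sc, tc, cls, perm
    }'
}

# te_module NAME: turn avc_summary lines on stdin into the policy source that
# audit2allow -M NAME would write to NAME.te, so the rules can be read first.
te_module() {
  local name="$1"
  awk -v name="$name" '
    {
      # the type is the third field of a context (user:role:type:level)
      split($1, s, ":"); split($2, t, ":"); cls = $3
      types[s[3]] = 1; types[t[3]] = 1
      perms = ""
      for (i = 4; i <= NF; i++) {
        perms = perms (i > 4 ? " " : "") $i
        if (!((cls SUBSEP $i) in seen)) { seen[cls SUBSEP $i] = 1; classperms[cls] = classperms[cls] " " $i }
      }
      rules[NR] = "allow " s[3] " " t[3] ":" cls " " (NF > 4 ? "{ " perms " }" : perms) ";"
    }
    END {
      print "module " name " 1.0;"
      print ""
      print "require {"
      for (ty in types) print "\ttype " ty ";"
      for (c in classperms) print "\tclass " c " {" classperms[c] " };"
      print "}"
      print ""
      for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# Show the difference: every nginx denial versus only the socket one.
echo "== all nginx denials in the sample =="
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary nginx
echo "== policy source for the socket denial only =="
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary nginx unix_stream_socket | te_module allow_nginx_proxy_fcgiwrap
```

Run unfiltered, avc_summary lists both denials, which is exactly what the post's grep pipeline hands to audit2allow; narrowed to unix_stream_socket, the rendered module contains the single connectto rule and nothing about user_home_t. The same filtering can be done by giving ausearch the right -c, -ts and class options, but seeing the rule text before semodule -i is the point.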


Origin blog.csdn.net/u011570312/article/details/134356560