httpd(8): patch to allow FastCGI chroots in sub-directories


httpd(8): patch to allow FastCGI chroots in sub-directories

Nazar Zhuk
httpd(8) expects FastCGI processes to have the same chroot as httpd. I
propose a feature that allows multiple FastCGI processes to be chrooted in
separate directories under /var/www (/var/www/site1, /var/www/site2,
etc.). This would better isolate multiple applications.

Configuration:

fastcgi strip <number>

strips <number> path components from the beginning of DOCUMENT_ROOT and
SCRIPT_FILENAME. So the FastCGI server gets /script instead of
/siteX/script.

I tested this with php-fpm.

Please consider including in httpd(8).


Index: httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.107
diff -u -p -u -r1.107 httpd.conf.5
--- httpd.conf.5 8 May 2019 21:46:56 -0000 1.107
+++ httpd.conf.5 9 Jan 2020 05:01:57 -0000
@@ -300,6 +300,10 @@ Alternatively if
  the FastCGI handler is listening on a TCP socket,
  .Ar socket
  starts with a colon followed by the TCP port number.
+.It Ic strip Ar number
+Strip
+.Ar number
+path components from the beginning of DOCUMENT_ROOT and SCRIPT_FILENAME
before sending them to the FastCGI server. This allows FastCGI server
chroot to be a directory under httpd chroot.
  .It Ic param Ar variable value
  Sets a variable that will be sent to the FastCGI server.
  Each statement defines one variable.
Index: httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.145
diff -u -p -u -r1.145 httpd.h
--- httpd.h 8 May 2019 19:57:45 -0000 1.145
+++ httpd.h 9 Jan 2020 05:01:57 -0000
@@ -547,6 +547,7 @@ struct server_config {
  uint8_t hsts_flags;

  struct server_fcgiparams fcgiparams;
+ int fcgistrip;

  TAILQ_ENTRY(server_config) entry;
  };
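Review bot: The new `fcgistrip` member has no comment, and nothing in this patch shows how the value reaches a `location` block, so it is unclear whether a location inherits the count from its enclosing server or ends up with 0. None of the four files touched contains the config-inheritance code, so this may need a matching change outside the diff and is worth confirming before commit. A one-line comment on the field, such as `/* leading path components removed from DOCUMENT_ROOT and SCRIPT_FILENAME */`, would also help, since the name alone does not say what is stripped. struct server_config begins before the hunk.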
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.113
diff -u -p -u -r1.113 parse.y
--- parse.y 28 Jun 2019 13:32:47 -0000 1.113
+++ parse.y 9 Jan 2020 05:01:58 -0000
@@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
     param->name, param->value);
  TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
  }
+ | STRIP NUMBER {
+ if ($2 < 0 || $2 > INT_MAX) {
+ yyerror("invalid fastcgi strip number");
+ YYERROR;
+ }
+ srv_conf->fcgistrip = $2;
+ }
  ;

  connection : CONNECTION '{' optnl conflags_l '}'
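Review bot: The range check in the `STRIP NUMBER` action accepts any count up to INT_MAX, so a value larger than the number of components in the server's root passes config parsing and only takes effect at request time. Because the count decides which directory the FastCGI server is told to treat as its document root, a config-time check against the depth of `root` would catch a mistyped value before it goes live; it would presumably have to run once the server block is complete, since `root` can appear after the fastcgi block. The message could also report the rejected value, e.g. `yyerror("fastcgi strip number out of range: %lld", $2);`. The `fcgiflags` rule begins before the hunk.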
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.80
diff -u -p -u -r1.80 server_fcgi.c
--- server_fcgi.c 8 May 2019 21:41:06 -0000 1.80
+++ server_fcgi.c 9 Jan 2020 05:01:58 -0000
@@ -241,7 +241,9 @@ server_fcgi(struct httpd *env, struct cl
  errstr = "failed to encode param";
  goto fail;
  }
- if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
+ if (fcgi_add_param(&param, "SCRIPT_FILENAME",
+    server_root_strip(script, srv_conf->fcgistrip),
+    clt) == -1) {
  errstr = "failed to encode param";
  goto fail;
  }
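Review bot: `server_root_strip()` is applied to the full `script` path here rather than to the root prefix alone, so if `fcgistrip` exceeds the number of components in `srv_conf->root` the call would presumably start removing components that came from the request. SCRIPT_FILENAME would then name a different file inside the FastCGI chroot than the one httpd resolved, and the DOCUMENT_ROOT call in the next hunk would pass an empty or truncated root. How `script` is built and how server_root_strip() treats an over-long count are both outside the hunk, so this needs checking against those; if it holds, clamping the count to the depth of the root, or rejecting the configuration, closes it. A short comment above the call, e.g. `/* FastCGI server may be chrooted below httpd's chroot: drop the leading components */`, would explain why the path is rewritten.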
@@ -257,7 +259,8 @@ server_fcgi(struct httpd *env, struct cl
  goto fail;
  }

- if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
+ if (fcgi_add_param(&param, "DOCUMENT_ROOT",
+    server_root_strip(srv_conf->root, srv_conf->fcgistrip),
     clt) == -1) {
  errstr = "failed to encode param";
  goto fail;


Re: httpd(8): patch to allow FastCGI chroots in sub-directories

Florian Obser-2
I like the idea. Unfortunately the diff does not apply.

On Thu, Jan 09, 2020 at 06:10:24AM +0100, Nazar Zhuk wrote:

> httpd(8) expects FastCGI processes to have the same chroot as httpd. I
> propose a feature that allows multiple FastCGI processes chrooted in
> separate directories under /var/www (/var/www/site1, /var/www/site2, etc.)
> This would better isolate multiple applications.
>
> Configuration:
>
> fastcgi strip <number>
>
> strips <number> path components from the beginning of DOCUMENT_ROOT and
> SCRIPT_FILENAME. So the FastCGI server gets /script instead of
> /siteX/script.
>
> I tested this with php-fpm.
>
> Please consider including in httpd(8).
>
>
> Index: httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.107
> diff -u -p -u -r1.107 httpd.conf.5
> --- httpd.conf.5 8 May 2019 21:46:56 -0000 1.107
> +++ httpd.conf.5 9 Jan 2020 05:01:57 -0000
> @@ -300,6 +300,10 @@ Alternatively if
>  the FastCGI handler is listening on a TCP socket,
>  .Ar socket
>  starts with a colon followed by the TCP port number.
> +.It Ic strip Ar number
> +Strip
> +.Ar number
> +path components from the beginning of DOCUMENT_ROOT and SCRIPT_FILENAME
> before sending them to the FastCGI server. This allows FastCGI server chroot
> to be a directory under httpd chroot.
>  .It Ic param Ar variable value
>  Sets a variable that will be sent to the FastCGI server.
>  Each statement defines one variable.
> Index: httpd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> retrieving revision 1.145
> diff -u -p -u -r1.145 httpd.h
> --- httpd.h 8 May 2019 19:57:45 -0000 1.145
> +++ httpd.h 9 Jan 2020 05:01:57 -0000
> @@ -547,6 +547,7 @@ struct server_config {
>   uint8_t hsts_flags;
>
>   struct server_fcgiparams fcgiparams;
> + int fcgistrip;
>
>   TAILQ_ENTRY(server_config) entry;
>  };
> Index: parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
> retrieving revision 1.113
> diff -u -p -u -r1.113 parse.y
> --- parse.y 28 Jun 2019 13:32:47 -0000 1.113
> +++ parse.y 9 Jan 2020 05:01:58 -0000
> @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
>      param->name, param->value);
>   TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
>   }
> + | STRIP NUMBER {
> + if ($2 < 0 || $2 > INT_MAX) {
> + yyerror("invalid fastcgi strip number");
> + YYERROR;
> + }
> + srv_conf->fcgistrip = $2;
> + }
>   ;
>
>  connection : CONNECTION '{' optnl conflags_l '}'
> Index: server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> retrieving revision 1.80
> diff -u -p -u -r1.80 server_fcgi.c
> --- server_fcgi.c 8 May 2019 21:41:06 -0000 1.80
> +++ server_fcgi.c 9 Jan 2020 05:01:58 -0000
> @@ -241,7 +241,9 @@ server_fcgi(struct httpd *env, struct cl
>   errstr = "failed to encode param";
>   goto fail;
>   }
> - if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
> + if (fcgi_add_param(&param, "SCRIPT_FILENAME",
> +    server_root_strip(script, srv_conf->fcgistrip),
> +    clt) == -1) {
>   errstr = "failed to encode param";
>   goto fail;
>   }
> @@ -257,7 +259,8 @@ server_fcgi(struct httpd *env, struct cl
>   goto fail;
>   }
>
> - if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
> + if (fcgi_add_param(&param, "DOCUMENT_ROOT",
> +    server_root_strip(srv_conf->root, srv_conf->fcgistrip),
>      clt) == -1) {
>   errstr = "failed to encode param";
>   goto fail;
>


--
I'm not entirely sure you are real.


Re: httpd(8): patch to allow FastCGI chroots in sub-directories

Nazar Zhuk
On Tue, Jan 14, 2020 at 03:07:05PM +0100, Florian Obser wrote:
> I like the idea. Unfortunately the diff does not apply.
Looks like I had formatting issues there. This should apply cleanly now.


Index: usr.sbin/httpd/httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.107
diff -u -p -u -r1.107 httpd.conf.5
--- usr.sbin/httpd/httpd.conf.5 8 May 2019 21:46:56 -0000 1.107
+++ usr.sbin/httpd/httpd.conf.5 17 Jan 2020 06:20:14 -0000
@@ -300,6 +300,10 @@ Alternatively if
 the FastCGI handler is listening on a TCP socket,
 .Ar socket
 starts with a colon followed by the TCP port number.
+.It Ic strip Ar number
+Strip
+.Ar number
+path components from the beginning of DOCUMENT_ROOT and SCRIPT_FILENAME before sending them to the FastCGI server. This allows FastCGI server chroot to be a directory under httpd chroot.
 .It Ic param Ar variable value
 Sets a variable that will be sent to the FastCGI server.
 Each statement defines one variable.
Index: usr.sbin/httpd/httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.145
diff -u -p -u -r1.145 httpd.h
--- usr.sbin/httpd/httpd.h 8 May 2019 19:57:45 -0000 1.145
+++ usr.sbin/httpd/httpd.h 17 Jan 2020 06:20:14 -0000
@@ -547,6 +547,7 @@ struct server_config {
  uint8_t hsts_flags;
 
  struct server_fcgiparams fcgiparams;
+ int fcgistrip;
 
  TAILQ_ENTRY(server_config) entry;
 };
Index: usr.sbin/httpd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.113
diff -u -p -u -r1.113 parse.y
--- usr.sbin/httpd/parse.y 28 Jun 2019 13:32:47 -0000 1.113
+++ usr.sbin/httpd/parse.y 17 Jan 2020 06:20:15 -0000
@@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
     param->name, param->value);
  TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
  }
+ | STRIP NUMBER {
+ if ($2 < 0 || $2 > INT_MAX) {
+ yyerror("invalid fastcgi strip number");
+ YYERROR;
+ }
+ srv_conf->fcgistrip = $2;
+ }
  ;
 
 connection : CONNECTION '{' optnl conflags_l '}'
Index: usr.sbin/httpd/server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.80
diff -u -p -u -r1.80 server_fcgi.c
--- usr.sbin/httpd/server_fcgi.c 8 May 2019 21:41:06 -0000 1.80
+++ usr.sbin/httpd/server_fcgi.c 17 Jan 2020 06:20:15 -0000
@@ -241,7 +241,9 @@ server_fcgi(struct httpd *env, struct cl
  errstr = "failed to encode param";
  goto fail;
  }
- if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
+ if (fcgi_add_param(&param, "SCRIPT_FILENAME",
+    server_root_strip(script, srv_conf->fcgistrip),
+    clt) == -1) {
  errstr = "failed to encode param";
  goto fail;
  }
@@ -257,7 +259,8 @@ server_fcgi(struct httpd *env, struct cl
  goto fail;
  }
 
- if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
+ if (fcgi_add_param(&param, "DOCUMENT_ROOT",
+    server_root_strip(srv_conf->root, srv_conf->fcgistrip),
     clt) == -1) {
  errstr = "failed to encode param";
  goto fail;


Re: httpd(8): patch to allow FastCGI chroots in sub-directories

Florian Obser-2
Slightly tweaked diff by me, fixing "new sentence new line" in the man
page.

This is OK florian@ if someone wants to commit it or I can commit it
if someone OKs it.

diff --git httpd.conf.5 httpd.conf.5
index f4ea2e55766..494271672ea 100644
--- httpd.conf.5
+++ httpd.conf.5
@@ -300,6 +300,12 @@ Alternatively if
 the FastCGI handler is listening on a TCP socket,
 .Ar socket
 starts with a colon followed by the TCP port number.
+.It Ic strip Ar number
+Strip
+.Ar number
+path components from the beginning of DOCUMENT_ROOT and
+SCRIPT_FILENAME before sending them to the FastCGI server.
+This allows FastCGI server chroot to be a directory under httpd chroot.
 .It Ic param Ar variable value
 Sets a variable that will be sent to the FastCGI server.
 Each statement defines one variable.
diff --git httpd.h httpd.h
index b1f17af8cd7..b22586974a5 100644
--- httpd.h
+++ httpd.h
@@ -547,6 +547,7 @@ struct server_config {
  uint8_t hsts_flags;
 
  struct server_fcgiparams fcgiparams;
+ int fcgistrip;
 
  TAILQ_ENTRY(server_config) entry;
 };
diff --git parse.y parse.y
index 054302269f4..109efd36a9f 100644
--- parse.y
+++ parse.y
@@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
     param->name, param->value);
  TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
  }
+ | STRIP NUMBER {
+ if ($2 < 0 || $2 > INT_MAX) {
+ yyerror("invalid fastcgi strip number");
+ YYERROR;
+ }
+ srv_conf->fcgistrip = $2;
+ }
  ;
 
 connection : CONNECTION '{' optnl conflags_l '}'
diff --git server_fcgi.c server_fcgi.c
index 864ce6b16d5..a85b5b44804 100644
--- server_fcgi.c
+++ server_fcgi.c
@@ -241,7 +241,8 @@ server_fcgi(struct httpd *env, struct client *clt)
  errstr = "failed to encode param";
  goto fail;
  }
- if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
+ if (fcgi_add_param(&param, "SCRIPT_FILENAME", server_root_strip(script,
+    srv_conf->fcgistrip), clt) == -1) {
  errstr = "failed to encode param";
  goto fail;
  }
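Review bot: The line break in the rewrapped call falls inside server_root_strip's argument list (`server_root_strip(script,` then `srv_conf->fcgistrip), clt)`), which makes it hard to see at a glance which arguments belong to which call; the DOCUMENT_ROOT call in the next hunk has the same shape. Computing the value first, `const char *fcgi_script = server_root_strip(script, srv_conf->fcgistrip);` (assuming the helper returns `const char *`), and passing `fcgi_script` to fcgi_add_param() keeps each call on one line. server_fcgi()'s body extends beyond the hunk on both sides.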
@@ -257,8 +258,8 @@ server_fcgi(struct httpd *env, struct client *clt)
  goto fail;
  }
 
- if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
-    clt) == -1) {
+ if (fcgi_add_param(&param, "DOCUMENT_ROOT", server_root_strip(
+    srv_conf->root, srv_conf->fcgistrip), clt) == -1) {
  errstr = "failed to encode param";
  goto fail;
  }


On Sat, Jan 18, 2020 at 07:19:33AM +0100, Nazar Zhuk wrote:

> On Tue, Jan 14, 2020 at 03:07:05PM +0100, Florian Obser wrote:
> > I like the idea. Unfortunately the diff does not apply.
> Looks like I had formatting issues there. This should apply cleanly now.
>
>
> Index: usr.sbin/httpd/httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.107
> diff -u -p -u -r1.107 httpd.conf.5
> --- usr.sbin/httpd/httpd.conf.5 8 May 2019 21:46:56 -0000 1.107
> +++ usr.sbin/httpd/httpd.conf.5 17 Jan 2020 06:20:14 -0000
> @@ -300,6 +300,10 @@ Alternatively if
>  the FastCGI handler is listening on a TCP socket,
>  .Ar socket
>  starts with a colon followed by the TCP port number.
> +.It Ic strip Ar number
> +Strip
> +.Ar number
> +path components from the beginning of DOCUMENT_ROOT and SCRIPT_FILENAME before sending them to the FastCGI server. This allows FastCGI server chroot to be a directory under httpd chroot.
>  .It Ic param Ar variable value
>  Sets a variable that will be sent to the FastCGI server.
>  Each statement defines one variable.
> Index: usr.sbin/httpd/httpd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> retrieving revision 1.145
> diff -u -p -u -r1.145 httpd.h
> --- usr.sbin/httpd/httpd.h 8 May 2019 19:57:45 -0000 1.145
> +++ usr.sbin/httpd/httpd.h 17 Jan 2020 06:20:14 -0000
> @@ -547,6 +547,7 @@ struct server_config {
>   uint8_t hsts_flags;
>  
>   struct server_fcgiparams fcgiparams;
> + int fcgistrip;
>  
>   TAILQ_ENTRY(server_config) entry;
>  };
> Index: usr.sbin/httpd/parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
> retrieving revision 1.113
> diff -u -p -u -r1.113 parse.y
> --- usr.sbin/httpd/parse.y 28 Jun 2019 13:32:47 -0000 1.113
> +++ usr.sbin/httpd/parse.y 17 Jan 2020 06:20:15 -0000
> @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
>      param->name, param->value);
>   TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
>   }
> + | STRIP NUMBER {
> + if ($2 < 0 || $2 > INT_MAX) {
> + yyerror("invalid fastcgi strip number");
> + YYERROR;
> + }
> + srv_conf->fcgistrip = $2;
> + }
>   ;
>  
>  connection : CONNECTION '{' optnl conflags_l '}'
> Index: usr.sbin/httpd/server_fcgi.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> retrieving revision 1.80
> diff -u -p -u -r1.80 server_fcgi.c
> --- usr.sbin/httpd/server_fcgi.c 8 May 2019 21:41:06 -0000 1.80
> +++ usr.sbin/httpd/server_fcgi.c 17 Jan 2020 06:20:15 -0000
> @@ -241,7 +241,9 @@ server_fcgi(struct httpd *env, struct cl
>   errstr = "failed to encode param";
>   goto fail;
>   }
> - if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
> + if (fcgi_add_param(&param, "SCRIPT_FILENAME",
> +    server_root_strip(script, srv_conf->fcgistrip),
> +    clt) == -1) {
>   errstr = "failed to encode param";
>   goto fail;
>   }
> @@ -257,7 +259,8 @@ server_fcgi(struct httpd *env, struct cl
>   goto fail;
>   }
>  
> - if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
> + if (fcgi_add_param(&param, "DOCUMENT_ROOT",
> +    server_root_strip(srv_conf->root, srv_conf->fcgistrip),
>      clt) == -1) {
>   errstr = "failed to encode param";
>   goto fail;
>

--
I'm not entirely sure you are real.


Re: httpd(8): patch to allow FastCGI chroots in sub-directories

Sebastian Benoit-3
ok

Florian Obser([hidden email]) on 2020.02.07 16:49:08 +0100:

> Slightly tweaked diff by me, fixing "new sentence new line" in the man
> page.
>
> This is OK florian@ if someone wants to commit it or I can commit it
> if someone OKs it.
>
> diff --git httpd.conf.5 httpd.conf.5
> index f4ea2e55766..494271672ea 100644
> --- httpd.conf.5
> +++ httpd.conf.5
> @@ -300,6 +300,12 @@ Alternatively if
>  the FastCGI handler is listening on a TCP socket,
>  .Ar socket
>  starts with a colon followed by the TCP port number.
> +.It Ic strip Ar number
> +Strip
> +.Ar number
> +path components from the beginning of DOCUMENT_ROOT and
> +SCRIPT_FILENAME before sending them to the FastCGI server.
> +This allows FastCGI server chroot to be a directory under httpd chroot.
>  .It Ic param Ar variable value
>  Sets a variable that will be sent to the FastCGI server.
>  Each statement defines one variable.
> diff --git httpd.h httpd.h
> index b1f17af8cd7..b22586974a5 100644
> --- httpd.h
> +++ httpd.h
> @@ -547,6 +547,7 @@ struct server_config {
>   uint8_t hsts_flags;
>  
>   struct server_fcgiparams fcgiparams;
> + int fcgistrip;
>  
>   TAILQ_ENTRY(server_config) entry;
>  };
> diff --git parse.y parse.y
> index 054302269f4..109efd36a9f 100644
> --- parse.y
> +++ parse.y
> @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
>      param->name, param->value);
>   TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
>   }
> + | STRIP NUMBER {
> + if ($2 < 0 || $2 > INT_MAX) {
> + yyerror("invalid fastcgi strip number");
> + YYERROR;
> + }
> + srv_conf->fcgistrip = $2;
> + }
>   ;
>  
>  connection : CONNECTION '{' optnl conflags_l '}'
> diff --git server_fcgi.c server_fcgi.c
> index 864ce6b16d5..a85b5b44804 100644
> --- server_fcgi.c
> +++ server_fcgi.c
> @@ -241,7 +241,8 @@ server_fcgi(struct httpd *env, struct client *clt)
>   errstr = "failed to encode param";
>   goto fail;
>   }
> - if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
> + if (fcgi_add_param(&param, "SCRIPT_FILENAME", server_root_strip(script,
> +    srv_conf->fcgistrip), clt) == -1) {
>   errstr = "failed to encode param";
>   goto fail;
>   }
> @@ -257,8 +258,8 @@ server_fcgi(struct httpd *env, struct client *clt)
>   goto fail;
>   }
>  
> - if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
> -    clt) == -1) {
> + if (fcgi_add_param(&param, "DOCUMENT_ROOT", server_root_strip(
> +    srv_conf->root, srv_conf->fcgistrip), clt) == -1) {
>   errstr = "failed to encode param";
>   goto fail;
>   }
>
>
> On Sat, Jan 18, 2020 at 07:19:33AM +0100, Nazar Zhuk wrote:
> > On Tue, Jan 14, 2020 at 03:07:05PM +0100, Florian Obser wrote:
> > > I like the idea. Unfortunately the diff does not apply.
> > Looks like I had formatting issues there. This should apply cleanly now.
> >
> >
> > Index: usr.sbin/httpd/httpd.conf.5
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> > retrieving revision 1.107
> > diff -u -p -u -r1.107 httpd.conf.5
> > --- usr.sbin/httpd/httpd.conf.5 8 May 2019 21:46:56 -0000 1.107
> > +++ usr.sbin/httpd/httpd.conf.5 17 Jan 2020 06:20:14 -0000
> > @@ -300,6 +300,10 @@ Alternatively if
> >  the FastCGI handler is listening on a TCP socket,
> >  .Ar socket
> >  starts with a colon followed by the TCP port number.
> > +.It Ic strip Ar number
> > +Strip
> > +.Ar number
> > +path components from the beginning of DOCUMENT_ROOT and SCRIPT_FILENAME before sending them to the FastCGI server. This allows FastCGI server chroot to be a directory under httpd chroot.
> >  .It Ic param Ar variable value
> >  Sets a variable that will be sent to the FastCGI server.
> >  Each statement defines one variable.
> > Index: usr.sbin/httpd/httpd.h
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> > retrieving revision 1.145
> > diff -u -p -u -r1.145 httpd.h
> > --- usr.sbin/httpd/httpd.h 8 May 2019 19:57:45 -0000 1.145
> > +++ usr.sbin/httpd/httpd.h 17 Jan 2020 06:20:14 -0000
> > @@ -547,6 +547,7 @@ struct server_config {
> >   uint8_t hsts_flags;
> >  
> >   struct server_fcgiparams fcgiparams;
> > + int fcgistrip;
> >  
> >   TAILQ_ENTRY(server_config) entry;
> >  };
> > Index: usr.sbin/httpd/parse.y
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
> > retrieving revision 1.113
> > diff -u -p -u -r1.113 parse.y
> > --- usr.sbin/httpd/parse.y 28 Jun 2019 13:32:47 -0000 1.113
> > +++ usr.sbin/httpd/parse.y 17 Jan 2020 06:20:15 -0000
> > @@ -689,6 +689,13 @@ fcgiflags : SOCKET STRING {
> >      param->name, param->value);
> >   TAILQ_INSERT_HEAD(&srv_conf->fcgiparams, param, entry);
> >   }
> > + | STRIP NUMBER {
> > + if ($2 < 0 || $2 > INT_MAX) {
> > + yyerror("invalid fastcgi strip number");
> > + YYERROR;
> > + }
> > + srv_conf->fcgistrip = $2;
> > + }
> >   ;
> >  
> >  connection : CONNECTION '{' optnl conflags_l '}'
> > Index: usr.sbin/httpd/server_fcgi.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> > retrieving revision 1.80
> > diff -u -p -u -r1.80 server_fcgi.c
> > --- usr.sbin/httpd/server_fcgi.c 8 May 2019 21:41:06 -0000 1.80
> > +++ usr.sbin/httpd/server_fcgi.c 17 Jan 2020 06:20:15 -0000
> > @@ -241,7 +241,9 @@ server_fcgi(struct httpd *env, struct cl
> >   errstr = "failed to encode param";
> >   goto fail;
> >   }
> > - if (fcgi_add_param(&param, "SCRIPT_FILENAME", script, clt) == -1) {
> > + if (fcgi_add_param(&param, "SCRIPT_FILENAME",
> > +    server_root_strip(script, srv_conf->fcgistrip),
> > +    clt) == -1) {
> >   errstr = "failed to encode param";
> >   goto fail;
> >   }
> > @@ -257,7 +259,8 @@ server_fcgi(struct httpd *env, struct cl
> >   goto fail;
> >   }
> >  
> > - if (fcgi_add_param(&param, "DOCUMENT_ROOT", srv_conf->root,
> > + if (fcgi_add_param(&param, "DOCUMENT_ROOT",
> > +    server_root_strip(srv_conf->root, srv_conf->fcgistrip),
> >      clt) == -1) {
> >   errstr = "failed to encode param";
> >   goto fail;
> >
>
> --
> I'm not entirely sure you are real.
>