Some thoughts, especially about $_SERVER['PATH_INFO']

[jm009]

I would like to run Nextcloud with jFastCGI. Nextcloud handles everything with only a few PHP CGI scripts. These "dispatcher scripts" then call the "real" scripts. For example index.php may be called by URL https://my.host/nextcloud/index.php/apps/files/

I got aware, that jFastCGI doesn't properly set $_SERVER['PATH_INFO'] (should be /apps/files/ for the above example).

Now I am reading the code FastCGIHandler.java [1], method setEnvironment.

• From reading [2], I suppose that REQUEST_URI should never contain the URL part behind the '?'.
• Because from my experience it is quite frequent, to have web services behind a reverse proxy, I suggest to in addition to set REMOTE_ADDR and REMOTE_HOST (what is useless if the CGI sits behind a reverse proxy), it would be a good thing to also set X_FORWARDED_FOR, if an X-Forwarded-For header comes in with the request.
• Is it by accident or by purpose, that there is addHeader(ws, "REMOTE_HOST", req.getRemoteAddr()); instead of addHeader(ws, "REMOTE_HOST", req.getRemoteHost()); in the code?
• req.getServletPath() does not return the expected value, if the servlet is mapped to a subdir like in

  <servlet-mapping>
     <servlet-name>php-fpm</servlet-name>
     <url-pattern>/subdir/*</url-pattern>
  </servlet-mapping>

  In that case req.getServletPath() will always return /subdir. That is my experience with Tomcat, the "Same as the value of the CGI variable SCRIPT_NAME." from [3] is - from my experience with Tomcat - not true...

• If one trutsts the Javadoc [3]

  if (!scriptPath.startsWith("/")) {
     scriptPath = "/" + scriptPath
  }

  and the following .replaceAll("//", "/")) is not needed, because req.getContextPath() and req.getServletPath() should always be an empty string ("") or start with exactly one slash ("/").

• The

  else if(key.equalsIgnoreCase("PROXY")) {
     //Avoid to pass HTTP_PROXY to the script (https://github.com/jFastCGI/jfastcgi/issues/21)
     addHeader(ws, "CGI_HTTP_PROXY", value);
  }

  should not be needed, because no web client except from a malicious hacker should ever send a request header named "proxy".

Now the things that really matter (especially for Nextcloud and the like) :-) The tomcat CGIServlet determines SCRIPT_NAME and PATH_INFO by really searching the script in the file system [4].

• SCRIPT_NAME should be the part from the URL after the server up to the (including the) name of the php file.
• PATH_INFO should be the part after the php file name up to the "?". For the Tomcat CGI script, that can not be determined without really searching for the CGI script in the file system. [4] In the case of jFastCGI a simpler thing could be implemented by searching for ".php$" or ".php/" in the URL... (this will fail, if the script is called with extra path information [5] containing ".php$" or ".php/".

Maybe (if I find the time) I am going to implement a patch with proper creation of SCRIPT_NAME and PATH_INFO these days...

[1] https://github.com/jFastCGI/jfastcgi/blob/master/client/core/src/main/java/org/jfastcgi/client/FastCGIHandler.java [2] https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getRequestURI-- [3] https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getServletPath-- [4] https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/servlets/CGIServlet.java [5] https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getPathInfo-- (Keep in mind, that this is talking about servlets, not about CGI scripts - for CGI scripts I think "follows the servlet" should read "follows the file name".)

[jrialland]

Thanks for you're improvements, I've just merged your modifications

[jm009]

Thank you. Great.