Hi :-).

I read through your license file and noticed a couple of things:

1. It's spelled "LICENCE" instead of "LICENSE". This can make automatic LICENSE detectors miss your file
2. You (Yeung Shu Hung) share the copyright with "the Go Authors", but aren't you the sole author of this project?

It'd be nice if you can change the spelling from "LICENCE" to "LICENSE", as this may make it easier for automatic license detectors to find your license file.

Number 2 isn't a big deal, it's your project and you get to assign copyright to whoever you want of course. I just thought it was curious :-).

Cheers!

I made a script like this:

$ cat index.php 
<?php error_log('uh oh');

When I ran my gofast app with php-fpm on this script, and then hit it with curl localhost:8081, it issued the following error and then no longer responded to requests:

2018/07/05 03:23:39 gofast: error stream from application process PHP message: uh oh

Can you help? What's wrong with the code? The error is at the bottom as commented.

https://play.golang.org/p/IT3YNfP27Lp

The current library presume library-users are working on a proxy to application server (as described in the FastCGI specification). But some library (e.g. https://github.com/tomasen/fcgi_client) works as a simple request-response interface for the application server.

gofast should also support this.

Conceptually, it should probably look like this

...

address := os.Getenv("FASTCGI_ADDR")

// A client to directly connect FCGI backend
f := gofast.SimpleClientFactory(gofast.SimpleConnFactory("tcp", address), 0)
client := gofast.NewDirectClient(f, ...)

// Request specifying "SCRIPT_FILENAME" and
// a small subset of usual header by default
// (user can supply more parameters)
req := gofast.NewDirectRequest(...)

// make the direct request
var resp http.Response := client.Do(req)

...
...

Connections are closed by the end of every session. Should be pretty straightforward to use.

Its a nice thing that node-fastcgi implements all 3 roles of fastcgi application: Responder, Authorizer and Filter.

I would be great to have it in example collection.
And it is great to have full example on using all 3 roles in future.

Related to #2.

Add example server that works with Python 3 applications.

Reference:
https://docs.python.org/3/howto/webservers.html

There are 3 roles in FastCGI request:

1. Responder
2. Authorizer
3. Filter

Responder is the most common case around. Need to find an application framework that supports the other 2 roles. Then test all 3 cases against it.

Or, if there is no such thing, sit back and forget the 1.0 specification.

The testing on Authorizer and Filter depends on node-fastcgi.

It would be preferable to have golang native testing. We, however, cannot depend on the net/http/fcgi library because it only implemented the Responder role. Helps to resolve #2.

TODO

• expand the protocol, if needed, so we can write dummy fcgi application (probably without real socket connection).
• write dummy fcgi Authorizer application.
• write dummy fcgi Filter application.
• test Authorizer and Filter client implementations.

The current implementation of MapHeader only map the first value of any header field. If there are multiple values, some of the are lost.

According to a stackoverflow post, RFC 2616 stated that multiple header values should be concat with comma (,) before sending. In that spirit, I think we should use , for preserving multiple header value to get a better code compatibility.

I'm trying to decide whether to use a PoolClient, but pool.go doesn't say what benefit it has. I guess it's supposed to be for performance but I don't see any benchmarks that would give evidence for that.

I hope this isn't taken as too critical. I'm glad you wrote this library and I'm getting nice results from it.

Comparing fastcgi.go in the Caddy sources to session.go in gofast, I found the following fields in Caddy that are missing from gofast:

REMOTE_HOST
REMOTE_USER
REQUEST_SCHEME
HTTP_HOST

do u hv a version for fasthttp?

get := func(path string) (w *httptest.ResponseRecorder, err error) {
	h := php.NewHandler("", "tcp", "127.0.0.1:9000")
	r, err := http.NewRequest("GET", path, nil)
	if err != nil {
		return
	}
	w = httptest.NewRecorder()
	h.ServeHTTP(w, r)

	return
}

How to close ServeHTTP conn?

Hi there, love the work you are doing with this library!

Do you by chance have an example of a full blown MVC style framework like Laravel, Yii, or Symfony that is using this project? I would like to see a basic setup to make sure I am on the right path.

Need to have example to those in README.md example section.

Add Travis test that can test against PHP-FPM dummy site.

It is my understanding that MapHeader()'s intention is to map each request header into HTTP_<header name> param:

HTTP_HOST was listed as "No need to do" in #27 because "So if the request header has a Host field, it will be passed on as HTTP_HOST", but that's not true because Go removes ("promotes") the Host: ... header from http.Request.Header:

For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.

(Source)

My proposal to fix this is to just add:

// we've to handle "Host: ..." header separately, because Go "promotes" (= removes) this from Header map
if r.Host != "" {
  req.Params["HTTP_HOST"] = r.Host
}

Please let me know, if you'd prefer for me to submit a PR for this!

If I load the page five times or more, I run out of process managers.

php_1 | [31-Jan-2018 14:43:10] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it

You can view the repo if you need to see what I'm doing.

Is gofast closing the FastCGI connections? Reusing them? Any help is appreciated :)

If you run gofast behind a loadbalancer that handles TLS, it will not properly check for HTTPS.

What would be the best way to solve this?

Need more test case in triggering FastCGI Stderr steam output. Make sure no read/write block.

like nginx X-Accel-Redirect will be intercept and remove before responed to client by nginx

ResponsePipe just write to http.Response

@hilyjiang,

Just found your fork by surprise.

You have fixed several issues in his forked version.
Would be glad to merge the changes if you care to make a pull request :-)

Have a simple way to generate all $_SERVER variables.

Reference:
http://php.net/manual/en/reserved.variables.server.php

The original libfcgi has:

libfcgi/fcgiapp.c, in ProcessBeginRecord():

if(requestId == 0 || data->contentLen != sizeof(body)) {
    return FCGX_PROTOCOL_ERROR;
}

Which means that it rejects requests with RequestID == 0.

Changing gofast/client.go line 101:
for i := uint16(0); i < maxID; i++ {

to:
for i := uint16(1); i < maxID; i++ {

will resolve this.

Additionally: I'm concerned because it appears that this will run out of ids at 65k and it's not clear what happens then.

Client doesn't work with empty stdin content. Need to inject artificial stdin in the proxy example in order to work properly.

Need fix.

The gofast is setup to interact with the php7.4-fpm and I get the crash of the app with the following log messages:

2021/09/22 11:24:31 gofast: error writing error buffer to response: gofast: copy error: write tcp 10.0.255.150:443->54.36.148.120:37375: write: connection reset by peer 2021/09/22 11:24:31 gofast: error stream from application process gofast: timeout or canceled panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x2939d4]

goroutine 72774 [running]:
github.com/yookoala/gofast.(*client).readResponse.func1(0x400051e000, 0x40003fa440, 0x40001a4a80, 0x400007aae0)
/root/go/pkg/mod/github.com/yookoala/[email protected]/client.go:213 +0x24
created by github.com/yookoala/gofast.(*client).readResponse
/root/go/pkg/mod/github.com/yookoala/[email protected]/client.go:210 +0x84
exit status 2

In the current version of client.go, @hilyjiang help added properly translated SCRIPT_FILENAME, PATH_TRANSLATED to fastcgi parameters.

The translation suits older PHP routing paradigm, where server route request to the PHP file that matches the directory-file path within a document root (i.e. root). PHP frameworks now in favour of routing all requests to same PHP file, where further routing logic is done by PHP code. Some examples,

• Symfony
• Laravel
• CakePHP
• FastRoute
• klein

To interoperate with PHP application of both paradigm we should decouple the path translation into a separated component (instead of a fix string parameter root). Then we should have sensible default implementation to route for both paradigm.

In session.go, CONTENT_TYPE and CONTENT_LENGTH environment variables are set (as empty) even if Content-Type and Content-Length request headers are not specified in the original HTTP request. This is likely to cause certain back ends to fail as these env vars would contain empty values.

Is it possible to set these headers if and only if these are supplied on the request?

I'm seeing this error in production in combination with skipper. Unfortunately I wasn't able to get the exact request yet.
Do you maybe have some pointers (pun intended) how to debug this?

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xa9dcd9]
goroutine 57768117 [running]:
github.com/yookoala/gofast.(*client).readResponse.func1(0xc00ac4e000, 0xc00a84aea0, 0xc00a81d6c0, 0xc004484540)
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:211 +0x29
created by github.com/yookoala/gofast.(*client).readResponse
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:208 +0xad

Relevant code segment:
https://github.com/yookoala/gofast/blob/v0.4.0/client.go#L199-L239

Why no responsible disclosure

First off, I wanted to proceed with a responsible disclosure but:

• I didn't find a security policy for this repo
• The only contact info I found was a Twitter account that was restricted to only followers so I could not send a DM or tweet

The vulnerability

This line takes remote user controllable path from HTTP request and appends it via filepath.Join() (it does relative-to-absolute translation) to a file path, now making it a legit file path from now on.

Now, given user code:

	handler := gofast.NewHandler(
		gofast.NewPHPFS("/baikal/html/"),
		gofast.SimpleClientFactory(gofast.SimpleConnFactory("tcp", ":8080"), 0),
	)

And an attacker sending a HTTP request:

$ curl --path-as-is http://localhost/../../etc/passwd

(curl would normalize the path without --path-as-is)

Because the handler also serves static files, I am able to steal anything from the filesystem (even ENV vars from /proc/self/environ that sometimes are used to store secrets).

If I add logging, the above request would show up as:

incoming URL path=/../../etc/passwd SCRIPT_FILENAME=/etc/passwd

More on this vulnerability: https://owasp.org/www-community/attacks/Path_Traversal

Other observations

Ineffectual code

This is ineffectual, as req.Params["SCRIPT_FILENAME"] is overwritten a few lines later

Performance observation

This compiles a regex on every request. It might be more performant to compile the regex only once (outside of this function). There's another place also that compiles a regex on every request.

Potential problem here is that the idpool channel in these "disposable" clients never got proper GC and recovery.

As reported by @adri in this comment about this usage of the library:

I'm not working often in Golang, please forgive me if what I say makes no sense. I've been looking for potential memory that is not cleaned up.

1. Maybe c.ids.Release(reqID) is not called in certain error cases
   The ID is allocated and later released. What if there is an error like this, will the ID be released back in the pool?

2. Looking at one Skipper pod I see the typical saw-tooth graph of a memory leak.
   I'm not sure if this has anything to do with the gofast usage or something in Skipper. If you have a tip how I can find out more please let me know.
   
   I can see goroutines increasing:
   
   And live objects:
   

And in this comment:

The design of gofast is to have the ClientFactory reused, not the Client.

@yookoala mentioned that the ClientFactory should be reused in the comment.

However, if I read it right, the ClientFactory is created on every request.

@yookoala @ruudk Should this not be changed in Skipper to only create the ClientFactory once?
See this line in skipper.

---

I think the problem is with creating new request IDs. When the ClientFactory is not reused, I guess that there are new ID pools created on every request?

Explanation
When getting a diff between two goroutine dumps I see many goroutines in newIDs.func1:

goroutine 75451 [chan send, 10 minutes]:
github.com/yookoala/gofast.newIDs.func1(0xc001323020, 0xffff)
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:102 +0x43
created by github.com/yookoala/gofast.newIDs
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:100 +0x78

goroutine 68511 [chan send, 11 minutes]:
github.com/yookoala/gofast.newIDs.func1(0xc002043500, 0xffff)
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:102 +0x43
created by github.com/yookoala/gofast.newIDs
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:100 +0x78

goroutine 53003 [chan send, 12 minutes]:
github.com/yookoala/gofast.newIDs.func1(0xc001f52f60, 0xffff)
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:102 +0x43
created by github.com/yookoala/gofast.newIDs
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:100 +0x78

goroutine 120002 [chan send, 6 minutes]:
github.com/yookoala/gofast.newIDs.func1(0xc001a0cba0, 0xffff)
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:102 +0x43
created by github.com/yookoala/gofast.newIDs
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:100 +0x78

goroutine 169080 [chan send, 2 minutes]:
github.com/yookoala/gofast.newIDs.func1(0xc000039bc0, 0xffff)
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:102 +0x43
created by github.com/yookoala/gofast.newIDs
	/go/pkg/mod/github.com/yookoala/[email protected]/client.go:100 +0x78

How to dump

1. Configure -enable-profile for Skipper
2. Proxy to a Skipper pod kubectl port-forward skipper-ingress-pzx2b 9911:9911
3. Go to http://127.0.0.1:9911/debug/pprof/ and download a dump full goroutine stack dump, wait a few minutes, and download another dump
4. Install goroutine-inspect and run it $GOPATH/bin/goroutine-inspect
5. Make a diff, (l = only in original, c = in both, r = in original 2)

   original = load("goroutine.dump")
   original2 = load("goroutine2.dump")
   l, c, r = original.diff(original2)
   c.show()
   

I used this:

    cf := gofast.SimpleConnFactory("unix", pathToPhpFpmSocket)
    var h http.Handler = gofast.NewHandler(
            gofast.NewFileEndpoint(router)(gofast.BasicSession),
            gofast.SimpleClientFactory(cf, 0),
    )

In my script called index.php I had

 <?php
 echo $_SERVER['REQUEST_URI']

Expected output:

/

Actual output:

/index.php/