FreeBSD Ruby issues with 2.3.0-devel #3304

Open
xm74 opened this issue Nov 2, 2023 · 11 comments

@xm74

xm74 commented Nov 2, 2023

I got these errors in the H2O error log with the latest h2o-devel port. As a result, the server is not responding to requests.
The last previous working version was h2o-devel-2.3.0.d.20220519.

# uname -a
FreeBSD eprove.net 13.2-RELEASE-p3 FreeBSD 13.2-RELEASE-p3 GENERIC amd64
# pkg info | grep -E 'h2o|ruby'
h2o-devel-2.3.0.d.20231010     Optimized HTTP/2 server including support for TLS 1.3 and HTTP/1.x
ruby-3.1.4_1,1                 Object-oriented interpreted scripting language
ruby31-gems-3.4.20             Package management framework for the Ruby language
rubygem-rake-13.0.6            Ruby Make
# tail -f /var/log/h2o/h2o-error.log
mruby raised: stack level too deep (SystemStackError)
mruby raised: stack level too deep (SystemStackError)
^C

H2O config which doesn't work with the recent versions but works just fine with h2o-devel-2.3.0.d.20220519.

# cat /usr/local/etc/h2o/h2o.conf
user: www
pid-file: /var/run/h2o.pid
access-log:
    path: /var/log/h2o/h2o-access.log
    format: "%h %v %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\""
error-log: /var/log/h2o/h2o-error.log

expires: off
compress: on
file.dirlisting: off
file.send-compressed: on

file.index: [ 'index.html', 'index.php' ]

file.custom-handler:
    extension: .php
    fastcgi.connect:
        host: 127.0.0.1
        port: 9000
        type: tcp

listen:
    port: 80
listen:
    port: 443
    ssl: &default_ssl
        cipher-suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-P>
        cipher-preference: server
        dh-file: /etc/ssl/dhparams.pem
        certificate-file: /usr/local/etc/letsencrypt/live/xxx/fullchain.pem
        key-file: /usr/local/etc/letsencrypt/live/xxx/privkey.pem

hosts:
# --- kostikov.co
    "kostikov.co:80":
        paths: &kostikov_301
            "/":
                redirect:
                    status: 301
                    url: https://kostikov.co/
    "www.kostikov.co:80":
        paths: *kostikov_301
    "kostikov.co:443":
        listen:
            port: 443
            ssl:
                 <<: *default_ssl
                 certificate-file: /usr/local/etc/letsencrypt/live/kostikov.co/fullchain.cur.pem
                 key-file: /usr/local/etc/letsencrypt/live/kostikov.co/privkey.cur.pem
        paths:
            "/":
                header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
                mruby.handler: |
                    acl {
                        deny { path.match("^/bl-content/(databases|backup|workspaces|pages|tmp)/.*$") }
                    }
                file.dir: /usr/local/www/kostikov.co
                redirect:
                    url: /index.php
                    internal: yes
                    status: 307
@dch
Collaborator

dch commented Nov 11, 2023

@xm74 can you try and reduce this down further, and what request seems to trigger it? I've not been able to reproduce this

@xm74
Author

xm74 commented Nov 12, 2023

@dch It's a simple https://kostikov.co
The CMS is Bludit. In addition, similar behavior is evident on some other sites as well. I just chose the simplest example.

@utrenkner
Contributor

I think @dch wanted to know what the simplest config was, that triggered the error. E.g. does it happen even without the acl? And if only a static page was served (no PHP)?

N.B. I have used H2O on FreeBSD for years, with quite a bit of mruby. But I have never encountered this error message. Therefore, I, too, am puzzled by this error.

@xm74
Author

xm74 commented Nov 12, 2023

@dch @utrenkner

> E.g. does it happen even without the acl?

Yes, without mruby ACL it works fine.

> And if only a static page was served (no PHP)?

I just tried replacing the PHP index file with plain HTML and got the same result with mruby ACL enabled.

@utrenkner
Contributor

I have never used the acl feature - I will give it a try later this week. But for the moment, you could easily replace this deny rule with something like this:

mruby.handler: |
  lambda do |env|
    if /^/bl-content/(databases|backup|workspaces|pages|tmp)/.*$/.match(env["PATH_INFO"])
      return [403, {'content-type' => 'text/plain'}, ["access forbidden\n"]]
    end
    [399, {}, []]
  end
file.dir: /usr/local/www/kostikov.co

Does this also trigger the error?

@xm74
Author

xm74 commented Nov 12, 2023

@utrenkner

Unfortunately this doesn't work.

# service h2o restart
h2o not running? (check /var/run/h2o.pid).
Starting h2o.
failed to parse configuration file /usr/local/etc/h2o/h2o.conf line 105: could not find expected ':'
/usr/local/etc/rc.d/h2o: WARNING: failed to start h2o

....
    "kostikov.co:443":
        listen:
            port: 443
            ssl:
                 <<: *default_ssl
                 certificate-file: /usr/local/etc/letsencrypt/live/kostikov.co/fullchain.cur.pem
                 key-file: /usr/local/etc/letsencrypt/live/kostikov.co/privkey.cur.pem
        paths:
            "/":
                mruby.handler: |
                    lambda do |env|
                        if /^/bl-content/(databases|backup|workspaces|pages|tmp)/.*$/.match(env["PATH_INFO"])
                        return [ 403, { 'content-type' => 'text/plain' }, [ "access forbidden\n" ]]
                    end
                    [ 399, {}, [] ]
                end
                file.dir: /usr/local/www/kostikov.co

@utrenkner
Contributor

Sorry, I assume this is line 105? Then it's probably because I forgot to escape the slashes in the path:


if /^\/bl-content\/(databases|backup|workspaces|pages|tmp)\/.*$/.match(env["PATH_INFO"])

@xm74
Author

xm74 commented Nov 12, 2023

@utrenkner

It finally worked.
That is, it seems that the problem is localized somewhere in the Ruby libraries included in the H2O distribution.

...
                mruby.handler: |
                   lambda do |env|
                        if /^\/bl-content\/(databases|backup|workspaces|pages|tmp)\/.*$/.match(env['PATH_INFO'])
                            return [ 403, { 'content-type' => 'text/plain' }, [ 'access forbidden' ] ]
                        end
                        [ 399, {}, [] ]
                   end
                file.dir: /usr/local/www/kostikov.co
                redirect:
                    url: /index.php
                    internal: yes
                    status: 307
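
An offline check of the deny rule from the handler above, added here as an example and not part of the original thread. It runs under ordinary Ruby rather than H2O's embedded mruby, so it validates the rule's logic only; the request paths, the `CASES` table and the `check_rule` helper are constructed for illustration.

```ruby
# Added example: exercise the thread's deny rule before reloading the server.
# The pattern and handler body are the ones from the working configuration;
# everything else (sample paths, helper names) is constructed for this check.

DENY = /^\/bl-content\/(databases|backup|workspaces|pages|tmp)\/.*$/

HANDLER = lambda do |env|
  if DENY.match(env['PATH_INFO'])
    return [403, { 'content-type' => 'text/plain' }, ['access forbidden']]
  end
  [399, {}, []] # 399 passes the request on to the next handler (file.dir)
end

# Constructed sample requests: path => status the rule is meant to produce.
CASES = {
  '/'                               => 399,
  '/index.php'                      => 399,
  '/bl-content/uploads/photo.jpg'   => 399, # public directory, not in the list
  '/bl-content/databases/users.php' => 403,
  '/bl-content/backup/site.zip'     => 403,
  '/bl-content/workspaces/a/b.json' => 403,
  '/bl-content/pages/about/index.txt' => 403,
  '/bl-content/tmp/'                => 403, # the directory itself, with slash
  '/bl-content/tmpfiles/a.txt'      => 399, # only shares a name prefix
  '/blog/bl-content/pages/x'        => 399, # pattern is anchored at the start
}.freeze

# Run every sample through the handler and collect mismatches as
# [path, expected, actual]; an empty list means the rule behaves as intended.
def check_rule(handler, cases)
  cases.each_with_object([]) do |(path, expected), failures|
    env = { 'PATH_INFO' => path, 'REQUEST_METHOD' => 'GET' }
    status, _headers, _body = handler.call(env)
    failures << [path, expected, status] unless status == expected
  end
end

failures = check_rule(HANDLER, CASES)
if failures.empty?
  puts "deny rule OK (#{CASES.size} sample paths)"
else
  failures.each { |path, want, got| puts "MISMATCH #{path}: want #{want}, got #{got}" }
end
```
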

@utrenkner
Contributor

I tried your acl code and encountered the same error. But I think I also identified the problem: You need to replace the double-quotes around the pattern with slashes (and then escape the slashes in your path):

...
  deny { path.match(/^\/bl-content\/(databases|backup|workspaces|pages|tmp)\/.*$/) }
...

This works here.

@xm74
Author

xm74 commented Nov 14, 2023

Yes! It works!
Thanks a lot.
But I wonder why it worked with quotes before...

> But I think I also identified the problem: You need to replace the double-quotes around the pattern with slashes

@dch
Collaborator

dch commented Nov 14, 2023 via email
