| blob | 35ba66223f7a3ffdb9c18ad716585fcee82c9a3b |
2 <html>
3 <!-- $Id: mod_fastcgi.html,v 1.17 2000/07/19 17:58:38 robs Exp $ -->
5 <head>
7 </head>
8 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
18 FastCGI is a language independent, scalable, open extension to CGI that provides high
19 performance and persistence without the limitations of server specific APIs.</p>
21 <p>FastCGI applications are not limited to a particular development language (the protocol
22 is open). FastCGI application libraries currently exist for Perl, C/C++, Java, Python,
23 and TCL.</p>
25 <p>FastCGI applications use (TCP or Unix) sockets to communicate with the web server.
26 This scalable architecture allows applications to run on the same platform as the
27 web server or on many machines scattered across an enterprise network.</p>
30 supported either directly or through commercial extensions by most popular web servers.</p>
33 startup and initialization overhead. This makes possible the development of
34 applications which would otherwise be impractical within the CGI paradigm (e.g. a huge
35 Perl script, or an application which requires a connection to one or more databases).
40 updates, send mail to <a href="mailto:fastcgi-announce-request@idle.com">fastcgi-announce-request@idle.com</a>
48 <p>For information about building and installing the module, see the <a href="../INSTALL">INSTALL</a>
49 document that came with the distribution.</p>
52 static, dynamic, or external. They're configured using the <a href="#fastcgiserver">FastCgiServer</a>,
53 <a href="#FastCgiConfig">FastCgiConfig</a>, and <a href="#FastCgiExternalServer">FastCgiExternalServer</a>
55 a FastCGI application and which hasn't been explicitly configured using a <a
56 href="#fastcgiserver">FastCgiServer</a> or <a href="#FastCgiExternalServer">FastCgiExternalServer</a>
57 directive is handled as a dynamic application (see the <a href="#FastCgiConfig">FastCgiConfig</a>
58 directive for more information).</p>
60 <p>FastCGI static and dynamic applications are spawned and managed by the FastCGI Process
61 Manager, fcgi-pm. The process manager is spawned by Apache at server initialization.
64 <p>Apache must be configured to identify requests for FastCGI URIs. <code>mod_fastcgi</code>
67 <p>To configure Apache to handle all files (within the scope of the directive) as FastCGI
68 applications (e.g. for a fcgi-bin directory):</p>
70 <blockquote>
72 fastcgi-script</code></p>
73 </blockquote>
76 the specified extension(s) as FastCGI applications:</p>
78 <blockquote>
80 fastcgi-script fcg fcgi fpl</code></p>
81 </blockquote>
83 <dl>
84 <p>Consult the Apache documentation for more information regarding these and other
85 directives which affect request handling (such as <code><a
88 (see the <a
90 directive) in the
94 log associated with the request. Errors reported by the FastCGI process manager,
95 fcgi-pm, are reported to the main server log (typically, logs/error_log).
97 loop or via a mechanism that is not FastCGI protocol aware will also be
98 directed to the main server log. If
101 logs, these messages may be especially helpful while debugging a
102 configuration..</p>
104 href="http://www.apache.org/docs/mod/mod_env.html"><code>mod_env</code></a> (<code>SetEnv</code>,
106 href="http://www.apache.org/docs/mod/mod_setenvif.html"><code>mod_setenvif</code></a> (<code>BrowserMatch</code>,
109 your feeling adventurous).</p>
112 option. Non-parsed header (nph-) scripts will be rejected by mod_fastcgi
113 simply as
114 warning the behavior is different (create a symbolic link to the script without the
119 <p>Session affinity (as well as distribution) should be achievable outside of <code>mod_fastcgi</code>
120 using <a
121 href="http://www.apache.org/docs/mod/mod_rewrite.html"><code>mod_rewrite</code></a>. If you get this working, please post the details to <a
123 included here.</p>
125 <p>The FastCGI specification is not implemented in its entirety and I've deviated a bit as
126 well resulting in some Apache specific features.</p>
128 prohibited by the specification. I can't see any reason to require that
129 they be closed, and leaving them open prevents FastCGI applications which were
130 not completely ported to FastCGI from failing miserably. This does not
131 mean the applications shouldn't be fixed such that this doesn't occur, but is
132 invaluable when using a 3rd party library (without source code) which expects
133 to be able to write to stderr. Anything written to stdout or stderr in
134 this manner will be directed to the main server log.</p>
136 little value in
137 Apache until the output of one handler can be piped into another (Apache 2.0 is expected
141 applications can't be multithreaded. It means that each request requires
142 its own independent connect()/accept(). The protocol supports the concept of a
143 connection simultaneously shared by multiple requests. The FastCGI application
144 library which provides the FastCGI protocol support within FastCGI applications does not
145 currently support it (and thus doesn't have to be supported here). This may become a
147 NT which makes shared persistent multiplexed connection more reasonable to
149 <p>The Authorizer Role has three variations corresponding to each three
150 specific Apache request handling phases: Authentication, Authorization, and Access Control.
154 typically available to CGI/FastCGI request handlers including some explicitly precluded by
155 the FastCGI specification; I didn't see the point to leaving them out. All headers
156 returned by a FastCGI authentication application in a successful response (Status: 200)
157 are passed to subprocesses (CGI/FastCGI invocations) as environment variables rather than
159 calls for; I didn't see the point in leaving them out either. FastCGI specification
161 option to the Auth server directives.</p>
162 <p>Custom failure responses from FastCGI authorizer applications are not
163 supported (speak up if you need this). See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
164 directive for a workaround (hint: a CGI/FastCGI application can serve the
165 error document).</p>
167 <ul>
174 <li><a href="#FastCgiAuthenticatorAuthoritative"><code>FastCgiAuthenticatorAuthoritative</code></a></li>
176 <li><a href="#FastCgiAuthorizerAuthoritative"><code>FastCgiAuthorizerAuthoritative</code></a></li>
178 <li><a href="#FastCgiAccessCheckerAuthoritative"><code>FastCgiAccessCheckerAuthoritative</code></a></li>
179 </ul>
181 </dl>
183 <dl>
184 <hr>
186 <!-- %plaintext <?INDEX {\tt FastCgiServer} directive> -->
188 <tr>
189 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
191 </tr>
192 <tr>
193 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
195 </tr>
196 </table>
198 application. If the filename does not begin with a slash (/) then it is assumed to
199 be relative to the <a href="http://www.apache.org/docs/mod/core.html#serverroot">ServerRoot</a>.
200 </p>
201 <p>By default, the Process Manager will start one instance of the application with the
202 default configuration specified (in parenthesis) below. Should a static application
204 log the event (at the <code>warn</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).</p>
212 to write to the file descriptor returned by a non-blocking
214 on many platforms. See also -idle-timeout, it produces similar results
215 but in a more portable manner.<br>
217 based applications (static applications configured without the -port option
218 and dynamic applications) use this value successfully to limit the amount of
220 By default, this is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in
221 mod_fastcgi.h).</dd>
223 <dd>The number of seconds of FastCGI application inactivity allowed before the
224 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
225 The inactivity timer applies only as long as a connection is pending with
226 the FastCGI application. If a request is queued to an application, but
227 the application doesn't respond (by writing and flushing) within this
228 period, the request will be aborted. If communication is complete with
229 the application but incomplete with the client (the response is buffered),
230 the timeout does not apply.</dd>
231 <dt><code><b>-initial-env <em>name[=value</b><strong>]</strong> none</em></b><em><strong>]</strong> none</em></code></dt>
232 <dd>A name-value pair to be passed in the FastCGI application's <i> initial</i> environment. To pass a variable from Apache's environment, don't
234 defined without a value). To define a variable without a value, provide the
237 <dd>The minimum number of seconds between the spawning of instances of this application.
240 <dd>Force a write to the client as data is received from the application. By default, <code>mod_fastcgi</code>
241 buffers data in order to free the application as quickly as possible.</dd>
243 <dd>The depth of listen() queue (also known as the backlog) shared by all of the instances
244 of this application. A deeper listen queue allows the server to cope with transient
245 load fluctuations without rejecting requests; it does not increase throughput.
246 Adding additional application instances may increase throughput/performance, depending
247 upon the application and the host. </dd>
250 environment. This option makes available the contents of headers which
251 are normally not available (e.g. Authorization) to a CGI environment. </dd>
255 <dd>The process priority to be assigned to the application instances (using <code>setpriority()</code>).</dd>
258 server. This option makes the application accessible from other machines on the
260 options are mutually exclusive.</dd>
262 <dd>The minimum number of seconds between the respawning of failed instances of this
263 application. This delay prevents a broken application from soaking up too much of
264 the system.</dd>
266 <dd><b>Unix: </b>The filename of the Unix domain socket that the application will use for communication
267 with the web server. The module creates the socket within the directory specified by
270 application definition (<code>FastCgiExternalServer</code>). If neither the <code>-socket</code>
273 exclusive.</dd>
274 <DD>
276 use for communication with the web server. The module creates the
277 named pipe off the named pipe root specified by the FastCgiIpcDir.
278 . This option makes the application accessible to other applications (e.g.
283 mutually exclusive.</DD>
284 </dl>
286 <dl>
287 <hr>
289 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
291 <tr>
292 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
294 </tr>
295 <tr>
296 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
298 </tr>
299 </table>
302 FastCGI applications. This directive does not affect static or external
303 applications in any way.</p>
305 If the demand is heavy, additional application instances are started. As the demand
306 fades, application instances are killed off. Many of the options govern this
307 process.</p>
315 to write to the file descriptor returned by a non-blocking
317 on many platforms. See also -idle-timeout, it produces similar results
318 but in a more portable manner.<br>
320 based applications (static applications configured without the -port option
321 and dynamic applications) use this value successfully to limit the amount of
323 By default, this is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in
324 mod_fastcgi.h).</dd>
326 <dd>The number of seconds of FastCGI application inactivity allowed before the
327 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
328 The inactivity timer applies only as long as a connection is pending with
329 the FastCGI application. If a request is queued to an application, but
330 the application doesn't respond (by writing and flushing) within this
331 period, the request will be aborted. If communication is complete with
332 the application but incomplete with the client (the response is buffered),
333 the timeout does not apply.</dd>
335 <dd>This option causes mod_fastcgi to check the age of the application on disk before
336 processing each request. If the application is more recent, the process manager is
337 notified and all running instances of the application are killed off. In general,
338 its preferred that this type of functionality be built-in to the application (e.g. every
340 There may be an outstanding problem (bug) when this option is used with <code>-restart</code>.</dd>
343 the exponentially decayed connection times load factor of the currently running dynamic
345 making it smaller weights them more heavily compared to the current value, which is scaled
348 <dd>A name-value pair to be passed in the initial environment when instances of the
349 application are spawned. To pass a variable from the Apache environment, don't
351 defined without a value). To define a variable without a value, provide the
354 <dd>The minimum number of seconds between the spawning of instances of this application.
357 <dd>The killInterval determines how often the dynamic application instance killing policy is
358 implemented within the process manager. Lower numbers result in a more aggressive
359 policy, higher numbers a less aggressive policy.</dd>
361 <dd>The depth of listen() queue (also known as the backlog) shared by all of the instances
362 of this application. A deeper listen queue allows the server to cope with transient
363 load fluctuations without rejecting requests; it does not increase throughput.
364 Adding additional application instances may increase throughput/performance, depending
365 upon the application and the host. </dd>
367 <dd>The maximum number of dynamic FastCGI application instances allowed to run for any one
368 FastCGI application.</dd>
370 <dd>The maximum total number of dynamic FastCGI application instances allowed to run at any
371 one time.</dd>
373 <dd>The minimum total number of dynamic FastCGI application instances allowed to run at any
374 one time without being killed off by the process manager (due to lack of demand).</dd>
377 application should be terminated. If the application has more than one instance
378 currently running, this attribute will be used to decide whether one of them should be
380 instead.</dd>
383 environment. This option makes available the contents of headers which
384 are normally not available (e.g. Authorization) to a CGI environment. </dd>
386 <dd>The process priority to be assigned to the application instances (using <code>setpriority()</code>).</dd>
388 <dd>If the sum of all currently running dynamic FastCGI applications and exceeds <code>maxProcesses
390 improve performance at higher loads by killing the some of the most inactive
393 <dd>This option causes the process manager to restart dynamic applications upon failure
394 (similar to static applications).</dd>
396 <dd>The minimum number of seconds between the respawning of failed instances of this
397 application. This delay prevents a broken application from soaking up too much of
398 the system.</dd>
401 application can be terminated. If the process manager computed load factor for the
402 application is lower than the specified threshold, the last instance is terminated.
404 would specify value closer to 1, however if memory or CPU time is of primary concern, a
406 prevent the last instance of an application from being terminated; this is
407 the default value, changing it is not recommended (especially if -appConnTimeout
408 is set).</dd>
410 <dd>The number of seconds the web server waits patiently while trying to connect to a
411 dynamic FastCGI application. If the interval expires, the process manager is
412 notified with hope it will start another instance of the application. The <code>startDelay</code>
415 <dd>The updateInterval determines how often statistical analysis is performed to determine
416 the fate of dynamic FastCGI applications.</dd>
418 <hr>
420 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
422 <tr>
423 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
425 n]</em></code></td>
426 </tr>
427 <tr>
428 <td></td>
429 <td><code>FastCgiExternalServer <em>filename</em> <em>-socket filename [-appConnTimeout n]</em></code></td>
430 </tr>
431 <tr>
432 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
434 </tr>
435 </table>
437 external FastCGI application. If the filename does not begin with a slash (/) then
438 it is assumed to be relative to the <a
440 <p>External FastCGI applications are not started by the process manager, they are presumed
442 FastCGI devkit provides a simple tool, <code>cgi-fcgi</code>, for starting FastCGI applications independent of the
450 to write to the file descriptor returned by a non-blocking
452 on many platforms. See also -idle-timeout, it produces similar results
453 but in a more portable manner.<br>
455 based applications (static applications configured without the -port option
456 and dynamic applications) use this value successfully to limit the amount of
458 By default, this is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in
459 mod_fastcgi.h).</dd>
461 <dd>The number of seconds of FastCGI application inactivity allowed before the
462 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
463 The inactivity timer applies only as long as a connection is pending with
464 the FastCGI application. If a request is queued to an application, but
465 the application doesn't respond (by writing and flushing) within this
466 period, the request will be aborted. If communication is complete with
467 the application but incomplete with the client (the response is buffered),
468 the timeout does not apply.</dd>
470 <dd>Force a write to the client as data is received from the application. By default, <code>mod_fastcgi</code>
471 buffers data in order to free the application as quickly as possible.</dd>
475 are mutually exclusive.</dd>
478 environment. This option makes available the contents of headers which
479 are normally not available (e.g. Authorization) to a CGI environment. </dd>
481 <dd><b>Unix: </b>The filename of the Unix domain socket the application uses for communication with the
482 web server. The filename is relative to the <code>FastCgiIpcDir</code>. The <code>-socket</code>
485 for communitcating with the web server. the name is relative to the <TT><A HREF="#FastCgiIpcDir">
489 <hr>
491 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
493 <tr>
494 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
496 </tr>
497 <tr>
498 <td></td>
500 </tr>
501 <tr>
502 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
504 </tr>
505 <tr>
506 <td></td>
508 </tr>
509 <tr>
510 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
512 </tr>
513 </table>
514 <p><b>Unix: </b>The <code>FastCgiIpcDir</code> directive specifies <em>directory</em> as the place to
515 store (and find, in the case of external FastCGI applications) the Unix socket files used
516 for communication between the applications and the web server. If the directory does
517 not begin with a slash (/) then it is assumed to be relative to the <a
519 directory doesn't exist, an attempt is made to create it with appropriate
521 you use the default directory (or another directory within <code>/tmp</code>), <code>mod_fastcgi</code>
524 </i>as the root for the named pipes used for communication between the
527 any charater other than a backslash,/p>
528 <p>The <code>FastCgiIpcDir</code> directive must precede any <a href="#FastCgiServer"><code>FastCgiServer</code></a>
530 (which make use of Unix sockets). The directory must be readable, writeable, and
531 executable (searchable) by the web server, but otherwise should not be accessible to
532 anyone.</p>
533 <hr>
535 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
537 <tr>
538 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
540 </tr>
541 <tr>
542 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
544 </tr>
545 <tr>
546 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
548 </tr>
549 </table>
554 the suexec-wrapper. If the filename does not begin with a slash (/) then it is
555 assumed to be relative to the <a
558 application definitions is important. They inherit their user and group from the <code>User</code>
559 and <code>Group</code> directives in the virtual server in which they were defined. <code>User</code>
562 which they were defined, the application is allowed to service requests from any virtual
563 server with the same user and group. If a request is received for a FastCGI
564 application without an existing matching definition running with the correct user and
565 group, a dynamic instance of the application is started with the correct user and group.
566 This can lead to multiple copies of the same application running with different
567 user/group. If this is a problem, preclude navigation to the application from other
568 virtual servers or configure the virtual servers with the same User and Group.</p>
569 <p>See the Apache documentation for more information about suexec (make sure you fully
570 understand the security implications).</p>
571 <hr>
573 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
575 <tr>
576 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
578 </tr>
579 <tr>
580 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
582 </tr>
583 </table>
585 as a per-directory authenticator. Authenticators verify the requestor is who he says
586 he is by matching the provided username and password against a list or database of known
587 users and passwords. FastCGI based authenticators are useful primarily when the user
588 database is maintained within an existing independent program or resides on a machine
591 external server definition, it is started as a dynamic FastCGI application. If the
592 filename does not begin with a slash (/) then it is assumed to be relative to the <a
597 containers and must include an <a href="http://www.apache.org/docs/mod/core.html#authtype"><code>AuthType</code></a>
600 It must be accompanied by a <a href="http://www.apache.org/docs/mod/core.html#require"><code>require</code></a>
602 work correctly.</p>
603 </dl>
605 <blockquote>
607 AuthType Basic<br>
608 AuthName ProtectedRealm<br>
609 FastCgiAuthenticator fcgi-bin/authenticator<br>
610 require valid-user<br>
612 </blockquote>
615 typically available to CGI/FastCGI request handlers. All headers returned by a
616 FastCGI authentication application in a successful response (Status: 200) are passed to
617 subprocesses (CGI/FastCGI invocations) as environment variables. All headers
618 returned in an unsuccessful response are passed on to the client. FastCGI
620 option.</p>
624 performed.</p>
626 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
627 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
628 directive for a workaround (a FastCGI application can serve the document).</p>
630 <hr>
633 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
636 <tr>
637 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
639 </tr>
640 <tr>
641 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
643 </tr>
644 <tr>
645 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
647 </tr>
648 </table>
650 <p>Setting the <code>FastCgiAuthenticatorAuthoritative</code> directive explicitly to <em>Off</em>
651 allows authentication to be passed on to lower level modules (as defined in the <code>Configuration</code>
653 user. </p>
659 <p>By default, control is not passed on and an unknown user will result in an
662 <hr>
665 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
668 <tr>
669 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
671 </tr>
672 <tr>
673 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
675 </tr>
676 </table>
678 <dl>
680 a per-directory authorizer. Authorizers validate whether an authenticated requestor
681 is allowed access to the requested resource. FastCGI based authorizers are useful
682 primarily when there is a dynamic component to the authorization decision such as a time
685 external server definition, it is started as a dynamic FastCGI application. If the
686 filename does not begin with a slash (/) then it is assumed to be relative to the <a
691 containers and must include an <a href="http://www.apache.org/docs/mod/core.html#authtype"><code>AuthType</code></a>
696 <a href="http://www.apache.org/docs/mod/mod_auth_db.html#authdbuserfile"><code>AuthDBUserFile</code></a>
697 or <a href="http://www.apache.org/docs/mod/mod_auth_dbm.html#authdbmuserfile"><code>AuthDBMUserFile</code></a>
698 in order to work correctly.</p>
699 </dl>
701 <blockquote>
703 AuthType Basic<br>
704 AuthName ProtectedRealm<br>
705 AuthDBMUserFile conf/authentication-database<br>
706 FastCgiAuthorizer fcgi-bin/authorizer<br>
708 </blockquote>
711 typically available to CGI/FastCGI request handlers. All headers returned by a
712 FastCGI authorizer application in a successful response (Status: 200) are passed to
713 subprocesses (CGI/FastCGI invocations) as environment variables. All headers
714 returned in an unsuccessful response are passed on to the client. FastCGI
716 option.</p>
720 performed.</p>
722 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
723 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
724 directive for a workaround (a FastCGI application can serve the document).</p>
726 <hr>
729 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
732 <tr>
733 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
735 </tr>
736 <tr>
737 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
739 </tr>
740 <tr>
741 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
743 </tr>
744 </table>
747 allows authorization to be passed on to lower level modules (as defined in the <code>Configuration</code>
750 <p>By default, control is not passed on and an unauthorized user will result in an
753 <hr>
756 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
759 <tr>
760 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
762 </tr>
763 <tr>
764 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
766 </tr>
767 </table>
769 <dl>
771 directive is used to define a FastCGI application as a per-directory access
772 validator. The Apache Access phase precede user authentication and thus the decision
773 to (dis)allow access to the requested resource is based on the HTTP headers submitted with
774 the request. FastCGI based authorizers are useful primarily when there is a dynamic
775 component to the access validation decision such as a time of day or whether or not a
778 external server definition, it is started as a dynamic FastCGI application. If the
779 filename does not begin with a slash (/) then it is assumed to be relative to the <a
784 containers.</p>
785 </dl>
787 <blockquote>
789 FastCgiAccessChecker fcgi-bin/access-checker<br>
791 </blockquote>
794 typically available to CGI/FastCGI request handlers. All headers returned by a
795 FastCGI access-checker application in a successful response (Status: 200) are passed to
796 subprocesses (CGI/FastCGI invocations) as environment variables. All headers
797 returned in an unsuccessful response are passed on to the client. FastCGI
799 option.</p>
803 performed.</p>
805 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
806 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
807 directive for a workaround (a FastCGI application can serve the document).</p>
809 <hr>
812 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
815 <tr>
816 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
818 </tr>
819 <tr>
820 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
822 </tr>
823 <tr>
824 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
826 </tr>
827 </table>
829 <p>Setting the <code>FastCgiAccessCheckerAuthoritative</code> directive explicitly to <em>Off</em>
830 allows access checking to be passed on to lower level modules (as defined in the <code>Configuration</code>
833 <p>By default, control is not passed on and a failed access check will result in a
836 <hr>
839 </body>
840 </html>