| blob | 432decbda3cd60568948fa8d75301b6ce1474635 |
2 <html>
3 <!-- $Id: mod_fastcgi.html,v 1.20 2000/09/19 16:26:52 robs Exp $ -->
5 <head>
7 </head>
8 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
18 FastCGI is a language independent, scalable, open extension to CGI that provides high
19 performance and persistence without the limitations of server specific APIs.</p>
21 <p>FastCGI applications are not limited to a particular development language (the protocol
22 is open). FastCGI application libraries currently exist for Perl, C/C++, Java, Python,
23 and TCL.</p>
25 <p>FastCGI applications use (TCP or Unix) sockets to communicate with the web server.
26 This scalable architecture allows applications to run on the same platform as the
27 web server or on many machines scattered across an enterprise network.</p>
30 supported either directly or through commercial extensions by most popular web servers.</p>
33 startup and initialization overhead. This makes possible the development of
34 applications which would otherwise be impractical within the CGI paradigm (e.g. a huge
35 Perl script, or an application which requires a connection to one or more databases).
40 updates, send mail to <A href="mailto:fastcgi-announce-request@idle.com">fastcgi-announce-request@idle.com</a>
48 <p>For information about building and installing the module, see the <A href="../INSTALL">INSTALL</a>
49 document that came with the distribution.</p>
52 static, dynamic, or external. They're configured using the <A href="#fastcgiserver">FastCgiServer</a>,
53 <A href="#FastCgiConfig">FastCgiConfig</a>, and <A href="#FastCgiExternalServer">FastCgiExternalServer</a>
55 a FastCGI application and which hasn't been explicitly configured using a <A
56 href="#fastcgiserver" >FastCgiServer</a> or <A href="#FastCgiExternalServer">FastCgiExternalServer</a>
57 directive is handled as a dynamic application (see the <A href="#FastCgiConfig">FastCgiConfig</a>
58 directive for more information).</p>
60 <p>FastCGI static and dynamic applications are spawned and managed by the FastCGI Process
61 Manager, fcgi-pm. The process manager is spawned by Apache at server initialization.
64 <p>Apache must be configured to identify requests for FastCGI URIs. <code>mod_fastcgi</code>
67 <p>To configure Apache to handle all files (within the scope of the directive) as FastCGI
68 applications (e.g. for a fcgi-bin directory):</p>
70 <blockquote>
72 fastcgi-script</code></p>
73 </blockquote>
76 the specified extension(s) as FastCGI applications:</p>
78 <blockquote>
80 fastcgi-script fcg fcgi fpl</code></p>
81 </blockquote>
83 <dl>
84 <p>Consult the Apache documentation for more information regarding these and other
85 directives which affect request handling (such as <code><a
90 (see the <a
94 directive) in the
98 log associated with the request. Errors reported by the FastCGI process manager,
99 fcgi-pm, are reported to the main server log (typically, logs/error_log).
101 loop or via a mechanism that is not FastCGI protocol aware will also be
102 directed to the main server log. If
105 logs, these messages may be especially helpful while debugging a
106 configuration..</p>
109 href="http://www.apache.org/docs/mod/mod_env.html"><code>mod_env</code></a> (<code>SetEnv</code>,
118 your feeling adventurous).</p>
121 option. Non-parsed header (nph-) scripts will be rejected by mod_fastcgi
122 simply as
123 warning the behavior is different (create a symbolic link to the script without the
126 with "/" are treated as internal-redirects; otherwise, they are treated as
128 <p>Session affinity (as well as distribution) should be achievable outside of <code>mod_fastcgi</code>
129 using <a
134 included here.</p>
136 <p>The FastCGI specification is not implemented in its entirety and I've deviated a bit as
137 well resulting in some Apache specific features.</p>
139 prohibited by the specification. I can't see any reason to require that
140 they be closed, and leaving them open prevents FastCGI applications which were
141 not completely ported to FastCGI from failing miserably. This does not
142 mean the applications shouldn't be fixed such that this doesn't occur, but is
143 invaluable when using a 3rd party library (without source code) which expects
144 to be able to write to stderr. Anything written to stdout or stderr in
145 this manner will be directed to the main server log.</p>
147 little value in
148 Apache until the output of one handler can be piped into another (Apache 2.0 is expected
152 applications can't be multithreaded. It means that each request requires
153 its own independent connect()/accept(). The protocol supports the concept of a
154 connection simultaneously shared by multiple requests. The FastCGI application
155 library which provides the FastCGI protocol support within FastCGI applications does not
156 currently support it (and thus doesn't have to be supported here). This may become a
158 NT which makes shared persistent multiplexed connection more reasonable to
160 <p>The Authorizer Role has three variations corresponding to each three
161 specific Apache request handling phases: Authentication, Authorization, and Access Control.
165 typically available to CGI/FastCGI request handlers including some explicitly precluded by
166 the FastCGI specification; I didn't see the point to leaving them out. All headers
167 returned by a FastCGI authentication application in a successful response (Status: 200)
168 are passed to sub-processes (CGI/FastCGI invocations) as environment variables rather than
169 just those prefixed by "<code>Variable-</code>" as the FastCGI specification
170 calls for; I didn't see the point in leaving them out either. FastCGI specification
171 compliant authorizer behavior can be obtained by using the "<code>-compat</code>"
172 option to the Auth server directives.</p>
173 <p>Custom failure responses from FastCGI authorizer applications are not
174 supported (speak up if you need this). See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
175 directive for a workaround (hint: a CGI/FastCGI application can serve the
176 error document).</p>
178 <ul>
185 <li><A href="#FastCgiAuthenticatorAuthoritative"><code>FastCgiAuthenticatorAuthoritative</code></a>
189 <li><A href="#FastCgiAccessCheckerAuthoritative"><code>FastCgiAccessCheckerAuthoritative</code></a></li>
190 </ul>
191 <dd></dd>
192 </dl>
194 <dl>
195 <hr>
196 <h2><a name="FastCgiServer">FastCgiServer</a></h2><!-- %plaintext <?INDEX {\tt FastCgiServer} directive> -->
198 <tr>
199 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
201 </tr>
202 <tr>
203 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
205 </tr>
206 </table>
208 application. If the filename does not begin with a slash (/) then it is assumed to
209 be relative to the <a href="http://www.apache.org/docs/mod/core.html#serverroot">ServerRoot</a>.
210 </p>
211 <p>By default, the Process Manager will start one instance of the application with the
212 default configuration specified (in parenthesis) below. Should a static application
214 log the event (at the <code>warn</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).</p>
222 to write to the file descriptor returned by a non-blocking
224 on many platforms. See also -idle-timeout, it produces similar results
225 but in a more portable manner.<br>
227 applications (static applications configured without the -port option and
228 dynamic applications) use this value successfully to limit the amount of time
230 is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in mod_fastcgi.h).
232 <dd>The number of seconds of FastCGI application inactivity allowed before the
233 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
234 The inactivity timer applies only as long as a connection is pending with the
235 FastCGI application. If a request is queued to an application, but the
236 application doesn't respond (by writing and flushing) within this period, the
237 request will be aborted. If communication is complete with the
238 application but incomplete with the client (the response is buffered), the
239 timeout does not apply.
242 <dd>A name-value pair to be passed in the FastCGI application's <i> initial</i> environment. To
243 pass a variable from Apache's environment, don't provide the "=" (if the
244 variable isn't actually in the environment, it will be defined without a
246 any value. The option can be used repeatedly.
248 <dd>The minimum number of seconds between the spawning of
249 instances of this application. This delay decreases the demand placed
250 on the system at server initialization.
252 <dd>Force a write to the client as data is received from the application. By default, <code>mod_fastcgi</code> buffers data in order to free the
253 application as quickly as possible.
255 <dd>The depth of listen() queue (also known as the
256 backlog) shared by all of the instances of this application. A deeper
257 listen queue allows the server to cope with transient load fluctuations
258 without rejecting requests; it does not increase throughput. Adding
259 additional application instances may increase throughput/performance,
260 depending upon the application and the host.
262 <dd>The name of an HTTP Request Header to be passed in the <i>request</i> environment. This option makes
263 available the contents of headers which are normally not available (e.g.
264 Authorization) to a CGI environment.
266 <dd>The number of instances of the application to spawn
267 at server initialization.
269 <dd>The process priority to be assigned to the application instances (using <code>setpriority()</code>).
273 server. This option makes the application accessible from other machines on the
274 network (as well as this one). The <code>-socket</code> and <code>-port</code> options are mutually exclusive.
276 <dd>The minimum number of seconds between the respawning
277 of failed instances of this application. This delay prevents a broken
278 application from soaking up too much of the system.
280 <dd><b>Unix: </b>The filename of the Unix domain socket that the application will use for communication
281 with the web server. The module creates the socket within the directory specified by
284 application definition (<code>FastCgiExternalServer</code>). If neither the <code>-socket</code>
288 <DD>
290 use for communication with the web server. The module creates the
291 named pipe off the named pipe root specified by the FastCgiIpcDir.
292 . This option makes the application accessible to other applications (e.g.
297 mutually exclusive.</DD>
298 </dl>
300 <dl>
301 <hr>
302 <h2><a NAME="FastCgiConfig">FastCgiConfig</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
304 <tr>
305 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
307 </tr>
308 <tr>
309 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
311 </tr>
312 </table>
315 FastCGI applications. This directive does not affect static or external
316 applications in any way.</p>
318 If the demand is heavy, additional application instances are started. As the demand
319 fades, application instances are killed off. Many of the options govern this
320 process.</p>
328 to write to the file descriptor returned by a non-blocking
330 on many platforms. See also -idle-timeout, it produces similar results
331 but in a more portable manner.<br>
333 applications (static applications configured without the -port option and
334 dynamic applications) use this value successfully to limit the amount of time
336 is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in mod_fastcgi.h).
338 <dd>The number of seconds of FastCGI application inactivity allowed before the
339 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
340 The inactivity timer applies only as long as a connection is pending with the
341 FastCGI application. If a request is queued to an application, but the
342 application doesn't respond (by writing and flushing) within this period, the
343 request will be aborted. If communication is complete with the
344 application but incomplete with the client (the response is buffered), the
345 timeout does not apply.
347 <dd>This option causes mod_fastcgi to check the age of the application on disk before
348 processing each request. If the application is more recent, the process manager is
349 notified and all running instances of the application are killed off. In general,
350 its preferred that this type of functionality be built-in to the application (e.g. every
355 the exponentially decayed connection times load factor of the currently running dynamic
357 making it smaller weights them more heavily compared to the current value, which is scaled
360 none</EM></code>
361 <dd>A name-value pair to be passed in the initial
362 environment when instances of the application are spawned. To pass a
363 variable from the Apache environment, don't provide the "=" (if the variable
364 isn't actually in the environment, it will be defined without a value).
366 The option can be used repeatedly.
368 <dd>The minimum number of seconds between the spawning of
369 instances of this application. This delay decreases the demand placed
370 on the system at server initialization.
372 <dd>The killInterval determines how often the dynamic
373 application instance killing policy is implemented within the process
374 manager. Lower numbers result in a more aggressive policy, higher
375 numbers a less aggressive policy.
377 <dd>The depth of listen() queue (also known as the
378 backlog) shared by all of the instances of this application. A deeper
379 listen queue allows the server to cope with transient load fluctuations
380 without rejecting requests; it does not increase throughput. Adding
381 additional application instances may increase throughput/performance,
382 depending upon the application and the host.
384 <dd>The maximum number of dynamic FastCGI application
385 instances allowed to run for any one FastCGI application.
387 <dd>The maximum total number of dynamic FastCGI
388 application instances allowed to run at any one time.
390 <dd>The minimum total number of dynamic FastCGI
391 application instances allowed to run at any one time without being killed off
392 by the process manager (due to lack of demand).
396 application should be terminated. If the application has more than one instance
397 currently running, this attribute will be used to decide whether one of them should be
400 <dd>The name of an HTTP Request Header to be passed in the <i>request</i> environment. This option makes
401 available the contents of headers which are normally not available (e.g.
402 Authorization) to a CGI environment.
404 <dd>The process priority to be assigned to the application instances (using <code>setpriority()</code>).
407 <dd>If the sum of all currently running dynamic FastCGI applications and exceeds <code>maxProcesses
409 improve performance at higher loads by killing the some of the most inactive
412 <dd>This option causes the process manager to restart
413 dynamic applications upon failure (similar to static applications).
415 <dd>The minimum number of seconds between the respawning
416 of failed instances of this application. This delay prevents a broken
417 application from soaking up too much of the system.
420 whether the last instance of a FastCGI application can be terminated. If
421 the process manager computed load factor for the application is lower than the
422 specified threshold, the last instance is terminated. In order to make
423 your executables run in the "idle" mode for the long time, you would specify
424 value closer to 1, however if memory or CPU time is of primary concern, a
426 the last instance of an application from being terminated; this is the default
427 value, changing it is not recommended (especially if -appConnTimeout is set).
429 <dd>The number of seconds the web server waits patiently while trying to connect to a
430 dynamic FastCGI application. If the interval expires, the process manager is
431 notified with hope it will start another instance of the application. The <code>startDelay</code>
434 <dd>The updateInterval determines how often statistical
435 analysis is performed to determine the fate of dynamic FastCGI applications.
437 <hr>
438 <h2><a name="FastCgiExternalServer">FastCgiExternalServer</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
440 <tr>
441 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
443 [option ...]</em></code></td>
444 </tr>
445 <tr>
446 <td></td>
447 <td><code>FastCgiExternalServer <em>filename</em> <em>-socket filename [option ...]</em></code></td>
448 </tr>
449 <tr>
450 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
452 </tr>
453 </table>
454 <p>The <code>FastCgiExternalServer</code> directive defines <em>filename</em> as an external FastCGI application.
456 does not begin with a slash (/) then
457 it is assumed to be relative to the <a
458 href="http://www.apache.org/docs/mod/core.html#serverroot">ServerRoot</a>. The <EM>filename</EM> does
461 FastCGI application.. </p>
462 <p>External FastCGI applications are not started by the process manager, they are presumed
464 FastCGI devkit provides a simple tool, <code>cgi-fcgi</code>, for starting FastCGI applications independent of the
472 to write to the file descriptor returned by a non-blocking
474 on many platforms. See also -idle-timeout, it produces similar results
475 but in a more portable manner.<br>
477 applications (static applications configured without the -port option and
478 dynamic applications) use this value successfully to limit the amount of time
480 is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in mod_fastcgi.h).
482 <dd>The number of seconds of FastCGI application inactivity allowed before the
483 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
484 The inactivity timer applies only as long as a connection is pending with the
485 FastCGI application. If a request is queued to an application, but the
486 application doesn't respond (by writing and flushing) within this period, the
487 request will be aborted. If communication is complete with the
488 application but incomplete with the client (the response is buffered), the
489 timeout does not apply.
491 <dd>Force a write to the client as data is received from the application. By default, <code>mod_fastcgi</code> buffers data in order to free the
492 application as quickly as possible.
494 none</EM></code>
496 communication with the web server. The <code>-socket</code> and <code>-host</code> options are mutually exclusive.
498 <dd>The name of an HTTP Request Header to be passed in the <i>request</i> environment. This option makes
499 available the contents of headers which are normally not available (e.g.
500 Authorization) to a CGI environment.
502 <dd><b>Unix: </b>The filename of the Unix domain socket the application uses for communication with the
503 web server. The filename is relative to the <code>FastCgiIpcDir</code>. The <code>-socket</code>
506 for communicating with the web server. the name is relative to the <TT><A href="#FastCgiIpcDir">
510 <hr>
511 <h2><a name="FastCgiIpcDir">FastCgiIpcDir</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
513 <tr>
514 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
516 </tr>
517 <tr>
518 <td></td>
520 </tr>
521 <tr>
522 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
524 </tr>
525 <tr>
526 <td></td>
528 </tr>
529 <tr>
530 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
532 </tr>
533 </table>
534 <p><b>Unix: </b>The <code>FastCgiIpcDir</code> directive specifies <em>directory</em> as the place to
535 store (and find, in the case of external FastCGI applications) the Unix socket files used
536 for communication between the applications and the web server. If the directory does
537 not begin with a slash (/) then it is assumed to be relative to the <a
539 directory doesn't exist, an attempt is made to create it with appropriate
541 you use the default directory (or another directory within <code>/tmp</code>), <code>mod_fastcgi</code>
544 </i>as the root for the named pipes used for communication between the
547 any character other than a backslash,/p>
548 <p>The <code>FastCgiIpcDir</code> directive must precede any <A href="#FastCgiServer"><code>FastCgiServer</code></a>
550 (which make use of Unix sockets). The directory must be readable, writeable, and
551 executable (searchable) by the web server, but otherwise should not be accessible to
552 anyone.</p>
553 <hr>
554 <h2><a name="FastCgiWrapper">FastCgiWrapper</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
556 <tr>
557 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
559 </tr>
560 <tr>
561 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
563 </tr>
564 <tr>
565 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
567 </tr>
568 </table>
570 wrapper such as suexec or cgiwrap. To use the same wrapper used by Apache, set <code>FastCgiWrapper</code>
572 used by Apache when built as a DSO). The <i>On</i> argument requires suexec be enabled in Apache (for
573 CGI). To use a specific wrapper, specify
575 assumed to be relative to the <a
579 (in the future this directive will have directory context).</p>
581 the target application and thus presence and permissions checks cannot be
583 <p>The wrapper is invoked with the following arguments: username, group,
584 application. The username and group are determined as described
586 requested URI to (dynamic) or the filename provided as an argument to another
587 FastCGI (server or authorizer) directive. These arguments may or may not
588 be used by the wrapper (e.g. suexec uses them, cgiwrap parses the URI and
589 ignores them). The environment passed to the wrapper is identical to the
590 environment passed when a wrapper is not in use.</p>
592 application directives can be important. They inherit their user and group from the <code>User</code>
593 and <code>Group</code> of the virtual server in which they were defined. <code>User</code>
596 which they were defined, the application is allowed to service requests from any virtual
597 server with the same user and group. If a request is received for a FastCGI
598 application without an existing matching definition running with the correct user and
599 group, a dynamic instance of the application is started with the correct user and group.
600 This can lead to multiple copies of the same application running with different
601 user/group. If this is a problem, preclude navigation to the application from other
602 virtual servers or configure the virtual servers with the same User and Group.</p>
603 <p>See the Apache documentation for more information about suexec (make sure you fully
604 understand the security implications).</p>
605 <hr>
606 <h2><a name="FastCgiAuthenticator">FastCgiAuthenticator</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
608 <tr>
609 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
611 </tr>
612 <tr>
613 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
615 </tr>
616 </table>
618 as a per-directory authenticator. Authenticators verify the requestor is who he says
619 he is by matching the provided username and password against a list or database of known
620 users and passwords. FastCGI based authenticators are useful primarily when the user
621 database is maintained within an existing independent program or resides on a machine
624 external server definition, it is started as a dynamic FastCGI application. If the
625 filename does not begin with a slash (/) then it is assumed to be relative to the <a
634 containers and must include an <a href="http://www.apache.org/docs/mod/core.html#authtype"><code>AuthType</code></a>
637 It must be accompanied by a <a href="http://www.apache.org/docs/mod/core.html#require"><code>require</code></a>
639 work correctly.</p>
640 </dl>
642 <blockquote>
644 AuthType Basic<br>
645 AuthName ProtectedRealm<br>
646 FastCgiAuthenticator fcgi-bin/authenticator<br>
647 require valid-user<br>
649 </blockquote>
652 typically available to CGI/FastCGI request handlers. All headers returned by a
653 FastCGI authentication application in a successful response (Status: 200) are passed to
654 sub-processes (CGI/FastCGI invocations) as environment variables. All headers
655 returned in an unsuccessful response are passed on to the client. FastCGI
656 specification compliant behavior can be obtained by using the "<code>-compat</code>"
657 option.</p>
660 "AUTHENTICATOR" to indicate which (Apache specific) authorizer phase is being
661 performed.</p>
663 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
664 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
665 directive for a workaround (a FastCGI application can serve the document).</p>
667 <hr>
669 <h2><a name="FastCgiAuthenticatorAuthoritative">FastCgiAuthenticatorAuthoritative</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
672 <tr>
673 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
675 </tr>
676 <tr>
677 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
679 </tr>
680 <tr>
681 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
683 </tr>
684 </table>
686 <p>Setting the <code>FastCgiAuthenticatorAuthoritative</code> directive explicitly to <em>Off</em>
687 allows authentication to be passed on to lower level modules (as defined in the <code>Configuration</code>
689 user. </p>
695 <p>By default, control is not passed on and an unknown user will result in an
698 <hr>
700 <h2><a name="FastCgiAuthorizer">FastCgiAuthorizer</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
703 <tr>
704 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
706 </tr>
707 <tr>
708 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
710 </tr>
711 </table>
713 <dl>
715 a per-directory authorizer. Authorizers validate whether an authenticated requestor
716 is allowed access to the requested resource. FastCGI based authorizers are useful
717 primarily when there is a dynamic component to the authorization decision such as a time
720 external server definition, it is started as a dynamic FastCGI application. If the
721 filename does not begin with a slash (/) then it is assumed to be relative to the <a
730 containers and must include an <a href="http://www.apache.org/docs/mod/core.html#authtype"><code>AuthType</code></a>
737 <a href="http://www.apache.org/docs/mod/mod_auth_db.html#authdbuserfile"><code>AuthDBUserFile</code></a>
738 or <a href="http://www.apache.org/docs/mod/mod_auth_dbm.html#authdbmuserfile"><code>AuthDBMUserFile</code></a>
739 in order to work correctly.</p>
740 </dl>
742 <blockquote>
744 AuthType Basic<br>
745 AuthName ProtectedRealm<br>
746 AuthDBMUserFile conf/authentication-database<br>
747 FastCgiAuthorizer fcgi-bin/authorizer<br>
749 </blockquote>
752 typically available to CGI/FastCGI request handlers. All headers returned by a
753 FastCGI authorizer application in a successful response (Status: 200) are passed to
754 sub-processes (CGI/FastCGI invocations) as environment variables. All headers
755 returned in an unsuccessful response are passed on to the client. FastCGI
756 specification compliant behavior can be obtained by using the "<code>-compat</code>"
757 option.</p>
760 "AUTHORIZER" to indicate which (Apache specific) authorizer phase is being
761 performed.</p>
763 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
764 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
765 directive for a workaround (a FastCGI application can serve the document).</p>
767 <hr>
769 <h2><a name="FastCgiAuthorizerAuthoritative">FastCgiAuthorizerAuthoritative</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
772 <tr>
773 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
775 </tr>
776 <tr>
777 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
779 </tr>
780 <tr>
781 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
783 </tr>
784 </table>
787 allows authorization to be passed on to lower level modules (as defined in the <code>Configuration</code>
790 <p>By default, control is not passed on and an unauthorized user will result in an
793 <hr>
795 <h2><a name="FastCgiAccessChecker">FastCgiAccessChecker</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
798 <tr>
799 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
801 </tr>
802 <tr>
803 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
805 </tr>
806 </table>
808 <dl>
810 directive is used to define a FastCGI application as a per-directory access
811 validator. The Apache Access phase precede user authentication and thus the decision
812 to (dis)allow access to the requested resource is based on the HTTP headers submitted with
813 the request. FastCGI based authorizers are useful primarily when there is a dynamic
814 component to the access validation decision such as a time of day or whether or not a
817 external server definition, it is started as a dynamic FastCGI application. If the
818 filename does not begin with a slash (/) then it is assumed to be relative to the <a
827 containers.</p>
828 </dl>
830 <blockquote>
832 FastCgiAccessChecker fcgi-bin/access-checker<br>
834 </blockquote>
837 typically available to CGI/FastCGI request handlers. All headers returned by a
838 FastCGI access-checker application in a successful response (Status: 200) are passed to
839 sub-processes (CGI/FastCGI invocations) as environment variables. All headers
840 returned in an unsuccessful response are passed on to the client. FastCGI
841 specification compliant behavior can be obtained by using the "<code>-compat</code>"
842 option.</p>
845 "ACCESS_CHECKER" to indicate which (Apache specific) authorizer phase is being
846 performed.</p>
848 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
849 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
850 directive for a workaround (a FastCGI application can serve the document).</p>
852 <hr>
854 <h2><a name="FastCgiAccessCheckerAuthoritative">FastCgiAccessCheckerAuthoritative</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
857 <tr>
858 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
860 </tr>
861 <tr>
862 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
864 </tr>
865 <tr>
866 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
868 </tr>
869 </table>
871 <p>Setting the <code>FastCgiAccessCheckerAuthoritative</code> directive explicitly to <em>Off</em>
872 allows access checking to be passed on to lower level modules (as defined in the <code>Configuration</code>
875 <p>By default, control is not passed on and a failed access check will result in a
878 <hr>
881 </body>
882 </html>