| blob | b3bb3c4a89728ef0f25aa38e8220a6afd4d82b7b |
2 <html>
3 <!-- $Id: mod_fastcgi.html,v 1.22 2001/05/12 12:53:57 robs Exp $ -->
5 <head>
7 </head>
8 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
18 FastCGI is a language independent, scalable, open extension to CGI that provides high
19 performance and persistence without the limitations of server specific APIs.</p>
21 <p>FastCGI applications are not limited to a particular development language (the protocol
22 is open). FastCGI application libraries currently exist for Perl, C/C++, Java, Python,
23 and TCL.</p>
25 <p>FastCGI applications use (TCP or Unix) sockets to communicate with the web server.
26 This scalable architecture allows applications to run on the same platform as the
27 web server or on many machines scattered across an enterprise network.</p>
29 <p>FastCGI applications are portable to other web server platforms. FastCGI is
30 supported either directly or through commercial extensions by most popular web servers.</p>
32 <p>FastCGI applications are fast because they're persistent. There is no per-request
33 startup and initialization overhead. This makes possible the development of
34 applications which would otherwise be impractical within the CGI paradigm (e.g. a huge
35 Perl script, or an application which requires a connection to one or more databases).
36 </p>
39 website</a>. To receive FastCGI related announcements and notifications of module
40 updates, send mail to <A href="mailto:fastcgi-announce-request@fastcgi.com">fastcgi-announce-request@fastcgi.com</a>
41 with "subscribe" in the Subject field. To participate in the discussion of
43 <A href="mailto:fastcgi-developers-request@fastcgi.com" >fastcgi-developers-request@fastcgi.com</a>
48 <p>For information about building and installing the module, see the <A href="../INSTALL">INSTALL</a>
49 document that came with the distribution.</p>
52 static, dynamic, or external. They're configured using the <A href="#fastcgiserver">FastCgiServer</a>,
53 <A href="#FastCgiConfig">FastCgiConfig</a>, and <A href="#FastCgiExternalServer">FastCgiExternalServer</a>
55 a FastCGI application and which hasn't been explicitly configured using a
56 <A href="#fastcgiserver" >FastCgiServer</a> or <A href="#FastCgiExternalServer">FastCgiExternalServer</a>
57 directive is handled as a dynamic application (see the <A href="#FastCgiConfig">FastCgiConfig</a>
58 directive for more information).</p>
60 <p>FastCGI static and dynamic applications are spawned and managed by the FastCGI Process
61 Manager, fcgi-pm. The process manager is spawned by Apache at server initialization.
62 External applications are presumed to be started and managed independently.</p>
67 <p>To configure Apache to handle all files (within the scope of the directive) as FastCGI
68 applications (e.g. for a fcgi-bin directory):</p>
70 <blockquote>
72 fastcgi-script</code></p>
73 </blockquote>
75 <p>To configure Apache to handle files (within the scope of the directive) with
76 the specified extension(s) as FastCGI applications:</p>
78 <blockquote>
80 fastcgi-script fcg fcgi fpl</code></p>
81 </blockquote>
83 <dl>
84 <p>Consult the Apache documentation for more information regarding these and other
85 directives which affect request handling (such as <code>
89 directive) in the application's directory.</p>
92 log associated with the request. Errors reported by the FastCGI process manager,
93 fcgi-pm, are reported to the main server log (typically, logs/error_log).
95 loop or via a mechanism that is not FastCGI protocol aware will also be
96 directed to the main server log. If
99 logs, these messages may be especially helpful while debugging a
100 configuration..</p>
101 <p>To pass per-request environment variables to FastCGI applications, have a look at:
108 you're feeling adventurous).</p>
109 <p>FastCGI application output is buffered by default. This is not the case for CGI
111 option (not available for dynamic applications). Non-parsed header (nph-) scripts will be rejected by mod_fastcgi simply as
112 warning the behavior is different (create a symbolic link to the script without the
114 <p>Redirects are handled similarly to CGI. Location headers with values that begin
115 with "/" are treated as internal-redirects; otherwise, they are treated as
117 <p>Session affinity (as well as distribution) should be achievable outside of <code>mod_fastcgi</code>
119 If you get this working, please post the details to
121 so they can be included here.</p>
123 <p>The FastCGI specification is not implemented in its entirety and I've deviated a bit as
124 well resulting in some Apache specific features.</p>
125 <p>The file descriptors for stdout and stderr are left open. This is
126 prohibited by the specification. I can't see any reason to require that
127 they be closed, and leaving them open prevents FastCGI applications which were
128 not completely ported to FastCGI from failing miserably. This does not
129 mean the applications shouldn't be fixed such that this doesn't occur, but is
131 to be able to write to stderr. Anything written to stdout or stderr in
132 this manner will be directed to the main server log.</p>
133 <p>The Filter and Log Roles are not supported. The Filter Role has
134 little value in
135 Apache until the output of one handler can be piped into another (Apache 2.0 is expected
136 to support this). The Log Role has some value, but Apache's "piped
138 <p>Multiplexed requests are not supported. This does NOT mean FastCGI
139 applications can't be multithreaded. It means that each request requires
140 its own independent connect()/accept(). The protocol supports the concept of a
141 connection simultaneously shared by multiple requests. The FastCGI application
142 library which provides the FastCGI protocol support within FastCGI applications does not
143 currently support it (and thus doesn't have to be supported here). This may become a
145 NT which makes shared persistent multiplexed connection more reasonable to
146 consider).</p>
147 <p>The Authorizer Role has three variations corresponding to each three
148 specific Apache request handling phases: Authentication, Authorization, and Access Control.
152 typically available to CGI/FastCGI request handlers including some explicitly precluded by
153 the FastCGI specification; I didn't see the point in leaving them out. All headers
154 returned by a FastCGI authentication application in a successful response (Status: 200)
155 are passed to sub-processes (CGI/FastCGI invocations) as environment variables rather than
157 calls for; I didn't see the point in leaving them out either. FastCGI specification
159 option to the Auth server directives.</p>
160 <p>Custom failure responses from FastCGI authorizer applications are not
161 supported (speak up if you need this). See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
162 directive for a workaround (hint: a CGI/FastCGI application can serve the
163 error document).</p>
165 <ul>
172 <li><A href="#FastCgiAuthenticatorAuthoritative"><code>FastCgiAuthenticatorAuthoritative</code></a>
176 <li><A href="#FastCgiAccessCheckerAuthoritative"><code>FastCgiAccessCheckerAuthoritative</code></a></li>
177 </ul>
178 <dd></dd>
179 </dl>
181 <dl>
182 <hr>
183 <h2><a name="FastCgiServer">FastCgiServer</a></h2><!-- %plaintext <?INDEX {\tt FastCgiServer} directive> -->
185 <tr>
186 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
188 </tr>
189 <tr>
190 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
192 </tr>
193 </table>
195 application. If the filename does not begin with a slash (/) then it is assumed to
196 be relative to the <a href="http://www.apache.org/docs/mod/core.html#serverroot">ServerRoot</a>.
197 </p>
198 <p>By default, the Process Manager will start one instance of the application with the
199 default configuration specified (in parentheses) below. Should a static application
201 log the event (at the <code>warn</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).</p>
205 <dd><b>Unix: </b>The number of seconds to wait for a connection to the FastCGI application to
210 to write to the file descriptor returned by a non-blocking
213 but in a more portable manner.<br>
216 dynamic applications) use this value successfully to limit the amount of time
217 to wait for a connection (i.e. it's not "troublesome"). By default, this
218 is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in mod_fastcgi.h).
221 <dd>The number of seconds of FastCGI application inactivity allowed before the
222 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
223 The inactivity timer applies only as long as a connection is pending with the
224 FastCGI application. If a request is queued to an application, but the
225 application doesn't respond (by writing and flushing) within this period, the
226 request will be aborted. If communication is complete with the
227 application but incomplete with the client (the response is buffered), the
228 timeout does not apply.
232 pass a variable from Apache's environment, don't provide the "=" (if the
233 variable isn't actually in the environment, it will be defined without a
234 value). To define a variable without a value, provide the "=" without
235 any value. The option can be used repeatedly.
238 <dd>The minimum number of seconds between the spawning of
239 instances of this application. This delay decreases the demand placed
240 on the system at server initialization.
243 <dd>Force a write to the client as data is received from the application. By default, <code>mod_fastcgi</code> buffers data in order to free the
244 application as quickly as possible.
248 backlog) shared by all of the instances of this application. A deeper
249 listen queue allows the server to cope with transient load fluctuations
250 without rejecting requests; it does not increase throughput. Adding
251 additional application instances may increase throughput/performance,
252 depending upon the application and the host.
255 <dd>The name of an HTTP Request Header to be passed in the <i>request</i> environment. This option makes
256 available the contents of headers which are normally not available (e.g.
257 Authorization) to a CGI environment.
261 server. This option makes the application accessible from other machines on the
262 network (as well as this one). The <code>-socket</code> and <code>-port</code> options are mutually exclusive.
265 <dd>The process priority to be assigned to the application instances (using <code>setpriority()</code>).
268 <dd>The number of instances of the application to spawn
269 at server initialization.
272 <dd>The minimum number of seconds between the respawning
273 of failed instances of this application. This delay prevents a broken
274 application from soaking up too much of the system.
277 <dd><b>Unix: </b>The filename of the Unix domain socket that the application will use for communication
278 with the web server. The module creates the socket within the directory specified by
279 <code><A href="#FastCgiIpcDir">FastCgiIpcDir</A></code>. This option makes the application accessible to other
281 application definition (<code><A href="#FastCgiExternalServer">FastCgiExternalServer</A></code>). If neither the <code>-socket</code>
285 <DD>
287 use for communication with the web server. The module creates the
288 named pipe under the named pipe root specified by <code><A href="#FastCgiIpcDir">FastCgiIpcDir</A></code>.
289 This option makes the application accessible to other applications (e.g.
291 definition (<code><A href="#FastCgiExternalServer">FastCgiExternalServer</A></code>). If neither the <code>-socket</code>
294 mutually exclusive.</DD>
295 </dl>
297 <dl>
298 <hr>
300 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
302 <tr>
303 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
305 </tr>
306 <tr>
307 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
309 </tr>
310 </table>
313 or external applications in any way.</p>
314 <p>Dynamic applications are not started at server initialization, but upon demand.
315 If the demand is heavy, additional application instances are started. As the
316 demand fades, application instances are killed off. Many of the options govern
317 this process.</p>
323 timeout. If the timeout expires, a SERVER_ERROR results. For non-zero values,
327 it produces similar results but in a more portable manner.<br>
330 option and dynamic applications) use this value successfully to limit the
331 amount of time to wait for a connection (i.e. it's not "troublesome"). By
332 default, this is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in mod_fastcgi.h).
334 <dd>Causes mod_fastcgi to check the modification time of the application on
335 disk before processing each request. If the application on disk has been changed,
336 the process manager is notified and all running instances of the application
337 are killed off. In general, it's preferred that this type of functionality
338 be built-in to the application (e.g. every 100th request it checks to see
339 if there's a newer version on disk and exits if so). There may be an outstanding
343 of the exponentially decayed connection times load factor of the currently
344 running dynamic FastCGI applications. Old values are scaled by (<code>1 - gainValue</code>),
345 so making it smaller weights old values more than the current value (which
348 <dd>The number of seconds of FastCGI application inactivity allowed before the
349 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
350 The inactivity timer applies only as long as a connection is pending with
351 the FastCGI application. If a request is queued to an application, but the
352 application doesn't respond (by writing and flushing) within this period,
353 the request will be aborted. If communication is complete with the application
354 but incomplete with the client (the response is buffered), the timeout does
355 not apply.
357 <dd>A name-value pair to be passed in the initial environment when instances
358 of applications are spawned. To pass a variable from the Apache environment,
359 don't provide the "=" (if the variable isn't actually in the environment,
360 it will be defined without a value). To define a variable without a value,
361 provide the "=" without any value. The option can be used repeatedly.
363 <dd>The minimum number of seconds between the spawning of instances of applications.
364 This delay decreases the demand placed on the system at server initialization.
366 <dd>Determines how often the dynamic application instance killing policy is
367 implemented within the process manager. Smaller numbers result in a more aggressive
368 policy, larger numbers a less aggressive policy.
371 by all instances of applications. A deeper listen queue allows the server
372 to cope with transient load fluctuations without rejecting requests; it does
373 not increase throughput. Adding additional application instances may increase
374 throughput/performance, depending upon the application and the host.
376 <dd>The maximum number of dynamic FastCGI application instances allowed to run
377 for any one FastCGI application.
379 <dd>The maximum total number of dynamic FastCGI application instances allowed
380 to run at any one time.
382 <dd>The minimum total number of dynamic FastCGI application instances allowed
383 to run at any one time without being killed off by the process manager (due
384 to lack of demand).
387 of a FastCGI application should be terminated. If the application has more
388 than one instance currently running, this attribute will be used to decide
389 whether one of them should be terminated. If only one instance remains, <code>singleThreshold</code>
390 is used instead. <br>
392 accepted.
395 This option makes available the contents of headers which are normally not
396 available (e.g. Authorization) to a CGI environment.
398 <dd>The process priority to be assigned to the application instances (using
401 <dd>If the sum of the number of all currently running dynamic FastCGI applications
403 manager invokes the killing policy. This is to improve performance at higher
404 loads by killing some of the most inactive application instances before reaching
407 <dd>Causes the process manager to restart dynamic applications upon failure
408 (similar to static applications).
410 <dd>The minimum number of seconds between the respawning of failed instances
411 of applications. This delay prevents a broken application from soaking up
412 too much of the system.
415 of a FastCGI application can be terminated. If the process manager computed
416 load factor for the application is lower than the specified threshold, the
417 last instance is terminated. In order to make your executables run in the
419 if memory or CPU time is of primary concern, a value closer to 100 would be
420 more applicable. A value of 0 will prevent the last instance of an application
421 from being terminated; this is the default value, changing it is not recommended
424 accepted.
426 <dd>The number of seconds the web server waits patiently while trying to connect
427 to a dynamic FastCGI application. If the interval expires, the process manager
428 is notified with hope it will start another instance of the application. The
430 effective.
432 <dd>The updateInterval determines how often statistical analysis is performed
433 to determine the fate of dynamic FastCGI applications.
435 <hr>
437 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
439 <tr>
440 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
442 [option ...]</em></code></td>
443 </tr>
444 <tr>
445 <td></td>
447 [option ...]</em></code></td>
448 </tr>
449 <tr>
450 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
452 </tr>
453 </table>
456 with a slash (/) then it is assumed to be relative to the <a
460 FastCGI application.. </p>
461 <p>External FastCGI applications are not started by the process manager, they
462 are presumed to be started and managed "external" to Apache and mod_fastcgi.
464 FastCGI applications independent of the server (applications can also be
471 timeout. If the timeout expires, a SERVER_ERROR results. For non-zero values,
475 it produces similar results but in a more portable manner.<br>
478 option and dynamic applications) use this value successfully to limit the
479 amount of time to wait for a connection (i.e. it's not "troublesome"). By
480 default, this is 90 seconds (FCGI_NAMED_PIPE_CONNECT_TIMEOUT in mod_fastcgi.h).
482 <dd>The number of seconds of FastCGI application inactivity allowed before the
483 request is aborted and the event is logged (at the <code>error</code> <a href="http://www.apache.org/docs/mod/core.html#loglevel"><code>LogLevel</code></a>).
484 The inactivity timer applies only as long as a connection is pending with
485 the FastCGI application. If a request is queued to an application, but the
486 application doesn't respond (by writing and flushing) within this period,
487 the request will be aborted. If communication is complete with the application
488 but incomplete with the client (the response is buffered), the timeout does
489 not apply.
491 <dd>Force a write to the client as data is received from the application. By
493 as quickly as possible.
497 options are mutually exclusive.
500 This option makes available the contents of headers which are normally not
501 available (e.g. Authorization) to a CGI environment.
504 uses for communication with the web server. The filename is relative to the
508 for communicating with the web server. the name is relative to the <code><A href="#FastCgiIpcDir">
510 options are mutually exclusive.
511 <dt>
512 <hr>
514 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
516 <tr>
517 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
519 </tr>
520 <tr>
521 <td></td>
523 </tr>
524 <tr>
525 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
527 </tr>
528 <tr>
529 <td></td>
531 </tr>
532 <tr>
533 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
535 </tr>
536 </table>
538 as the place to store (and in the case of external FastCGI applications,
539 find) the Unix socket files used for communication between the applications
540 and the web server. If the directory does not begin with a slash (/) then
541 it is assumed to be relative to the <a
543 the directory doesn't exist, an attempt is made to create it with appropriate
544 permissions. Do not specify a directory that is not on a local filesystem!
552 any character other than a backslash</p>
553 <p>The <code>FastCgiIpcDir</code> directive must precede any <A href="#FastCgiServer"><code>FastCgiServer</code></a>
555 directives (which make use of Unix sockets). The directory must be readable,
556 writeable, and executable (searchable) by the web server, but otherwise
557 should not be accessible to anyone.</p>
558 <hr>
560 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
562 <tr>
563 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
565 </tr>
566 <tr>
567 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
569 </tr>
570 <tr>
571 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
573 </tr>
574 </table>
577 (included with Apache in the support directory) or <a href="http://cgiwrap.sourceforge.net/">cgiwrap</a>.
582 If the filename does not begin with a slash (/) then it is assumed to be
583 relative to the <a
587 future this directive will have directory context).</p>
589 the target application and thus presence and permissions checks cannot be
590 made. This is the responsibility of the wrapper.</p>
591 <p>The wrapper is invoked with the following arguments: username, group, application.
592 The username and group are determined as described below. The application
594 or the filename provided as an argument to another FastCGI (server or authorizer)
595 directive. These arguments may or may not be used by the wrapper (e.g. suexec
596 uses them, cgiwrap parses the URI and ignores them). The environment passed
597 to the wrapper is identical to the environment passed when a wrapper is
598 not in use.</p>
600 external FastCGI application directives can be important. They inherit their
603 directives should precede FastCGI application definitions. Note that this
605 which they were defined, the application is allowed to service requests
606 from any virtual server with the same user and group. If a request is received
607 for a FastCGI application without an existing matching definition running
608 with the correct user and group, a dynamic instance of the application is
609 started with the correct user and group. This can lead to multiple copies
610 of the same application running with different user/group. If this is a
611 problem, preclude navigation to the application from other virtual servers
612 or configure the virtual servers with the same User and Group.</p>
613 <p>See the Apache documentation for more information about suexec (make sure
614 you fully understand the security implications).</p>
615 <hr>
617 <!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
619 <tr>
620 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
622 </tr>
623 <tr>
624 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
626 </tr>
627 </table>
629 application as a per-directory authenticator. Authenticators verify the
630 requestor is who he says he is by matching the provided username and password
631 against a list or database of known users and passwords. FastCGI based authenticators
632 are useful primarily when the user database is maintained within an existing
633 independent program or resides on a machine other than the web server.</p>
635 static or external server definition, it is started as a dynamic FastCGI
636 application. If the filename does not begin with a slash (/) then it is
637 assumed to be relative to the <a
643 or <a
646 ><code>Location</code></a> containers and must include an <a href="http://www.apache.org/docs/mod/core.html#authtype"><code>AuthType</code></a>
649 It must be accompanied by a <a href="http://www.apache.org/docs/mod/core.html#require"><code>require</code></a>
651 in order to work correctly.</p>
652 </dl>
654 <blockquote>
656 AuthType Basic<br>
657 AuthName ProtectedRealm<br>
658 FastCgiAuthenticator fcgi-bin/authenticator<br>
659 require valid-user<br>
661 </blockquote>
664 typically available to CGI/FastCGI request handlers. All headers returned by a
665 FastCGI authentication application in a successful response (Status: 200) are passed to
666 sub-processes (CGI/FastCGI invocations) as environment variables. All headers
667 returned in an unsuccessful response are passed on to the client. FastCGI
669 option.</p>
672 "AUTHENTICATOR" to indicate which (Apache specific) authorizer phase is being
673 performed.</p>
675 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
676 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
677 directive for a workaround (a FastCGI application can serve the document).</p>
679 <hr>
681 <h2><a name="FastCgiAuthenticatorAuthoritative">FastCgiAuthenticatorAuthoritative</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
684 <tr>
685 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
687 </tr>
688 <tr>
689 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
691 </tr>
692 <tr>
693 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
695 </tr>
696 </table>
698 <p>Setting the <code>FastCgiAuthenticatorAuthoritative</code> directive explicitly to <em>Off</em>
699 allows authentication to be passed on to lower level modules (as defined in the <code>Configuration</code>
701 user. </p>
705 containing a few (administration related) users.</p>
707 <p>By default, control is not passed on and an unknown user will result in an
708 Authorization Required reply. Disabling the default should be carefully considered.</p>
710 <hr>
712 <h2><a name="FastCgiAuthorizer">FastCgiAuthorizer</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
715 <tr>
716 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
718 </tr>
719 <tr>
720 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
722 </tr>
723 </table>
725 <dl>
727 a per-directory authorizer. Authorizers validate whether an authenticated requestor
728 is allowed access to the requested resource. FastCGI based authorizers are useful
729 primarily when there is a dynamic component to the authorization decision such as a time
730 of day or whether or not the user has paid his bills.</p>
732 external server definition, it is started as a dynamic FastCGI application. If the
733 filename does not begin with a slash (/) then it is assumed to be relative to the <a
742 containers and must include an <a href="http://www.apache.org/docs/mod/core.html#authtype"><code>AuthType</code></a>
744 directive. It must be accompanied by an authentication directive such as <A
749 <a href="http://www.apache.org/docs/mod/mod_auth_db.html#authdbuserfile"><code>AuthDBUserFile</code></a>
750 or <a href="http://www.apache.org/docs/mod/mod_auth_dbm.html#authdbmuserfile"><code>AuthDBMUserFile</code></a>
751 in order to work correctly.</p>
752 </dl>
754 <blockquote>
756 AuthType Basic<br>
757 AuthName ProtectedRealm<br>
758 AuthDBMUserFile conf/authentication-database<br>
759 FastCgiAuthorizer fcgi-bin/authorizer<br>
761 </blockquote>
764 typically available to CGI/FastCGI request handlers. All headers returned by a
765 FastCGI authorizer application in a successful response (Status: 200) are passed to
766 sub-processes (CGI/FastCGI invocations) as environment variables. All headers
767 returned in an unsuccessful response are passed on to the client. FastCGI
769 option.</p>
772 "AUTHORIZER" to indicate which (Apache specific) authorizer phase is being
773 performed.</p>
775 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
776 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
777 directive for a workaround (a FastCGI application can serve the document).</p>
779 <hr>
781 <h2><a name="FastCgiAuthorizerAuthoritative">FastCgiAuthorizerAuthoritative</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
784 <tr>
785 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
787 </tr>
788 <tr>
789 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
791 </tr>
792 <tr>
793 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
795 </tr>
796 </table>
799 allows authorization to be passed on to lower level modules (as defined in the <code>Configuration</code>
802 <p>By default, control is not passed on and an unauthorized user will result in an
803 Authorization Required reply. Disabling the default should be carefully considered.</p>
805 <hr>
807 <h2><a name="FastCgiAccessChecker">FastCgiAccessChecker</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
810 <tr>
811 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
813 </tr>
814 <tr>
815 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
817 </tr>
818 </table>
820 <dl>
822 directive is used to define a FastCGI application as a per-directory access
823 validator. The Apache Access phase precede user authentication and thus the decision
824 to (dis)allow access to the requested resource is based on the HTTP headers submitted with
825 the request. FastCGI based authorizers are useful primarily when there is a dynamic
826 component to the access validation decision such as a time of day or whether or not a
827 domain has paid his bills.</p>
829 external server definition, it is started as a dynamic FastCGI application. If the
830 filename does not begin with a slash (/) then it is assumed to be relative to the <a
839 containers.</p>
840 </dl>
842 <blockquote>
844 FastCgiAccessChecker fcgi-bin/access-checker<br>
846 </blockquote>
849 typically available to CGI/FastCGI request handlers. All headers returned by a
850 FastCGI access-checker application in a successful response (Status: 200) are passed to
851 sub-processes (CGI/FastCGI invocations) as environment variables. All headers
852 returned in an unsuccessful response are passed on to the client. FastCGI
854 option.</p>
857 "ACCESS_CHECKER" to indicate which (Apache specific) authorizer phase is being
858 performed.</p>
860 <p>Custom failure responses from FastCGI authorizer applications are not (yet?)
861 supported. See the <a href="http://www.apache.org/docs/mod/core.html#errordocument">ErrorDocument</a>
862 directive for a workaround (a FastCGI application can serve the document).</p>
864 <hr>
866 <h2><a name="FastCgiAccessCheckerAuthoritative">FastCgiAccessCheckerAuthoritative</a></h2><!-- %plaintext <?INDEX {\tt FastCgiConfig} directive> -->
869 <tr>
870 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Syntax" REL="Help"><strong>Syntax:</strong></a></td>
872 </tr>
873 <tr>
874 <td><a href="http://www.apache.org/docs/mod/directive-dict.html#Default"><strong>Default:</strong></a></td>
876 </tr>
877 <tr>
878 <td><a HREF="http://www.apache.org/docs/mod/directive-dict.html#Context" REL="Help"><strong>Context:</strong></a></td>
880 </tr>
881 </table>
883 <p>Setting the <code>FastCgiAccessCheckerAuthoritative</code> directive explicitly to <em>Off</em>
884 allows access checking to be passed on to lower level modules (as defined in the <code>Configuration</code>
887 <p>By default, control is not passed on and a failed access check will result in a
888 Forbidden reply. Disabling the default should be carefully considered.</p>
890 <hr>
893 </body>
894 </html>