These configuration parameters control the FastCGI feature in IBM HTTP Server.
The FastCGIAccessChecker directive defines a FastCGI application as a per-directory access validator.
Syntax | FastCGIAccessChecker file name [-compat] |
Scope | directory, location |
Default | Directory |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | File name |
The Apache Access phase precedes user authentication and the HTTP headers submitted with the request determine the decision to enable access to the requested resource. Use FastCGI-based authorizers when a dynamic component exists as part of the access validation decision, like the time, or the status of a domain account.
If the FastCGI application file name does not have a corresponding static or external server definition, the application starts as a dynamic FastCGI application. If the file name does not begin with a slash (/), then the application assumes that the file name is relative to the ServerRoot.
<Directory htdocs/protected> FastCgiAccessChecker fcgi-bin/access-checker </Directory>
Mod_fastcgi sends nearly all of the standard environment variables typically available to CGI and FastCGI request handlers. All headers returned by a FastCGI access-checker application in a successful response (Status: 200), pass to subprocesses, or CGI and FastCGI invocations, as environment variables. All headers returned in an unsuccessful response pass to the client. Obtain FastCGI specification compliant behavior by using the -compat option.
Mod_fastcgi sets the environment variable FCGI_APACHE_ROLE to ACCESS_CHECKER, to indicate the Apache-specific authorizer phase performed.
The HTTP Server does not support custom failure responses from FastCGI authorizer applications. See the ErrorDocument directive for a workaround. A FastCGI application can serve the document.
The FastCGIAccessCheckerAuthoritatve directive enables access checking passing to lower level modules.
Syntax | FastCGIAccessCheckerAuthoritative On | Off |
Scope | directory, location |
Default | FastCGIAccessCheckerAuthoritative On |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | On or off |
Setting the FastCgiAccessCheckerAuthoritative directive explicitly to Off, enables access checking passing to lower level modules, as defined in the Configuration and modules.c files, if the FastCGI application fails to enable access.
By default, control does not pass on and a failed access check results in a forbidden reply. Consider the implications carefully before disabling the default.
The FastCGIAuthenticator directive defines a FastCGI application as a per-directory authenticator.
Syntax | FastCGIAuthenticator file name [-compat] |
Scope | directory |
Default | None |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | File name |
Authenticators verify the requester by matching the user name and password that is provided against a list or database of known users and passwords. Use FastCGI-based authenticators when the user database is maintained within an existing independent program, or resides on a machine other than the Web server.
If the FastCGI application file name does not have a corresponding static or external server definition, the application starts as a dynamic FastCGI application. If the file name does not begin with a slash (/), then the file name is assumed to be relative to the ServerRoot.
Use the FastCgiAuthenticator directive within directory or location containers, along with an AuthType and AuthName directive. This directive only supports the basic user authentication type. This authentication type needs a require, or FastCgiAuthorizer directive, to work correctly.
/Directory htdocs/protected> AuthType Basic AuthName ProtectedRealm FastCgiAuthenticator fcgi-bin/authenticator require valid-user </Directory>
The Mod_fastcgi directive sends nearly all of the standard environment variables that are typically available to CGI and FastCGI request handlers. All headers returned by a FastCGI authentication application in a successful response (Status: 200) pass to subprocesses, or CGI and FastCGI invocations, as environment variables. All headers returned in an unsuccessful response are passed to the client. Obtain FastCGI specification compliant behavior by using the -compat option.
The Mod_fastcgi directive sets the FCGI_APACHE_ROLE environment variable to AUTHENTICATOR, indicating the Apache-specific authorizer phase performed.
This directive does not support custom failure responses from FastCGI authorizer applications. See the ErrorDocument directive for a workaround. A FastCGI application can serve the document.
The FastCGIAuthenticatorAuthoritative directive enables authentication passing to lower level modules defined in the configuration and modules.c files, if explicitly set to off and the FastCGI application fails to authenticate the user.
Syntax | FastCGIAuthenticatorAuthoritative On | Off |
Scope | directory |
Default | FastCgiAuthenticatorAuthoritative On |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | On or off |
Use this directive in conjunction with a well protected AuthUserFile directive, containing a few administration-related users.
By default, control does not pass on and an unknown user results in an Authorization Required reply. Consider implications carefully before disabling the default.
The FastCGIAuthorizer directives defines a FastCGI application as a per-directory authorizer.
Syntax | FastCgiAuthorizer file name [-compat] |
Scope | directory |
Default | None |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | File name |
Authorizers validate whether an authenticated user can access a requested resource. Use FastCGI-based authorizers when a dynamic component exists as part of the authorization decision, such as the time, or currency of the user's bills.
If the FastCGI application file name does not have a corresponding static or external server definition, the application starts as a dynamic FastCGI application. If the file name does not begin with a slash (/) then the file name is assumed relative to the ServerRoot.
Use FastCgiAuthorizer within Directory or Location containers. Include an AuthType and AuthName directive. This directive requires an authentication directive, such as FastCgiAuthenticator, AuthUserFile, AuthDBUserFile, or AuthDBMUserFile to work correctly.
<Directory htdocs/protected> AuthType Basic AuthName ProtectedRealm AuthDBMUserFile conf/authentication-database FastCgiAuthorizer fcgi-bin/authorizer </Directory>
The Mod_fastcgi directive sends nearly all of the standard environment variables typically available to CGI and FastCGI request handlers. All headers returned by a FastCGI authentication application in a successful response (Status: 200) pass to subprocesses, or CGI and FastCGI invocations, as environment variables. All headers returned in an unsuccessful response pass on to the client. Obtain FastCGI specification compliant behavior by using the -compat option.
The Mod_fastcgi directive sets the environment variable FCGI_APACHE_ROLE to AUTHORIZER, to indicate the Apache-specific authorizer phase performed.
This directive does not support custom failure responses from FastCGI authorizer applications. See the ErrorDocument directive for a workaround. A FastCGI application can serve the document.
The FastCGIAuthorizerAuthoritative directive enables authentication passing to lower level modules, as defined in the configuration and modules.c files, when explicitly set to Off, if the FastCGI application fails to authenticate the user.
Syntax | FastCgiAuthorizerAuthoritative file name On | Off |
Scope | directory |
Default | FastCgiAuthorizerAuthoritative file name On |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | On or off |
Use this directive in conjunction with a well protected AuthUserFile containing a few administration-related users.
By default, control does not pass on and an unknown user results in an Authorization Required reply. Consider the implications carefully before disabling the default.
The FastCGIConfig directive defines the default parameters for all dynamic FastCGI applications.
Syntax | FastCgiConfig option option... The FastCgiConfig directive does not affect static or external applications. |
Scope | directory |
Default | None |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | Dynamic applications start upon demand. Additional application instances start to accommodate heavy demand. As demand fades, the number of application instances decline. Many of the options govern this process. |
The FastCGIExternalServer defines file name as an external FastCGI application.
It operates the same as the Fastcgiserver directive, except that the CGI application is running in another process outside of the Web server.
Syntax | FastCgiExternalServer file name -host hostnameport [-appConnTimeout n] FastCgiExternalServer file name -socket file name [-appConnTimeout n] |
Scope | Server configuration |
Default | None |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values |
|
The FastCGIIpcDir directive specifies directory as the place to store the UNIX socket files used for communication between the applications and the Web server.
Syntax |
|
Scope | Server configuration |
Default | None |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | directory or name |
The FastCgiIpcDir directive
specifies directory as the place to store and find, in the case of external
FastCGI applications, the UNIX socket files that are used for communication
between the applications and the Web server. If the directory does not begin
with a slash (/) then it is assumed to be relative to the ServerRoot. If the
directory does not exist, the function attempts to create the directive with
appropriate permissions. Specify a directory on a local file system. If you
use the default directory, or another directory within /tmp, mod_fastcgi breaks
if your system periodically deletes files from the /tmp directory.
The FastCgiIpcDir directive specifies name as
the root for the named pipes used for communication between the application
and the Web server. Define the name in the form >\\.\pipe\pipename. .
The pipename syntax can contain any character other than a backslash.
The FastCgiIpcDir directive must precede any FastCgiServer or FastCgiExternalServer directives, which make use of UNIX sockets. Ensure a readable, writeable, and executable directory by the Web server. No one should have access to this directory.
The FastCGIServer directive defines file name as a static FastCGI application.
The Process Manager starts one instance of the application with the default configuration specified in parentheses below. Should a static application instance die for any reason, the mod_fastcgi module spawns another instance for replacement and logs the event at the warn LogLevel.
Syntax | FastCgiServer file name [options] |
Scope | Server configuration |
Default | None |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | directory or name |
The FastCGIsuEXEC directive supports the suEXEC-wrapper.
Syntax | FastCgiSuexec On | Off file name |
Scope | Server configuration |
Default | FastCgiSuexec Off |
Module | mod_fastcgi |
Multiple instances in the configuration file | yes |
Values | The FastCgiSuexec directive requires suEXEC enabling in Apache for CGI. To use the same suEXEC-wrapper used by Apache, set FastCgiSuexec to On. To use a different suEXEC-wrapper, specify the file name of the suEXEC-wrapper. If the file name does not begin with a slash (/), then the file name is assumed relative to the ServerRoot. |
When you enable the FastCgiSuexec directive, the location of static or external FastCGI application definitions becomes important. These differences inherit their user and group from the User and Group directives in the virtual server in which they were defined. User and Group directives should precede FastCGI application definitions. This function does not limit the FastCGI application to the virtual server in which it was defined. The application can service requests from any virtual server with the same user and group. If a request is received for a FastCGI application, without an existing matching definition running with the correct user and group, a dynamic instance of the application starts with the correct user and group. This action can lead to multiple copies of the same application running with a different user and group. If this causes a problem, preclude navigation to the application from other virtual servers, or configure the virtual servers with the same user and group.
See the Apache documentation for more information about suEXEC and the security implications.