Using Fast Common Gateway Interface directives

This section provides information on Fast Common Gateway Interface (FastCGI) directives. The information includes specific directive syntax, scopes, defaults and associated notes . Links to related topics appear at the end of this section.

• Working with the FastCGI directives:
  • FastCgiAccessChecker
  • FastCgiAccessCheckerAuthoritative
  • FastCgiAuthenticator
  • FastCgiAuthenticatorAuthoritative
  • FastCgiAuthorizer
  • FastCgiAuthorizerAuthoritative
  • FastCgiConfig
  • FastCgiExternalServer
  • FastCgiIpcDir
  • FastCgiServer
  • FastCgiSuexec
• Finding related information

FastCgiAccessChecker

• Description: Defines a FastCGI application as a per-directory access validator.
• Default: Directory
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Directory, Location
• Syntax: FastCgiAccessChecker file name [-compat]
• Values: File name

The Apache Access phase precedes user authentication and the HTTP headers submitted with the request determine the decision to enable access to the requested resource. Use FastCGI-based authorizers when a dynamic component exists as part of the access validation decision, like the time, or the status of a domain account.

If the FastCGI application file name does not have a corresponding static or external server definition, the application starts as a dynamic FastCGI application. If the file name does not begin with a slash (/), then the application assumes that the file name is relative to the ServerRoot.

Use the FastCgiAccessChecker directive within Directory or Location containers. For example:

<Directory htdocs/protected>
FastCgiAccessChecker fcgi-bin/access-checker
</Directory>

Mod_fastcgi sends nearly all of the standard environment variables typically available to CGI and FastCGI request handlers. All headers returned by a FastCGI access-checker application in a successful response (Status: 200), pass to subprocesses, or CGI and FastCGI invocations, as environment variables. All headers returned in an unsuccessful response pass to the client. Obtain FastCGI specification compliant behavior by using the -compat option.

Mod_fastcgi sets the environment variable FCGI_APACHE_ROLE to ACCESS_CHECKER, to indicate the Apache-specific authorizer phase performed.

The HTTP Server does not support custom failure responses from FastCGI authorizer applications. See the ErrorDocument directive for a workaround. A FastCGI application can serve the document.

FastCgiAccessCheckerAuthoritative

• Description: Enables access checking passing to lower level modules.
• Default: FastCgiAccessCheckerAuthoritative On
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Directory
• Syntax: FastCgiAccessCheckerAuthoritative On | Off
• Values: On or Off

Setting the FastCgiAccessCheckerAuthoritative directive explicitly to Off, enables access checking passing to lower level modules, as defined in the Configuration and modules.c files, if the FastCGI application fails to enable access.

By default, control does not pass on and a failed access check results in a forbidden reply. Consider the implications carefully before disabling the default.

FastCgiAuthenticator

• Description: Defines a FastCGI application as a per-directory authenticator.
• Default: None
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Directory
• Syntax: FastCgiAuthenticator file name [-compat]
• Values: File name

Authenticators verify the requester, by matching the provided user name and password against a list, or database of known users and passwords. Use FastCGI based authenticators when the user database gets maintained within an existing independent program, or resides on a machine other than the Web server.

If the FastCGI application file name does not have a corresponding static or external server definition, the application starts as a dynamic FastCGI application. If the file name does not begin with a slash (/), then the file name is assumed relative to the ServerRoot.

Use the FastCgiAuthenticator directive within Directory or Location containers,along with an AuthType and AuthName directive. This directive only supports the Basic user authentication type. This authentication type needs a Require, or FastCgiAuthorizer directive, to work correctly.

<Directory htdocs/protected>
AuthType Basic
AuthName ProtectedRealm
FastCgiAuthenticator fcgi-bin/authenticator
require valid-user
</Directory>

The Mod_fastcgi directive sends nearly all of the standard environment variables typically available to CGI and FastCGI request handlers. All headers returned by a FastCGI authentication application in a successful response (Status: 200) pass to subprocesses, or CGIand FastCGI invocations, as environment variables. All headers returned in an unsuccessful response pass to the client. Obtain FastCGI specification compliant behavior, by using the -compat option.

The Mod_fastcgi directive sets the environment variable FCGI_APACHE_ROLE to AUTHENTICATOR, indicating the Apache-specific authorizer phase performed.

This directive does not support custom failure responses from FastCGI authorizer applications. See the ErrorDocument directive for a workaround. A FastCGI application can serve the document.

FastCgiAuthenticatorAuthoritative

• Description: Enables authentication passing to lower level modules defined in the Configuration and modules.c files, if explicitly set to off and the FastCGI application fails to authenticate the user.
• Default: FastCgiAuthenticatorAuthoritative On
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Directory
• Syntax: FastCgiAuthenticatorAuthoritative On | Off
• Values: On or Off

Use this directive in conjunction with a well protected AuthUserFile directive, containing a few administration-related users.

By default, control does not pass on and an unknown user results in an Authorization Required reply. Consider implications carefully before disabling the default.

FastCgiAuthorizer

• Description: Defines a FastCGI application as a per-directory authorizer
• Default: None
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Directory
• Syntax: FastCgiAuthorizer file name [-compat]
• Values: File name

Authorizers validate whether an authenticated user can access a requested resource. Use FastCGI-based authorizers when a dynamic component exists as part of the authorization decision, such as the time, or currency of the user's bills.

If the FastCGI application file name does not have a corresponding static or external server definition, the application starts as a dynamic FastCGI application. If the file name does not begin with a slash (/) then the file name is assumed relative to the ServerRoot.

Use FastCgiAuthorizer within Directory or Location containers. Include an AuthType and AuthName directive. This directive requires an authentication directive, such as FastCgiAuthenticator, AuthUserFile, AuthDBUserFile, or AuthDBMUserFile to work correctly.

 
<Directory htdocs/protected>
AuthType Basic
AuthName ProtectedRealm
AuthDBMUserFile conf/authentication-database
FastCgiAuthorizer fcgi-bin/authorizer
</Directory>

The Mod_fastcgi directive sends nearly all of the standard environment variables typically available to CGI and FastCGI request handlers. All headers returned by a FastCGI authentication application in a successful response (Status: 200) pass to subprocesses, or CGI and FastCGI invocations, as environment variables. All headers returned in an unsuccessful response pass on to the client. Obtain FastCGI specification compliant behavior by using the -compat option.

The Mod_fastcgi directive sets the environment variable FCGI_APACHE_ROLE to AUTHORIZER, to indicate the Apache-specific authorizer phase performed.

This directive does not support custom failure responses from FastCGI authorizer applications. See the ErrorDocument directive for a workaround. A FastCGI application can serve the document.

FastCgiAuthorizerAuthoritative

• Description: Enables authentication passing to lower level modules, as defined in the Configuration and modules.c files, when explicitly set to Off, if the FastCGI application fails to authenticate the user.
• Default: FastCgiAuthorizerAuthoritative On
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Directory
• Syntax: FastCgiAuthorizerAuthoritative On | Off
• Values: On or Off

Use this directive in conjunction with a well protected AuthUserFile containing a few administration-related users.

By default, control does not pass on and an unknown user results in an Authorization Required reply. Consider the implications carefully before disabling the default.

FastCgiConfig

• Description: Defines the default parameters for all dynamic FastCGI applications.
• Default: None
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Server configuration
• Syntax: FastCgiConfig option option ...

The FastCgiConfig directive does not affect static or external applications.

• Values: Dynamic applications start upon demand. Additional application instances start to accommodate heavy demand. As demand fades, the number of application instances decline. Many of the options govern this process.

  Option can include one of the following (case insensitive):

  appConnTimeout n (0 seconds)
  The number of seconds to wait for a connection to the FastCGI application to complete or 0, to indicate use of a blocking connect(). If the timeout expires, a SERVER_ERROR results. For non-zero values, this amount of time used in a select() to write to the file descriptor returned by a non-blocking connect().  Non-blocking connect()s are troublesome on many platforms.  See also -idle-timeout; this option produces similar results, but in a more portable manner.
  idle-timeout n (30 seconds)
  The number of seconds of FastCGI application inactivity allowed before the request aborts and the event logs at the error LogLevel. The inactivity timer applies only when a pending connection with the FastCGI application exists. If an application does not respond to a queued request within this period, the request aborts. If communication completes with the application, but not with the client (a buffered response), the timeout does not apply.
  autoUpdate none
  This option causes the mod_fastcgi module to check the age of the application on disk before processing each request. For recent applications, this function notifies the process manager and stops all running instances of the application. Build this type of functionality into the application. A problem can occur when using this option with -restart.
  gainValue n (0.5)
  A floating point value between 0 and 1 that is used as an exponent in the computation of the exponentially decayed connection times load factor of the currently running dynamic FastCGI applications.  Old values are scaled by (1 - gainValue), so making values smaller, weights them more heavily compared to the current value, which is scaled by gainValue.
  initial-env name[=value] none
  A name-value pair passed in the initial environment when instances of the application spawn. To pass a variable from the Apache environment, do not provide the "=" (if the variable is not actually in the environment, it is defined without a value). To define a variable without a value, provide the "=" without any value. This option is repeatable.
  init-start-delay n (1 second)
  The minimum number of seconds between the spawning of instances of this application. This delay decreases the demand placed on the system at server initialization.
  killInterval n (300 seconds)
  The killInterval determines how often the dynamic application instance killing policy is implemented within the process manager.  Lower numbers result in a more aggressive policy, while higher numbers result in a less aggressive policy.
  listen-queue-depth n (100)
  The depth of the listen() queue, also known as the backlog, shared by all instances of this application.  A deeper listen queue allows the server to cope with transient load fluctuations without rejecting requests; it does not increase throughput.   Adding additional application instances can increase throughput and performance, depending upon the application and the host.
  maxClassProcesses n (10)
  The maximum number of dynamic FastCGI application instances allowed to run for any one FastCGI application.
  maxProcesses n (50)
  The maximum number of dynamic FastCGI application instances allowed to run at any time.
  minProcesses n (5)
  The minimum number of dynamic FastCGI application instances the process manager allows to run at any time, without killing them due to lack of demand.
  multiThreshhold n (50)
  An integer between 0 and 100 used to determine whether to terminate any instance of a FastCGI application.  If the application has more than one instance currently running, this attribute helps to decide whether to terminate one of them.  If only one instance remains, singleThreshhold is used instead.
  pass-header header none
  The name of an HTTP Request Header passed in the request environment.  This option makes the contents of headers available to a CGI environment.
  priority n (0)
  The process priority assigned to the application instances using setpriority().
  processSlack n (5 seconds)
  If the sum of all currently running dynamic FastCGI applications exceeds maxProcesses - processSlack, the process manager invokes the killing policy.  This action improves performance at higher loads, by killing some of  the most inactive application instances before reaching the maxProcesses value.
  restart none
  This option causes the process manager to restart dynamic applications upon failure, similar to static applications.
  Restart-delay n (5 seconds)
  The minimum number of seconds between the respawning of failed instances of this application.  This delay prevents a broken application from soaking up too much of the system.
  singleThreshhold n (0)
  An integer between 0 and 100, used to determine whether the last instance of a FastCGI application can terminate.  If the process manager computed load factor for the application is lower than the specified threshold, the last instance is terminated.   Specify a value closer to 1, to make your executables run in the idle mode for a long time. If memory or CPU time is a concern, a value closer to 100 is more applicable.  A value of 0, prevents the last instance of an application from terminating; this value is the default. Changing this default is not recommended, especially if you set the -appConnTimeout option.
  startDelay n (3 seconds)
  The number of seconds the Web server waits while trying to connect to a dynamic FastCGI application.  If the interval expires, the process manager is notified with hope that another instance of the application starts.  Set the startDelay value smaller than the appConnTimeout value, to be effective.
  updateInterval n  (300 seconds)
  The updateInterval decides how often statistical analysis is performed to determine the fate of dynamic FastCGI applications.

FastCgiExternalServer

• Description: Defines file name as an external FastCGI application. Operates the same as the Fastcgiserver directive, except that the CGI application is running in another process, outside the Web server.
• Default: None
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Server configuration
• Syntax: FastCgiExternalServer file name -host hostnameport [-appConnTimeout n]
  FastCgiExternalServer file name -socket file name [-appConnTimeout n]
• Values:
  appConnTimeout n (0 seconds)
  The number of seconds to wait for a connection to the FastCGI application to complete, or 0, to indicate use of a blocking connect().  If the timeout expires, a  SERVER_ERROR results.  For non-zero values, this indicator is the amount of time used in a select() to write to the file descriptor returned by a non-blocking connect().  Non-blocking connect()s are troublesome on many platforms.  See also -idle-timeout; this option produces similar results, but in a more portable manner.
  Idle-timeout n (30 seconds)
  The number of seconds of FastCGI application inactivity allowed before the request aborts and the event is logged (at the error LogLevel).  The inactivity timer applies only as long as a connection is pending with the FastCGI application.  If a request is queued to an application, but the application does not respond by writing and flushing within this period, the request aborts.  If communication is complete with the application but incomplete with the client (a buffered response), the timeout does not apply.
  flush none
  Force a write to the client as data is received from the application.  By default, the mod_fastcgi option buffers data to free the application quickly.
  host hostname:port none
  The hostname, or IP address and TCP port number (1-65535) the application uses for communication with the Web server. The -socket and -host options are mutually exclusive.
  Pass-header header none
  The name of an HTTP Request Header passed in the request environment. This option makes the header contents available, to a CGI environment.
  socket file name none

FastCgiIpcDir

• Description: Specifies directory as the place to store the UNIX socket files used for communication between the applications and the Web server.
• Default:None
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Server configuration
• Syntax:
  • UNIX platform: FastCgiIpcDir directory
  • Windows NT and Windows 2000 operating systems: FastCgiIpcDir name
• Values: directory or name

UNIX platform: The FastCgiIpcDir directive specifies directory as the place to store and find, in the case of external FastCGI applications, the UNIX socket files used for communication between the applications and the Web server. If the directory does not begin with a slash (/) then it is assumed relative to the ServerRoot. If the directory does not exist, the function attempts to create the directive with appropriate permissions. Specify a directory on a local file system. If you use the default directory, or another directory within /tmp), mod_fastcgi breaks, if your system periodically deletes files from the /tmp directory.

Windows NT and Windows 2000 operating systems: The FastCgiIpcDir directive specifies name as the root for the named pipes used for communication between the application and the Web server. Put the name in the form >\\.\pipe\pipename. . The pipename part can contain any character, other than a backslash.

The FastCgiIpcDir directive must precede any FastCgiServer or FastCgiExternalServer directives, which make use of UNIX sockets. Ensure a readable, writeable, and executable directory by the Web server. No one should have access to this directory.

FastCgiServer

• Description: Defines file name as a static FastCGI application. The Process Manager starts one instance of the application with the default configuration specified in parentheses below. Should a static application instance die for any reason, the mod_fastcgi module spawns another instance for replacement and logs the event at the warn LogLevel.

• Default:None
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Server configuration
• Syntax:FastCgiServer file name [options]
• Values:

You can use one of the following case insensitive options:

appConnTimeout n(0 seconds)
The number of seconds to wait for a connection to the FastCGI application to complete, or 0, to indicate use of a blocking connect().   If the timeout expires, a SERVER_ERROR results. For non-zero values, this indicator is the amount of time used in a select() to write to the file descriptor returned by a non-blocking connect().  Non-blocking connect()s prove troublesome on many platforms.  See the -idle-timeout option; it produces similar results but in a more portable manner.
Idle-timeout n(30 seconds)
The number of seconds of FastCGI application inactivity allowed before the request aborts and the event logs at the error LogLevel. The inactivity timer applies only when a pending connection with the FastCGI application exists. If an application does not respond to a queued request within this period, the request aborts. If communication completes with the application, but does not complete with the client (a buffered response), the timeout does not apply.
initial-env name[=value] none] none
A name-value pair passed in the FastCGI application  initial environment.  To pass a variable from the Apache environment, do not provide the "=" (variables not actually in the environment, are defined without a value).  To define a variable without a value, provide the "=" without a value.  You can repeat this option.
init-start-delay n(1 second)
The minimum number of seconds between the spawning of instances of this application.   This delay decreases the demand placed on the system at server initialization.
Flush none
Force a write to the client as data arrives from the application.  By default, mod_fastcgi buffers data to free the application quickly.
Listen-queue-depth n (100)
The depth of the listen() queue, also known as the backlog, shared by all of the instances of this application.  A deeper listen queue enables the server to cope with transient load fluctuations, without rejecting requests; this option does not increase throughput.   Adding additional application instances can increase throughput and performance, depending upon the application and the host.
Pass-header header none
The name of an HTTP Request Header passed in the request environment.  This option makes the contents of headers available to a CGI environment.
processes n (1)
The number of application instances to spawn at server initialization.
Priority n (0)
The process priority assigned to the application instances, using setpriority().
port n none
The TCP port number (1-65535) the application uses for communication with the Web server. This option makes the application accessible from other machines on the network. The -socket and -port options are mutually exclusive.
Restart-delay n (5 seconds)
The minimum number of seconds between the respawning of failed instances of this application.  This delay prevents a broken application from using too many system resources.
Socket file name (gen'd)

UNIX platform: The file name of the UNIX domain socket that the application uses for communication with the Web server. The module creates the socket within the directory specified by FastCgiIpcDir. This option makes the application accessible to other applications, for example, cgi-fcgi on the same machine, or through an external FastCGI application definition, FastCgiExternalServer. If neither the -socket nor the -port options are given, the module generates a UNIX domain socket file name. The -socket and -port options are mutually exclusive.

Windows NT and Windows 2000 operating systems: The name of the pipe for the application to use for communication with the Web server.  The module creates the named pipe off the named pipe root specified by the FastCgiIpcDir directive. This option makes the application accessible to other applications, like cgi-fcgi on the same machine or through an external FastCGI application definition, FastCgiExternalServer. If neither the -socket nor the -port options are given, the module generates a name for the named pipe. The -socket and -port options are mutually exclusive.

If the file name does not begin with a slash (/), then this file name is assumed relative to the ServerRoot.

FastCgiSuexec

• Description: Supports the suexec-wrapper
• Default: FastCgiSuexec Off
• Module: mod_fastcgi
• Multiple instances in the configuration file: Yes
• Scope: Server configuration
• Syntax: FastCgiSuexec On | Off | file name
• Values: The FastCgiSuexec directive requires suexec enabling in Apache for CGI. To use the same suexec-wrapper used by Apache, set FastCgiSuexec to On. To use a different suexec-wrapper, specify the file name of the suexec-wrapper. If the file name does not begin with a slash (/), then the file name is assumed relative to the ServerRoot.

When you enable the FastCgiSuexec directive, the location of static or external FastCGI application definitions becomes important. These differences inherit their user and group from the User and Group directives in the virtual server in which they were defined.  User and Group directives should precede FastCGI application definitions.   This function does not limit the FastCGI application to the virtual server in which it was defined. The application can service requests from any virtual server with the same user and group. If a request is received for a FastCGI application, without an existing matching definition running with the correct user and group, a dynamic instance of the application starts with the correct user and group. This action can lead to multiple copies of the same application running with a different user and group. If this causes a problem, preclude navigation to the application from other virtual servers, or configure the virtual servers with the same user and group.

See the Apache documentation for more information about suexec and the security implications.

     (Back to the top)