CGI outside of ScriptAlias directories

The example shown is from your default httpd.conf configuration file, if you installed Apache in the default - location. The ScriptAlias directive is much like the - Alias directive, which defines a URL prefix that - is to mapped to a particular directory. Alias - and ScriptAlias are usually used for directories - that are outside of the DocumentRoot directory. - The difference between Alias and - ScriptAlias is that ScriptAlias - has the added meaning that everything under that URL prefix - will be considered a CGI program. So, the example above tells - Apache that any request for a resource beginning with - /cgi-bin/ should be served from the directory - /usr/local/apache/cgi-bin/, and should be treated - as a CGI program.

For example, if the URL http://www.example.com/cgi-bin/test.pl is requested, Apache will attempt to execute the file /usr/local/apache/cgi-bin/test.pl @@ -97,66 +94,71 @@

CGI programs are often restricted to - ScriptAlias'ed directories for security reasons. - In this way, - administrators can tightly control who is allowed to use CGI - programs. However, if the proper security precautions are +

CGI programs are often restricted to ScriptAlias'ed directories for security reasons. + In this way, administrators can tightly control who is allowed to + use CGI programs. However, if the proper security precautions are taken, there is no reason why CGI programs cannot be run from arbitrary directories. For example, you may wish to let users have web content in their home directories with the - UserDir directive. If they want to have their own - CGI programs, but don't have access to the main - cgi-bin directory, they will need to be able to + UserDir directive. + If they want to have their own CGI programs, but don't have access to + the main cgi-bin directory, they will need to be able to run CGI programs elsewhere.

Explicitly using Options to permit CGI execution

You could explicitly use the Options - directive, inside your main server configuration file, to - specify that CGI execution was permitted in a particular +

You could explicitly use the Options directive, inside your main server configuration + file, to specify that CGI execution was permitted in a particular directory:

The above directive tells Apache to permit the execution of CGI files. You will also need to tell the server what - files are CGI files. The following - AddHandler - - directive tells the server to treat all files with the - cgi or pl extension as CGI programs:

.htaccess files

A .htaccess file is a way to set configuration - directives on a per-directory basis. When Apache serves a - resource, it looks in the directory from which it is serving +

A .htaccess file is a way + to set configuration directives on a per-directory basis. When Apache + serves a resource, it looks in the directory from which it is serving a file for a file called .htaccess, and, if it finds it, it will apply directives found therein. .htaccess files can be permitted with the - AllowOverride directive, which specifies what - types of directives can + AllowOverride directive, + which specifies what types of directives can appear in these files, or if they are not allowed at all. To permit the directive we will need for this purpose, the following configuration will be needed in your main server configuration:

which tells Apache that execution of CGI programs is permitted in this directory.

Secondly, your output needs to be in HTML, or some other format that a browser will be able to display. Most of the @@ -193,9 +197,10 @@ file called first.pl, and put it in your cgi-bin directory.


  @@ -232,35 +237,21 @@

The output of your CGI program: Great! That means everything worked fine. -; Great! That means everything worked fine.
The source code of your CGI program or a "POST Method Not Allowed" message: That means that you have not properly configured Apache to process your CGI program. Reread the section on configuring - Apache - - and try to find what you missed. -
A message starting with "Forbidden": That means that there is a permissions problem. Check the - - Apache error log - - and the section below on - file permissions. - -
-
A message saying "Internal Server Error"

STDIN and STDOUT

The "special format" is very simple. A field name and its value are joined together with an equals (=) sign, and pairs of values are joined together with an ampersand (&). Inconvenient characters like spaces, ampersands, and @@ -429,7 +423,7 @@ something like:

If you're writing CGI programs in Perl, modules are available on CPAN. The most - popular module for this purpose is CGI.pm. You might - also consider CGI::Lite, which implements a minimal set of - functionality, which is all you need in most programs.

If you're writing CGI programs in C, there are a variety of - options. One of these is the CGIC library, from - http://www.boutell.com/cgic/ -

For more information

@@ -471,20 +464,15 @@

There are a large number of CGI resources on the web. You can discuss CGI problems with other users on the Usenet group - comp.infosystems.www.authoring.cgi. And the -servers mailing + comp.infosystems.www.authoring.cgi. And the -servers mailing list from the HTML Writers Guild is a great source of answers to your questions. You can find out more at - - http://www.hwg.org/lists/hwg-servers/ -

+ http://www.hwg.org/lists/hwg-servers/.

And, of course, you should probably read the CGI specification, which has all the details on the operation of CGI programs. You can find the original version at the - - NCSA - - and there is an updated draft at the + NCSA and there is an updated draft at the Common Gateway Interface RFC project.

1.2.2.1 +111 -116 httpd-2.0/docs/manual/howto/cgi.xml Index: cgi.xml =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/howto/cgi.xml,v retrieving revision 1.2 retrieving revision 1.2.2.1 diff -u -r1.2 -r1.2.2.1 --- cgi.xml 17 Nov 2002 06:28:39 -0000 1.2 +++ cgi.xml 22 Dec 2002 15:24:57 -0000 1.2.2.1 @@ -13,15 +13,12 @@ mod_alias - mod_cgi AddHandler - Options - ScriptAlias @@ -54,32 +51,31 @@ it, when that particular resource is requested by a client.

The - ScriptAlias - +

The ScriptAlias directive looks like:

- ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/ - -

The example shown is from your default - httpd.conf + + ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/ + +

+ location. The ScriptAlias + directive is much like the Alias directive, which defines a URL prefix that + is to mapped to a particular directory. Alias + and ScriptAlias are usually used for + directories that are outside of the DocumentRoot directory. The difference between + Alias and ScriptAlias + is that ScriptAlias has the added meaning + that everything under that URL prefix will be considered a CGI + program. So, the example above tells Apache that any request for a + resource beginning with /cgi-bin/ should be served from + the directory /usr/local/apache/cgi-bin/, and should be + treated as a CGI program.

For example, if the URL +

For example, if the URL http://www.example.com/cgi-bin/test.pl is requested, Apache will attempt to execute the file /usr/local/apache/cgi-bin/test.pl @@ -91,66 +87,74 @@

CGI outside of ScriptAlias directories -

CGI programs are often restricted to ScriptAlias'ed directories for security reasons. + In this way, administrators can tightly control who is allowed to + use CGI programs. However, if the proper security precautions are taken, there is no reason why CGI programs cannot be run from arbitrary directories. For example, you may wish to let users have web content in their home directories with the - UserDir directive. If they want to have their own - CGI programs, but don't have access to the main - cgi-bin directory, they will need to be able to + UserDir directive. + If they want to have their own CGI programs, but don't have access to + the main cgi-bin directory, they will need to be able to run CGI programs elsewhere.

Explicitly using Options to permit CGI execution -

You could explicitly use the Options - directive, inside your main server configuration file, to - specify that CGI execution was permitted in a particular +

You could explicitly use the Options directive, inside your main server configuration + file, to specify that CGI execution was permitted in a particular directory:

- <Directory /usr/local/apache/htdocs/somedir>
- Options +ExecCGI
- </Directory> + + <Directory /usr/local/apache/htdocs/somedir>
+ + Options +ExecCGI
+ + </Directory> +

+ files are CGI files. The following AddHandler directive tells the server to treat all + files with the cgi or pl extension as CGI + programs:

- AddHandler cgi-script cgi pl + + AddHandler cgi-script cgi pl +

.htaccess files -

A .htaccess file is a way to set configuration - directives on a per-directory basis. When Apache serves a - resource, it looks in the directory from which it is serving +

A .htaccess file is a way + to set configuration directives on a per-directory basis. When Apache + serves a resource, it looks in the directory from which it is serving a file for a file called .htaccess, and, if it finds it, it will apply directives found therein. .htaccess files can be permitted with the - AllowOverride directive, which specifies what - types of directives can + AllowOverride directive, + which specifies what types of directives can appear in these files, or if they are not allowed at all. To permit the directive we will need for this purpose, the following configuration will be needed in your main server configuration:

- AllowOverride Options + + AllowOverride Options +

In the .htaccess file, you'll need the following directive:

- Options +ExecCGI + + Options +ExecCGI +

which tells Apache that execution of CGI programs is permitted in this directory.

@@ -168,7 +172,9 @@ what sort of content it is receiving. Most of the time, this will look like:

- Content-type: text/html + + Content-type: text/html +

Secondly, your output needs to be in HTML, or some other format that a browser will be able to display. Most of the @@ -187,9 +193,10 @@ file called first.pl, and put it in your cgi-bin directory.

- #!/usr/bin/perl
- print "Content-type: text/html\n\n";
- print "Hello, World."; + + #!/usr/bin/perl
+ print "Content-type: text/html\n\n";
+ print "Hello, World.";

Even if you are not familiar with Perl, you should be able @@ -201,20 +208,20 @@ talked about, followed by two carriage-return newline pairs. This puts a blank line after the header, to indicate the end of the HTTP headers, and the beginning of the body. The third - line prints the string ``Hello, World.'' And that's the end + line prints the string "Hello, World.". And that's the end of it.

If you open your favorite browser and tell it to get the address

- http://www.example.com/cgi-bin/first.pl + + http://www.example.com/cgi-bin/first.pl +

or wherever you put your file, you will see the one line - Hello, World. - - appear in your browser window. It's not very exciting, but - once you get that working, you'll have a good chance of - getting just about anything working.

+ Hello, World. appear in your browser window. + It's not very exciting, but once you get that working, you'll + have a good chance of getting just about anything working.

@@ -226,35 +233,21 @@

The output of your CGI program

Great! That means everything worked fine. -

Great! That means everything worked fine.

The source code of your CGI program or a "POST Method Not Allowed" message

That means that you have not properly configured Apache to process your CGI program. Reread the section on configuring - Apache - - and try to find what you missed. -

A message starting with "Forbidden"

That means that there is a permissions problem. Check the - - Apache error log - - and the section below on - file permissions. - -
-

A message saying "Internal Server Error"

Apache error logfile permissionsIf you check the Apache error log, you will probably find that it says "Premature end of @@ -270,22 +263,23 @@

Remember that the server does not run as you. That is, when the server starts up, it is running with the permissions - of an unprivileged user - usually ``nobody'', or ``www'' - - and so it will need extra permissions to execute files that - are owned by you. Usually, the way to give a file sufficient - permissions to be executed by ``nobody'' is to give everyone - execute permission on the file:

+ of an unprivileged user - usually nobody, or + www - and so it will need extra permissions to + execute files that are owned by you. Usually, the way to give + a file sufficient permissions to be executed by nobody + is to give everyone execute permission on the file:

- chmod a+x first.pl + + chmod a+x first.pl +

Also, if your program reads from, or writes to, any other files, those files will need to have the correct permissions to permit this.

The exception to this is when the server is configured to - use suexec. - - This program allows CGI programs to be run under different + use suexec. This program allows + CGI programs to be run under different user permissions, depending on which virtual host or user home directory they are located in. Suexec has very strict permission checking, and any failure in that checking will @@ -313,7 +307,9 @@ interpreter (often perl) indicated in the first line of your CGI program, which will look something like:

- #!/usr/bin/perl + + #!/usr/bin/perl +

Make sure that this is in fact the path to the interpreter.

@@ -350,7 +346,7 @@ become useful to understand more about what's happening behind the scenes. Specifically, how the browser and server communicate with one another. Because although it's all very - well to write a program that prints ``Hello, World.'', it's not + well to write a program that prints "Hello, World.", it's not particularly useful.

@@ -373,9 +369,8 @@

These variables are available to the CGI programmer, and are half of the story of the client-server communication. The complete list of required variables is at - - http://hoohoo.ncsa.uiuc.edu/cgi/env.html -

+ http://hoohoo.ncsa.uiuc.edu/cgi/env.html.

This simple Perl CGI program will display all of the environment variables that are being passed around. Two @@ -387,15 +382,17 @@ see some variables listed that were not in the official list. In addition, Apache provides many different ways for you to add your own environment variables - to the basic ones provided by default.

- #!/usr/bin/perl
- print "Content-type: text/html\n\n";
- foreach $key (keys %ENV) {
- print "$key --> $ENV{$key}<br>";
- } + #!/usr/bin/perl
+ print "Content-type: text/html\n\n";
+ foreach $key (keys %ENV) {
+ + print "$key --> $ENV{$key}<br>";
+ + } +

@@ -414,7 +411,7 @@ The program then can process that data as though it was coming in from the keyboard, or from a file

The ``special format'' is very simple. A field name and +

- name=Rich%20Bowen&city=Lexington&state=KY&sidekick=Squirrel%20Monkey + name=Rich%20Bowen&city=Lexington&state=KY&sidekick=Squirrel%20Monkey

You'll sometimes also see this type of string appended to @@ -450,14 +447,14 @@

+ popular module for this purpose is CGI.pm. You might + also consider CGI::Lite, which implements a minimal + set of functionality, which is all you need in most programs.

If you're writing CGI programs in C, there are a variety of - options. One of these is the CGIC library, from - http://www.boutell.com/cgic/ -

+ options. One of these is the CGIC library, from + http://www.boutell.com/cgic/.

@@ -465,20 +462,18 @@

+ http://www.hwg.org/lists/hwg-servers/.