fastcgi.htm

FastCGI,语言无关的、可伸缩架构的CGI开放扩展

<HTML>
   <HEAD>
      <TITLE>
         FastCGI
      </TITLE>
      <META NAME="GENERATOR" CONTENT="Internet Assistant for Microsoft Word 2.0z">
<STYLE TYPE="text/css">
 div.c5 {font-family: Arial Narrow; font-size: 80%; text-align: center}
 span.c4 {font-family: Courier}
 tt.c3 {font-family: Courier}
 div.c2 {text-align: center}
 div.c1 {color: #FFFFFF; font-family: Impact; font-size: 120%; text-align: center}
</STYLE>
   </HEAD>
   <!--Copyright (c) 1996 Open Market, Inc.                                    -->
   <!--See the file "LICENSE.TERMS" for information on usage and redistribution-->
   <!--of this file, and for a DISCLAIMER OF ALL WARRANTIES.                   -->
   <!-- $Id: fastcgi.htm,v 1.4 2002/02/25 00:45:06 robs Exp $ -->
   <BODY>
      <P>
         Open Market, Inc.
      </P>
      <P>
      </P>
      <DIV CLASS="c1">
         Technical White Paper<BR>
      </DIV>
      <H1>
         FastCGI:<BR>
          A High-Performance Web Server Interface
      </H1>
      <P>
         April 1996<!--Please send comments to:-->
      </P>
      <HR>
      <!-- payne@openmarket.com-->
      <H2>
         1. Introduction
      </H2>
      <P>
         The surge in the use of the Web by business has created a tremendous need for server extension applications
         that create dynamic content. These are the applications that will allow businesses to deliver products,
         services, and messages whose shape and content are in part determined by the interaction with, and knowledge
         of, the customers to which they are delivered.
      </P>
      <P>
         This important movement away from static Web content is pushing the limits and exposing the weaknesses of the
         environment in which these applications are currently bound: CGI (Common Gateway Interface). Most importantly
         it does not offer the performance these applications require. A new communication infrastructure is needed to
         connect Web servers with these new applications. This is what led Open Market to develop FastCGI.
      </P>
      <P>
         FastCGI is a fast, open, and secure Web server interface that solves the performance problems inherent in CGI,
         without introducing the overhead and complexity of proprietary APIs (Application Programming Interfaces).
      </P>
      <P>
         This paper assumes that the reader has basic familiarity with Web technology and developing Web applications.
      </P>
      <H3>
         Common Gateway Interface
      </H3>
      <P>
         The de facto standard interface for Web server applications is CGI, which was first implemented in the NCSA
         server. CGI has many benefits:
      </P>
      <UL>
         <LI>
            <B>Simplicity.</B> <SPAN>It is easy to understand.</SPAN>
         </LI>
         <LI>
            <B>Language independence.</B> CGI applications can be written in nearly any language.
         </LI>
         <LI>
            <B>Process isolation.</B> Since applications run in separate processes, buggy applications cannot crash the
            Web server or access the server&#39;s private internal state.
         </LI>
         <LI>
            <B>Open standard.</B> Some form of CGI has been implemented on every Web server.
         </LI>
         <LI>
            <B>Architecture independence.</B> CGI is not tied to any particular server architecture (single threaded,
            multi-threaded, etc.).
         </LI>
      </UL>
      <P>
         CGI also has some significant drawbacks. The leading problem is performance: Since a new process is created
         for each request and thrown away when the request is done, efficiency is poor.
      </P>
      <P>
         CGI also has limited functionality: It only supports a simple &quot;responder&quot; role, where the
         application generates the response that is returned to the client. CGI programs can&#39;t link into other
         stages of Web server request processing, such as authorization and logging.
      </P>
      <H3>
         Server APIs
      </H3>
      <P>
         In response to the performance problems for CGI, several vendors have developed APIs for their servers. The
         two most notable are NSAPI from Netscape and ISAPI from Microsoft. The freely available Apache server also has
         an API.
      </P>
      <P>
         Applications linked into the server API may be significantly faster than CGI programs. The CGI
         startup/initialization problem is improved, because the application runs in the server process and is
         persistent across requests. Web server APIs also offer more functionality than CGI: you can write extensions
         that perform access control, get access to the server&#39;s log file, and link in to other stages in the
         server&#39;s request processing.
      </P>
      <P>
         However, APIs sacrifice all of CGI&#39;s benefits. Vendor APIs have the following problems:
      </P>
      <UL>
         <LI>
            <B>Complexity.</B> Vendor APIs introduce a steep learning curve, with increased implementation and
            maintenance costs.
         </LI>
         <LI>
            <B>Language dependence.</B> Applications have to be written in a language supported by the vendor API
            (usually C/C++). Perl, the most popular language for CGI programs, can&#39;t be used with any existing
            vendor API.
         </LI>
         <LI>
            <B>No process isolation.</B> <SPAN>Since the applications run in the server&#39;s address space, buggy
            applications can corrupt the core server (or each other). A malicious or buggy application can compromise
            server security, and bugs in the core server can corrupt applications.</SPAN>
         </LI>
         <LI>
            <B>Proprietary.</B> Coding your application to a particular API locks you into a particular vendor&#39;s
            server.
         </LI>
         <LI>
            <B>Tie-in to server architecture.</B> API applications have to share the same architecture as the server:
            If the Web server is multi-threaded, the application has to be thread-safe. If the Web server has
            single-threaded processes, multi-threaded applications don&#39;t gain any performance advantage. Also, when
            the vendor changes the server&#39;s architecture, the API will usually have to change, and applications
            will have to be adapted or rewritten.
         </LI>
      </UL>
      <H3>
         FastCGI
      </H3>
      <P>
         The FastCGI interface combines the best aspects of CGI and vendor APIs. Like CGI, FastCGI applications run in
         separate, isolated processes. FastCGI&#39;s advantages include:
      </P>
      <UL>
         <LI>
            <B>Performance.</B> FastCGI processes are persistent-they are reused to handle multiple requests. This
            solves the CGI performance problem of creating new processes for each request.
         </LI>
         <LI>
            <B>Simplicity, with easy migration from CGI.</B> The FastCGI application library (described on page 9)
            simplifies the migration of existing CGI applications. Applications built with the application library can
            also run as CGI programs, for backward compatibility with old Web servers.
         </LI>
         <LI>
            <B>Language independence.</B> Like CGI, FastCGI applications can be written in any language, not just
            languages supported by the vendor API.
         </LI>
         <LI>
            <B>Process isolation.</B> A buggy FastCGI application cannot crash or corrupt the core server or other
            applications. A malicious FastCGI application cannot steal any secrets (such as session keys for
            encryption) from the Web server.
         </LI>
         <LI>
            <B>Non-proprietary.</B> FastCGI is supported in all of Open Market&#39;s server products, and support is
            under development for other Web servers, including the freely available Apache and NCSA servers, as well as
            commercial servers from Microsoft and Netscape.
         </LI>
         <LI>
            <B>Architecture independence.</B> The FastCGI interface is not tied to a particular server architecture.
            Any Web server can implement the FastCGI interface. Also, FastCGI does not impose any architecture on the
            application: applications can be single or multi-threaded, regardless of the threading architecture of the
            Web server.
         </LI>
         <LI>
            <B>Support for distributed computing.</B> FastCGI provides the ability to run applications remotely, which
            is useful for distributing load and managing external Web sites.
         </LI>
      </UL>
      <P>
         The following sections describe the FastCGI interface, protocol, application library, and support in Open
         Market&#39;s WebServer products.
      </P>
      <H2>
         2. FastCGI Interface
      </H2>
      <P>
         The functionality provided by the FastCGI interface is very similar to that provided by CGI. To best
         understand the FastCGI protocol, we review the CGI interface here. Basic CGI request processing proceeds as
         follows:
      </P>
      <OL>
         <LI>
            For each request, the server creates a new process and the process initializes itself.
         </LI>
         <LI>
            The Web server passes the request information (such as remote host, username, HTTP headers, etc.) to the
            CGI program in environment variables.
         </LI>
         <LI>
            The Web server sends any client input (such as user-entered field values from an HTML form) to the CGI
            program&#39;s standard input.
         </LI>
         <LI>
            The CGI program writes any output to be returned to the client on standard output. Error information
            written to standard error is logged by the Web server.
         </LI>
         <LI>
            When the CGI process exits, the request is complete.
         </LI>
      </OL>
      <P>
         FastCGI is conceptually very similar to CGI, with two major differences:
      </P>
      <UL>
         <LI>
            FastCGI processes are persistent: after finishing a request, they wait for a new request instead of
            exiting.
         </LI>
         <LI>
            Instead of using operating system environment variables and pipes, the FastCGI protocol multiplexes the
            environment information, standard input, output and error over a single full-duplex connection. This allows
            FastCGI programs to run on remote machines, using TCP connections between the Web server and the FastCGI
            application.
         </LI>
      </UL>
      <P>
         Request processing in a single-threaded FastCGI application proceeds as follows:
      </P>
      <OL>
         <LI>
            The Web server creates FastCGI application processes to handle requests. The processes may be created at
            startup, or created on demand.
         </LI>
         <LI>
            The FastCGI program initializes itself, and waits for a new connection from the Web server.
         </LI>
         <LI>
            When a client request comes in, the Web server opens a connection to the FastCGI process. The server sends
            the CGI environment variable information and standard input over the connection.
         </LI>
         <LI>
            The FastCGI process sends the standard output and error information back to the server over the same
            connection.
         </LI>
         <LI>
            When the FastCGI process closes the connection, the request is complete. The FastCGI process then waits for
            another connection from the Web server.
         </LI>
      </OL>
      <P>
         FastCGI applications can run locally (on the same machine as the Web server) or remotely. For local
         applications, the server uses a full-duplex pipe to connect to the FastCGI application process. For remote
         applications, the server uses a TCP connection.
      </P>
      <P>
         FastCGI applications can be single-threaded or multi-threaded. For single threaded applications, the Web
         server maintains a pool of processes (if the application is running locally) to handle client requests. The
         size of the pool is user configurable. Multi-threaded FastCGI applications may accept multiple connections
         from the Web server and handle them simultaneously in a single process. (For example, Java&#39;s built-in
         multi-threading, garbage collection, synchronization primitives, and platform independence make it a natural
         implementation language for multi-threaded FastCGI applications.)
      </P>
      <H3>
         Remote FastCGI
      </H3>
      <P>
         FastCGI&#39;s ability to run applications remotely (over a TCP connection) provides some major benefits. These
         benefits are described in this section, along with some of the security issues that affect remote FastCGI
         applications.
      </P>
      <H4>
         FastCGI with Firewalls
      </H4>
      <P>
         Applications that run on organizational (external) Web servers and depend on internal databases can be a
         challenge to administer. Figure 1 shows a typical organization, with an external Web server, a firewall