📄 fastcgi.htm
字号:
restricting access to the internal network, and internal databases and applications. </P> <P> </P> <DIV CLASS="c2"> <IMG ALT="error-file:TidyOut.log" SRC="img00001.gif"><A NAME="_Ref352505891">Figure 1</A> </DIV> <P> With CGI and vendor APIs, the application has to run on the Web server machine. This means the server administrator has to replicate the necessary database information onto the system hosting the Web server (which may be difficult to do in an automated way without compromising firewall security). Or, the administrator may build a "bridge" that allows access through the Web server to internal databases and applications (which is effectively re-inventing remote FastCGI). </P> <P> With remote FastCGI, the applications can run on the internal network, simplifying the administrator's job. When used with appropriate firewall configuration and auditing, this approach provides a secure, high-performance, scalable way to bring internal applications and data to the external network. </P> <H4> Load Distribution </H4> <P> For resource-intensive CGI and API applications, the Web server machine quickly becomes the bottleneck for overall throughput. The usual way to solve this performance problem is to buy a bigger, faster Web server machine, or to partition the Web site across several Web servers. </P> <P> With remote FastCGI, the resource-intensive applications can be moved off the Web server machine, giving the server administrator additional flexibility in configuring the Web server. The administrator can configure FastCGI applications "behind the scenes" without having to change any content links or the external view of the Web site. The administrator can use several smaller, inexpensive server machines for applications, and can tailor each machine to the application it is hosting. </P> <H4> Security Issues with Remote FastCGI </H4> <P> The two security issues with remote FastCGI connections are authentication and privacy. FastCGI applications should only accept connections from Web servers that they trust (the application library includes support for IP address validation). Future versions of the protocol will include support for applications authenticating Web servers, as well as support for running remote connections over secure transport protocols such as SSL or PCT.<!--This pargraph needs to be made stronger, going into the issues in a little more detail.--> </P> <H3> The FastCGI Protocol </H3> <P> This section offers a brief introduction to the protocol used on the connection between the Web server and FastCGI application. Most application developers will use the FastCGI application library and won't have to worry about the protocol details. However, specialized applications are free to implement the FastCGI protocol directly. </P> <P> FastCGI uses a simple packet record format on the connection between the application and the Web server. The same record format is used in both directions and is outlined in Figure 2. </P> <P> </P> <DIV CLASS="c2"> <IMG ALT="error-file:TidyOut.log" SRC="img00002.gif"><A NAME="_Ref352404075">Figure 2</A> </DIV> <P> The protocol version field specifies the version of the FastCGI protocol that is in use. The type field specifies the type of the record (described in the following section). The request ID identifies this record to a particular request, allowing multiple requests to be multiplexed over a single connection. The data length field specifies the number of data bytes that follow. </P> <P> The different FastCGI packet types are: </P> <TABLE> <TR> <TD WIDTH="186"> <TT CLASS="c3">FCGI_PARAMS</TT> </TD> <TD WIDTH="228"> Used for sending name/value pairs (CGI environment variables) from the Web server to the application. </TD> </TR> <TR> <TD WIDTH="186"> <TT CLASS="c3">FCGI_STDIN</TT> </TD> <TD WIDTH="228"> Used for sending the standard input from the Web server to the application. </TD> </TR> <TR> <TD WIDTH="186"> <TT CLASS="c3">FCGI_DATA</TT> </TD> <TD WIDTH="228"> Used for sending filter data to the application (for more information, see the filter role described on page 7.) </TD> </TR> <TR> <TD WIDTH="186"> <TT CLASS="c3">FCGI_STDOUT</TT> </TD> <TD WIDTH="228"> Used to send standard output from the application to the Web server. </TD> </TR> <TR> <TD WIDTH="186"> <TT CLASS="c3">FCGI_STDERR</TT> </TD> <TD WIDTH="228"> Used to send standard error information from the application to the Web server. </TD> </TR> <TR> <TD WIDTH="186"> <TT CLASS="c3">FCGI_END_REQUEST</TT> </TD> <TD WIDTH="228"> Ends the request (can be sent by either the server or the application). </TD> </TR> </TABLE> <P> </P> <P> For complete protocol details, see the <I>FastCGI Protocol Specification</I>, available from the Web site listed at the end of this paper. </P> <H2> 3. Application Roles </H2> <P> A major problem with CGI is its limited functionality: CGI programs can only provide simple responses to requests. FastCGI provides expanded functionality with support for three different application "roles": </P> <UL> <LI> <B>Responder.</B> This is the basic FastCGI role, and corresponds to the simple functionality offered by CGI today. </LI> <LI> <B>Filter.</B> The FastCGI application filters the requested Web server file before sending it to the client. </LI> <LI> <B>Authorizer.</B> The FastCGI program performs an access control decision for the request (such as performing a username/password database lookup). </LI> </UL> <P> Other roles will be defined in the future. For instance, a "logger" role would be useful, where the FastCGI program would receive the server's log entries for real-time processing and analysis. </P> <P> The roles are described in more detail in the following sections. </P> <H3> Responder Role </H3> <P> FastCGI's Responder role is identical to the functionality provided by CGI today. When a request comes into the server, the FastCGI program generates the response that's returned to the client (typically an HTML page). </P> <H3> <A NAME="_Ref352404524">Filter Role</A> </H3> <P> The Filter role allows a FastCGI application to process a requested file before it is returned to the client. </P> <P> Let's assume that the Web server is configured so that all files with the .<TT CLASS="c3">sgml</TT> extension are processed by a SGML-to-HTML FastCGI filter application, and the user accesses the following URL: </P> <P> <TT CLASS="c3">/document.sgml</TT> </P> <P> After the Web server makes an access control decision and maps this URL to a content file, it invokes the FastCGI filter application with this file available as input. The FastCGI program's HTML output is sent back to the client, just as in the responder role. The process is outlined in Figure 3. </P> <P> </P> <DIV CLASS="c2"> <IMG ALT="error-file:TidyOut.log" SRC="img00003.gif"><A NAME="_Ref352560526">Figure 3</A> </DIV> <P> Filter applications can significantly improve performance by caching filter results (the server provides the modification time in the request information so that applications can flush the cache when the server file has been modified). </P> <P> The Filter role is useful for: </P> <UL> <LI> On-the-fly format conversions </LI> <LI> Dynamic documents (such as documents with embedded SQL queries, or dynamic advertisement insertion) </LI> <LI> Applying a standard template: headers, footers, and backgrounds </LI> </UL> <H3> Authorizer Role </H3> <P> The Authorizer role allows a FastCGI application to make an access control decision for a request. The FastCGI application is invoked with all of the request information, just as in the Responder role. If the authorizer application generates a "200 OK" HTTP result, the Web server assumes that access is allowed and proceeds with the request. (The Web server may process other access checks, including other FastCGI authorizers, before access is ultimately allowed.) If the application generates any other response, that response is returned to the client and the request is ended. The response can be any valid HTTP response, including "Access Denied" or "Redirect". </P> <P> The Authorizer role is useful for: </P> <UL> <LI> Access control based on username and password, where the user information is looked up in an external database. </LI> <LI> Complex access policies, such as time-of-day based access. </LI> <LI> Smart-card challenge/response authentication. </LI> <LI> Dynamic redirects, where the user is sent to different pages based on the request profile. </LI> </UL> <H2> <A NAME="_Ref352251764">4. FastCGI Application Library</A> </H2> <P> Open Market has developed a FastCGI application library that implements the FastCGI protocol (hiding the protocol details from the developer). This library makes implementing FastCGI programs as easy as writing CGI applications. </P> <P> The application library provides a replacement for the C language standard I/O (stdio) routines, such as <TT CLASS="c3">printf()</TT> and <TT CLASS="c3">gets()</TT>. The library converts references to standard input, standard output, and standard error to the FastCGI protocol. References to other files "fall through" to the underlying operating system standard I/O routines. </P> <P> This approach has several benefits: </P> <UL> <LI> Developers don't have to learn a new API to develop FastCGI applications. </LI> <LI> Existing CGI programs can be migrated with minimal source changes (CGI migration is described in more detail in the following section). </LI> <LI> FastCGI interpreters for Perl, Tcl, and other interpreted languages can be built without modifying the interpreter source code. </LI> </UL> <P> Here's a simple FastCGI application: </P> <BR> <BR><PRE> #include <fcgi_stdio.h> void main(void) { int count = 0;⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -