Telling Apache to Serve CGI Scripts

To configure Apache to serve CGI scripts, you must do two things: Load the CGI module and tell Apache which directories may contain CGI scripts. Some approaches also require additional configuration steps. Telling Apache to support CGI is done via lines like the following:

LoadModule cgi_module modules/mod_cgi.so AddModule mod_cgi.c

The first line loads the CGI module, if it's compiled as a separate module. The module filename specification (modules/mod_cgi.so in this example) may need to be changed for your system. Use other LoadModule lines in your default configuration file as a guide. The second line may be required in Apache 1,3.x when the module is built into the main Apache binary, and sometimes when it's not. If your configuration file doesn't have other AddModule lines, chances are this second line is unnecessary. The default Apache installations of many distributions include the appropriate lines to enable Apache's CGI features, so you may not need to do anything.

Tip If you do not want to deliver CGI scripts, you may want to comment out the lines that enable Apache to deliver CGI scripts. Doing so will reduce the risk that an accidentally enabled CGI scripting directory could lead to abuse of your server's CGI capabilities.

Once you've enabled Apache's basic CGI scripting capabilities, you must tell it where to look for CGI scripts. This configuration is the equivalent of the DocumentRoot or

UserDir directives telling Apache where to look to deliver static content. Some ways which you can do this are:

ScriptAlias This directive is roughly equivalent to DocumentRootfor CGI scripts; it tells Apache to treat files in a specific directory as CGI scripts and to enable execution of CGI scripts within that directory. This directive takes two values: A name that's to appear in the URL's filename as a CGI script indicator and a local path. For instance, ScriptAlias /cgi/ "/home/httpd/cgi-bin/" tells Apache to look in /home/httpd/cgi-bin for CGI scripts when the requested filename begins with /cgi. For instance, if a user enters a URL such as http://www.threeroomco.com/cgi/info.pl, Apache on the server computer runs/home/httpd/cgi-bin/info.pl. This configuration also requires the presence of the mod_alias.so module (loaded as alias_module), so be sure it's present. Some distributions include a default ScriptAlias configuration, so check your existing configuration file for one.

Options +ExecCGI Including the Options +ExecCGI directive in a configuration file enables CGI script execution globally or within the specified directory. This approach is best used within a <Directory> directive block to limit its scope to the specified directory. Using Options +ExecCGI globally is potentially quite risky.

AllowOverride Options and .htaccess If you include the AllowOverride Options directive in your configuration file, Apache will examine the directories it serves for a file called .htaccess. (If this option is used within a <Directory> directive block, Apache looks for this file only in the specified directory.) If present, this file may contain options to override the configuration specified in the main Apache configuration file, including an Options +ExecCGI line. Using this approach may be helpful if you want to enable individuals to activate CGI scripting for the directories they control.

Warning The AllowOverride Options directive is potentially risky. When this directive in force, users may set up .htaccess options, including CGI script execution options, that result in security holes. For instance, a user might enable CGI scripting and then write a CGI script that results in a security breach. Of course, poor CGI scripts pose this risk no matter how they're run, but at least if you use ScriptAlias, you can firmly control the directories from which CGI scripts may be run.

No matter how you configure Apache to run CGI scripts, you should remember that these scripts are programs. They must have their execute permission bits set. If you obtain a script from a website that hosts such scripts, you may need to type chmod a+x scriptname, where scriptname is the name of the script, before the script will execute.

Warning Don't trust CGI scripts obtained from any random source. Try to evaluate the credentials and trustworthiness of any person or website that delivers CGI scripts, or study the script carefully to be sure it doesn't contain malicious code. The upcoming section, "CGI Scripting Perils," describes potential security problems with CGI scripts in more detail.

0 0

Post a comment