2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<?xml version="1.0" encoding="ISO-8859-1"?>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<title>mod_authnz_fcgi - Apache HTTP Server Version 2.5</title>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<script src="/style/scripts/prettify.min.js" type="text/javascript">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</script>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<link href="/images/favicon.ico" rel="shortcut icon" /></head>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<body>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div id="page-header">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<p class="apache">Apache HTTP Server Version 2.5</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<img alt="" src="/images/feather.gif" /></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div id="path">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.5</a> &gt; <a href="./">Modules</a></div>

e07d700ed9daf0cf96607fa2d72978cb2431b794Pavel Březina<div id="page-content">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div id="preamble"><h1>Apache Module mod_authnz_fcgi</h1>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="toplang">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<p><span>Available Languages: </span><a href="/en/mod/mod_authnz_fcgi.html" title="English">&nbsp;en&nbsp;</a></p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Allows a FastCGI authorizer application to handle Apache

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherhttpd authentication and authorization</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>authnz_fcgi_module</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_authnz_fcgi.c</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.4.10 and later</td></tr></table>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov<h3>Summary</h3>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>This module allows FastCGI authorizer applications to

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authenticate users and authorize access to resources. It supports

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher generic FastCGI authorizers which participate in a single phase

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher for authentication and authorization as well as Apache httpd-specific

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authenticators and authorizors which participate in one or both

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov phases.</p>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>FastCGI authorizers can authenticate using user id and password,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher such as for Basic authentication, or can authenticate using arbitrary

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher mechanisms.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div id="quickview"><h3>Topics</h3>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<ul id="topics">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><img alt="" src="/images/down.gif" /> <a href="#invocations">Invocation modes</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><img alt="" src="/images/down.gif" /> <a href="#examples">Additional examples</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><img alt="" src="/images/down.gif" /> <a href="#limitations">Limitations</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><img alt="" src="/images/down.gif" /> <a href="#logging">Logging</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</ul><h3 class="directives">Directives</h3>

dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina<ul id="toc">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><img alt="" src="/images/down.gif" /> <a href="#authnzfcgicheckauthnprovider">AuthnzFcgiCheckAuthnProvider</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><img alt="" src="/images/down.gif" /> <a href="#authnzfcgidefineprovider">AuthnzFcgiDefineProvider</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</ul>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<h3>See also</h3>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<ul class="seealso">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><a href="/howto/auth.html">Authentication, Authorization,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherand Access Control</a></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><code class="program"><a href="/programs/fcgistarter.html">fcgistarter</a></code></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<li><code class="module"><a href="/mod/mod_proxy_fcgi.html">mod_proxy_fcgi</a></code></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="section">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<h2><a name="invocations" id="invocations">Invocation modes</a></h2>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>The invocation modes for FastCGI authorizers supported by this

dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina module are distinguished by two characteristics, <em>type</em> and

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher auth <em>mechanism</em>.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p><em>Type</em> is simply <code>authn</code> for authentication,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>authz</code> for authorization, or <code>authnz</code> for

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher combined authentication and authorization.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>Auth <em>mechanism</em> refers to the Apache httpd configuration

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher mechanisms and processing phases, and can be <code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthBasicProvider</code>, <code>Require</code>, or <code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher check_user_id</code>. The first two of these

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher correspond to the directives used to enable participation in the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher appropriate processing phase.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>Descriptions of each mode:</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt><em>Type</em> <code>authn</code>, <em>mechanism</em>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <code>AuthBasicProvider</code></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>In this mode,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>FCGI_ROLE</code> is set to <code>AUTHORIZER</code> and

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>FCGI_APACHE_ROLE</code> is set to <code>AUTHENTICATOR</code>.

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher The application must be defined as provider type <em>authn</em>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher using <code class="directive"><a href="#authnzfcgidefineprovider">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthnzFcgiDefineProvider</a></code> and enabled with

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>.

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher When invoked, the application is

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher expected to authenticate the client using the provided user id and

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov password. Example application:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-perl">#!/usr/bin/perl

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagheruse FCGI;

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashovwhile (FCGI::accept &gt;= 0) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_APACHE_ROLE'} ne "AUTHENTICATOR";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if !$ENV{'REMOTE_PASSWD'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if !$ENV{'REMOTE_USER'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print STDERR "This text is written to the web server error log.\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher if ( ($ENV{'REMOTE_USER' } eq "foo" || $ENV{'REMOTE_USER'} eq "foo1") &amp;&amp;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher $ENV{'REMOTE_PASSWD'} eq "bar" ) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 200\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHN_1: authn_01\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHN_2: authn_02\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher else {

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov print "Status: 401\n\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher}</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Example configuration:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10102/

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher&lt;Location "/protected/"&gt;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthType Basic

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthName "Restricted"

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthBasicProvider FooAuthn

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Require ...

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher&lt;/Location&gt;</pre>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov </dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt><em>Type</em> <code>authz</code>, <em>mechanism</em>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>Require</code></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>In this mode, <code>FCGI_ROLE</code> is set to <code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AUTHORIZER</code> and <code>FCGI_APACHE_ROLE</code> is set to

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>AUTHORIZER</code>. The application must be defined as

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher provider type <em>authz</em> using <code class="directive"><a href="#authnzfcgidefineprovider">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthnzFcgiDefineProvider</a></code>. When invoked, the application

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher is expected to authorize the client using the provided user id and other

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher request data. Example application:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-perl">#!/usr/bin/perl

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagheruse FCGI;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherwhile (FCGI::accept &gt;= 0) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_APACHE_ROLE'} ne "AUTHORIZER";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'REMOTE_PASSWD'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print STDERR "This text is written to the web server error log.\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher if ($ENV{'REMOTE_USER'} eq "foo1") {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 200\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHZ_1: authz_01\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHZ_2: authz_02\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher else {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 403\n\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher}</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Example configuration:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authz FooAuthz fcgi://localhost:10103/

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov&lt;Location "/protected/"&gt;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthType ...

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthName ...

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthBasicProvider ...

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Require FooAuthz

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher&lt;/Location&gt;</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

1a7529bf5f867b43e0475f7f9ac0cd8671fb16f1Pavel Březina </dd>

1a7529bf5f867b43e0475f7f9ac0cd8671fb16f1Pavel Březina

47db32cd9cb2147bb40909352569d7c8274365dbPavel Březina <dt><em>Type</em> <code>authnz</code>, <em>mechanism</em>

1a7529bf5f867b43e0475f7f9ac0cd8671fb16f1Pavel Březina <code>AuthBasicProvider</code> <em>+</em> <code>Require</code></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>In this mode, which supports the web server-agnostic FastCGI

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>AUTHORIZER</code> protocol, <code>FCGI_ROLE</code> is set to

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <code>AUTHORIZER</code> and <code>FCGI_APACHE_ROLE</code> is not set.

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher The application must be defined as provider type <em>authnz</em>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher using <code class="directive"><a href="#authnzfcgidefineprovider">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthnzFcgiDefineProvider</a></code>. The application is expected to

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov handle both authentication and authorization in the same invocation

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov using the user id, password, and other request data. The invocation

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher occurs during the Apache httpd API authentication phase. If the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher application returns 200 and the same provider is invoked during the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authorization phase (via <code class="directive">Require</code>), mod_authnz_fcgi

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher will return success for the authorization phase without invoking the

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov application. Example application:

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov<pre class="prettyprint lang-perl">#!/usr/bin/perl

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagheruse FCGI;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherwhile (FCGI::accept &gt;= 0) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_APACHE_ROLE'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if !$ENV{'REMOTE_PASSWD'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if !$ENV{'REMOTE_USER'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print STDERR "This text is written to the web server error log.\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov if ( ($ENV{'REMOTE_USER' } eq "foo" || $ENV{'REMOTE_USER'} eq "foo1") &amp;&amp;

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov $ENV{'REMOTE_PASSWD'} eq "bar" &amp;&amp;

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov $ENV{'REQUEST_URI'} =~ m%/bar/.*%) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 200\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHNZ_1: authnz_01\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHNZ_2: authnz_02\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher else {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 401\n\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher}</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

df233bce93c6e6752cf22cd4244c85c94d68b17bLukas Slebodnik

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Example configuration:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov&lt;Location "/protected/"&gt;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthType Basic

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthName "Restricted"

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthBasicProvider FooAuthnz

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Require FooAuthnz

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher&lt;/Location&gt;</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt><em>Type</em> <code>authn</code>, <em>mechanism</em>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>check_user_id</code></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>In this mode, <code>FCGI_ROLE</code> is set to <code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AUTHORIZER</code> and <code>FCGI_APACHE_ROLE</code> is set to

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>AUTHENTICATOR</code>. The application must be defined as

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher provider type <em>authn</em> using <code class="directive"><a href="#authnzfcgidefineprovider">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthnzFcgiDefineProvider</a></code>. <code class="directive"><a href="#authnzfcgicheckauthnprovider">AuthnzFcgiCheckAuthnProvider</a></code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher specifies when it is called. Example application:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-perl">#!/usr/bin/perl

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagheruse FCGI;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherwhile (FCGI::accept &gt;= 0) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_APACHE_ROLE'} ne "AUTHENTICATOR";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher # This authorizer assumes that the RequireBasicAuth option of

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher # AuthnzFcgiCheckAuthnProvider is On:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if !$ENV{'REMOTE_PASSWD'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher die if !$ENV{'REMOTE_USER'};

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print STDERR "This text is written to the web server error log.\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher if ( ($ENV{'REMOTE_USER' } eq "foo" || $ENV{'REMOTE_USER'} eq "foo1") &amp;&amp;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher $ENV{'REMOTE_PASSWD'} eq "bar" ) {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 200\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHNZ_1: authnz_01\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Variable-AUTHNZ_2: authnz_02\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "\n";

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher else {

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher print "Status: 401\n\n";

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov # If a response body is written here, it will be returned to

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov # the client.

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher }

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher}</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Example configuration:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10103/

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov&lt;Location "/protected/"&gt;

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthType ...

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthName ...

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthnzFcgiCheckAuthnProvider FooAuthn \

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Authoritative On \

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher RequireBasicAuth Off \

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher UserExpr "%{reqenv:REMOTE_USER}"

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov Require ...

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov&lt;/Location&gt;</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov </dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov<div class="section">

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov<h2><a name="examples" id="examples">Additional examples</a></h2>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <ol>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <li>If your application supports the separate authentication and

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov authorization roles (<code>AUTHENTICATOR</code> and <code>AUTHORIZER</code>), define

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov separate providers as follows, even if they map to the same

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher application:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10102/

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai KondrashovAuthnzFcgiDefineProvider authz FooAuthz fcgi://localhost:10102/</pre>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher Specify the authn provider on

5085d263f2f084778b1314fc5e808668c3758d82Lukas Slebodnik <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov and the authz provider on

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code>:

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthType Basic

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai KondrashovAuthName "Restricted"

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai KondrashovAuthBasicProvider FooAuthn

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen GallagherRequire FooAuthz</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <li>If your application supports the generic <code>AUTHORIZER</code> role

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher (authentication and authorizer in one invocation), define a

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher single provider as follows:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov Specify the authnz provider on both <code class="directive">AuthBasicProvider</code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher and <code class="directive">Require</code>:

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">AuthType Basic

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen GallagherAuthName "Restricted"

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen GallagherAuthBasicProvider FooAuthnz

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen GallagherRequire FooAuthnz</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</ol>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="section">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<h2><a name="limitations" id="limitations">Limitations</a></h2>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>The following are potential features which are not currently

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher implemented:</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Apache httpd access checker</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>The Apache httpd API <em>access check</em> phase is a separate

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher phase from authentication and authorization. Some other FastCGI

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher implementations implement this phase, which is denoted by the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher setting of <code>FCGI_APACHE_ROLE</code> to <code>ACCESS_CHECKER</code>.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Local (Unix) sockets or pipes</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>Only TCP sockets are currently supported.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Support for mod_authn_socache</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>mod_authn_socache interaction should be implemented for

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher applications which participate in Apache httpd-style

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authentication.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Support for digest authentication using AuthDigestProvider</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This is expected to be a permanent limitation as there is

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher no authorizer flow for retrieving a hash.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Application process management</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This is expected to be permanently out of scope for

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher this module. Application processes must be controlled by

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher other means. For example, <code class="program"><a href="/programs/fcgistarter.html">fcgistarter</a></code> can be used to

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher start them.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>AP_AUTH_INTERNAL_PER_URI</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>All providers are currently registered as

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AP_AUTH_INTERNAL_PER_CONF, which means that checks are not

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher performed again for internal subrequests with the same

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher access control configuration as the initial request.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Protocol data charset conversion</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>If mod_authnz_fcgi runs in an EBCDIC compilation

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher environment, all FastCGI protocol data is written in EBCDIC

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher and expected to be received in EBCDIC.</dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>Multiple requests per connection</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>Currently the connection to the FastCGI authorizer is

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher closed after every phase of processing. For example, if the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authorizer handles separate <em>authn</em> and <em>authz</em>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher phases then two connections will be used.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt>URI Mapping</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>URIs from clients can't be mapped, such as with the <code class="directive">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher ProxyPass</code> used with FastCGI responders.</dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="section">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<h2><a name="logging" id="logging">Logging</a></h2>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <ol>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <li>Processing errors are logged at log level <code>error</code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher and higher.</li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <li>Messages written by the application are logged at log

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher level <code>warn</code>.</li>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <li>General messages for debugging are logged at log level

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>debug</code>.</li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <li>Environment variables passed to the application are

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher logged at log level <code>trace2</code>. The value of the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>REMOTE_PASSWD</code> variable will be obscured,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher but <strong>any other sensitive data will be visible in the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher log</strong>.</li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <li>All I/O between the module and the FastCGI application,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher including all environment variables, will be logged in printable

df233bce93c6e6752cf22cd4244c85c94d68b17bLukas Slebodnik and hex format at log level <code>trace5</code>. <strong>All

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher sensitive data will be visible in the log.</strong></li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </ol>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <p><code class="directive"><a href="/mod/core.html#loglevel">LogLevel</a></code> can be used

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher to configure a log level specific to mod_authnz_fcgi. For

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher example:</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<pre class="prettyprint lang-config">LogLevel info authnz_fcgi:trace8</pre>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="directive-section"><h2><a name="AuthnzFcgiCheckAuthnProvider" id="AuthnzFcgiCheckAuthnProvider">AuthnzFcgiCheckAuthnProvider</a> <a name="authnzfcgicheckauthnprovider" id="authnzfcgicheckauthnprovider">Directive</a></h2>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<table class="directive">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enables a FastCGI application to handle the check_authn

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherauthentication hook.</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnzFcgiCheckAuthnProvider <em>provider-name</em>|<code>None</code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<em>option</em> ...</code></td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_fcgi</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</table>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>This directive is used to enable a FastCGI authorizer to

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher handle a specific processing phase of authentication or

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authorization.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>Some capabilities of FastCGI authorizers require enablement

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher using this directive instead of

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code class="directive">AuthBasicProvider</code>:</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <ul>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <li>Non-Basic authentication; generally, determining the user

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov id of the client and returning it from the authorizer; see the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>UserExpr</code> option below</li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <li>Selecting a custom response code; for a non-200 response

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher from the authorizer, the code from the authorizer will be the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher status of the response</li>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <li>Setting the body of a non-200 response; if the authorizer

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher provides a response body with a non-200 response, that body

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher will be returned to the client; up to 8192 bytes of text are

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher supported</li>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </ul>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dl>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <dt><em>provider-name</em></dt>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <dd>This is the name of a provider defined with <code class="directive">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher AuthnzFcgiDefineProvider</code>.</dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <dt><code>None</code></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>Specify <code>None</code> to disable a provider enabled

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher with this directive in an outer scope, such as in a parent

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov directory.</dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov <dt><em>option</em></dt>

5085d263f2f084778b1314fc5e808668c3758d82Lukas Slebodnik <dd>The following options are supported:

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <dl>

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov <dt>Authoritative On|Off (default On)</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This controls whether or not other modules are allowed

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher to run when this module has a FastCGI authorizer configured

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov and it fails the request.</dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov <dt>DefaultUser <em>userid</em></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>When the authorizer returns success and <code>UserExpr</code>

5085d263f2f084778b1314fc5e808668c3758d82Lukas Slebodnik is configured and evaluates to an empty string (e.g., authorizer

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov didn't return a variable), this value will be used as the user

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov id. This is typically used when the authorizer has a concept of

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov guest, or unauthenticated, users and guest users are mapped to

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher some specific user id for logging and other purposes.</dd>

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <dt>RequireBasicAuth On|Off (default Off)</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This controls whether or not Basic auth is required

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher before passing the request to the authorizer. If required,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher the authorizer won't be invoked without a user id and

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher password; 401 will be returned for a request without that.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov <dt>UserExpr <em>expr</em> (no default)</dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>When Basic authentication isn't provided by the client

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher and the authorizer determines the user, this expression,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher evaluated after calling the authorizer, determines the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher user. The expression follows <a href="/expr.html">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher ap_expr syntax</a> and must resolve to a string. A typical

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher use is to reference a <code>Variable-<em>XXX</em></code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher setting returned by the authorizer using an option like

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code>UserExpr "%{reqenv:<em>XXX</em>}"</code>. If

274fe6a4f8bcb23e31929430110c0b52e9ce233aJakub Hrozek this option is specified and the user id can't be retrieved

83bf46f4066e3d5e838a32357c201de9bd6ecdfdNikolai Kondrashov using the expression after a successful authentication, the

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher request will be rejected with a 500 error.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="directive-section"><h2><a name="AuthnzFcgiDefineProvider" id="AuthnzFcgiDefineProvider">AuthnzFcgiDefineProvider</a> <a name="authnzfcgidefineprovider" id="authnzfcgidefineprovider">Directive</a></h2>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<table class="directive">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Defines a FastCGI application as a provider for

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagherauthentication and/or authorization</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnzFcgiDefineProvider <em>type</em> <em>provider-name</em>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<em>backend-address</em></code></td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_fcgi</td></tr>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</table>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <p>This directive is used to define a FastCGI application as

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher a provider for a particular phase of authentication or

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher authorization.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt><em>type</em></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This must be set to <em>authn</em> for authentication,

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <em>authz</em> for authorization, or <em>authnz</em> for

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher a generic FastCGI authorizer which performs both checks.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt><em>provider-name</em></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This is used to assign a name to the provider which is

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher used in other directives such as

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher and

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code>.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dt><em>backend-address</em></dt>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <dd>This specifies the address of the application, in the form

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <em>fcgi://hostname:port/</em>. The application process(es)

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher must be managed independently, such as with

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher <code class="program"><a href="/programs/fcgistarter.html">fcgistarter</a></code>.</dd>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher </dl>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</div>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<div class="bottomlang">

e07d700ed9daf0cf96607fa2d72978cb2431b794Pavel Březina<p><span>Available Languages: </span><a href="/en/mod/mod_authnz_fcgi.html" title="English">&nbsp;en&nbsp;</a></p>

e07d700ed9daf0cf96607fa2d72978cb2431b794Pavel Březina</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>

e07d700ed9daf0cf96607fa2d72978cb2431b794Pavel Březina<script type="text/javascript"><!--//--><![CDATA[//><!--

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher//--><!]]></script></div><div id="footer">

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<p class="apache">Copyright 2015 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher//--><!]]></script>

2dd3faebcd3cfd00efda38ffd2585d675e696b12Stephen Gallagher</body></html>