Common Gateway Interface (CGI, current version 1.1)

- A standard for external applications to interface with information servers such as HTTP servers.
  http://hoohoo.ncsa.uiuc.edu/docs/cgi/overview.html
- These external applications typically help to relay information between httpd and other software systems, e.g., a database. This is how CGI gets its "gateway" name.
- They are called CGI programs and can be written in any language that follows the CGI spec: Perl, Unix shell, C/C++, Fortran, TCL, Visual Basic.
- A CGI program is executed dynamically and provides dynamic content.

12/31/2018 C. Edward Chow

CGI Security Concerns

- A CGI program runs with the ID of the httpd (webuser in our case, nobody in many other web servers).
- It can retrieve and overwrite files in any directory for which it has access permission!
- “Security by Obscurity”: CGI programs are kept in a different directory from the web pages so bad guys can’t read, edit, or analyze them for security holes.
- Example of why Apache by default does not allow following soft links (ln -s): a bad guy sets up ln -s to a script, then uses a web browser, through httpd (new permission as webuser), to retrieve the text of the script.
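
The soft-link case above can be checked for on the server. The shell function below is an added example, not part of the original slides or course files: it lists symbolic links under a document root that resolve into the CGI directory. The function name and its two path arguments are assumptions.

```shell
#!/bin/sh
# Added example: find symlinks in the document tree that resolve into the
# CGI directory, i.e. links through which httpd could serve script source.

# audit_symlinks DOCROOT CGIDIR
# Prints one "link -> target" line per offending symlink.
# Returns 0 if the tree is clean, 1 if any link was found, 2 on setup errors.
audit_symlinks() {
    docroot=$1
    # Canonical CGI directory, so comparisons are made on resolved paths.
    cgidir=$(cd "$2" && pwd -P) || return 2
    found=0
    # A temp file keeps the loop out of a pipeline subshell,
    # which would lose the value of $found.
    list=$(mktemp) || return 2
    find "$docroot" -type l -print > "$list"
    # Note: file names containing newlines are not handled by this loop.
    while IFS= read -r link; do
        target=$(readlink -f -- "$link") || continue   # unresolvable link
        case $target in
            "$cgidir"|"$cgidir"/*)
                printf '%s -> %s\n' "$link" "$target"
                found=1 ;;
        esac
    done < "$list"
    rm -f "$list"
    return "$found"
}
```

With the paths used on these slides, the call would be audit_symlinks with the htdocs directory as the first argument and /mpc/home/<login>/sites/cgi-bin as the second.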

Apache CGI Configuration

- Allow read and execute access to the CGI programs, and possibly write access to the data directories used by them.
- ScriptAlias URLpath directory
  e.g., ScriptAlias /cgi-bin /mpc/home/<login>/sites/cgi-bin
- An incoming URL with /cgi-bin/echoorder.pl causes /mpc/home/<login>/sites/cgi-bin/echoorder.pl to run.

Apache CGI Exercise 1

- cd /mpc/home/<login>/site.cgi/conf
- Run sub.pl <your port#>. It will modify the go script and conf/httpd.conf.
- Start the web server with go.
- On the browser, retrieve http://bilbo:<port#>/form_summer.html
- Fill in the form and submit the query.
- Observe the environment variables returned.

Apache CGI Exercise 2

- The myecho is the object code for FreeBSD. Recompile myecho with “make”.
- cp form_summer.html form_summer2.html
- Edit form_summer2.html by replacing /cgi-bin/mycgi with /cgi-bin/myecho in the <FORM> tag; rename it as form_summer2.html.
- On the browser, retrieve http://bilbo:<port#>/form_summer2.html
- Observe the returned web page.

CGI.pm: A Perl5 CGI Library

- echoorder.pl and process.pl are written with the recent version 2.36 of CGI.pm by Lincoln Stein.
  http://www-genome.wi.mit.edu/ftp/pub/software/WWW/cgi_docs.html
- It provides functions for
  - parsing the query string
  - creating web pages/fill-out forms
  - saving/retrieving the query string to files
  - HTTP session variables
  - cookie, frame, JavaScript, and NPH support
- Debug the Perl script by running ./<script>.pl and entering the query string, e.g., order1=3&order2=4

Passing Variables to CGI Program

- SetEnv variable value
  Sets an environment variable to a value, e.g., SetEnv VHOST customers
- PassEnv <host env variable>
  Passes host environment variables to the CGI program.
- Find out the browser and version number:
  BrowserMatch browserRE env1[=val1] env2[=val2]
  browserRE is a regular expression matched against the value of the User-Agent header; when it matches, the environment variables are set.
  e.g., BrowserMatch ^Mozilla/[23] tables=3 java frame

Apache Built-in Handlers

- Perform certain actions when a file with a particular MIME or handler type is called.
  - server-status: get the server’s current status
  - server-info: get the server’s configuration
  - server-parsed: parse server-side includes
- AddHandler handler-name extension
  Maps the filename extension to handler-name and wakes up an existing handler.
  e.g., AddHandler cgi-script cgi
  treats files with the .cgi extension as executable CGI scripts.

SetHandler: Site.status

- Include “SetHandler <handler-name>” in block directives, such as <Directory>, <Location>, <Files>.
- It applies the transformation specified by handler-name to all files in the block.

    ExtendedStatus On
    <Location /status>
    # these rules apply only to the methods named in <Limit>
    <Limit GET>
    # no space is allowed after the comma in the Order argument
    order deny,allow
    allow from 128.198
    deny from all
    </Limit>
    SetHandler server-status
    </Location>

- Requires mod_access.
- The method in <Limit> must be upper case, e.g., GET instead of get. In Apache 1.2.5 <limit get> is OK, but not in Apache 1.3.3.
- allow from 128.198.0.0 is wrong and results in forbidden access.
- Append the above to httpd.conf, then try http://bilbo:<portno>/status?refresh=5

Perform Filtering on Certain File Type

- Site.filter demonstrates compressing .html files using gzip and saving them as .zhtml files.
- How much storage do we save in a web site by using this?
- Overhead: compression, modification of web pages! Decompression on retrieval.
- Actually there is an error on index.zhtml.
- The httpd.conf includes

    AddHandler peter-gzipped-html ghtml
    Action peter-gzipped-html /cgi-bin/unziphtml

- Action <type> <cgi-script>
  Passes files with type=<type> through <cgi-script>.

Site.Filter

unziphtml:

    #!/bin/sh
    # Emit the CGI header, a blank line, then the decompressed page.
    echo "content-type: text/html"
    echo
    # Quoted so that a path containing spaces stays a single argument.
    gzip -S .zhtml -d -c "$PATH_TRANSLATED"

- gzip options:
  -c  write output to stdout
  -d  decompress
  -S .zhtml  use suffix .zhtml instead of .gz
- Note that the .ghtml files got garbled.
- The mime.types file format does not allow .html.gz
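
The unziphtml script above hands whatever path arrives in PATH_TRANSLATED to gzip while running with the httpd's ID. The following is an added example, not the course's script: a hardened variant that serves only regular .zhtml files whose resolved path lies under the document root. It assumes Apache sets DOCUMENT_ROOT and PATH_TRANSLATED in the CGI environment; the function name serve_zhtml is hypothetical.

```shell
#!/bin/sh
# Added example: hardened form of the unziphtml filter.
# Assumes DOCUMENT_ROOT and PATH_TRANSLATED come from the CGI environment.

# serve_zhtml: write a CGI response for $PATH_TRANSLATED to stdout.
# Returns 0 after serving the page, 1 after sending an error response.
serve_zhtml() {
    # Resolve both paths so symlinks and ".." cannot escape the docroot.
    root=$(cd "${DOCUMENT_ROOT:-/nonexistent}" 2>/dev/null && pwd -P) || root=
    file=$(readlink -f -- "${PATH_TRANSLATED:-}" 2>/dev/null) || file=
    ok=0
    # Accept only a regular .zhtml file located under the document root.
    if [ -n "$root" ] && [ -f "$file" ]; then
        case $file in
            "$root"/*.zhtml) ok=1 ;;
        esac
    fi
    if [ "$ok" -ne 1 ]; then
        printf 'Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\n'
        return 1
    fi
    # Decompress to a temp file first, so a corrupt file yields an error
    # response instead of a 200 header followed by half a page.
    tmp=$(mktemp) || return 1
    # Feeding the file on stdin means gzip never parses the name itself.
    if gzip -d -c < "$file" > "$tmp" 2>/dev/null; then
        printf 'Content-Type: text/html\r\n\r\n'
        cat "$tmp"
        rc=0
    else
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\nCannot decompress\n'
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Installed as /cgi-bin/unziphtml, the script would end with a call to serve_zhtml.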

Compressing/Modifying Web Pages

- The web pages provided in site.filter on the CD-ROM are not correct. Please regenerate them with the following instructions.
- Note that before you compress, you need to modify the links to point to the compressed .zhtml files.
- mv htdocs htdoc.orig
- mkdir htdocs; cd htdocs
- cp ../../site.virtual/htdocs/customers/* .
- Replace

    <li><A href="catalog_summer.html">Summer catalog </A>
    <li><A href="catalog_autumn.html">Autumn catalog </A>

  with

    <li><A href="catalog_summer.zhtml">Summer catalog </A>
    <li><A href="catalog_autumn.zhtml">Autumn catalog </A>

- gzip *.html
- Rename *.html.gz to *.zhtml

Homework #4

- Exercise 1: Set up site.cgi
- Exercise 2: Set up site.status
- Exercise 3: Set up site.filter