Discussion:
Lighttpd fastcgi authorizers
Cody Pisto
2005-10-06 00:10:25 UTC
Permalink
Hi all,

Ive got two questions regarding lighttpd's fastcgi support,

1.) How does one enable a fastcgi authorizer to protect other fastcgis?
I tried the following, to protect /fcgi/streamer.fcgi, and it does
execute the authorizer, but 403 is always returned even though
the authorizer is returning 200, (the authorizer works as is on apache
and zeus)

fastcgi.server = (
"/fcgi/" =>
( "streamerauth" =>
(
"mode" => "authorizer",
"docroot" => "/opt/nmxs/app",
"check-local" => "disable",
"socket" => "/tmp/streamerauth.sock"
)
),
"/fcgi/streamer.fcgi" =>
( "streamer" =>
(
"mode" => "responder",
"check-local" => "disable",
"socket" => "/tmp/streamer.sock"
)
)
)
)


2.) Does lighttpd not support authorizers setting variables for later
fastcgi processes to see as per the fastcgi spec?
IE the authorizer adding a header to its output like "Variable-name:
value", and all authorized later fastcgi processes seeing an environment
variable "name"..

Thanks in advance,

-Cody
Cody Pisto
2005-10-06 00:42:06 UTC
Permalink
I apologize for replying to my own post, but I've just dug into the
source and found some possible answers to my questions,

I see that Variable- support is not available at all, but it seems it
would be fairly easy to add for fastcgi subrequests ( not easy for
adding to all sub requests as it seems environments are plugin specific
and not part of the general structure passed around in lighttpd.. :-( )

I also see that fastcgi authorizers can only support protecting static
files at the moment, I don't know how difficult this would be to fix as
I don't see any obvious way to initiate a new subrequest (that could be
potentially a fastcgi under the directory protected by the authorizer
that just executed). Can anyone more familiar with lighttpd internals
point me in the right direction regarding new sub/request handling?

Thanks in advance,

-Cody
Post by Cody Pisto
Hi all,
Ive got two questions regarding lighttpd's fastcgi support,
1.) How does one enable a fastcgi authorizer to protect other fastcgis?
I tried the following, to protect /fcgi/streamer.fcgi, and it does
execute the authorizer, but 403 is always returned even though
the authorizer is returning 200, (the authorizer works as is on apache
and zeus)
fastcgi.server = (
"/fcgi/" =>
( "streamerauth" =>
(
"mode" => "authorizer",
"docroot" => "/opt/nmxs/app",
"check-local" => "disable",
"socket" => "/tmp/streamerauth.sock"
)
),
"/fcgi/streamer.fcgi" =>
( "streamer" =>
(
"mode" => "responder",
"check-local" => "disable",
"socket" => "/tmp/streamer.sock"
)
)
)
)
2.) Does lighttpd not support authorizers setting variables for later
fastcgi processes to see as per the fastcgi spec?
value", and all authorized later fastcgi processes seeing an
environment variable "name"..
Thanks in advance,
-Cody
Aled Gest
2005-10-07 19:12:18 UTC
Permalink
I'm fairly novice when it comes to lighty's internals however i do
believe it should be possible to make mod_fcgi support authorizers for
fcgi requests. I haven't looked into this too deeply, but for an idea
on how lighty triggers a new subrequest for dynamic content have a
look at the mod_cml* code. I appologise if i've missed something
obvious here but i'm more familiar with the mod_cml code than the
mod_fcgi code.

Regards,
Al.
Post by Cody Pisto
I apologize for replying to my own post, but I've just dug into the
source and found some possible answers to my questions,
I see that Variable- support is not available at all, but it seems it
would be fairly easy to add for fastcgi subrequests ( not easy for
adding to all sub requests as it seems environments are plugin specific
and not part of the general structure passed around in lighttpd.. :-( )
I also see that fastcgi authorizers can only support protecting static
files at the moment, I don't know how difficult this would be to fix as
I don't see any obvious way to initiate a new subrequest (that could be
potentially a fastcgi under the directory protected by the authorizer
that just executed). Can anyone more familiar with lighttpd internals
point me in the right direction regarding new sub/request handling?
Thanks in advance,
-Cody
Post by Cody Pisto
Hi all,
Ive got two questions regarding lighttpd's fastcgi support,
1.) How does one enable a fastcgi authorizer to protect other fastcgis?
I tried the following, to protect /fcgi/streamer.fcgi, and it does
execute the authorizer, but 403 is always returned even though
the authorizer is returning 200, (the authorizer works as is on apache
and zeus)
fastcgi.server = (
"/fcgi/" =>
( "streamerauth" =>
(
"mode" => "authorizer",
"docroot" => "/opt/nmxs/app",
"check-local" => "disable",
"socket" => "/tmp/streamerauth.sock"
)
),
"/fcgi/streamer.fcgi" =>
( "streamer" =>
(
"mode" => "responder",
"check-local" => "disable",
"socket" => "/tmp/streamer.sock"
)
)
)
)
2.) Does lighttpd not support authorizers setting variables for later
fastcgi processes to see as per the fastcgi spec?
value", and all authorized later fastcgi processes seeing an
environment variable "name"..
Thanks in advance,
-Cody
Loading...