Simple CGI support for Nginx
Fcgiwrap is a simple server for running CGI applications over FastCGI. It hopes to provide clean CGI support to Nginx (and other web servers that may need it).
Features and limitations
Features
- very lightweight (84KB of private memory per instance)
- fixes broken CR/LF in headers
- handles environment in a sane way (CGI scripts get HTTP-related env. vars from FastCGI parameters and inherit all the others from fcgiwrap’s environment)
- no configuration, so you can run several sites off the same fcgiwrap pool
- passes CGI stderr output to fcgiwrap’s stderr (this is by design but stderr could be also passed to FastCGI stderr stream)
Limitations
- only one request at a time (but it’s cheap to run a bunch of them)
- passes the whole request to CGI before reading the reply (won’t work if you stream the request and expect streamed response back)
Download
You can download fcgiwrap from github, either as a tarball, or as a git repo:
tarball
http://github.com/gnosek/fcgiwrap/tarball/master
git repo
git://github.com/gnosek/fcgiwrap.git
Install
To run fcgiwrap, you need libfcgi headers and libraries. If you’re on Debian, apt-get install libfcgi-dev should be enough, as long as you already have a compiler.
Enter the directory where you downloaded (and unpacked) the sources and simply run make install. This will compile fcgiwrap and put it in /usr/local/bin. If you want a different location, run make without any arguments and copy the resulting fcgiwrap file manually.
Configure
fcgiwrap doesn’t have any configuration options. However, there are two FastCGI parameters that must be provided by Nginx (note that your CGI script will probably need them too). They are DOCUMENT_ROOT and SCRIPT_NAME.
A basic FastCGI configuration could look like this (mostly stolen from Nginx wiki: http://wiki.codemongers.com/NginxFcgiExample)
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param REMOTE_USER $remote_user;
You can then start fcgiwrap (possibly in several instances) using spawn-fcgi or a similar tool (you must pass an open socket as fd 0; my Spawner? will be very nice for this once I actually make it usable and publish it) and send requests to it using fastcgi_pass. That’s it.
Note: If you don’t have a FastCGI launcher handy, this Perl script should do the trick (not tested actually but compiles and basically works):
#!/usr/bin/perl
use strict;
use warnings FATAL => qw( all );
use IO::Socket::UNIX;
my $bin_path = '/usr/local/bin/fcgiwrap';
my $socket_path = $ARGV[0] || '/tmp/cgi.sock';
my $num_children = $ARGV[1] || 1;
close STDIN;
unlink $socket_path;
my $socket = IO::Socket::UNIX->new(
Local => $socket_path,
Listen => 100,
);
die "Cannot create socket at $socket_path: $!\n" unless $socket;
for (1 .. $num_children) {
my $pid = fork;
die "Cannot fork: $!" unless defined $pid;
next if $pid;
exec $bin_path;
die "Failed to exec $bin_path: $!\n";
}Security
fcgiwrap doesn’t chroot(), drop privileges or do anything like this. It is expected that you do this beforehand (after all, you know your setup, not me). If you run it as an unprivileged user, you’ll be fine. If you run it as root, you’re already insane 🙂
fcgiwrap doesn’t verify the SCRIPT_FILENAME passed to it and will happily traverse directories upwards. I consider this the responsibility of the web server (Nginx does this just fine) but feel free to bug me if you disagree.
What fcgiwrap does is to disallow requests to non-regular and non-executable files.
Debian start script
#!/bin/sh
### BEGIN INIT INFO
# Provides: fcgiwrap
# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: FastCGI wrapper
# Description: Simple server for running CGI applications over FastCGI
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
SPAWN_FCGI="/usr/bin/spawn-fcgi"
DAEMON="/usr/sbin/fcgiwrap"
NAME="fcgiwrap"
DESC="FastCGI wrapper"
PIDFILE="/var/run/$NAME.pids"
test -x $SPAWN_FCGI || exit 0
test -x $DAEMON || exit 0
# FCGI_APP Variables
FCGI_CHILDREN="1"
FCGI_SOCKET="/var/run/$NAME.socket"
FCGI_USER="www-data"
FCGI_GROUP="www-data"
. /lib/lsb/init-functions
# Default options, these can be overriden by the information
# at /etc/default/$NAME
#DAEMON_OPTS="" # Additional options given to the server
DIETIME=10 # Time to wait for the server to die, in seconds
# If this value is set too low you might not
# let some servers to die gracefully and
# 'restart' will not work
#STARTTIME=2 # Time to wait for the server to start, in seconds
# If this value is set each time the server is
# started (on start or restart) the script will
# stall to try to determine if it is running
# If it is not set and the server takes time
# to setup a pid file the log message might
# be a false positive (says it did not start
# when it actually did)
# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
. /etc/default/$NAME
fi
DAEMONUSER="$FCGI_USER"
# Check that the user exists (if we set a user)
# Does the user exist?
if [ -n "$DAEMONUSER" ] ; then
if getent passwd | grep -q "^$DAEMONUSER:"; then
# Obtain the uid and gid
DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
else
log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
exit 1
fi
fi
set -e
running_pid() {
# Check if a given process pid's cmdline matches a given name
pid=$1
name=$2
[ -z "$pid" ] && return 1
[ ! -d /proc/$pid ] && return 1
cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
# Is this the expected server
[ "$cmd" != "$name" ] && return 1
return 0
}
running() {
# Check if the process is running looking at /proc
# (works for all users)
# No pidfile, probably no daemon present
[ ! -f "$PIDFILE" ] && return 1
PIDS="$(cat "$PIDFILE")"
for pid in $PIDS; do
if [ -n "$pid" ]; then
running_pid $pid $DAEMON && return 0 || true
fi
done
return 1
}
start_server() {
ARGS="-P $PIDFILE"
# Adjust NUMBER of processes
if [ -n "$FCGI_CHILDREN" ]; then
ARGS="$ARGS -F '$FCGI_CHILDREN'"
fi
# Adjust SOCKET or PORT and ADDR
if [ -n "$FCGI_SOCKET" ]; then
ARGS="$ARGS -s '$FCGI_SOCKET'"
elif [ -n "$FCGI_PORT" ]; then
if [ -n "$FCGI_ADDR" ]; then
ARGS="$ARGS -a '$FCGI_ADDR'"
fi
ARGS="$ARGS -p '$FCGI_PORT'"
fi
# Adjust user
if [ -n "$FCGI_USER" ]; then
ARGS="$ARGS -u '$FCGI_USER'"
if [ -n "$FCGI_SOCKET" ]; then
ARGS="$ARGS -U '$FCGI_USER'"
fi
fi
# Adjust group
if [ -n "$FCGI_GROUP" ]; then
ARGS="$ARGS -g '$FCGI_GROUP'"
if [ -n "$FCGI_SOCKET" ]; then
ARGS="$ARGS -G '$FCGI_GROUP'"
fi
fi
eval `echo $SPAWN_FCGI $ARGS $DAEMON` > /dev/null
errcode="$?"
return $errcode
}
stop_server() {
# Force the process to die killing it manually
[ ! -e "$PIDFILE" ] && return
PIDS="$(cat "$PIDFILE")"
for pid in $PIDS; do
if running_pid '$pid' '$DAEMON'; then
kill -15 $pid
# Is it really dead?
sleep "$DIETIME"s
if running_pid $pid $DAEMON; then
kill -9 $pid
sleep "$DIETIME"s
if running_pid $pid $DAEMON; then
echo "Cannot kill $NAME (pid=$pid)!"
exit 1
fi
fi
fi
done
rm -f "$PIDFILE"
if [ -n "$FCGI_SOCKET" ]; then
rm -f "$FCGI_SOCKET"
fi
}
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
# Check if it's running first
if running ; then
log_progress_msg "apparently already running"
log_end_msg 0
exit 0
fi
if start_server ; then
# NOTE: Some servers might die some time after they start,
# this code will detect this issue if STARTTIME is set
# to a reasonable value
[ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time
if running ; then
# It's ok, the server started and is running
log_end_msg 0
else
# It is not running after we did start
log_end_msg 1
fi
else
# Either we could not start it
log_end_msg 1
fi
;;
stop|force-stop)
log_daemon_msg "Stopping $DESC" "$NAME"
if running ; then
# Only stop the server if we see it running
errcode=0
stop_server || errcode=$?
log_end_msg $errcode
else
# If it's not running don't do anything
log_progress_msg "apparently not running"
log_end_msg 0
exit 0
fi
;;
restart|force-reload)
log_daemon_msg "Restarting $DESC" "$NAME"
errcode=0
stop_server || errcode=$?
# Wait some sensible amount, some server need this
[ -n "$DIETIME" ] && sleep $DIETIME
start_server || errcode=$?
[ -n "$STARTTIME" ] && sleep $STARTTIME
running || errcode=$?
log_end_msg $errcode
;;
status)
log_daemon_msg "Checking status of $DESC" "$NAME"
if running ; then
log_progress_msg "running"
log_end_msg 0
else
log_progress_msg "apparently not running"
log_end_msg 1
exit 1
fi
;;
# Use this if the daemon cannot reload
reload)
log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon"
log_warning_msg "cannot re-read the config file (use restart)."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
exit 1
;;
esac
exit 0
Performance
Come on, it’s CGI, what do you expect? 🙂
