1 <?xml version='1.0' encoding='UTF-8' ?>
2 <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <manualpage metafile="cgi.xml.meta">
24 <parentdocument href="./">How-To / Tutorials</parentdocument>
26 <title>Apache Tutorial: Dynamic Content with CGI</title>
29 <title>Introduction</title>
33 <module>mod_alias</module>
34 <module>mod_cgi</module>
35 <module>mod_cgid</module>
39 <directive module="mod_mime">AddHandler</directive>
40 <directive module="core">Options</directive>
41 <directive module="mod_alias">ScriptAlias</directive>
45 <p>The CGI (Common Gateway Interface) defines a way for a web
46 server to interact with external content-generating programs,
47 which are often referred to as CGI programs or CGI scripts. It
48 is a simple way to put dynamic content on
49 your web site, using whatever programming language you're most
50 familiar with. This document will be an introduction to setting
51 up CGI on your Apache web server, and getting started writing
55 <section id="configuring">
56 <title>Configuring Apache to permit CGI</title>
58 <p>In order to get your CGI programs to work properly, you'll
59 need to have Apache configured to permit CGI execution. There
60 are several ways to do this.</p>
62 <note type="warning">Note: If Apache has been built with shared module
63 support you need to ensure that the module is loaded; in your
64 <code>httpd.conf</code> you need to make sure the
65 <directive module="mod_so">LoadModule</directive>
66 directive has not been commented out. A correctly configured directive
69 <highlight language="config">
70 LoadModule cgid_module modules/mod_cgid.so
74 On Windows, or using a non-threaded MPM like prefork, A correctly
75 configured directive may look like this:
77 <highlight language="config">
78 LoadModule cgi_module modules/mod_cgi.so
82 <section id="scriptalias">
83 <title>ScriptAlias</title>
86 <directive module="mod_alias">ScriptAlias</directive>
88 directive tells Apache that a particular directory is set
89 aside for CGI programs. Apache will assume that every file in
90 this directory is a CGI program, and will attempt to execute
91 it, when that particular resource is requested by a
94 <p>The <directive module="mod_alias">ScriptAlias</directive>
95 directive looks like:</p>
97 <highlight language="config">
98 ScriptAlias "/cgi-bin/" "/usr/local/apache2/cgi-bin/"
101 <p>The example shown is from your default <code>httpd.conf</code>
102 configuration file, if you installed Apache in the default
103 location. The <directive module="mod_alias">ScriptAlias</directive>
104 directive is much like the <directive module="mod_alias"
105 >Alias</directive> directive, which defines a URL prefix that
106 is to mapped to a particular directory. <directive>Alias</directive>
107 and <directive>ScriptAlias</directive> are usually used for
108 directories that are outside of the <directive module="core"
109 >DocumentRoot</directive> directory. The difference between
110 <directive>Alias</directive> and <directive>ScriptAlias</directive>
111 is that <directive>ScriptAlias</directive> has the added meaning
112 that everything under that URL prefix will be considered a CGI
113 program. So, the example above tells Apache that any request for a
114 resource beginning with <code>/cgi-bin/</code> should be served from
115 the directory <code>/usr/local/apache2/cgi-bin/</code>, and should be
116 treated as a CGI program.</p>
118 <p>For example, if the URL
119 <code>http://www.example.com/cgi-bin/test.pl</code>
120 is requested, Apache will attempt to execute the file
121 <code>/usr/local/apache2/cgi-bin/test.pl</code>
122 and return the output. Of course, the file will have to
123 exist, and be executable, and return output in a particular
124 way, or Apache will return an error message.</p>
127 <section id="nonscriptalias">
128 <title>CGI outside of ScriptAlias directories</title>
130 <p>CGI programs are often restricted to <directive module="mod_alias"
131 >ScriptAlias</directive>'ed directories for security reasons.
132 In this way, administrators can tightly control who is allowed to
133 use CGI programs. However, if the proper security precautions are
134 taken, there is no reason why CGI programs cannot be run from
135 arbitrary directories. For example, you may wish to let users
136 have web content in their home directories with the
137 <directive module="mod_userdir">UserDir</directive> directive.
138 If they want to have their own CGI programs, but don't have access to
139 the main <code>cgi-bin</code> directory, they will need to be able to
140 run CGI programs elsewhere.</p>
142 <p>There are two steps to allowing CGI execution in an arbitrary
143 directory. First, the <code>cgi-script</code> handler must be
144 activated using the <directive
145 module="mod_mime">AddHandler</directive> or <directive
146 module="core">SetHandler</directive> directive. Second,
147 <code>ExecCGI</code> must be specified in the <directive
148 module="core">Options</directive> directive.</p>
151 <section id="options">
152 <title>Explicitly using Options to permit CGI execution</title>
154 <p>You could explicitly use the <directive module="core"
155 >Options</directive> directive, inside your main server configuration
156 file, to specify that CGI execution was permitted in a particular
159 <highlight language="config">
160 <Directory "/usr/local/apache2/htdocs/somedir">
165 <p>The above directive tells Apache to permit the execution
166 of CGI files. You will also need to tell the server what
167 files are CGI files. The following <directive module="mod_mime"
168 >AddHandler</directive> directive tells the server to treat all
169 files with the <code>cgi</code> or <code>pl</code> extension as CGI
172 <highlight language="config">
173 AddHandler cgi-script .cgi .pl
177 <section id="htaccess">
178 <title>.htaccess files</title>
180 <p>The <a href="htaccess.html"><code>.htaccess</code> tutorial</a>
181 shows how to activate CGI programs if you do not have
182 access to <code>httpd.conf</code>.</p>
185 <section id="userdir">
186 <title>User Directories</title>
188 <p>To allow CGI program execution for any file ending in
189 <code>.cgi</code> in users' directories, you can use the
190 following configuration.</p>
192 <highlight language="config">
193 <Directory "/home/*/public_html">
195 AddHandler cgi-script .cgi
199 <p>If you wish designate a <code>cgi-bin</code> subdirectory of
200 a user's directory where everything will be treated as a CGI
201 program, you can use the following.</p>
203 <highlight language="config">
204 <Directory "/home/*/public_html/cgi-bin">
206 SetHandler cgi-script
214 <section id="writing">
215 <title>Writing a CGI program</title>
217 <p>There are two main differences between ``regular''
218 programming, and CGI programming.</p>
220 <p>First, all output from your CGI program must be preceded by
221 a <glossary>MIME-type</glossary> header. This is HTTP header that tells the client
222 what sort of content it is receiving. Most of the time, this
226 Content-type: text/html
229 <p>Secondly, your output needs to be in HTML, or some other
230 format that a browser will be able to display. Most of the
231 time, this will be HTML, but occasionally you might write a CGI
232 program that outputs a gif image, or other non-HTML
235 <p>Apart from those two things, writing a CGI program will look
236 a lot like any other program that you might write.</p>
238 <section id="firstcgi">
239 <title>Your first CGI program</title>
241 <p>The following is an example CGI program that prints one
242 line to your browser. Type in the following, save it to a
243 file called <code>first.pl</code>, and put it in your
244 <code>cgi-bin</code> directory.</p>
246 <highlight language="perl">
248 print "Content-type: text/html\n\n";
249 print "Hello, World.";
252 <p>Even if you are not familiar with Perl, you should be able
253 to see what is happening here. The first line tells Apache
254 (or whatever shell you happen to be running under) that this
255 program can be executed by feeding the file to the
256 interpreter found at the location <code>/usr/bin/perl</code>.
257 The second line prints the content-type declaration we
258 talked about, followed by two carriage-return newline pairs.
259 This puts a blank line after the header, to indicate the end
260 of the HTTP headers, and the beginning of the body. The third
261 line prints the string "Hello, World.". And that's the end
264 <p>If you open your favorite browser and tell it to get the
268 http://www.example.com/cgi-bin/first.pl
271 <p>or wherever you put your file, you will see the one line
272 <code>Hello, World.</code> appear in your browser window.
273 It's not very exciting, but once you get that working, you'll
274 have a good chance of getting just about anything working.</p>
278 <section id="troubleshoot">
279 <title>But it's still not working!</title>
281 <p>There are four basic things that you may see in your browser
282 when you try to access your CGI program from the web:</p>
285 <dt>The output of your CGI program</dt>
286 <dd>Great! That means everything worked fine. If the output is correct,
287 but the browser is not processing it correctly, make sure you have the
288 correct <code>Content-Type</code> set in your CGI program.</dd>
290 <dt>The source code of your CGI program or a "POST Method Not
291 Allowed" message</dt>
292 <dd>That means that you have not properly configured Apache
293 to process your CGI program. Reread the section on
294 <a href="#configuring">configuring
295 Apache</a> and try to find what you missed.</dd>
297 <dt>A message starting with "Forbidden"</dt>
298 <dd>That means that there is a permissions problem. Check the
299 <a href="#errorlogs">Apache error log</a> and the section below on
300 <a href="#permissions">file permissions</a>.</dd>
302 <dt>A message saying "Internal Server Error"</dt>
304 <a href="#errorlogs">Apache error log</a>, you will probably
305 find that it says "Premature end of
306 script headers", possibly along with an error message
307 generated by your CGI program. In this case, you will want to
308 check each of the below sections to see what might be
309 preventing your CGI program from emitting the proper HTTP
313 <section id="permissions">
314 <title>File permissions</title>
316 <p>Remember that the server does not run as you. That is,
317 when the server starts up, it is running with the permissions
318 of an unprivileged user - usually <code>nobody</code>, or
319 <code>www</code> - and so it will need extra permissions to
320 execute files that are owned by you. Usually, the way to give
321 a file sufficient permissions to be executed by <code>nobody</code>
322 is to give everyone execute permission on the file:</p>
328 <p>Also, if your program reads from, or writes to, any other
329 files, those files will need to have the correct permissions
334 <section id="pathinformation">
335 <title>Path information and environment</title>
337 <p>When you run a program from your command line, you have
338 certain information that is passed to the shell without you
339 thinking about it. For example, you have a <code>PATH</code>,
340 which tells the shell where it can look for files that you
343 <p>When a program runs through the web server as a CGI program,
344 it may not have the same <code>PATH</code>. Any programs that you
345 invoke in your CGI program (like <code>sendmail</code>, for
346 example) will need to be specified by a full path, so that the
347 shell can find them when it attempts to execute your CGI
350 <p>A common manifestation of this is the path to the script
351 interpreter (often <code>perl</code>) indicated in the first
352 line of your CGI program, which will look something like:</p>
354 <highlight language="perl">
358 <p>Make sure that this is in fact the path to the
360 <note type="warning">
361 When editing CGI scripts on Windows, end-of-line characters may be
362 appended to the interpreter path. Ensure that files are then
363 transferred to the server in ASCII mode. Failure to do so may
364 result in "Command not found" warnings from the OS, due to the
365 unrecognized end-of-line character being interpreted as a part of
366 the interpreter filename.
370 <section id="missingenv">
371 <title>Missing environment variables</title>
373 <p>If your CGI program depends on non-standard <a
374 href="#env">environment variables</a>, you will need to
375 assure that those variables are passed by Apache.</p>
377 <p>When you miss HTTP headers from the environment, make
378 sure they are formatted according to
379 <a href="http://tools.ietf.org/html/rfc2616">RFC 2616</a>,
380 section 4.2: Header names must start with a letter,
381 followed only by letters, numbers or hyphen. Any header
382 violating this rule will be dropped silently.</p>
386 <section id="syntaxerrors">
387 <title>Program errors</title>
389 <p>Most of the time when a CGI program fails, it's because of
390 a problem with the program itself. This is particularly true
391 once you get the hang of this CGI stuff, and no longer make
392 the above two mistakes. The first thing to do is to make
393 sure that your program runs from the command line before
394 testing it via the web server. For example, try:</p>
397 cd /usr/local/apache2/cgi-bin<br/>
401 <p>(Do not call the <code>perl</code> interpreter. The shell
402 and Apache should find the interpreter using the <a
403 href="#pathinformation">path information</a> on the first line of
406 <p>The first thing you see written by your program should be
407 a set of HTTP headers, including the <code>Content-Type</code>,
408 followed by a blank line. If you see anything else, Apache will
409 return the <code>Premature end of script headers</code> error if
410 you try to run it through the server. See <a
411 href="#writing">Writing a CGI program</a> above for more
415 <section id="errorlogs">
416 <title>Error logs</title>
418 <p>The error logs are your friend. Anything that goes wrong
419 generates message in the error log. You should always look
420 there first. If the place where you are hosting your web site
421 does not permit you access to the error log, you should
422 probably host your site somewhere else. Learn to read the
423 error logs, and you'll find that almost all of your problems
424 are quickly identified, and quickly solved.</p>
427 <section id="suexec">
428 <title>Suexec</title>
430 <p>The <a href="../suexec.html">suexec</a> support program
431 allows CGI programs to be run under different user permissions,
432 depending on which virtual host or user home directory they are
433 located in. Suexec has very strict permission checking, and any
434 failure in that checking will result in your CGI programs
435 failing with <code>Premature end of script headers</code>.</p>
437 <p>To check if you are using suexec, run <code>apachectl
438 -V</code> and check for the location of <code>SUEXEC_BIN</code>.
439 If Apache finds an <program>suexec</program> binary there on startup,
440 suexec will be activated.</p>
442 <p>Unless you fully understand suexec, you should not be using it.
443 To disable suexec, simply remove (or rename) the <program>suexec</program>
444 binary pointed to by <code>SUEXEC_BIN</code> and then restart the
445 server. If, after reading about <a href="../suexec.html">suexec</a>,
446 you still wish to use it, then run <code>suexec -V</code> to find
447 the location of the suexec log file, and use that log file to
448 find what policy you are violating.</p>
452 <section id="behindscenes">
453 <title>What's going on behind the scenes?</title>
455 <p>As you become more advanced in CGI programming, it will
456 become useful to understand more about what's happening behind
457 the scenes. Specifically, how the browser and server
458 communicate with one another. Because although it's all very
459 well to write a program that prints "Hello, World.", it's not
460 particularly useful.</p>
463 <title>Environment variables</title>
465 <p>Environment variables are values that float around you as
466 you use your computer. They are useful things like your path
467 (where the computer searches for the actual file
468 implementing a command when you type it), your username, your
469 terminal type, and so on. For a full list of your normal,
470 every day environment variables, type
471 <code>env</code> at a command prompt.</p>
473 <p>During the CGI transaction, the server and the browser
474 also set environment variables, so that they can communicate
475 with one another. These are things like the browser type
476 (Netscape, IE, Lynx), the server type (Apache, IIS, WebSite),
477 the name of the CGI program that is being run, and so on.</p>
479 <p>These variables are available to the CGI programmer, and
480 are half of the story of the client-server communication. The
481 complete list of required variables is at
482 <a href="http://www.ietf.org/rfc/rfc3875">Common Gateway
483 Interface RFC</a>.</p>
485 <p>This simple Perl CGI program will display all of the
486 environment variables that are being passed around. Two
487 similar programs are included in the
490 directory of the Apache distribution. Note that some
491 variables are required, while others are optional, so you may
492 see some variables listed that were not in the official list.
493 In addition, Apache provides many different ways for you to
494 <a href="../env.html">add your own environment variables</a>
495 to the basic ones provided by default.</p>
497 <highlight language="perl">
502 print "Content-type: text/html\n\n";
503 foreach my $key (keys %ENV) {
504 print "$key --> $ENV{$key}<br>";
510 <title>STDIN and STDOUT</title>
512 <p>Other communication between the server and the client
513 happens over standard input (<code>STDIN</code>) and standard
514 output (<code>STDOUT</code>). In normal everyday context,
515 <code>STDIN</code> means the keyboard, or a file that a
516 program is given to act on, and <code>STDOUT</code>
517 usually means the console or screen.</p>
519 <p>When you <code>POST</code> a web form to a CGI program,
520 the data in that form is bundled up into a special format
521 and gets delivered to your CGI program over <code>STDIN</code>.
522 The program then can process that data as though it was
523 coming in from the keyboard, or from a file</p>
525 <p>The "special format" is very simple. A field name and
526 its value are joined together with an equals (=) sign, and
527 pairs of values are joined together with an ampersand
528 (&). Inconvenient characters like spaces, ampersands, and
529 equals signs, are converted into their hex equivalent so that
530 they don't gum up the works. The whole data string might look
534 name=Rich%20Bowen&city=Lexington&state=KY&sidekick=Squirrel%20Monkey
537 <p>You'll sometimes also see this type of string appended to
538 a URL. When that is done, the server puts that string
539 into the environment variable called
540 <code>QUERY_STRING</code>. That's called a <code>GET</code>
541 request. Your HTML form specifies whether a <code>GET</code>
542 or a <code>POST</code> is used to deliver the data, by setting the
543 <code>METHOD</code> attribute in the <code>FORM</code> tag.</p>
545 <p>Your program is then responsible for splitting that string
546 up into useful information. Fortunately, there are libraries
547 and modules available to help you process this data, as well
548 as handle other of the aspects of your CGI program.</p>
552 <section id="libraries">
553 <title>CGI modules/libraries</title>
555 <p>When you write CGI programs, you should consider using a
556 code library, or module, to do most of the grunt work for you.
557 This leads to fewer errors, and faster development.</p>
559 <p>If you're writing CGI programs in Perl, modules are
560 available on <a href="http://www.cpan.org/">CPAN</a>. The most
561 popular module for this purpose is <code>CGI.pm</code>. You might
562 also consider <code>CGI::Lite</code>, which implements a minimal
563 set of functionality, which is all you need in most programs.</p>
565 <p>If you're writing CGI programs in C, there are a variety of
566 options. One of these is the <code>CGIC</code> library, from
567 <a href="http://www.boutell.com/cgic/"
568 >http://www.boutell.com/cgic/</a>.</p>
571 <section id="moreinfo">
572 <title>For more information</title>
574 <p>The current CGI specification is available in the
575 <a href="http://www.ietf.org/rfc/rfc3875">Common Gateway
576 Interface RFC</a>.</p>
578 <p>When you post a question about a CGI problem that you're
579 having, whether to a mailing list, or to a newsgroup, make sure
580 you provide enough information about what happened, what you
581 expected to happen, and how what actually happened was
582 different, what server you're running, what language your CGI
583 program was in, and, if possible, the offending code. This will
584 make finding your problem much simpler.</p>
586 <p>Note that questions about CGI problems should <strong>never</strong>
587 be posted to the Apache bug database unless you are sure you
588 have found a problem in the Apache source code.</p>