1 <?xml version='1.0' encoding='UTF-8' ?>
2 <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
6 Copyright 2002-2004 Apache Software Foundation
8 Licensed under the Apache License, Version 2.0 (the "License");
9 you may not use this file except in compliance with the License.
10 You may obtain a copy of the License at
12 http://www.apache.org/licenses/LICENSE-2.0
14 Unless required by applicable law or agreed to in writing, software
15 distributed under the License is distributed on an "AS IS" BASIS,
16 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 See the License for the specific language governing permissions and
18 limitations under the License.
21 <manualpage metafile="cgi.xml.meta">
22 <parentdocument href="./">How-To / Tutorials</parentdocument>
24 <title>Apache Tutorial: Dynamic Content with CGI</title>
27 <title>Introduction</title>
31 <module>mod_alias</module>
32 <module>mod_cgi</module>
36 <directive module="mod_mime">AddHandler</directive>
37 <directive module="core">Options</directive>
38 <directive module="mod_alias">ScriptAlias</directive>
42 <p>The CGI (Common Gateway Interface) defines a way for a web
43 server to interact with external content-generating programs,
44 which are often referred to as CGI programs or CGI scripts. It
45 is the simplest, and most common, way to put dynamic content on
46 your web site. This document will be an introduction to setting
47 up CGI on your Apache web server, and getting started writing
51 <section id="configuring">
52 <title>Configuring Apache to permit CGI</title>
54 <p>In order to get your CGI programs to work properly, you'll
55 need to have Apache configured to permit CGI execution. There
56 are several ways to do this.</p>
58 <section id="scriptalias">
59 <title>ScriptAlias</title>
62 <directive module="mod_alias">ScriptAlias</directive>
64 directive tells Apache that a particular directory is set
65 aside for CGI programs. Apache will assume that every file in
66 this directory is a CGI program, and will attempt to execute
67 it, when that particular resource is requested by a
70 <p>The <directive module="mod_alias">ScriptAlias</directive>
71 directive looks like:</p>
74 ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/
77 <p>The example shown is from your default <code>httpd.conf</code>
78 configuration file, if you installed Apache in the default
79 location. The <directive module="mod_alias">ScriptAlias</directive>
80 directive is much like the <directive module="mod_alias"
81 >Alias</directive> directive, which defines a URL prefix that
82 is to mapped to a particular directory. <directive>Alias</directive>
83 and <directive>ScriptAlias</directive> are usually used for
84 directories that are outside of the <directive module="core"
85 >DocumentRoot</directive> directory. The difference between
86 <directive>Alias</directive> and <directive>ScriptAlias</directive>
87 is that <directive>ScriptAlias</directive> has the added meaning
88 that everything under that URL prefix will be considered a CGI
89 program. So, the example above tells Apache that any request for a
90 resource beginning with <code>/cgi-bin/</code> should be served from
91 the directory <code>/usr/local/apache/cgi-bin/</code>, and should be
92 treated as a CGI program.</p>
94 <p>For example, if the URL
95 <code>http://www.example.com/cgi-bin/test.pl</code>
96 is requested, Apache will attempt to execute the file
97 <code>/usr/local/apache/cgi-bin/test.pl</code>
98 and return the output. Of course, the file will have to
99 exist, and be executable, and return output in a particular
100 way, or Apache will return an error message.</p>
103 <section id="nonscriptalias">
104 <title>CGI outside of ScriptAlias directories</title>
106 <p>CGI programs are often restricted to <directive module="mod_alias"
107 >ScriptAlias</directive>'ed directories for security reasons.
108 In this way, administrators can tightly control who is allowed to
109 use CGI programs. However, if the proper security precautions are
110 taken, there is no reason why CGI programs cannot be run from
111 arbitrary directories. For example, you may wish to let users
112 have web content in their home directories with the
113 <directive module="mod_userdir">UserDir</directive> directive.
114 If they want to have their own CGI programs, but don't have access to
115 the main <code>cgi-bin</code> directory, they will need to be able to
116 run CGI programs elsewhere.</p>
119 <section id="options">
120 <title>Explicitly using Options to permit CGI execution</title>
122 <p>You could explicitly use the <directive module="core"
123 >Options</directive> directive, inside your main server configuration
124 file, to specify that CGI execution was permitted in a particular
128 <Directory /usr/local/apache/htdocs/somedir><br />
130 Options +ExecCGI<br />
135 <p>The above directive tells Apache to permit the execution
136 of CGI files. You will also need to tell the server what
137 files are CGI files. The following <directive module="mod_mime"
138 >AddHandler</directive> directive tells the server to treat all
139 files with the <code>cgi</code> or <code>pl</code> extension as CGI
143 AddHandler cgi-script cgi pl
147 <section id="htaccess">
148 <title>.htaccess files</title>
150 <p>A <a href="htaccess.html"><code>.htaccess</code> file</a> is a way
151 to set configuration directives on a per-directory basis. When Apache
152 serves a resource, it looks in the directory from which it is serving
153 a file for a file called <code>.htaccess</code>, and, if it
154 finds it, it will apply directives found therein.
156 <code>.htaccess</code> files can be permitted with the
157 <directive module="core">AllowOverride</directive> directive,
158 which specifies what types of directives can
159 appear in these files, or if they are not allowed at all. To
160 permit the directive we will need for this purpose, the
161 following configuration will be needed in your main server
165 AllowOverride Options
168 <p>In the <code>.htaccess</code> file, you'll need the
169 following directive:</p>
175 <p>which tells Apache that execution of CGI programs is
176 permitted in this directory.</p>
180 <section id="writing">
181 <title>Writing a CGI program</title>
183 <p>There are two main differences between ``regular''
184 programming, and CGI programming.</p>
186 <p>First, all output from your CGI program must be preceded by
187 a MIME-type header. This is HTTP header that tells the client
188 what sort of content it is receiving. Most of the time, this
192 Content-type: text/html
195 <p>Secondly, your output needs to be in HTML, or some other
196 format that a browser will be able to display. Most of the
197 time, this will be HTML, but occasionally you might write a CGI
198 program that outputs a gif image, or other non-HTML
201 <p>Apart from those two things, writing a CGI program will look
202 a lot like any other program that you might write.</p>
204 <section id="firstcgi">
205 <title>Your first CGI program</title>
207 <p>The following is an example CGI program that prints one
208 line to your browser. Type in the following, save it to a
209 file called <code>first.pl</code>, and put it in your
210 <code>cgi-bin</code> directory.</p>
213 #!/usr/bin/perl<br />
214 print "Content-type: text/html\n\n";<br />
215 print "Hello, World.";
218 <p>Even if you are not familiar with Perl, you should be able
219 to see what is happening here. The first line tells Apache
220 (or whatever shell you happen to be running under) that this
221 program can be executed by feeding the file to the
222 interpreter found at the location <code>/usr/bin/perl</code>.
223 The second line prints the content-type declaration we
224 talked about, followed by two carriage-return newline pairs.
225 This puts a blank line after the header, to indicate the end
226 of the HTTP headers, and the beginning of the body. The third
227 line prints the string "Hello, World.". And that's the end
230 <p>If you open your favorite browser and tell it to get the
234 http://www.example.com/cgi-bin/first.pl
237 <p>or wherever you put your file, you will see the one line
238 <code>Hello, World.</code> appear in your browser window.
239 It's not very exciting, but once you get that working, you'll
240 have a good chance of getting just about anything working.</p>
244 <section id="troubleshoot">
245 <title>But it's still not working!</title>
247 <p>There are four basic things that you may see in your browser
248 when you try to access your CGI program from the web:</p>
251 <dt>The output of your CGI program</dt>
252 <dd>Great! That means everything worked fine.</dd>
254 <dt>The source code of your CGI program or a "POST Method Not
255 Allowed" message</dt>
256 <dd>That means that you have not properly configured Apache
257 to process your CGI program. Reread the section on
258 <a href="#configuringapachetopermitcgi">configuring
259 Apache</a> and try to find what you missed.</dd>
261 <dt>A message starting with "Forbidden"</dt>
262 <dd>That means that there is a permissions problem. Check the
263 <a href="#errorlogs">Apache error log</a> and the section below on
264 <a href="#permissions">file permissions</a>.</dd>
266 <dt>A message saying "Internal Server Error"</dt>
268 <a href="#errorlogs">Apache error log</a>, you will probably
269 find that it says "Premature end of
270 script headers", possibly along with an error message
271 generated by your CGI program. In this case, you will want to
272 check each of the below sections to see what might be
273 preventing your CGI program from emitting the proper HTTP
277 <section id="permissions">
278 <title>File permissions</title>
280 <p>Remember that the server does not run as you. That is,
281 when the server starts up, it is running with the permissions
282 of an unprivileged user - usually <code>nobody</code>, or
283 <code>www</code> - and so it will need extra permissions to
284 execute files that are owned by you. Usually, the way to give
285 a file sufficient permissions to be executed by <code>nobody</code>
286 is to give everyone execute permission on the file:</p>
292 <p>Also, if your program reads from, or writes to, any other
293 files, those files will need to have the correct permissions
296 <p>The exception to this is when the server is configured to
297 use <a href="../suexec.html">suexec</a>. This program allows
298 CGI programs to be run under different
299 user permissions, depending on which virtual host or user
300 home directory they are located in. Suexec has very strict
301 permission checking, and any failure in that checking will
302 result in your CGI programs failing with an "Internal Server
303 Error". In this case, you will need to check the suexec log
304 file to see what specific security check is failing.</p>
307 <section id="pathinformation">
308 <title>Path information</title>
310 <p>When you run a program from your command line, you have
311 certain information that is passed to the shell without you
312 thinking about it. For example, you have a path, which tells
313 the shell where it can look for files that you reference.</p>
315 <p>When a program runs through the web server as a CGI
316 program, it does not have that path. Any programs that you
317 invoke in your CGI program (like 'sendmail', for example)
318 will need to be specified by a full path, so that the shell
319 can find them when it attempts to execute your CGI
322 <p>A common manifestation of this is the path to the script
323 interpreter (often <code>perl</code>) indicated in the first
324 line of your CGI program, which will look something like:</p>
330 <p>Make sure that this is in fact the path to the
334 <section id="syntaxerrors">
335 <title>Syntax errors</title>
337 <p>Most of the time when a CGI program fails, it's because of
338 a problem with the program itself. This is particularly true
339 once you get the hang of this CGI stuff, and no longer make
340 the above two mistakes. Always attempt to run your program
341 from the command line before you test if via a browser. This
342 will eliminate most of your problems.</p>
345 <section id="errorlogs">
346 <title>Error logs</title>
348 <p>The error logs are your friend. Anything that goes wrong
349 generates message in the error log. You should always look
350 there first. If the place where you are hosting your web site
351 does not permit you access to the error log, you should
352 probably host your site somewhere else. Learn to read the
353 error logs, and you'll find that almost all of your problems
354 are quickly identified, and quickly solved.</p>
358 <section id="behindscenes">
359 <title>What's going on behind the scenes?</title>
361 <p>As you become more advanced in CGI programming, it will
362 become useful to understand more about what's happening behind
363 the scenes. Specifically, how the browser and server
364 communicate with one another. Because although it's all very
365 well to write a program that prints "Hello, World.", it's not
366 particularly useful.</p>
369 <title>Environment variables</title>
371 <p>Environment variables are values that float around you as
372 you use your computer. They are useful things like your path
373 (where the computer searches for the actual file
374 implementing a command when you type it), your username, your
375 terminal type, and so on. For a full list of your normal,
376 every day environment variables, type
377 <code>env</code> at a command prompt.</p>
379 <p>During the CGI transaction, the server and the browser
380 also set environment variables, so that they can communicate
381 with one another. These are things like the browser type
382 (Netscape, IE, Lynx), the server type (Apache, IIS, WebSite),
383 the name of the CGI program that is being run, and so on.</p>
385 <p>These variables are available to the CGI programmer, and
386 are half of the story of the client-server communication. The
387 complete list of required variables is at
388 <a href="http://hoohoo.ncsa.uiuc.edu/cgi/env.html"
389 >http://hoohoo.ncsa.uiuc.edu/cgi/env.html</a>.</p>
391 <p>This simple Perl CGI program will display all of the
392 environment variables that are being passed around. Two
393 similar programs are included in the
396 directory of the Apache distribution. Note that some
397 variables are required, while others are optional, so you may
398 see some variables listed that were not in the official list.
399 In addition, Apache provides many different ways for you to
400 <a href="../env.html">add your own environment variables</a>
401 to the basic ones provided by default.</p>
404 #!/usr/bin/perl<br />
405 print "Content-type: text/html\n\n";<br />
406 foreach $key (keys %ENV) {<br />
408 print "$key --> $ENV{$key}<br>";<br />
415 <title>STDIN and STDOUT</title>
417 <p>Other communication between the server and the client
418 happens over standard input (<code>STDIN</code>) and standard
419 output (<code>STDOUT</code>). In normal everyday context,
420 <code>STDIN</code> means the keyboard, or a file that a
421 program is given to act on, and <code>STDOUT</code>
422 usually means the console or screen.</p>
424 <p>When you <code>POST</code> a web form to a CGI program,
425 the data in that form is bundled up into a special format
426 and gets delivered to your CGI program over <code>STDIN</code>.
427 The program then can process that data as though it was
428 coming in from the keyboard, or from a file</p>
430 <p>The "special format" is very simple. A field name and
431 its value are joined together with an equals (=) sign, and
432 pairs of values are joined together with an ampersand
433 (&). Inconvenient characters like spaces, ampersands, and
434 equals signs, are converted into their hex equivalent so that
435 they don't gum up the works. The whole data string might look
439 name=Rich%20Bowen&city=Lexington&state=KY&sidekick=Squirrel%20Monkey
442 <p>You'll sometimes also see this type of string appended to
443 a URL. When that is done, the server puts that string
444 into the environment variable called
445 <code>QUERY_STRING</code>. That's called a <code>GET</code>
446 request. Your HTML form specifies whether a <code>GET</code>
447 or a <code>POST</code> is used to deliver the data, by setting the
448 <code>METHOD</code> attribute in the <code>FORM</code> tag.</p>
450 <p>Your program is then responsible for splitting that string
451 up into useful information. Fortunately, there are libraries
452 and modules available to help you process this data, as well
453 as handle other of the aspects of your CGI program.</p>
457 <section id="libraries">
458 <title>CGI modules/libraries</title>
460 <p>When you write CGI programs, you should consider using a
461 code library, or module, to do most of the grunt work for you.
462 This leads to fewer errors, and faster development.</p>
464 <p>If you're writing CGI programs in Perl, modules are
465 available on <a href="http://www.cpan.org/">CPAN</a>. The most
466 popular module for this purpose is <code>CGI.pm</code>. You might
467 also consider <code>CGI::Lite</code>, which implements a minimal
468 set of functionality, which is all you need in most programs.</p>
470 <p>If you're writing CGI programs in C, there are a variety of
471 options. One of these is the <code>CGIC</code> library, from
472 <a href="http://www.boutell.com/cgic/"
473 >http://www.boutell.com/cgic/</a>.</p>
476 <section id="moreinfo">
477 <title>For more information</title>
479 <p>There are a large number of CGI resources on the web. You
480 can discuss CGI problems with other users on the Usenet group
481 <a href="news:comp.infosystems.www.authoring.cgi"
482 >comp.infosystems.www.authoring.cgi</a>. And the -servers mailing
483 list from the HTML Writers Guild is a great source of answers
484 to your questions. You can find out more at
485 <a href="http://www.hwg.org/lists/hwg-servers/"
486 >http://www.hwg.org/lists/hwg-servers/</a>.</p>
488 <p>And, of course, you should probably read the CGI
489 specification, which has all the details on the operation of
490 CGI programs. You can find the original version at the
491 <a href="http://hoohoo.ncsa.uiuc.edu/cgi/interface.html"
492 >NCSA</a> and there is an updated draft at the
493 <a href="http://web.golux.com/coar/cgi/">Common Gateway
494 Interface RFC project</a>.</p>
496 <p>When you post a question about a CGI problem that you're
497 having, whether to a mailing list, or to a newsgroup, make sure
498 you provide enough information about what happened, what you
499 expected to happen, and how what actually happened was
500 different, what server you're running, what language your CGI
501 program was in, and, if possible, the offending code. This will
502 make finding your problem much simpler.</p>
504 <p>Note that questions about CGI problems should <strong>never</strong>
505 be posted to the Apache bug database unless you are sure you
506 have found a problem in the Apache source code.</p>