CS401 Page 1 - PowerPoint PPT Presentation

Description:

On browser, retrieve http://bilbo: port# /form_summer.html. Fill the ... Append the above in httpd.conf, try http://bilbo: portno /status?refresh=5. 9/18/09 ... – PowerPoint PPT presentation

Slides: 14
Provided by: csU75
Learn more at: http://www.cs.uccs.edu

1
Common Gateway Interface (CGI; current version
1.1)
  • a standard for external applications to interface
    with information servers such as HTTP servers
  • http://hoohoo.ncsa.uiuc.edu/docs/cgi/overview.html
  • These external applications typically help to
    relay info between httpd and other software
    systems, e.g., a DB. This is how CGI gets its
    "gateway" name.
  • They are called CGI programs and can be written
    in any language that follows the CGI spec: Perl,
    Unix shell, C/C++, Fortran, TCL, Visual
    Basic
  • A CGI program is executed dynamically and provides
    dynamic content.

2
CGI Security Concerns
  • A CGI program runs with the user ID of httpd (webuser
    in our case, nobody on many other web servers)
  • It can retrieve and overwrite files in any
    directory to which that ID has access permission!
  • Security by obscurity: CGI programs are kept in a
    different directory from the web pages so bad guys
    can't read, edit, or analyze them for security
    holes.
  • Example of why Apache by default does not
    follow soft links (ln -s): a bad guy sets up ln -s
    to a script, then uses a web browser, through httpd
    (new permission as webuser), to retrieve the text
    of the script.

3
Apache CGI Configuration
  • Allow read and execute access to the CGI
    programs, and possibly write access to the data
    directories used by them.
  • ScriptAlias URLpath directory, e.g., ScriptAlias
    /cgi-bin /mpc/home/<login>/sites/cgi-bin
  • An incoming URL with /cgi-bin/echoorder.pl causes
    /mpc/home/<login>/sites/cgi-bin/echoorder.pl to
    run.

4
Apache CGI Exercise 1
  • cd /mpc/home/<login>/site.cgi/conf
  • Run sub.pl <your port>. It will modify the go
    script and conf/httpd.conf
  • Start web server with go
  • On browser, retrieve
    http://bilbo:<port>/form_summer.html
  • Fill the form and submit the query.
  • Observe the environment variables returned.

5
Apache CGI Exercise 2
  • myecho is object code for FreeBSD.
    Recompile myecho with make.
  • cp form_summer.html form_summer2.html
  • Edit form_summer2.html by replacing
    /cgi-bin/mycgi with /cgi-bin/myecho in the <FORM>
    tag; rename it as form_summer2.html
  • On browser, retrieve
    http://bilbo:<port>/form_summer2.html
  • Observe the return web page.

6
CGI.pm: A Perl5 CGI Library
  • Echoorder.pl and process.pl are written with the
    recent version 2.36 of CGI.pm by Lincoln
    Stein:
    http://www-genome.wi.mit.edu/ftp/pub/software/WWW/cgi_docs.html
  • It provides functions for:
  • parsing the query string
  • creating web pages/fill-out forms
  • saving/retrieving the query string to files
  • HTTP session variables
  • cookie, frame, JavaScript, and NPH support
  • Debug the Perl script by running ./<script>.pl and
    entering the query string, e.g., order1=3&order2=4

7
Passing Variables to CGI Program
  • SetEnv variable value, e.g., SetEnv VHOST customers:
    sets an environment variable to a value.
  • PassEnv <host env variable>: passes host environment
    variables to the CGI program.
  • Find out the browser and version
    number: BrowserMatch browserRE env=val1
    env2=val2. browserRE is a regular expression matched
    against the value of the User-Agent header; when it
    matches, the env vars are set.
  • e.g., BrowserMatch Mozilla/[23] tables=3 java
    frame

8
Apache Built-in Handlers
  • Perform certain actions when a file with a
    particular MIME or handler type is called.
  • server-status: gets the server's current status
  • server-info: gets the server's configuration
  • server-parsed: parses server-side includes
  • AddHandler handler-name extension: maps a filename
    extension to handler-name and wakes up an existing
    handler.
  • e.g., AddHandler cgi-script cgi: treats files with
    the .cgi extension as executable CGI scripts

9
SetHandler: Site.status
  • Include SetHandler <handler-name> in block
    directives, such as <Directory>, <Location>,
    <Files>. It applies the transformation specified by
    handler-name to all files in the block.
      ExtendedStatus On
      <Location /status>
      <Limit GET>
      order deny,allow
      allow from 128.198
      deny from all
      </Limit>
      SetHandler server-status
      </Location>
  • Requires mod_access.
  • The method in <Limit> must be upper case, e.g., GET
    instead of get; in Apache 1.2.5 <Limit get> is ok
    but not in Apache 1.3.3.
  • allow from 128.198.0.0 is wrong, resulting in
    forbidden access.
  • Append the above to httpd.conf, then try
    http://bilbo:<portno>/status?refresh=5

10
Perform Filtering on Certain File Type
  • Site.filter demonstrates compressing .html files
    with gzip and saving them as .zhtml files.
  • How much storage do we save on a web site by using
    this?
  • Overhead? Compression and modification of web pages;
    decompression on retrieval.
  • Actually there is an error on index.zhtml
  • The httpd.conf includes:
      AddHandler peter-gzipped-html ghtml
      Action peter-gzipped-html /cgi-bin/unziphtml
  • Action <type> <cgi-script>: passes a file with
    type <type> through <cgi-script>

11
Site.Filter
  • unziphtml:
      #!/bin/sh
      # Emit the CGI header, a blank line, then the decompressed page.
      echo "Content-type: text/html"
      echo
      gzip -S .zhtml -d -c "$PATH_TRANSLATED"
  • gzip options: -c writes output to stdout; -d
    decompresses; -S .zhtml uses the suffix .zhtml
    instead of .gz
  • Note that the .ghtml files got garbled.
  • The mime.types file format does not allow .html.gz
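
Added example (not part of the original slides or the course's site.filter code): a defensive variant of unziphtml that checks PATH_TRANSLATED before handing it to gzip, since the script runs with the httpd user's permissions and soft links can point outside the web tree. DOCROOT and its default value are assumptions; the function names check_path and serve are hypothetical.

```sh
#!/bin/sh
# Added example: a defensive variant of unziphtml, not the course's script.
# DOCROOT is an assumed setting; use the DocumentRoot from your httpd.conf.
DOCROOT="${DOCROOT:-/usr/local/apache/htdocs}"   # hypothetical default

# check_path FILE: print the resolved path if FILE may be served, else fail.
check_path() {
    p="$1"
    [ -n "$p" ] || return 1                        # PATH_TRANSLATED missing
    case "$p" in *.zhtml) ;; *) return 1 ;; esac    # only the handled suffix
    [ -f "$p" ] || return 1                        # must be an existing file
    [ ! -L "$p" ] || return 1                      # refuse symbolic links
    # Resolve the directory physically so ../ and linked directories
    # cannot lead outside the document root.
    dir=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    root=$(cd "$DOCROOT" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in "$root"/*) ;; *) return 1 ;; esac
    printf '%s/%s\n' "$dir" "$(basename "$p")"
}

# serve: emit the CGI response for the file named by PATH_TRANSLATED.
serve() {
    if real=$(check_path "${PATH_TRANSLATED:-}"); then
        printf 'Content-type: text/html\n\n'
        gzip -S .zhtml -d -c -- "$real"
    else
        printf 'Status: 403 Forbidden\nContent-type: text/plain\n\n'
        printf 'Forbidden\n'
        return 1
    fi
}

# Run only when started by a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    serve
fi
```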

12
Compressing/Modifying Web Pages
  • The web pages provided in site.filter on the CD-ROM
    are not correct. Please regenerate them with the
    following instructions. Note that before you
    compress, you need to modify the links to point to
    the compressed .zhtml files.
  • mv htdocs to htdoc.orig
  • mkdir htdocs; cd htdocs
  • cp ../../site.virtual/htdocs/customers/* .
  • Replace
      <li><A href="catalog_summer.html">Summer catalog</A>
      <li><A href="catalog_autumn.html">Autumn catalog</A>
    WITH
      <li><A href="catalog_summer.zhtml">Summer catalog</A>
      <li><A href="catalog_autumn.zhtml">Autumn catalog</A>
  • gzip *.html
  • Rename *.html.gz to *.zhtml

13
Homework4
  • Exercise 1: Set up site.cgi
  • Exercise 2: Set up site.status
  • Exercise 3: Set up site.filter