Wandering Thoughts archives


CGIs combine well with Apache location-based access control

One of the things that we do every so often is put together some little 'web application' that has to be under some sort of access control or access restrictions. Even today, CGI scripts remain the easiest way to write and deploy a simple web application; you write a script in the language of your choice and (with the right Apache configuration) put it in an appropriate place with an appropriate filename extension, and you're done. That leaves the access control.

For the access control, Apache (and probably other web servers) have the quite convenient feature that you can specify the access control type and settings by location. In Apache, this can be either the filesystem location or by URL. So it's very easy to set up a directory on your web server where all CGIs in the directory will be protected by some standard access control (perhaps HTTP Basic Authentication, perhaps some SAML-based single sign on system, partly depending on availability needs). Often you can use the same authentication mechanism across multiple locations but give them different access restrictions.

(For HTTP Basic Authentication, you need the 'realm' to be the same across all locations.)

In Apache, you can often get a similar combination with PHP; if you have a simple single-file PHP web application, you can drop its .php file into a suitable directory and then use the same idea of location based access control. Other ways of having Apache run server side code for you generally require more work to deploy (or un-deploy; you can turn off a CGI very easily). We use CGIs rather than PHP for various reasons including simply our background as system administrators, where we work a lot more with shell scripts and Python than with PHP.

(I'm not particularly familiar with other web servers. I think location based access control is reasonably common, but I don't know if any of them normally have as simple a deployment story for little web applications as 'stick a CGI program in a directory'.)

web/ApacheCGIsAndLocationACLs written at 22:28:39; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.