Untitled Document

Please see text links at bottom of page for navigation

A FastCGIExternalServer Directive Change for NetCloak

NetCloak uses the FastCGI module to interface between Apache2 and a NetCloak server running on localhost:9008.

Apache httpd.conf modifications to configure FastCGI for this are:

LoadModule fastcgi_module /usr/local/apache2/modules/mod_fastcgi.so
AddHandler fastcgi-script .nclk .fdml FastCgiExternalServer
/usr/local/apache2/htdocs -host localhost:9008 -pass-header
Authorization

The general expectation is that the use of AddHandler .nclk .fdml will
allow any URL that ends in .nclk or .fdml to be handed to netcloak for
processing. Also all other URLs will be processed normally. FastCGI,
however, doesn't quite work that way.

Alone, the AddHandler directive takes any URI ending in .fcgi or .fdml
and tries to execute it as a CGI script. The small number of .fcgi
files we were able to look at contained html and netcloak commands and not shell commands so the raw text contents was returned to a browser making the original request.

The FastCgiExternalServer directive causes mod_fastCGI to take any url that falls in the directory - /usr/local/apache2/htdocs - and hand that to the server running on the specified host - localhost:9008 - in this case NetCloak. So the FastCgiExternalServer directive is overriding the AddHandler directive and handing all urls inside htdocs to NetCloak. This works fine for content that contains NetCloak or html as NetCloak seems to process it correctly and return correct results. However, certain valid graphic or image content such as a gif file are not processed properly by NetCloak and appear as broken links to the requesting browser.

A lot of investigation was done to understand if there was some kind of fastCGI configuration that would honor the AddHandler directive in
concert with the FastCGIExternalServer so that only URI with AddHandler specified extensions would be handed to the FastCGIExternalServer. Unfortunately mod_fastCgi wasn't built this way. In fact there is commentary in the fastCGI change log that with release 2.4.0 the FastCgiExternalServer directive didn't need an AddHandler directive, so this is seen as a feature by the fastCGI developers and it was concluded that there are no configurations of the existing fastCGI module that will make it work properly for NetCloak.

Changing the fastCGI was investigated and a small change to the
FastCgiExternalServer directive implemented. The change has the goal of restricting the URL requests that are handed to the specified server. Obviously we could have just modified fastCGI to hand its
CgiExternalServer requests that ended with the suffix .fcgi and .fdml,
but this seemed too much like a hack. However the idea of generally
extending the CgiExternalServer directory specification as a generalized string matching pattern which could be used to match URLs with .fcgi and .fdml suffixes seemed to make sense.

It turns out that Apache has already been endowed with Perl regular
expression processing facilities internally so modifications to
conditionally treat the CgiExternalServer directory specification as a
fully formed regular expression were straightforward.

A new modFastCGI FastCgiExternalServer directive was created that has an optional '-re' parameter. When this parameter is specified, the
FastCgiExternalServer directory specification is treated as a fully
capable Perl regular expression -
< http://www.pcre.org>http://www.pcre.org. New versions of the
iTools8.2.0 and iTools8.2.0i will contain the updated mod_fastCGI.so.

This means then that the Apache httpd.conf directives for NetCloak
operation are:

LoadModule fastcgi_module modules/mod_fastcgi.so
FastCgiExternalServer /Library/Tenon/WebServer/Documents/.*(.nclk|.fdml) -re -host localhost:9008 -pass-header Authorization

With these directives, the new mod_fastCGI.so and NetCloak in place and everything seems to work well in that the proper URLs are handed to NetCloak and graphic and other URLs not matched by the regular expression are handled by Apache in the normal way.