The Common Gateway Interface (CGI) is an interface for data exchange between a web server (an application program) and third-party software that processes requests. CGI is one way of making websites dynamic or interactive. The technology was developed at the National Center for Supercomputing Applications (NCSA) and has been used on the World Wide Web since 1993.
How CGI Works
Starting from an HTTP request, a process can be started by the web server via CGI. Information can be transferred to the process as parameters. These can be based on user input from a web form, for example. The output of the process is in turn passed to the web server, which can generate an HTTP response based on it. Optionally, data can also be exchanged between the process and the web server via the standard data streams while processes are running.
To use this function, web servers provide appropriate subroutines, libraries, scripts or programs, as well as some environment variables. The following nine environment variables must be present:
GATEWAY_INTERFACE
QUERY_STRING
REMOTE_ADDR
REQUEST_METHOD
SCRIPT_NAME
SERVER_NAME
SERVER_PORT
SERVER_PROTOCOL
SERVER_SOFTWARE
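The request flow described above, as an added example that is not part of the original article: a minimal CGI program in Python that checks for the nine variables, reads form input from QUERY_STRING and returns an HTML response with that input escaped. The `name` parameter, the `respond` and `handle` helpers and the sample environment are assumptions made for illustration.

```python
#!/usr/bin/env python3
import html
import os
import sys
from urllib.parse import parse_qs

# The nine environment variables the article lists as mandatory.
REQUIRED_VARS = (
    "GATEWAY_INTERFACE", "QUERY_STRING", "REMOTE_ADDR", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
)

# Constructed sample environment standing in for what a web server would set.
SAMPLE_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1", "QUERY_STRING": "name=Alice",
    "REMOTE_ADDR": "192.0.2.10", "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/hello.py", "SERVER_NAME": "www.example.com",
    "SERVER_PORT": "80", "SERVER_PROTOCOL": "HTTP/1.1",
    "SERVER_SOFTWARE": "ExampleServer/1.0",
}


def respond(status, body):
    """Build the CGI output: header lines, a blank line, then the body."""
    return f"Status: {status}\nContent-Type: text/html; charset=utf-8\n\n{body}\n"


def handle(environ):
    """Map a CGI environment (hypothetical helper) to the text written to stdout."""
    if any(name not in environ for name in REQUIRED_VARS):
        return respond("500 Internal Server Error", "<p>Incomplete CGI environment</p>")
    if environ["REQUEST_METHOD"] != "GET":
        return respond("405 Method Not Allowed", "<p>Only GET is supported</p>")
    try:
        # QUERY_STRING carries the form input and is fully client-controlled.
        params = parse_qs(environ["QUERY_STRING"], max_num_fields=10)
    except ValueError:
        return respond("400 Bad Request", "<p>Too many parameters</p>")
    name = params.get("name", ["world"])[0][:64]  # bound the length
    # Escape before embedding in HTML so markup in the input stays inert text.
    return respond("200 OK", f"<p>Hello, {html.escape(name)}!</p>")


if __name__ == "__main__":
    # Under a web server os.environ holds the variables; offline, use the sample.
    env = os.environ if "GATEWAY_INTERFACE" in os.environ else SAMPLE_ENV
    sys.stdout.write(handle(env))
```

The web server turns the `Status` and `Content-Type` lines into the HTTP response headers and sends everything after the blank line as the body.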
Pros
Instead of just loading static pages from a web server that are available there as a ready-to-use resource, CGI also makes it possible to dynamically generate web content (HTML pages or fragments, graphics, PDF documents, etc.). This means that they do not have to exist on the server at the time of the request, but can be generated by the CGI program.
Basically, CGI programs can be written in any programming language that the operating system supports, as long as the previously mentioned requirements are met.

Cons
Besides the security risk that exists unless appropriate protection is in place, a disadvantage of CGI execution is its relatively slow speed, because a new process is started for each CGI call. In addition, many servers only support a limited number of CGI requests, which is why many requests remain in queues or are even rejected.
Alternatives that rely on CGI but can bypass the bootstrapping of the processes include FastCGI, ASP, PHP, and ColdFusion.
In addition, there are modules, e.g. for the Apache web server, that integrate the interpreter for various scripting languages (e.g. mod_perl for Perl, mod_python for Python, etc.) directly into the web server process. This means that it is only loaded once when the web server starts, instead of being loaded again with each request. Keeping the programs running as external processes, but passing the requests to them via FastCGI is the solution that is most likely to remain true to the CGI principle. In contrast to the above-mentioned integration as an Apache module, not only the interpreter of the programming language can run permanently. The application itself can also remain loaded all the time, allowing it to process incoming requests even more efficiently.
Security
The fact that programs created by a third party can be run on the web server is highly relevant to security. Therefore, it is important to ensure that a program launched via CGI is only allowed to execute certain restricted types of program routines (e.g., not deleting files from the web server, etc.).
In the case of the Apache web server, the mod_suexec module secures the execution of CGI programs against attacks that aim to gain access as the root user. The security measures are multi-level and so strict that many server administrators have switched to running other server-side languages via CGI.