
FastCGI authorizer support in lighttpd broken?

I'm in the process of writing a webapp in C++ using FastCGI with lighttpd. The reason I'm doing this the painful way is because the end product will go on an embedded device. Originally, I didn't know about FCGI modes; I thought everything was basically a responder. Then I learned about authorizers, and I've been trying to enable support for it.

Lighttpd seems to have no trouble putting an authorizer in front of static content, but when I try to protect another FCGI script it gives me 403 forbidden.

I've done a lot of research, and come to some conclusions:

  1. Lighttpd's support for the "Variable-VAR_NAME: value" passing from authorizer to subsequent FCGIs is broken.
  2. The language in the first link implies that you can protect dynamic content with authorizers, but this bug report says otherwise.

For the record, I'm using lighttpd 1.4.28 (x86 and ARM) and custom authentication (password hashed on client with SHA-512), because (1) TLS is impossible/unnecessary for this application, (2) basic HTTP authentication is not good enough, (3) digest authentication is broken in lighttpd, and (4) this isn't really intended to be a secure system anyway.

Here's the relevant part of my lighttpd.conf file:

fastcgi.server = (
  "main.fcgi" =>
    (( "mode"         => "responder",
       "bin-path"     => "/var/fcgi/main.fcgi",
       "socket"       => "/tmp/fcgi.sock",
       "check-local"  => "disable",
       "max-procs"    => 1
    )),
  "/" =>
    (( "mode"         => "authorizer",
       "bin-path"     => "/var/fcgi/auth.fcgi",
       "socket"       => "/tmp/fcgi.sock",
       "check-local"  => "disable",
       "max-procs"    => 1,
       "docroot"      => "/var/fcgi"
    ))
)

To wrap it up, can anyone give me guidance on using an FCGI authorizer to control access to other FCGI scripts(/binaries), instead of just static files, on lighttpd? It would also be nice to get variable-passing working. Thanks for reading this far!

ACK_stoverflow asked Dec 30 '25 11:12


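As an added illustration (not code from the question or from lighttpd), here is the authorizer-role exchange at the FastCGI wire level, in Python rather than the asker's C++ so it runs with only the standard library: the web server sends FCGI_BEGIN_REQUEST with role 2 (authorizer) plus FCGI_PARAMS, and the authorizer answers with "Status: 200" and Variable-* headers that the server hands to the next application, or "Status: 403" with no variables at all. The HTTP_X_AUTH_TOKEN parameter, the valid_tokens table and the assumption that every name and value is shorter than 128 bytes are constructed for this example.

```python
import struct

# Record types and the authorizer role, as numbered in the FastCGI specification
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDOUT, FCGI_AUTHORIZER = 1, 3, 4, 6, 2

def record(rtype, req_id, content):  # 8-byte header (version 1, no padding) + content
    return struct.pack(">BBHHBB", 1, rtype, req_id, len(content), 0, 0) + content

def iter_records(stream):  # yields (type, requestId, content), skipping padding bytes
    i = 0
    while i + 8 <= len(stream):
        _, rtype, req_id, clen, plen, _ = struct.unpack(">BBHHBB", stream[i:i + 8])
        yield rtype, req_id, stream[i + 8:i + 8 + clen]
        i += 8 + clen + plen

def decode_params(data):
    # FCGI_PARAMS name-value pairs; assumes 1-byte lengths (every name/value < 128 bytes)
    params, i = {}, 0
    while i < len(data):
        nlen, vlen, i = data[i], data[i + 1], i + 2
        params[data[i:i + nlen].decode()] = data[i + nlen:i + nlen + vlen].decode()
        i += nlen + vlen
    return params

def authorize(params, valid_tokens):
    # 200 plus Variable-* headers (handed to the next application as variables), or 403 with none
    user = valid_tokens.get(params.get("HTTP_X_AUTH_TOKEN", ""))
    if user is None:
        return b"Status: 403 Forbidden\r\n\r\n"
    return f"Status: 200 OK\r\nVariable-REMOTE_USER: {user}\r\n\r\n".encode()

def serve_request(stream, valid_tokens):  # one authorizer-role request in, reply records out
    role, req_id, param_bytes = None, 0, b""
    for rtype, req_id, content in iter_records(stream):
        if rtype == FCGI_BEGIN_REQUEST:
            role = struct.unpack(">H", content[:2])[0]  # role field of FCGI_BeginRequestBody
        elif rtype == FCGI_PARAMS:
            param_bytes += content                      # params may span several records
    if role != FCGI_AUTHORIZER:
        raise ValueError("expected an FCGI_AUTHORIZER request")
    body = authorize(decode_params(param_bytes), valid_tokens)
    return (record(FCGI_STDOUT, req_id, body) + record(FCGI_STDOUT, req_id, b"")
            + record(FCGI_END_REQUEST, req_id, struct.pack(">IBxxx", 0, 0)))

def build_request(params, req_id=1):
    # Constructed web-server side of the exchange (what lighttpd would send to the authorizer)
    enc = [(k.encode(), v.encode()) for k, v in params.items()]
    pairs = b"".join(bytes([len(k), len(v)]) + k + v for k, v in enc)
    return (record(FCGI_BEGIN_REQUEST, req_id, struct.pack(">HBxxxxx", FCGI_AUTHORIZER, 0))
            + record(FCGI_PARAMS, req_id, pairs) + record(FCGI_PARAMS, req_id, b""))
```

The reply ends with an FCGI_END_REQUEST record whose body is appStatus 0 and protocolStatus FCGI_REQUEST_COMPLETE (0), which is what the web server waits for before deciding whether to run the protected application.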
2 Answers

Update: lighttpd fixed this in lighttpd 1.4.42, released back in 2016.

https://redmine.lighttpd.net/issues/321

gstrauss answered Jan 01 '26 18:01


Everything I've seen seems to indicate that FastCGI authorizers do not work according to spec in lighttpd. What I've done is implemented my own authorization scheme inside my normal responder code. This is fine for my purposes, but more complex websites may really feel the pain from this one. :( If anyone comes up with a better answer for this, respond and I'll eventually get around to changing the answer to yours.

ACK_stoverflow answered Jan 01 '26 20:01