KFCGI(8) System Manager's Manual KFCGI(8)

kfcgiFastCGI server for kcgi applications

kfcgi [-drv] [-l backlog] [-n workers] [-N maxworkers] [-p chroot] [-s sockpath] [-u sockuser] [-U procuser] [-w waittime] prog [arg0...]

The kfcgi server starts up workers processes of prog to handle FastCGI connections. It can handle any FastCGI worker implementing the FastCGI v1.0 Specification as well as those implementing the FastCGI Extensions for Management Control (see -r, -N, and -w).

By default, it opens the socket /var/www/run/httpd.sock in mode 0660 under the current user and group, changes to a file-system jail in /var/www, daemonises and opens its system log, then starts 3 workers executing prog, which must exist relative to the file-system jail root. The back-log is twice the worker pool size (-n) or, in the event of variable-sized pools, twice the maximum worker size (-N).

The arguments are as follows:

Do not daemonise and, in addition to syslog, print messages to standard error.
Be more verbose in output. This can produce a of output.
The connection backlog. If this is too small, connections will be refused and cause the request to error out. The operating system will usually truncate this.
The initial number of workers >1.
The maximum number of workers in a variable-sized pool. By default, this is twice -n.
Location of file-system jail. This is mandatory: use the root directory if you insist on being insecure.
Use a variable-sized pool of workers. This can be used for workers implementing the FastCGI Extensions for Management Control. The pool will be at least (and initially) size -n, maximum size -N with a release policy dictated by -w.
Alternative socket path.
The user in whose name (user and group) the socket is created.
The user in whose name the process is dropped.
The amount of time in seconds a worker must be idle before being released from a variable-sized pool. By default, this is five minutes.

To properly stop a kfcgi server, send it a SIGTERM. If you send a SIGHUP to the process, it will restart all workers.

The kfcgi utility exits 0 on success, and >0 if an error occurs.

On OpenBSD, the default user for the web server is “www”. Assuming we have a server that doesn't need any files, we can run the following to keep it in a safe jail:

# kfcgi -u www -U www -- /fcgi-bin/prog

This will execute /fcgi-bin/prog within the default file-system jail of /var/www as user “www”. It will create the default socket /var/www/run/httpd.sock in mode 0660 as user “www”.

This can also be extended to run a variable-sized pool of workers that responds to system load.

# kfcgi -r -n 2 -N 100 -w 10 -u www -U www -- /fcgi-bin/prog

This will start with only two servers, but scale it to 100 in the event of a burst of communication. Workers started to handle the burst will be terminated after 10 seconds.


kfcgi implements the “FastCGI Specification”, version 1.0, published 29 April 1996, for properly passing connections to the workers. It also implements the FastCGI Extensions for Management Control for variable-sized worker pools.

December 2, 2023 OpenBSD 7.4