Configuring Apache for Server Side Includes

"Server-side include" (SSI) refers to a feature of the Apache Web server whereby it can include a file or the value of an environment variable in an HTML document. The feature is like the include files in many programming languages such as C and C++. Just as a preprocessor processes the include files in a programming language, the Web browser reads the HTML file and parses the server-side includes before returning the document to the Web browser.

Server-side includes provide a convenient way to include date, file size, and any file into an HTML document. The SSI directives look like special comments in the HTML file. For example, you can show the size of a graphics file by placing the following SSI directive in the HTML file:

File size = <!--#fsize file="nbphoto.jpg"-->

The Web server replaces everything to the right of the equal sign with the size of the file nbphoto.gif.

Similarly, to display today's date, you can use the following SSI directive:

Today is <!--#echo var="DATE_LOCAL" -->

To enable SSI on the Apache Web server, place the following directive in the

/etc/httpd/conf/httpd.conf file:

Options +Includes

Apache directives can apply to specific directories. Therefore, it's best if you place this directive in the block of directives that apply to the directory where you want to allow SSI.

You also have to tell Apache which files to parse for SSI. The convention is to use the .shtml extension for SSI files. To instruct Apache about the .shtml files, you need the following directives in /etc/httpd/conf/httpd.conf:

AddType text/html .shtml AddOutputFilter INCLUDES .shtml

The only drawback of using the .shtml extension for SSI files is that you need to change the file extension if you decide to give SSI directives to a plain HTML file. Unfortunately, changing a file's extension requires all links to that file to be updated. A way out of this quandary is to use the XBitHack directive. To use XBitHack, add the following line to the httpd.conf file:

XBitHack on

Then, use the chmod command to make those HTML files with SSI directives executable. For example, if the file welcome.html contains SSI directives, type the following command to make that file executable:

chmod +x welcome.html

When the XBitHack is turned on, Apache parses HTML files for SSI directives if they have the execute bit set (which is what happens when you make the file executable with the chmod +x command).

From the standpoint of security, one problem of server-side includes is the ability to execute a command on the server. For example, the following line of HTML includes the contents of the /etc/passwd file in the document returned to the browser:

<!--#exec cmd="/bin/cat /etc/passwd"-->

If you want to retain some of the benefits of server-side includes but minimize the security risks, you can turn off the #exec keyword with the following directive on an Options line in httpd.conf:

Options IncludesNoExec

Was this article helpful?

0 0
Make Money Writing

Make Money Writing

This Report Will Show You How To Make Money By Providing Writing Services To Other Internet Marketers. Learn how to make money by writing the right way. Grab your copy of this report now and learn. Why writing is a great way to earn money. How to compete with cheap writers, even if you charge a lot more money.

Get My Free Ebook

Post a comment