Webserver use, configuration and management

Unit WUCM1

Server-side includes

(For more reference material see Laurie (2003), Chapter 14 & 16 or Arnold (2000), Chapter 4)

Server Side Includes (SSI or the newer extended SSI, xSSI) was the original, very simple, way of generating pages ‘on the fly’. In Apache, the functionality of SSI is provided by the module mod_include (part of the default set, as discussed in an earlier practical). It does offer a handler, server-parsed, and defines a MIME type application/x-server-parsed that triggers the handler on any file recognised as being of that type.

Server-side includes are generally held to be inefficient, inflexible and (most significantly) insecure. It is therefore little used.

Enabling SSI

To enable the server side includes, you need to add appropriate options (Includes or IncludesNOEXEC). The Options directive only works in a container, so would normally be part of either a <Directory ….> or a <Location ……> block. Normally you would only enable SSI on particular directories and/or with particular file extensions (usually .shtml). If you enable SSI for the whole site you are slowing down the server process, and potentially introducing greater scope for hackers – any feature globally set up is generally not a good idea unless it is needed globally.

Arnold (2000) sets out the three steps that enabling SSI requires:

  1. Instruct Apache how to recognise which files need to be parsed.
  2. Grant permission for SSI parsing, usually within a limited scope, e.g. a directory.
  3. Communicate to the browser the content-type of the parsed result.

Examples

To make all files on the server that have the .shtml extension server parsed (and assuming +includes option setup) use:

 

AddHandler server-parsed .shtml

 

Alternatively, and perhaps better, is to set up the handler with the relevant directory, e.g.

 

<Directory ”/WebRoot/Roger/htdocs/parsed”>

    Options +Includes

    SetHandler server-parsed

</Directory>

 

The IncludesNOEXEC option permits the use of SSI but stops the execution of an included CGI script.   The last task is to assign a MIME content type to files of the identified SSI content, e.g.

 

AddType text/html .shtml

 

The above would tell Apache to output a Content-Type: text/html header with files having the .shtml file name extension.    SSI commands are included in the .shtml files to be served as a specially formatted comment, much like the use of ASP, JScript, etc.

There are a number of methods that can be employed with SSI, but perhaps the most obvious is the use of the include command, e.g.

 

<!--#include file=”header.inc”  -->

 

All SSI commands are embedded within an HTML comment tags.   The ‘#’ is an important prefix to the command, no spaces, the parameter file in the case is assigned a value ”header.inc” , the following space before the close comment tags is also an important syntax element.

Other commands include: set (to give a value to a variable), echo (to output the contents of a variable), config (to define the contents of an SSI configuration variable such as errmsg – an error message), exec (to execute a CGI script) etc, see Arnold (2000) or Wainwright (1999) for more details.   The important question is: ‘When is it sensible to use SSI?’   - do jot down your thoughts.

 

Last updated by Prof Jim Briggs of the School of Computing at the University of Portsmouth