Basics of the HTTP Protocol and Apache Web Server
Brandon Checketts


Transcript of Presentation (PPT)

Page 1: Presentation (PPT)

Basics of the HTTP Protocol and Apache Web Server

Brandon Checketts

Page 2: Presentation (PPT)

At first there was HTTP 0.9

This is as simple as it can get

    GET http://www.somedomain.com/hello.txt

    Hello

Created by Tim Berners-Lee in 1989(?)
The 0.9 version number was actually created after the 1.0 spec

Page 3: Presentation (PPT)

HTTP 1.0

The first really practical revision of the HTTP protocol
HTTP Request Headers and Response Headers
    Simple caching
    Authentication
    Content-Type
Sending data via POST
HTTP Status codes (200, 404, etc)

Page 4: Presentation (PPT)

HTTP 1.1 (in use today)

Includes everything from HTTP 1.0
Host header is required
Defines more status codes, more request methods
Much more flexible caching available
Digest Authentication

Page 5: Presentation (PPT)

Sample HTTP Request / Response

    GET / HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

    HTTP/1.x 200 OK
    X-TR: 1
    Date: Thu, 15 Oct 2009 17:50:12 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: __utmv=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com
    Set-Cookie: __utmv=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com
    Server: gws
    X-XSS-Protection: 0
    Content-Length: 9256
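
The response above is a status line followed by name/value headers, some of which repeat. The following is an added example, not part of the original slides: a small parser for that layout that also reports Set-Cookie headers lacking the Secure or HttpOnly attributes. The function names are hypothetical and RAW is constructed from the sample response on this slide.

```python
# Added example (not from the slides): parse a response head, audit Set-Cookie.
# RAW is constructed from the sample response on this slide (body omitted).
RAW = (
    "HTTP/1.x 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: __utmv=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com\r\n"
    "Set-Cookie: __utmv=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com\r\n"
    "Content-Length: 9256\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (status_code, headers) for the part before the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = []  # a list, not a dict: repeated Set-Cookie headers must stay separate
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))  # names are case-insensitive
    return int(code), headers


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()  # flags such as Secure map to ""
    return name, val, attrs


def audit_cookies(raw):
    """Return (cookie, domain, finding) for each missing protective attribute."""
    _code, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, _val, attrs = parse_set_cookie(value)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append((cookie, attrs.get("domain", ""), "missing " + flag))
    return findings
```

Headers are kept as a list because the expires date inside Set-Cookie contains a comma, so two Set-Cookie headers cannot be merged into one comma-separated value the way most repeated headers can.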

Page 6: Presentation (PPT)

Headers of Interest

Referer
    Says which page referred you to the current URL
    Note the misspelling
    Used in Analytics to provide a lot of useful metrics
User Agent
    Specifies OS and Browser (often faked)
Cookie / Set-Cookie (more on this later)

Page 7: Presentation (PPT)

HTTP Cookies

Cookies are generally good! They provide some incredibly useful functionality.
    Server sends a Set-Cookie
    Client sends back a Cookie
Demonstrate a cookie
    http://web01.roundsphere.com/cookie_test.php
    http://web01.roundsphere.com/cookie_test.php?set=123
Be careful what you put in a cookie!
    Don’t store user IDs, authentication credentials, etc.

Page 8: Presentation (PPT)

Using Cookies to create sessions

Without cookies, all HTTP requests are completely independent
Cookies allow the server to add some persistence to multiple requests and create a session
Most programming languages have some built-in support for sessions. (PHPSESSID, JSESSIONID, etc)
Session information can be stored in file system, database, memcache, etc.
Don’t pass Session ID through GET requests
Demo some simple session examples:
    http://web01.roundsphere.com/session_test.php
    http://web01.roundsphere.com/session_test.php?add
    http://web01.roundsphere.com/session_test.php?reset
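
The advice on the two cookie slides (keep user IDs and credentials out of the cookie, keep session data on the server, never carry the session ID in a GET parameter) can be shown in one piece. This is an added example, not the code behind the demo URLs above; COOKIE_NAME, SESSIONS and the function names are hypothetical, and the in-memory dict stands in for the file system, database or memcache store.

```python
# Added example (not from the slides): opaque session ID in the cookie,
# all session state on the server. Names here are hypothetical.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "SID"
SESSIONS = {}  # session ID -> server-side data; never sent to the client


def start_session(user_id):
    """Create server-side state and return the Set-Cookie value for it."""
    sid = secrets.token_urlsafe(32)  # random bytes from the OS CSPRNG, carries no meaning
    SESSIONS[sid] = {"user_id": user_id, "count": 0}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True   # not readable from page scripts
    cookie[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    return cookie[COOKIE_NAME].OutputString()


def load_session(cookie_header, query_string=""):
    """Return the session for a request, taking the ID from the Cookie header only."""
    if COOKIE_NAME in parse_qs(query_string):
        return None  # IDs in URLs leak via logs, history and Referer: refuse them
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return SESSIONS.get(morsel.value) if morsel else None


def end_session(cookie_header):
    """Logout: drop the server-side state so the ID is useless afterwards."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel:
        SESSIONS.pop(morsel.value, None)
```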

Page 9: Presentation (PPT)

Apache

Page 10: Presentation (PPT)

Apache Web Server

Apache is the most popular web server
    Wikipedia says it powers 55% of all websites and 66% of the biggest websites
Derived from patches to NCSA httpd … ‘A Patchy’ Server
Modules provide a lot of extra functionality
    Some people complain that the modules add a lot of bloat
High Performance, very configurable, easily available.
Virtual Hosts allow granular control of almost everything
    Hundreds and thousands of virtual hosts per physical host
Worker (multi-threaded) versus Prefork (separate processes)
Version 2.2 is in wide use today

Page 11: Presentation (PPT)

Sample Apache VirtualHost Config

    NameVirtualHost 76.74.250.21:80
    <VirtualHost 76.74.250.21:80>
        ServerName mydomain.com
        ServerAlias www.mydomain.com *.mydomain.com

        DocumentRoot /home/mydomain.com/www
        CustomLog /home/mydomain.com/logs/access_log combined
        CustomLog /home/mydomain.com/logs/deflate_log deflate
        ErrorLog /home/mydomain.com/logs/error_log
        ScriptAlias /cgi-bin/ /home/mydomain.com/cgi-bin/

        php_admin_flag engine on
        php_admin_value open_basedir "/home/mydomain.com/"

        RewriteEngine On
    </VirtualHost>

Page 12: Presentation (PPT)

Apache Modules

Authentication (mod_auth_*)
    Via MySQL (multiple applications single password database)
    http://www.brandonchecketts.com/webpasswd.demo/
Proxying (HTTP, AJP, load balancing)
Programs (mod_php, mod_python, mod_perl, passenger)
SSL
URL rewriting (mod_rewrite)
CGI and Fast-CGI, SCGI
WebDav
SVN
Practically anything
    ….mod_security…

Page 13: Presentation (PPT)

Apache Proxying

Load Balancing

    <Proxy balancer://mycluster>
        BalancerMember http://192.168.1.50:80
        BalancerMember http://192.168.1.51:80
    </Proxy>
    ProxyPass /test balancer://mycluster/

Proxying Tomcat

    ProxyPass /myapp ajp://127.0.0.1:8009/myapp/
    ProxyPassReverse /myapp ajp://127.0.0.1:8009/myapp/

Page 14: Presentation (PPT)

mod_rewrite

Used to create ‘pretty’ URLs

    # Dot escaped and pattern anchored so only paths ending in .html match
    RewriteRule ^(.*)\.html$ /realpage.php?name=$1

Redirect any nonexistent request to some page:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

Page 15: Presentation (PPT)

Useful Apache TricksUseful Apache Tricks

/server-status/
    http://sb1.roundsphere.com/server-status/
apachectl -t -D DUMP_VHOSTS
    Shows all of the virtual hosts configured
Debian style setup with a2ensite, a2enmod
    Symlinks to enable/disable sites and modules
Documentation is very good
    http://httpd.apache.org/docs/2.2

Page 16: Presentation (PPT)

Apache Alternatives

Nginx (Engine X)
    Supposed to be very good at proxying
Lighttpd (Lighty)