You are not logged in. Login Now
 0-20          
 
Author Message
other
GREX web SSI policy. Whys and wherefores. Mark Unseen   Dec 9 19:46 UTC 1999

I just recently learned how to link text and html chunks into webpages via
server side includes (SSI) commands.  I tested one on grex and discovered that
it was not supported here.

I would like to be made aware of the security implications of SSI activation
on grex, and the options for limited activation, say for simplifying the
updating of pages by just updating linked chunk or text files.

I want to know the reasons for the current policy before i make the leap into
proposing a change to it.

Thanks.
20 responses total.
hhsrat
response 1 of 20: Mark Unseen   Dec 10 02:53 UTC 1999

SSI sounds interesting.  Is there a good tutorial or HOWTO somewhere?
other
response 2 of 20: Mark Unseen   Dec 10 18:23 UTC 1999

         http://www.umich.edu/~websvcs/umweb/umich-www-faq.html#2.3

other
response 3 of 20: Mark Unseen   Dec 10 18:24 UTC 1999

there's probably something at the apache website too.  apache.com, i think.
remmers
response 4 of 20: Mark Unseen   Dec 13 13:34 UTC 1999

Server-side includes are very nifty, but they do have CPU load
implications, since the "inclusion" process has to be carried out by the
server every time a web page is accessed.  Offhand I don't know if the
impact on Grex is likely to be significant or not.
pfv
response 5 of 20: Mark Unseen   Dec 13 14:21 UTC 1999

        As I recall, SSI is an apache module.. Which means it should
        "already be loaded" - but swapping probably occurs.

        OTOH, that opens up a far "wider interface" than the 6-70
        pty's grex has a queue for.

        Offhand, I'd say the SSI can-o-worms is prolly comparable to 
        installing mod_perl for user purposes.
remmers
response 6 of 20: Mark Unseen   Dec 13 16:19 UTC 1999

Right, in contrast to CGI's, you probably don't have process startup
overhead on every access.  But the server would still have to execute
the code to carry out the inclusions.
pfv
response 7 of 20: Mark Unseen   Dec 13 16:34 UTC 1999

        Yeah, it's like adding (what?) another 32 users?

        And, you also have to check the SSI for security-issues
        (or, for some - the "lack of issues").
gull
response 8 of 20: Mark Unseen   Dec 13 20:51 UTC 1999

There are ways around the CPU-load problem.  I believe one scheme uses the
execute bit on the file to 'flag' it -- the server only checks files that
have the x bit set for includes, everything else goes through unexamined.
other
response 9 of 20: Mark Unseen   Dec 16 22:37 UTC 1999

can't say i really understand all the comparisons being flung about in the
above responses, but i know that folks at u-m have modified ssi functionality
to suit their particular needs.  i believe apache is open source, and i get
the impression that ssi functionality can be provided in very limited form
to limit its security implications...
remmers
response 10 of 20: Mark Unseen   Dec 17 02:34 UTC 1999

Could be. I'm not sure that anyone on staff is that familiar with SSI.
srw
response 11 of 20: Mark Unseen   Mar 5 17:00 UTC 2000

I just found this item. I know something about SSI. We have it turned 
off probably because at one time you could not turn it on without also 
getting SSI exec, which is equivalent to CGI in terms of security 
remifications. I don't think CPU costs ever entered into the original 
decision.

It can now be turned on without allowing SSI-exec, and this would cause 
no security problems that I am aware of. No attempt has been made to 
review this question because until now, no one has brought it up in 
coop.

I have no objection to turning SSI on, without SSI-exec.
other
response 12 of 20: Mark Unseen   Mar 6 01:34 UTC 2000

unless there is objection, i propose that you "make it so."
  ;)
srw
response 13 of 20: Mark Unseen   Apr 30 18:39 UTC 2000

Well, we have allowed ample time for an objection to appear, and none 
has appeared. Therefore, I have modified the Grex apache 
configuration file, to add limited SSI support (no exec) both for Grex 
system pages and user pages.

For information on how to use it, people who are curious should look at 
http://www.apache.org/docs/mod/mod_include.html

remember to use .shtml instead of .html
I have placed the .shtml extension ahead of .html in searching for a 
directory index. 
srw
response 14 of 20: Mark Unseen   Apr 30 18:41 UTC 2000

Now the WWW server FAQ is out of date. I have to go fix that when I have 
time.
other
response 15 of 20: Mark Unseen   May 1 05:45 UTC 2000

Thanks!!
jep
response 16 of 20: Mark Unseen   May 1 19:00 UTC 2000

Would it be possible for someone to give a general non-technical 
explanation of what this means?  Does this give additional capabilities 
to Grex users?  What capabilities?
other
response 17 of 20: Mark Unseen   May 1 23:05 UTC 2000

What it allows at a basic level is the linking of text or html code into files
the same way (in terms of end result -- not coded the same way) that graphics
files can appear inline within a web page.

For instance, if you have a header that you want to appear on all your pages
within a site, you can code it as an html chunk in a separate file, and link
it using SSI (server side includes) to all the pages.  that way, if you want
to change every page's header, you just change the one file.

SSI is not perceptible by the person browsing the site.  The commands to do
it are included in the original html file, and the server software parses the
command by replacing it with the text of the referenced file, hence *server*
side include.  This means you can even do nested includes, though the
subtleties of that can get confusing.
remmers
response 18 of 20: Mark Unseen   May 2 15:35 UTC 2000

Technical digression:  I think of SSI as a work-around for an
oversight in the HTML spec., which has the concept of "inline
images" but should also have "inline other-kinds-of-stuff".
It would save on both server processing and network bandwidth
if the latter were part of HTML.  Then browsers could do the
assembling of the pieces instead of putting that load on the
server.  Also, browsers could cache the pieces so they wouldn't
have to downloaded continually.

This remark has no particular bearing on Grex's decision to
support SSI, which I think was a good one.
jep
response 19 of 20: Mark Unseen   May 2 17:27 UTC 2000

Thanks for the explanation!
srw
response 20 of 20: Mark Unseen   May 6 02:49 UTC 2000

So anyone on Grex can now use SSI directives in their web pages. if you 
don't know about SSI directives, see that URL I posted in resp:13
(remember exec is disabled on grex)

To see an practical example take a look at the last modified date on 
http://www.cyberspace.org/~srw/index.shtml
in your web browser and compare it to /a/s/r/srw/www/index.shtml
 0-20          
Response Not Possible: You are Not Logged In
 

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss