|
Grex > Coop11 > #143: GREX web SSI policy. Whys and wherefores. | |
|
| Author |
Message |
other
|
|
GREX web SSI policy. Whys and wherefores.
| 
Dec 9 19:46 UTC 1999 |
I just recently learned how to link text and html chunks into webpages via
server side includes (SSI) commands. I tested one on grex and discovered that
it was not supported here.
I would like to be made aware of the security implications of SSI activation
on grex, and the options for limited activation, say for simplifying the
updating of pages by just updating linked chunk or text files.
I want to know the reasons for the current policy before i make the leap into
proposing a change to it.
Thanks.
|
| 20 responses total. |
hhsrat
|
|
response 1 of 20:
|
Dec 10 02:53 UTC 1999 |
SSI sounds interesting. Is there a good tutorial or HOWTO somewhere?
|
other
|
|
response 2 of 20:
|
Dec 10 18:23 UTC 1999 |
http://www.umich.edu/~websvcs/umweb/umich-www-faq.html#2.3
|
other
|
|
response 3 of 20:
|
Dec 10 18:24 UTC 1999 |
there's probably something at the apache website too. apache.com, i think.
|
remmers
|
|
response 4 of 20:
|
Dec 13 13:34 UTC 1999 |
Server-side includes are very nifty, but they do have CPU load
implications, since the "inclusion" process has to be carried out by the
server every time a web page is accessed. Offhand I don't know if the
impact on Grex is likely to be significant or not.
|
pfv
|
|
response 5 of 20:
|
Dec 13 14:21 UTC 1999 |
As I recall, SSI is an apache module.. Which means it should
"already be loaded" - but swapping probably occurs.
OTOH, that opens up a far "wider interface" than the 6-70
pty's grex has a queue for.
Offhand, I'd say the SSI can-o-worms is prolly comparable to
installing mod_perl for user purposes.
|
remmers
|
|
response 6 of 20:
|
Dec 13 16:19 UTC 1999 |
Right, in contrast to CGI's, you probably don't have process startup
overhead on every access. But the server would still have to execute
the code to carry out the inclusions.
|
pfv
|
|
response 7 of 20:
|
Dec 13 16:34 UTC 1999 |
Yeah, it's like adding (what?) another 32 users?
And, you also have to check the SSI for security-issues
(or, for some - the "lack of issues").
|
gull
|
|
response 8 of 20:
|
Dec 13 20:51 UTC 1999 |
There are ways around the CPU-load problem. I believe one scheme uses the
execute bit on the file to 'flag' it -- the server only checks files that
have the x bit set for includes, everything else goes through unexamined.
|
other
|
|
response 9 of 20:
|
Dec 16 22:37 UTC 1999 |
can't say i really understand all the comparisons being flung about in the
above responses, but i know that folks at u-m have modified ssi functionality
to suit their particular needs. i believe apache is open source, and i get
the impression that ssi functionality can be provided in very limited form
to limit its security implications...
|
remmers
|
|
response 10 of 20:
|
Dec 17 02:34 UTC 1999 |
Could be. I'm not sure that anyone on staff is that familiar with SSI.
|
srw
|
|
response 11 of 20:
|
Mar 5 17:00 UTC 2000 |
I just found this item. I know something about SSI. We have it turned
off probably because at one time you could not turn it on without also
getting SSI exec, which is equivalent to CGI in terms of security
remifications. I don't think CPU costs ever entered into the original
decision.
It can now be turned on without allowing SSI-exec, and this would cause
no security problems that I am aware of. No attempt has been made to
review this question because until now, no one has brought it up in
coop.
I have no objection to turning SSI on, without SSI-exec.
|
other
|
|
response 12 of 20:
|
Mar 6 01:34 UTC 2000 |
unless there is objection, i propose that you "make it so."
;)
|
srw
|
|
response 13 of 20:
|
Apr 30 18:39 UTC 2000 |
Well, we have allowed ample time for an objection to appear, and none
has appeared. Therefore, I have modified the Grex apache
configuration file, to add limited SSI support (no exec) both for Grex
system pages and user pages.
For information on how to use it, people who are curious should look at
http://www.apache.org/docs/mod/mod_include.html
remember to use .shtml instead of .html
I have placed the .shtml extension ahead of .html in searching for a
directory index.
|
srw
|
|
response 14 of 20:
|
Apr 30 18:41 UTC 2000 |
Now the WWW server FAQ is out of date. I have to go fix that when I have
time.
|
other
|
|
response 15 of 20:
|
May 1 05:45 UTC 2000 |
Thanks!!
|