Basics of the HTTP Protocol and Apache Web Server
Brandon Checketts
At first there was HTTP 0.9
This is as simple as it can get
GET http://www.somedomain.com/hello.txt
Hello


Created by Tim Berners-Lee in 1989(?)
The 0.9 version number was actually created after the 1.0 spec
HTTP 1.0
The first really practical revision of the HTTP protocol
HTTP Request Headers and Response Headers
Simple caching
Authentication
Content-Type
Sending data via POST
HTTP Status codes (200, 404, etc)
HTTP 1.1 (in use today)
Includes everything from HTTP 1.0
Host header is required
Defines more status codes, more request methods
Much more flexible caching available
Digest Authentication
Sample HTTP Request / Response
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 200 OK
X-TR: 1
Date: Thu, 15 Oct 2009 17:50:12 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: __utmv=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=www.google.com
Set-Cookie: __utmv=; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/; domain=.google.com
Server: gws
X-XSS-Protection: 0
Content-Length: 9256
Headers of Interest
Referer
  Says which page referred you to the current URL
  Note the misspelling
  Used in Analytics to provide a lot of useful metrics
User-Agent
  Specifies OS and Browser (often faked)
Cookie / Set-Cookie (more on this later)
HTTP Cookies
Cookies are generally good! They provide some incredibly useful functionality.
Demonstrate a cookie
  Server sends a Set-Cookie
  Client sends back a Cookie
  http://web01.roundsphere.com/cookie_test.php
  http://web01.roundsphere.com/cookie_test.php?set=123
Be careful what you put in a cookie!
  Don't store user IDs, authentication credentials, etc.
Using Cookies to create sessions
Without cookies, all HTTP requests are completely independent
Cookies allow the server to add some persistence to multiple requests and create a session
Most programming languages have some built-in support for sessions (PHPSESSID, JSESSIONID, etc.)
Session information can be stored in the file system, a database, memcache, etc.
Don't pass the Session ID through GET requests
Demo some simple session examples:
  http://web01.roundsphere.com/session_test.php
  http://web01.roundsphere.com/session_test.php?add
  http://web01.roundsphere.com/session_test.php?reset
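
The cookie-to-session mechanism above, as an added Python example (not from the original slides and not the code behind the demo URLs): the cookie carries only a random ID, the data stays on the server, and the ID never goes in the URL, where it would end up in access logs and Referer headers. The cookie name SESSID, the handle() function and the add/reset counter are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}           # server-side store (file system, database, memcache in practice)
COOKIE_NAME = "SESSID"  # assumed name, in the spirit of PHPSESSID / JSESSIONID


def handle(path, cookie_header=None):
    """Process one request; return (body, Set-Cookie value or None)."""
    sid = None
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if COOKIE_NAME in jar:
            sid = jar[COOKIE_NAME].value
    set_cookie = None
    if sid not in SESSIONS:
        # Missing or unknown ID: never adopt a client-supplied value, mint a fresh one.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"count": 0}
        out = SimpleCookie()
        out[COOKIE_NAME] = sid              # opaque ID only, no user data
        out[COOKIE_NAME]["path"] = "/"
        out[COOKIE_NAME]["httponly"] = True  # not readable from page scripts
        out[COOKIE_NAME]["secure"] = True    # only sent over HTTPS
        set_cookie = out[COOKIE_NAME].OutputString()
    data = SESSIONS[sid]
    query = path.partition("?")[2]
    if query == "add":
        data["count"] += 1
    elif query == "reset":
        data["count"] = 0
    return f"count={data['count']}", set_cookie


def demo():
    """Constructed exchange: first visit, two 'add' requests, then an unknown ID."""
    body1, set_cookie = handle("/session_test")
    cookie = set_cookie.split(";", 1)[0]    # what the client sends back as Cookie:
    body2, again = handle("/session_test?add", cookie)
    body3, _ = handle("/session_test?add", cookie)
    forged, fresh = handle("/session_test", "SESSID=made-up-value")
    return body1, body2, body3, again, forged, fresh
```
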
Apache
Apache Web Server




Apache is the most popular web server
  Wikipedia says it powers 55% of all websites and 66% of the biggest websites
Derived from patches to NCSA httpd … ‘A Patchy’ Server
Modules provide a lot of extra functionality
  Some people complain that the modules add a lot of bloat
High Performance, very configurable, easily available.
Virtual Hosts allow granular control of almost everything
  Hundreds and thousands of virtual hosts per physical host
Worker (multi-threaded) versus Prefork (separate processes)
Version 2.2 is in wide use today
Sample Apache VirtualHost Config
NameVirtualHost 76.74.250.21:80
<VirtualHost 76.74.250.21:80>
    ServerName     mydomain.com
    ServerAlias    www.mydomain.com *.mydomain.com
    DocumentRoot   /home/mydomain.com/www
    CustomLog      /home/mydomain.com/logs/access_log combined
    CustomLog      /home/mydomain.com/logs/deflate_log deflate
    ErrorLog       /home/mydomain.com/logs/error_log
    ScriptAlias    /cgi-bin/ /home/mydomain.com/cgi-bin/
    php_admin_flag engine on
    php_admin_value open_basedir "/home/mydomain.com/"
    RewriteEngine On
</VirtualHost>
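
Why HTTP/1.1 requires the Host header becomes visible once several name-based virtual hosts share one IP address. The following is an added example, not from the original slides and not Apache's code: a simplified Python model of how a request is matched to a vhost by ServerName and ServerAlias. The second vhost (other.example) and the function names are hypothetical, and IPv6 literals in Host are not handled.

```python
from fnmatch import fnmatch

# Constructed vhost table. The first entry mirrors the sample config above;
# the second is hypothetical. Order matters: the first entry is the default.
VHOSTS = [
    {"ServerName": "mydomain.com",
     "ServerAlias": ["www.mydomain.com", "*.mydomain.com"],
     "DocumentRoot": "/home/mydomain.com/www"},
    {"ServerName": "other.example", "ServerAlias": [],
     "DocumentRoot": "/home/other.example/www"},
]


def parse_request(raw):
    """Split a raw request into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, target, version, headers


def route(raw):
    """Return (status, DocumentRoot or None) for one raw request."""
    try:
        _, _, version, headers = parse_request(raw)
    except ValueError:
        return 400, None
    host = headers.get("host", "")
    if version == "HTTP/1.1" and not host:
        return 400, None  # HTTP/1.1: a request without Host is rejected
    name = host.split(":", 1)[0].lower()  # drop an optional :port
    for vh in VHOSTS:
        if name == vh["ServerName"] or any(fnmatch(name, a) for a in vh["ServerAlias"]):
            return 200, vh["DocumentRoot"]
    # No name matched (or an HTTP/1.0 request with no Host): first vhost serves it.
    return 200, VHOSTS[0]["DocumentRoot"]
```

Because an unrecognised Host falls through to the first vhost listed for the address, a deliberate catch-all vhost is often placed first so that unknown names do not land on a real site.
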
Apache Modules

Authentication (mod_auth_*)
  Via MySQL (multiple applications single password database)
  http://www.brandonchecketts.com/webpasswd.demo/
Proxying (HTTP, AJP, load balancing)
Programs (mod_php, mod_python, mod_perl, passenger)
SSL
URL rewriting (mod_rewrite)
CGI and Fast-CGI, SCGI
WebDav
SVN
Practically anything
….mod_security…
Apache Proxying

Load Balancing
<Proxy balancer://mycluster>
BalancerMember http://192.168.1.50:80
BalancerMember http://192.168.1.51:80
</Proxy>
ProxyPass /test balancer://mycluster/

Proxying Tomcat
ProxyPass /myapp ajp://127.0.0.1:8009/myapp/
ProxyPassReverse /myapp ajp://127.0.0.1:8009/myapp/
mod_rewrite

Used to create ‘pretty’ URLs
RewriteRule ^(.*)\.html$ /realpage.php?name=$1

Redirect any nonexistent request to some page:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Useful Apache Tricks

/server-status/
  http://sb1.roundsphere.com/server-status/
apachectl -t -D DUMP_VHOSTS
  Shows all of the virtual hosts configured
Debian style setup with a2ensite, a2enmod
  Symlinks to enable/disable sites and modules
Documentation is very good
  http://httpd.apache.org/docs/2.2
Apache Alternatives

Nginx (Engine X)
  Supposed to be very good at proxying
Lighttpd (Lighty)