iTP Secure WebServer System Administrators Guide (Version 7.5+)
Setting Up a Server-Side Include (SSI)
Use a server-side include (SSI) to insert real-time or updated information within any given document.
Examples of such information include:
• Another file
• Output from a CGI or /bin/sh script
• The current date
• A document's last modification date
• The size or last modification of other documents
You set up SSIs by instructing the server to parse the HTML output being sent to a Web client to
detect SSIs and act on them. Before you enable SSIs, consider that having the server parse
documents can be time-consuming for heavily loaded servers since the servers would have to parse
files in the process of sending them. Furthermore, SSIs can be a security risk since clients would
be executing commands on the server's host system. If you disable the exec option (described in
“Specifying SSI Use” (page 130)), this danger is mitigated. However, the performance issue remains.
NOTE: The iTP Secure WebServer does not support the <servlet< tag in .shtml-file server-side
includes, which is part of Sun Microsystems, Inc. implementation of the Servlet API 2.0. Other
implementations that are not supported are documented in NonStop Servlets for JavaServer Pages
(NSJSP) System Administrator's Guide.
Specifying SSI Use
Specifying SSI use with the iTP Secure WebServer involves enabling SSIs in specific regions,
partially enabling SSIs in specific regions, or disabling SSIs (the default).
HP recommends that you disable SSI usage in users' home directories and in directories in which
users can insert files without permission.
SSI usage is disabled by default. To enable SSI in a particular region (including exec), use the
EnableIncludes command. For example:
Region /* {
EnableIncludes -restricted
}
To enable SSI in a region while disabling exec usage, you simply specify the EnableIncludes
command using no arguments. For example:
Region /*{
EnableIncludes
}
You can control the amount of SSI document nesting by specifying the -nesting argument in the
EnableIncludes command. The default nesting level is 3. For example, the following command
limits the amount of document nesting to one level:
Region /include/* {
EnableIncludes -nesting 1
}
Therefore, if a set of documents is nested as follows:
Doc1.shtml: <!--#include virtual="/include/Doc2.shtml"-->
Doc2.shtml: <!--#include virtual="/include/Doc3.shtml"-->
Doc3.shtml: <!--#include virtual="/include/Doc4.shtml"-->
document inclusion stops after Doc2.shtml is included into Doc1.shtml, and an error will be
logged to the server's log files.
For more information about the EnableIncludes command, see “Region Commands” (page 234).
After specifying SSI usage for specific regions, you must tell the server the extension of the files
you want to be parsed for SSIs. Internally, the server uses the MIME type
130 Configuring the iTP Secure WebServer