Server Side Includes

Last updated October 23, 2024

Server Side Includes (SSI) is a simple interpreted server-side scripting language used almost exclusively for the World Wide Web. It is most useful for including the contents of one or more files into a web page on a web server (see below), using its #include directive. This could commonly be a common piece of code throughout a site, such as a page header, a page footer and a navigation menu. SSI also contains control directives for conditional features and directives for calling external programs. It is supported by Apache, LiteSpeed, nginx, IIS as well as W3C's Jigsaw.^[1] It has its roots in NCSA HTTPd.^[2]

Design

As a simple programming language, SSI supports only one type: text. Its control flow is rather simple, choice is supported, but loops are not natively supported and can only be done by recursion using include or using HTTP redirect.^{[lower-alpha 1]} The simple design of the language makes it easier to learn and use than most server-side scripting languages, while complicated server-side processing is often done with one of the more feature-rich programming languages. SSI is Turing complete.^[4]

SSI has a simple syntax: . Directives are placed in HTML comments so that if SSI is not enabled, users will not see the SSI directives on the page, unless they look at its source. Note that the syntax does not allow spaces between the leading "" that closes the element.^[5]

Examples

A web page containing a daily quotation could include the quotation by placing the following code into the file of the web page:

<!--#include virtual="../quote.txt" -->

With one change of the quote.txt file, all pages that include the file will display the latest daily quotation. The inclusion is not limited to files, and may also be the text output from a program, or the value of a system variable such as the current time.

Directives

Common

The following are SSI directives from the times of NCSA HTTPd (the 1990s).^[2] Some implementations do not support all of them.^[6]

NCSA HTTPd SSI directives
Directive	Parameters	Description	Example
`include`	file or virtual	This is probably the most used SSI directive. It allows the content of one document to be transcluded in another. The included document can itself be another SSI-enabled file. The `file` or `virtual` parameters specify the file (HTML page, text file, script, etc.) to be included. NCSA HTTPd did not support CGI via `include`,^[2] but later Apache HTTPd does.^[7] If the process does not have access to read the file or execute the script, the include will fail. The parameter "`virtual`" handles any directory paths as if part of the URL, while "`file`" handles any directory paths as in the underlying filesystem. When using "`file`" it is forbidden to reference absolute paths or `../` to access a parent directory. The Apache documentation recommends using "`virtual`" in preference to "`file`".^[7]	<!--#include virtual="menu.cgi" --> <!--#include file="footer.html" -->
`exec`	cgi or cmd	This directive executes a program, script, or shell command on the server. The cmd parameter specifies a server-side command; the cgi parameter specifies the path to a CGI script. The `PATH_INFO` and `QUERY_STRING` of the current SSI script will be passed to the CGI script, as a result "exec cgi" should be used instead of "include virtual".^{[ citation needed ]}	<!--#exec cgi="/cgi-bin/foo.cgi" --> <!--#exec cmd="ls -l" -->
`echo`	var	This directive displays the contents of a specified HTTP environment variable. Variables include `HTTP_USER_AGENT`, `LAST_MODIFIED`, and `HTTP_ACCEPT`.^{[ citation needed ]}	Your IP address is: <!--#echo var="REMOTE_ADDR" -->
`config`	timefmt, sizefmt, or errmsg	This directive configures the display formats for the date, time, filesize, and error message (returned when an SSI command fails).	<!--#config timefmt="%y %m %d" --> <!--#config sizefmt="bytes" --> <!--#config errmsg="SSI command failed!" -->
`flastmod` and `fsize`	file or virtual	These directives display the date when the specified document was last modified, or the specified document's size. The file or virtual parameters specify the document to use. The file parameter defines the document as relative to the document path; the virtual parameter defines the document as relative to the document root.	<!--#flastmod virtual="index.html" --> <!--#fsize file="script.pl" -->

Control directives

Control directives are later added to SSI. They include the ubiquitous if-elif-else-endif flow control and variable writing as well as more exotic features like loops only found in some implementations.

Directive	Parameters	Description	Example	Found in
if elif else endif	expr	The if statement. Used for condition tests that may determine and generate multiple logical pages from one single physical page. `elif` is a shorthand for nested else-if. `else` and `endif` do not accept parameters. Expression syntax vary among implementations. Variable existence and equality/regex checks are commonly supported. Jigsaw uses expressions split over multiple attributes instead.^[1]	<!--#if expr="${Sec_Nav}" --> <!--#include virtual="secondary_nav.txt" --> <!--#elif expr="${Pri_Nav}" --> <!--#include virtual="primary_nav.txt" --> <!--#else --> <!--#include virtual="article.txt" --> <!--#endif -->	Ubiquitous.
set	var, value	Sets the value of a SSI variable. Apache provides additional parameters for encodings.^[8]	<!--#set var="foo" value="bar" -->	Apache,^[8] Nginx^[9]
`printenv`		This directive outputs a list of all SSI variables and their values, including environmental and user-defined variables. It has no attributes.	<!--#printenv -->	Apache^[8]

Notes

↑ Nevertheless found in some implementations, including Jigsaw.

Related Research Articles

The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. It is developed and maintained by a community of developers under the auspices of the Apache Software Foundation.

In computing, Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program to process HTTP or HTTPS user requests.

A web server is computer software and underlying hardware that accepts requests via HTTP or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiates communication by making a request for a web page or other resource using HTTP, and the server responds with the content of that resource or an error message. A web server can also accept and store resources sent from the user agent if configured to do so.

In web applications, a rewrite engine is a software component that performs rewriting on URLs, modifying their appearance. This modification is called URL rewriting. It is a way of implementing URL mapping or routing within a web application. The engine is typically a component of a web server or web application framework. Rewritten URLs are used to provide shorter and more relevant-looking links to web pages. The technique adds a layer of abstraction between the files used to generate a web page and the URL that is presented to the outside world.

An .htaccess file is a directory-level configuration file supported by several web servers, used for configuration of website-access issues, such as URL redirection, URL shortening, access control, and more. The 'dot' before the file name makes it a hidden file in Unix-based environments.

URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

A query string is a part of a uniform resource locator (URL) that assigns values to specified parameters. A query string commonly includes fields added to a base URL by a Web browser or other client application, for example as part of an HTML document, choosing the appearance of a page, or jumping to positions in multimedia content.

The Web Server Gateway Interface is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language. The current version of WSGI, version 1.0.1, is specified in Python Enhancement Proposal (PEP) 3333.

Web server software allows computers to act as web servers. The first web servers supported only static files, such as HTML, but now they commonly allow embedding of server side applications.

For computer log management, the Common Log Format, also known as the NCSA Common log format, is a standardized text file format used by web servers when generating server log files. Because the format is standardized, the files can be readily analyzed by a variety of web analysis programs, for example Webalizer and Analog.

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. A large fraction of web servers use Nginx, often as a load balancer.

Web2py is an open-source web application framework written in the Python programming language. Web2py allows web developers to program dynamic web content using Python. Web2py is designed to help reduce tedious web development tasks, such as developing web forms from scratch, although a web developer may build a form from scratch if required.

When an HTTP client requests a URL that points to a directory structure instead of an actual web page within the directory structure, the web server will generally serve a default page, which is often referred to as a main or "index" page.

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

<span class="mw-page-title-main">CERN httpd</span> Early web server

CERN httpd is an early, now discontinued, web server (HTTP) daemon originally developed at CERN from 1990 onwards by Tim Berners-Lee, Ari Luotonen and Henrik Frystyk Nielsen. Implemented in C, it was the first web server software.

FastCGI is a binary protocol for interfacing interactive programs with a web server. It is a variation on the earlier Common Gateway Interface (CGI). FastCGI's main aim is to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time.

Diazo, previously named xdv, is a general-purpose, open source website theming tool. It is written in Python and generates XSLT. Diazo creates a separation between theme pages and transformation rules, allowing web designers to work on templates in plain HTML, without knowledge of XSLT or special template-related codes.

HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google. HTTP/2 was developed by the HTTP Working Group of the Internet Engineering Task Force (IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The initial HTTP/2 specification was published as RFC 7540 on May 14, 2015.

Brotli is a lossless data compression algorithm developed by Google. It uses a combination of the general-purpose LZ77 lossless compression algorithm, Huffman coding and 2nd-order context modelling. Brotli is primarily used by web servers and content delivery networks to compress HTTP content, making internet websites load faster. A successor to gzip, it is supported by all major web browsers and has become increasingly popular, as it provides better compression than gzip.

References

1 2 "SSI Commands". W3C. Retrieved 24 March 2019.
1 2 3 "Server Side Includes (SSI)". NCSA HTTPd Tutorial. Archived from the original on 3 March 1997. Retrieved 24 March 2019.
↑ "Configuring your server to permit SSI". Apache Tutorial: Introduction to Server Side Includes. The Apache Software Foundation. Retrieved 24 June 2015.
↑ "Server Side Includes Turing machine, Jan Schejbal". Janschejbal.de. Retrieved 2012-12-06.
↑ "Basic SSI Directives and Syntax". 2018-02-09. Retrieved 2018-02-09.
↑ "Module ngx_http_ssi_module". nginx documentation. Retrieved 16 November 2021.
1 2 "Apache Module mod_include". Apache HTTP Server Version 2.4 Documentation. Apache Software Foundation. Retrieved 2021-09-07.
1 2 3 "mod_include". Apache HTTP Server. Retrieved 25 March 2019.
↑ "ngx_http_ssi_module". nginx.org. Retrieved 25 March 2019.

External links

Language reference from implementations:
- Apache: Apache mod_include Reference. Calls directives "elements".
- Nginx: Module ngx_http_ssi_module. Calls directives "commands".
- NCSA HTTPd: Original NCSA HTTPd SSI Reference. Calls directives "commands".
- W3C Jigsaw: Server Side Include commands. Calls directives "elements". Highly expanded with servlets, JDBC, HTTP cookie, and loops.
Tutorials:

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[4] Nevertheless found in some implementations, including Jigsaw.

[jig-1] 1 2 "SSI Commands". W3C. Retrieved 24 March 2019.

[ncsa-ssi-2] 1 2 3 "Server Side Includes (SSI)". NCSA HTTPd Tutorial. Archived from the original on 3 March 1997. Retrieved 24 March 2019.

[3] "Configuring your server to permit SSI". Apache Tutorial: Introduction to Server Side Includes. The Apache Software Foundation. Retrieved 24 June 2015.

[5] "Server Side Includes Turing machine, Jan Schejbal". Janschejbal.de. Retrieved 2012-12-06.

[6] "Basic SSI Directives and Syntax". 2018-02-09. Retrieved 2018-02-09.

[nginx-ssi-7] "Module ngx_http_ssi_module". nginx documentation. Retrieved 16 November 2021.

[apache-httpd-doc-mod-include-8] 1 2 "Apache Module mod_include". Apache HTTP Server Version 2.4 Documentation. Apache Software Foundation. Retrieved 2021-09-07.

[apache-inc-9] 1 2 3 "mod_include". Apache HTTP Server. Retrieved 25 March 2019.

[nginx-10] "ngx_http_ssi_module". nginx.org. Retrieved 25 March 2019.

[1]

[2]

[3]

[lower-alpha 1]

[4]

[5]

[6]

[7]

[8]

[9]