<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->
<p>This document describes the mechanism to set a policy for HTTP
protocol compliance for a given URL space by the origin servers or
applications behind that URL space.</p>
<p>For those who may have received an error message from a rejected
policy, and need to know what the policy rejection means and what
they might do to fix the error, each policy is described below.</p>
<seealso><a href="filter.html">Filters</a></seealso>
<title>Enforcing HTTP Protocol Compliance in Apache 2</title>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyConditional</directive>
<directive module="mod_policy">PolicyLength</directive>
<directive module="mod_policy">PolicyKeepalive</directive>
<directive module="mod_policy">PolicyType</directive>
<directive module="mod_policy">PolicyVary</directive>
<directive module="mod_policy">PolicyValidation</directive>
<directive module="mod_policy">PolicyNocache</directive>
<directive module="mod_policy">PolicyMaxage</directive>
<directive module="mod_policy">PolicyVersion</directive>
</directivelist>
<p>The HTTP protocol follows the <strong>robustness principle</strong>
as described in <a href="http://tools.ietf.org/html/rfc1122">RFC1122</a>,
which states <strong>"Be liberal in what you accept, and conservative in
what you send"</strong>. As a result of this principle, HTTP clients will
compensate for and recover from incorrect or misconfigured responses, or
responses that are uncacheable.</p>
<p>As a website is scaled up to face greater and greater traffic loads,
suboptimal or misconfigured applications or server configurations can
threaten both the stability and scalability of the website, as well as
the hosting costs associated with it. A website can also scale up to face
greater configuration complexity, and it can be increasingly difficult to
detect and keep track of suboptimally configured URL spaces on a given
server.</p>
<p>Eventually a point is reached where the principle "conservative in
what you send" needs to be enforced by the server administrator.</p>
<p>The <module>mod_policy</module> module provides a set of filters
which can be applied to a server, allowing key features of the HTTP
protocol to be explicitly tested, and non-compliant responses logged as
warnings, or rejected outright as an error. Each filter can be applied
separately, allowing the administrator to pick and choose which policies
should be enforced depending on the circumstances of their environment.</p>
<p>The filters might be placed in testing and staging environments for
the benefit of application and website developers, or may be applied
to production servers to protect infrastructure from systems outside
the administrator's direct control.</p>
<img src="images/compliance-reverse-proxy.png" width="666" height="239" alt="Enforcing HTTP protocol compliance for an application server"/>
<p>In the above example, an Apache httpd server has been placed between
the application server and the internet at large, and configured to cache
responses from the application server. The <module>mod_policy</module>
filters have been added to enforce support for cacheable content and
conditional requests, ensuring that both <module>mod_cache</module> and
public caches on the internet are fully able to cache content created
by the RESTful application server efficiently.</p>
<img src="images/compliance-static.png" width="469" height="239" alt="Enforcing HTTP protocol compliance in a static server"/>
<p>In the above simpler example, a static server serving highly cacheable
content has a set of policies applied to ensure that the server configuration
conforms to a minimum level of compliance.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyConditional</directive>
</directivelist>
<p>This policy will be rejected if the server does not correctly respond
to a conditional request with the appropriate status code.</p>
<p>Conditional requests form the mechanism by which an HTTP cache makes
stale content fresh again, and particularly for content with short freshness
lifetimes, lack of support for conditional requests can add avoidable load
to the server.</p>
<p>Most specifically, the existence of any of the following headers in the
request makes the request conditional:</p>
<dd>If the provided ETag in the <code>If-Match</code> header does not match
the ETag of the response, the server should return
<code>412 Precondition Failed</code>. Full details of how to handle an
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.24">
<dd>If the provided ETag in the <code>If-None-Match</code> header matches
the ETag of the response, the server should return either
<code>304 Not Modified</code> for GET/HEAD requests, or
<code>412 Precondition Failed</code> for other methods. Full details of how
to handle an <code>If-None-Match</code> header can be found in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.26">
<dd>If the provided date in the <code>If-Modified-Since</code> header is
older than the <code>Last-Modified</code> header of the response, the server
should return <code>304 Not Modified</code>. Full details of how to handle an
<code>If-Modified-Since</code> header can be found in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.25">
<dd>If the provided date in the <code>If-Modified-Since</code> header is
newer than the <code>Last-Modified</code> header of the response, the server
should return <code>412 Precondition Failed</code>. Full details of how to
handle an <code>If-Unmodified-Since</code> header can be found in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.28">
<dd>If the provided ETag or date in the <code>If-Range</code> header matches
the ETag or Last-Modified of the response, and a valid <code>Range</code>
is present, the server should return
<code>206 Partial Response</code>. Full details of how to handle an
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.27">
<p>If the response is detected to have been successful (a 2xx response),
but was conditional and one of the responses above was expected instead,
this policy will be rejected. Responses that indicate a redirect or a
failure of some kind (3xx, 4xx, 5xx) will be ignored by this policy.</p>
<p>This policy is implemented by the <strong>POLICY_CONDITIONAL</strong>
filter.</p>
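<p>The ETag half of this check, as an added Python example that is not
mod_policy's own code: it computes the status the rules above call for and
flags a 2xx that should have been a 304 or 412. The function names and sample
exchanges are constructed, the date-based headers and <code>If-Range</code>
are left out, and the use of strong comparison for <code>If-Match</code> and
weak comparison for <code>If-None-Match</code> is an assumption.</p>

```python
"""ETag-based part of the conditional-request policy (added illustration)."""


def parse_etags(value):
    """Split an If-Match / If-None-Match value into entity-tags.

    A quoted tag may itself contain commas, so the value is scanned
    quote by quote instead of being split on ','.
    """
    value = value.strip()
    if value == "*":
        return ["*"]
    tags, i = [], 0
    while i < len(value):
        weak = value.startswith("W/", i)
        start = i + 2 if weak else i
        if start >= len(value) or value[start] != '"':
            i += 1                      # separator or whitespace between tags
            continue
        end = value.find('"', start + 1)
        if end == -1:                   # unterminated tag: stop parsing
            break
        tags.append(value[i:end + 1])
        i = end + 1
    return tags


def _opaque(tag):
    return tag[2:] if tag.startswith("W/") else tag


def strong_match(a, b):
    return not a.startswith("W/") and not b.startswith("W/") and a == b


def weak_match(a, b):
    return _opaque(a) == _opaque(b)


def expected_status(method, req_headers, resp_etag):
    """Status the rules call for, or None if the request should proceed."""
    if_match = req_headers.get("If-Match")
    if if_match is not None:
        tags = parse_etags(if_match)
        ok = resp_etag is not None and (
            tags == ["*"] or any(strong_match(t, resp_etag) for t in tags))
        if not ok:
            return 412
    if_none_match = req_headers.get("If-None-Match")
    if if_none_match is not None:
        tags = parse_etags(if_none_match)
        hit = resp_etag is not None and (
            tags == ["*"] or any(weak_match(t, resp_etag) for t in tags))
        if hit:
            return 304 if method in ("GET", "HEAD") else 412
    return None


def policy_conditional(method, req_headers, status, resp_etag):
    """Return 'ignore', 'pass' or 'reject' for one request/response pair."""
    if not 200 <= status <= 299:
        return "ignore"                 # 3xx/4xx/5xx are not examined
    want = expected_status(method, req_headers, resp_etag)
    return "reject" if want is not None else "pass"


# Constructed exchanges: (method, request headers, response status, response ETag)
SAMPLES = [
    ("GET", {"If-None-Match": '"v1", W/"v2"'}, 200, 'W/"v2"'),  # 304 was due
    ("GET", {"If-None-Match": '"v1"'}, 200, '"v3"'),            # content changed
    ("PUT", {"If-Match": '"v1"'}, 200, '"v3"'),                 # 412 was due
    ("GET", {"If-None-Match": '"a,b"'}, 304, '"a,b"'),          # non-2xx
]


def audit(samples=SAMPLES):
    return [policy_conditional(*s) for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, audit()):
        print(verdict, sample)
```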
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyLength</directive>
</directivelist>
<p>This policy will be rejected if the server response does not contain
<p>There are a number of ways of determining the length of a response
body, described in full in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4">
<p>When the <code>Content-Length</code> header is present, the size of
the body is declared at the start of the response. If this information
is missing, an HTTP cache might choose to ignore the response, as it
does not know in advance whether the response will fit within the
cache's defined limits.</p>
<p>HTTP/1.1 defines the <code>Transfer-Encoding</code> header as an
alternative to <code>Content-Length</code>, allowing the end of the
response to be indicated to the client without the client having to
know the length beforehand. However, when HTTP/1.0 requests are
processed, and no <code>Content-Length</code> is specified, the only
mechanism available to the server to indicate the end of the response
is to drop the connection. In an environment containing load
balancers, this can cause the keepalive mechanism to be bypassed.</p>
<p>If the response is detected to have been successful (a 2xx response),
and has a response body (this excludes <code>204 No Content</code>), and
the <code>Content-Length</code> header is missing, this policy will be
rejected. Responses that indicate a redirect or a failure of some kind
(3xx, 4xx, 5xx) will be ignored by this policy.</p>
<note type="warning">It should be noted that some modules, such as
<module>mod_proxy</module>, add their own <code>Content-Length</code>
header should the response be small enough for it to have been possible
to read the response lacking such a header in one go. This may cause
small responses to pass this policy, while larger responses may
fail for the same URL.</note>
<p>This policy is implemented by the <strong>POLICY_LENGTH</strong>
filter.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyType</directive>
</directivelist>
<p>This policy will be rejected if the server response does not contain
an explicit and syntactically correct <code>Content-Type</code> header
that matches the server-defined pattern.</p>
<p>The media type of the body is placed in the <code>Content-Type</code>
header, and the format of the header is described in full in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7">
<p>A syntactically valid content type might look as follows:</p>
# invalid<br />
Content-Type: foo<br />
# blank<br />
Content-Type:
<p>The server administrator has the option to restrict the policy to one
or more specific types, or could specify a general wildcard type such as
<p>This policy is implemented by the <strong>POLICY_TYPE</strong>
filter.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyKeepalive</directive>
</directivelist>
<p>This policy will be rejected if the server response does not contain
an explicit <code>Content-Length</code> header, or a
<p>There are a number of ways of determining the length of a response
body, described in full in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4">
<p>When the <code>Content-Length</code> header is present, the size of
the body is declared at the start of the response. HTTP/1.1 defines the
<code>Transfer-Encoding</code> header as an alternative to
<code>Content-Length</code>, allowing the end of the response to be
indicated to the client without the client having to know the length
beforehand. In the absence of these two mechanisms, the only way for
a server to indicate the end of the response is to drop the connection.
In an environment containing load balancers, this can cause the keepalive
mechanism to be bypassed.</p>
<dd>we have not marked this connection as errored;</dd>
<dd>the response status does not require a close;</dd>
<dd>the response body has a defined length due to the status code
being 304 or 204, the request method being HEAD, already having defined
Content-Length or Transfer-Encoding: chunked, or the request version
being HTTP/1.1 and thus capable of being set as chunked</dd>
<note type="warning">The server may choose to turn off keepalive for
various reasons, such as an imminent shutdown, or a Connection: close from
the client, or an HTTP/1.0 client request with a response with no
<code>Content-Length</code>, but for our purposes we only care that
keepalive was possible from the application, not that keepalive actually
took place.</note>
<p>It should also be noted that the Apache httpd server includes a filter
that adds chunked encoding to responses without an explicit content
length. This policy catches those cases where this filter is bypassed or
not in effect.</p>
<p>This policy is implemented by the <strong>POLICY_KEEPALIVE</strong>
filter.</p>
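<p>How the length policy and the keepalive policy diverge on the same
response, as an added Python example that is not mod_policy's own code. It
assumes that all three keepalive conditions listed above must hold together,
and it takes the two connection-state conditions as plain flags; the function
names and sample responses are constructed.</p>

```python
"""POLICY_LENGTH versus POLICY_KEEPALIVE as described above (added illustration)."""


def _has(headers, name):
    """Case-insensitive header presence test."""
    return any(k.lower() == name for k in headers)


def _chunked(headers):
    """True when the final transfer coding is 'chunked'."""
    for key, value in headers.items():
        if key.lower() == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            return codings[-1] == "chunked"
    return False


def policy_length(status, headers):
    """2xx with a body and no Content-Length is rejected; non-2xx is ignored."""
    if not 200 <= status <= 299:
        return "ignore"
    if status == 204:
        return "pass"                   # 204 No Content carries no body
    return "pass" if _has(headers, "content-length") else "reject"


def keepalive_possible(version, method, status, headers,
                       conn_errored=False, status_requires_close=False):
    """True when the response leaves the connection reusable.

    conn_errored and status_requires_close stand in for the first two
    listed conditions, which only the server itself can know.
    """
    defined_length = (
        status in (304, 204)
        or method == "HEAD"
        or _has(headers, "content-length")
        or _chunked(headers)
        or version == (1, 1)            # chunked encoding can still be applied
    )
    return not conn_errored and not status_requires_close and defined_length


def policy_keepalive(version, method, status, headers, **conn_state):
    ok = keepalive_possible(version, method, status, headers, **conn_state)
    return "pass" if ok else "reject"


# Constructed samples: (label, request version, method, status, response headers)
SAMPLES = [
    ("1.1 streamed", (1, 1), "GET", 200, {"Content-Type": "text/html"}),
    ("1.0 streamed", (1, 0), "GET", 200, {"Content-Type": "text/html"}),
    ("1.0 sized", (1, 0), "GET", 200, {"Content-Length": "512"}),
    ("1.0 no content", (1, 0), "DELETE", 204, {}),
]


def audit(samples=SAMPLES):
    """Map each label to (length verdict, keepalive verdict)."""
    return {
        label: (policy_length(status, headers),
                policy_keepalive(version, method, status, headers))
        for label, version, method, status, headers in samples
    }


if __name__ == "__main__":
    for label, verdicts in audit().items():
        print(f"{label:15} length={verdicts[0]:7} keepalive={verdicts[1]}")
```

<p>The streamed HTTP/1.1 response is the case that separates the two
policies: it has no declared length for a cache to size against, yet it does
not force the connection to close.</p>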
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyMaxage</directive>
</directivelist>
<p>This policy will be rejected if the server response does not have
an explicit <strong>freshness lifetime</strong> at least as long
as the server-defined limit, or if the freshness lifetime is
calculated based on a heuristic.</p>
<p>Full details of how a freshness lifetime is calculated are described in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.2">
<p>During the freshness lifetime, a cache does not need to contact the
origin server at all; it can simply pass the cached content as is back
to the client.</p>
<p>When the freshness lifetime is reached, the cache should contact the
origin server in an effort to check whether the content is still fresh,
and if not, replace the content.</p>
<p>When the freshness lifetime is too short, it can result in excessive
load on the server. In addition, should an outage occur that is as long
or longer than the freshness lifetime, all cached content will become
stale, which could cause a thundering herd of traffic when the
server or network returns.</p>
<p>This policy is implemented by the <strong>POLICY_MAXAGE</strong>
filter.</p>
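<p>A freshness-lifetime check in the spirit of this policy, as an added
Python example that is not mod_policy's own code. The order of precedence
(<code>s-maxage</code>, then <code>max-age</code>, then <code>Expires</code>
minus <code>Date</code>) is an assumption taken from the usual shared-cache
rules, and the function names, the 3600 second limit and the sample headers
are constructed.</p>

```python
"""Explicit freshness lifetime versus a server-defined minimum (added illustration)."""
import re
from email.utils import parsedate_to_datetime

# name, optionally followed by =token or ="quoted string" (quotes may hide commas)
_DIRECTIVE = re.compile(r'([\w-]+)(?:=("[^"]*"|[^\s,]*))?')


def _directives(cache_control):
    """Parse a Cache-Control value into {lower-cased name: value or ''}."""
    return {name.lower(): value.strip('"')
            for name, value in _DIRECTIVE.findall(cache_control)}


def explicit_freshness(headers):
    """Seconds of explicit freshness, or None when only a heuristic remains."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    for name in ("s-maxage", "max-age"):
        value = cc.get(name)
        if value and value.isdigit():
            return int(value)
    if "expires" in h and "date" in h:
        try:
            delta = (parsedate_to_datetime(h["expires"])
                     - parsedate_to_datetime(h["date"]))
        except (TypeError, ValueError):
            return 0                    # unparseable date: treat as already expired
        return max(0, int(delta.total_seconds()))
    return None


def policy_maxage(headers, min_age):
    """Verdict for one response against the administrator's minimum age."""
    lifetime = explicit_freshness(headers)
    if lifetime is None:
        return "reject: heuristic freshness"
    if lifetime < min_age:
        return f"reject: {lifetime}s < {min_age}s"
    return "pass"


# Constructed response headers
SAMPLES = {
    "explicit, long enough": {"Cache-Control": "public, max-age=86400"},
    "explicit, too short": {"Cache-Control": "max-age=30"},
    "Expires minus Date": {"Date": "Mon, 01 Jan 2024 00:00:00 GMT",
                           "Expires": "Mon, 01 Jan 2024 01:00:00 GMT"},
    "heuristic only": {"Last-Modified": "Sun, 31 Dec 2023 00:00:00 GMT"},
}


def audit(min_age=3600, samples=SAMPLES):
    return {label: policy_maxage(h, min_age) for label, h in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:22} {verdict}")
```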
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyNocache</directive>
</directivelist>
<p>This policy will be rejected if the server response declares itself
uncacheable using either the <code>Cache-Control</code> or
<p>Full details of how content may be declared uncacheable are described in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1">
RFC2616 section 14.9.1 What is Cacheable</a>, and within the definition
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.32">
<p>Most specifically, should any of the following header combinations
exist in the response headers, the response will be rejected:</p>
<p>When unexpected, uncacheable content may produce unacceptable levels
of server load, or may incur significant cost. When this policy is enabled,
all server-defined uncacheable content will be rejected.</p>
<p>This policy is implemented by the <strong>POLICY_NOCACHE</strong>
filter.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyValidation</directive>
</directivelist>
<p>This policy will be rejected if the server response does not contain
<p>The <code>ETag</code> header is described in full in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.19">
RFC2616 section 14.19 ETag</a>, and the <code>Last-Modified</code> header
is described in full in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.29">
<p>In addition to being checked for presence, the headers are checked for
syntax.</p>
<p>An <code>ETag</code> that is not surrounded with quotes, or is not
declared "weak" by prefixing it with a "W/" will cause the policy to be
rejected. A <code>Last-Modified</code> that is not parsed as a valid date
will cause the policy to be rejected.</p>
<p>This policy is implemented by the <strong>POLICY_VALIDATION</strong>
filter.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyVary</directive>
</directivelist>
<p>This policy will be rejected if the server response contains a
<code>Vary</code> header, and that header in turn contains a header
blacklisted by the administrator.</p>
<p>The <code>Vary</code> header is described in full in
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.44">
<p>Some client provided headers, such as <code>User-Agent</code>,
can contain thousands or millions of combinations of values over a period
of time, and if the response is declared cacheable, a cache might attempt
to cache each of these responses separately, filling up the cache and
crowding out other entries in the cache. In this scenario, if so
configured, the policy will reject the response.</p>
<p>This policy is implemented by the <strong>POLICY_VARY</strong>
filter.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyVersion</directive>
</directivelist>
<p>This policy will be rejected if the client request was made with a
version number lower than the version of HTTP specified.</p>
<p>This policy is typically used with RESTful applications where
control over the type of client is desired. This policy can be used
alongside the <code>POLICY_KEEPALIVE</code> filter to ensure that
HTTP/1.0 clients don't cause keepalive connections to be dropped.</p>
<p>Possible minimum versions that could be specified are:</p>
<p>This policy is implemented by the <strong>POLICY_VERSION</strong>
filter.</p>
</manualpage>