compliance.xml revision 99bfe4427761b6bb735aa1dd6a24e72313da0820
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
<p>This document describes the mechanism to set a policy for HTTP
protocol compliance for a given URL space by the origin servers or
applications behind that URL space.</p>
<p>For those who have received an error message from a rejected
policy and need to know what the rejection means and what they
might do to fix the error, each policy is described below.</p>
<title>Enforcing HTTP Protocol Compliance in Apache 2</title>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyConditional</directive>
<directive module="mod_policy">PolicyKeepalive</directive>
<directive module="mod_policy">PolicyValidation</directive>
</directivelist>
<p>The HTTP protocol follows the <strong>robustness principle</strong>
as described in <a href="http://tools.ietf.org/html/rfc1122">RFC1122</a>,
which states <strong>"Be liberal in what you accept, and conservative in
what you send"</strong>. As a result of this principle, HTTP clients will
compensate for and recover from incorrect or misconfigured responses, or
responses that are uncacheable.</p>
<p>As a website is scaled up to face greater and greater traffic loads,
suboptimal or misconfigured applications or server configurations can
threaten both the stability and scalability of the website, as well as
the hosting costs associated with it. A website can also scale up to face
greater configuration complexity, and it can become increasingly difficult to
detect and keep track of suboptimally configured URL spaces on a given
server.</p>
<p>Eventually a point is reached where the principle "conservative in
what you send" needs to be enforced by the server administrator.</p>
<p>The <module>mod_policy</module> module provides a set of filters
which can be applied to a server, allowing key features of the HTTP
protocol to be explicitly tested, and non-compliant responses logged as
warnings, or rejected outright as an error. Each filter can be applied
separately, allowing the administrator to pick and choose which policies
should be enforced depending on the circumstances of their environment.</p>
<p>The filters might be placed in testing and staging environments for
the benefit of application and website developers, or may be applied
to production servers to protect infrastructure from systems outside
the administrator's direct control.</p>
<img src="images/compliance-reverse-proxy.png" width="666" height="239" alt=
"Enforcing HTTP protocol compliance for an application server"/>
<p>In the above example, an Apache httpd server has been placed between
the application server and the internet at large, and configured to cache
responses from the application server. The <module>mod_policy</module>
filters have been added to enforce support for cacheable content and
conditional requests, ensuring that both <module>mod_cache</module> and
public caches on the internet are fully able to cache content created
by the RESTful application server efficiently.</p>
<img src="images/compliance-static.png" width="469" height="239" alt=
"Enforcing HTTP protocol compliance in a static server"/>
<p>In the above simpler example, a static server serving highly cacheable
content has a set of policies applied to ensure that the server configuration
conforms to a minimum level of compliance.</p>
<modulelist>
</modulelist>
<directivelist>
<directive module="mod_policy">PolicyConditional</directive>
</directivelist>
<p>A response is rejected by this policy if the server does not correctly
respond to a conditional request with the appropriate status code.</p>
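As an added example, not code from the mod_policy documentation or from the httpd project, the following Python models the check that a conditional-request policy performs and the two reactions the text describes (log as a warning, or reject). It assumes an origin can be modelled as a function from request headers to (status, headers, body), uses constructed ETag and Last-Modified values, and names the modes "log" and "enforce" for illustration only; the real directive syntax is not shown on this page.

```python
"""Added example (not part of the mod_policy documentation): a model of the
check a conditional-request policy performs on an origin's responses.

An origin is modelled as a function taking a dict of request headers and
returning (status, response_headers, body). The check fetches a resource,
then repeats the request conditionally using each validator the origin
advertised, and expects 304 Not Modified with an empty body.
"""

from email.utils import formatdate

# Constructed validator values for the sample origins.
ETAG = '"v1-abc123"'
LAST_MODIFIED = formatdate(1700000000, usegmt=True)
BODY = b"<html>sample</html>"


def compliant_origin(req_headers):
    """Advertises validators and honours If-None-Match / If-Modified-Since.
    Exact string comparison is enough for this model; a real origin parses
    the date before comparing."""
    if req_headers.get("If-None-Match") == ETAG:
        return 304, {"ETag": ETAG}, b""
    if req_headers.get("If-Modified-Since") == LAST_MODIFIED:
        return 304, {"ETag": ETAG}, b""
    return 200, {"ETag": ETAG, "Last-Modified": LAST_MODIFIED}, BODY


def naive_origin(req_headers):
    """Advertises validators but ignores conditional headers, so every
    revalidation re-sends the full body."""
    return 200, {"ETag": ETAG, "Last-Modified": LAST_MODIFIED}, BODY


def bare_origin(req_headers):
    """Sends no validators at all, so a cache can never revalidate."""
    return 200, {"Content-Type": "text/html"}, BODY


def check_conditional(origin):
    """Return (ok, findings). ok is True only when every conditional request
    built from the advertised validators is answered with 304 and no body."""
    status, headers, _ = origin({})
    if status != 200:
        return False, [f"initial request returned {status}, expected 200"]

    validators = {}
    if "ETag" in headers:
        validators["If-None-Match"] = headers["ETag"]
    if "Last-Modified" in headers:
        validators["If-Modified-Since"] = headers["Last-Modified"]
    if not validators:
        return False, ["response carries neither ETag nor Last-Modified"]

    findings = []
    for cond_header, value in validators.items():
        cstatus, _, cbody = origin({cond_header: value})
        if cstatus != 304:
            findings.append(
                f"{cond_header}: {value} answered {cstatus} with "
                f"{len(cbody)} body bytes, expected 304")
        elif cbody:
            findings.append(f"{cond_header}: 304 response must not carry a body")
    return not findings, findings


def apply_policy(origin, mode):
    """Model the two reactions the text describes for a violated policy
    (mode names are this example's own): 'log' lets the response through
    and records a warning, 'enforce' rejects it. Returns (action, findings)."""
    ok, findings = check_conditional(origin)
    if ok:
        return "pass", findings
    return ("warn" if mode == "log" else "reject"), findings


if __name__ == "__main__":
    for name, origin in [("compliant", compliant_origin),
                         ("naive", naive_origin), ("bare", bare_origin)]:
        for mode in ("log", "enforce"):
            action, findings = apply_policy(origin, mode)
            print(f"{name:10s} {mode:8s} -> {action}", *findings, sep="\n    ")
```

The naive origin is the case the policy exists to catch: it advertises validators that look cacheable, yet every revalidation costs a full 200 response, which is exactly the avoidable load a cache in front of it cannot remove.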
<p>Conditional requests form the mechanism by which an HTTP cache makes
stale content fresh again, and particularly for content with short freshness
lifetimes, lack of support for conditional requests can add avoidable load