Modules

Apache is highly configurable and extensible with modules.
The most popular are, in order:
1. PHP
2. OpenSSL
3. mod_ssl
4. FrontPage
5. perl
See Security Space's 4/1/2003 survey of Apache module users.
Write modules using the Apache module application programming interface (API).
There is a third-party module registry at http://modules.apache.org/.
Lincoln Stein wrote a good overview of the API.
Some modules are bundled with the standard distribution.
- See http://localhost/manual/mod/.

Lab

Go to the C:\Program Files\Apache Group\Apache\conf directory.
Peruse httpd.conf.
Of the modules included with the standard distribution, which are enabled in the default configuration?

Lab
Go to the `C:\Program Files\Apache Group\Apache\conf` directory. Peruse `httpd.conf`. Of the modules included with the standard distribution, which are enabled in the default configuration?

HTTP headers can include many different pieces of control information.
In the following lab, we use an HTTP header called Expires.
It is an instruction to the client about a document's validity and persistence.
Until it expires, a document may be fetched from the cache.
After that, the cached copy is considered invalid, and a new copy must be requested.
The expiration timestamp can be relative either to the time the source file was last modified or to the time of the client access.
Apache's mod_expires module controls the generation of Expires headers.
In this lab we cause Apache to generate Expires headers.
This is useful for data that changes rapidly, such as stock prices and airline seat availability.

Lab

Connect to your server with telnet. The command is:
telnet localhost 80

Ask the server for a file. The HTTP request is:
GET / HTTP/1.0

Study the header that's returned.
Observe that there is no expiration timestamp.

Lab
Connect to your server with `telnet`. The command is: `telnet localhost 80` Ask the server for a file. The HTTP request is: `GET / HTTP/1.0` Study the header that's returned. Observe that there is no expiration timestamp.

How modules become enabled:
- Either by being statically linked into the server when it's compiled, or
- By being activated with a LoadModule directive.
Tradeoffs: A few modules carry a significant resource footprint. Even if they aren't used they consume memory or CPU cycles. Hence, it's a good idea to comment out the LoadModule and AddModule lines in your configuration files for modules you don't need.

Lab

In httpd.conf, enable the mod_expires module: uncomment both its LoadModule and its AddModule directives.
Add the following directives:
ExpiresDefault "access plus 5 seconds" ExpiresActive on

Stop and restart your server.
As above, connect to your server with telnet.
As above, ask the server for a file.
Study the header that's returned.
Observe that there is now an expiration timestamp.

Lab
In `httpd.conf`, enable the `mod_expires` module: uncomment both its `LoadModule` and its `AddModule` directives. Add the following directives: `ExpiresDefault "access plus 5 seconds" ExpiresActive on` Stop and restart your server. As above, connect to your server with `telnet`. As above, ask the server for a file. Study the header that's returned. Observe that there is now an expiration timestamp.

Request processing is handled in a series of phases:

post_read_request

Once Apache has received the request and read the header, all modules registered for this phase are invoked in order. Things like the client's User-Agent field are examined, since they're not dependent upon transformations the server might apply to the request.

translate_handler (URI translation)

This is the point at which manipulations of the URL are done. For example, it might be rewritten by mod_rewrite to redirect the request. This is also the phase during which any mapping of the URI to a filesystem location takes place; Alias, ScriptAlias and similar directives are applied at this point.

header_parser

This phase was originally designed to be used for analysing the request header, but became obsolete as the server evolved and the post_read_request phase was added.

access_checker

Strong authentication checks are applied, if appropriate.

ap_check_user_id (authentication)

This phase checks for weak authentication.

auth_checker (authorization)

If weak authentication was applied and the client credentials passed the check, this phase performs the authorisation aspect of the checking -- seeing if the user actually has access to the requested document. Now the Require directive is checked.

type_checker (MIME type checking)

This phase is used to determine the content-type of the response, if it can be determined. Sometimes it cannot be determined when the document is dynamically generated.

fixer_upper

This phase provides an opportunity for modules to perform any last-millisecond cleanup, correction, or fixup operations.

content generation

At last, the response header and response body are actually sent back to the client.

logger

By the time this phase begins, the request is essentially complete; the client has received its response, and the server just needs to do some bookkeeping. Logging demands I/O, which may be delayed or blocked on a busy server. By deferring this phase until after all the others, service to the client isn't delayed or blocked.

Each module can register to participate in one or more phases.

As the server moves through the handling of the request, all modules registered for each phase in turn are invoked in order.

The order of the LoadModule directives is significant. Apache manages its modules with a stack. Each LoadModule pushes a module onto the top of the stack. Modules that should be executed first, such as those upon which others depend, should be loaded last.

The module order can be changed by the ClearModuleList and AddModule directives. Following a ClearModuleList directive, only modules that are subsequently added by AddModule directives will be available.