
HTTP

Technical overview
HTTP functions as a request-response protocol in the client-server computing model. In HTTP, a web browser, for example, acts as a client, while an application running on a computer hosting a web site functions as a server. The client submits an HTTP request message to the server. The server, which stores content, or provides resources, such as HTML files, or performs other functions on behalf of the client, returns a response message to the client. A response contains completion status information about the request and may contain any content requested by the client in its message body. A web browser (or client) is often referred to as a user agent (UA). Other user agents can include the indexing software used by search providers, known as web crawlers, or variations of the web browser such as voice browsers, which present an interactive voice user interface. HTTP is designed to permit intermediate network elements to improve or enable communications between clients and servers. High-traffic websites often benefit from web cache servers that deliver content on behalf of the original, so-called origin server, to improve response time. HTTP proxy servers at network boundaries facilitate communication when clients without a globally routable address are located in private networks by relaying the requests and responses between clients and servers. HTTP is an Application Layer protocol designed within the framework of the Internet Protocol Suite. The protocol definitions presume a reliable Transport Layer protocol for host-to-host data transfer.[2] The Transmission Control Protocol (TCP) is the dominant protocol in use for this purpose. However, HTTP has found application even with unreliable protocols, such as the User Datagram Protocol (UDP) in methods such as the Simple Service Discovery Protocol (SSDP). 
HTTP resources are identified and located on the network by Uniform Resource Identifiers (URIs) or, more specifically, Uniform Resource Locators (URLs), using the http or https URI schemes. URIs and the Hypertext Markup Language (HTML) form a system of inter-linked resources, called hypertext documents, on the Internet, that led to the establishment of the World Wide Web in 1990 by English computer scientist and innovator Tim Berners-Lee. The original version of HTTP (HTTP/1.0) was revised in HTTP/1.1. HTTP/1.0 uses a separate connection to the same server for every request-response transaction, while HTTP/1.1 can reuse a connection multiple times, to download, for instance, images for a just-delivered page. Hence HTTP/1.1 communications experience less latency, as the establishment of TCP connections presents considerable overhead.

Request methods

Figure: An HTTP request made using telnet, with the request, response headers and response body highlighted.

HTTP defines nine methods (sometimes referred to as "verbs") indicating the desired action to be performed on the identified resource. What this resource represents, whether pre-existing data or data that is generated dynamically, depends on the implementation of the server. Often, the resource corresponds to a file or the output of an executable residing on the server.

HEAD: Asks for a response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.
GET: Requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect. (This is also true of some other HTTP methods.)[1] The W3C has published guidance principles on this distinction, saying, "Web application design should be informed by the above principles, but also by the relevant limitations."[10] See safe methods below.
POST: Submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource, the updating of existing resources, or both.
PUT: Uploads a representation of the specified resource.
DELETE: Deletes the specified resource.
TRACE: Echoes back the received request, so that a client can see what (if any) changes or additions have been made by intermediate servers.
OPTIONS: Returns the HTTP methods that the server supports for the specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.
CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.[11]
PATCH: Is used to apply partial modifications to a resource.[12]

HTTP servers are required to implement at least the GET and HEAD methods[13] and, whenever possible, also the OPTIONS method.

List of HTTP status codes


1xx Informational
Request received, continuing process.[2] This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line. Since HTTP/1.0 did not define any 1xx status codes, servers must not send a 1xx response to an HTTP/1.0 client except under experimental conditions.

100 Continue: This means that the server has received the request headers, and that the client should proceed to send the request body (in the case of a request for which a body needs to be sent; for example, a POST request). If the request body is large, sending it to a server when a request has already been rejected based upon inappropriate headers is inefficient. To have a server check whether the request could be accepted based on the request's headers alone, a client must send Expect: 100-continue as a header in its initial request[2] and check whether a 100 Continue status code is received in response before continuing (or receive 417 Expectation Failed and not continue).[2]
101 Switching Protocols: This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so.[2]
102 Processing (WebDAV; RFC 2518): As a WebDAV request may contain many sub-requests involving file operations, it may take a long time to complete the request. This code indicates that the server has received and is processing the request, but no response is available yet.[3] This prevents the client from timing out and assuming the request was lost.

2xx Success
This class of status codes indicates that the action requested by the client was received, understood, accepted and processed successfully.

200 OK: Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.[2]
201 Created: The request has been fulfilled and resulted in a new resource being created.[2]
202 Accepted: The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.[2]
203 Non-Authoritative Information (since HTTP/1.1): The server successfully processed the request, but is returning information that may be from another source.[2]
204 No Content: The server successfully processed the request, but is not returning any content.[2]
205 Reset Content: The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view.[2]
206 Partial Content: The server is delivering only part of the resource due to a range header sent by the client. The range header is used by tools like wget to enable resuming of interrupted downloads, or to split a download into multiple simultaneous streams.[2]
207 Multi-Status (WebDAV; RFC 4918): The message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.[4]
208 Already Reported (WebDAV; RFC 5842): The members of a DAV binding have already been enumerated in a previous reply to this request, and are not being included again.
226 IM Used (RFC 3229): The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.[5]

3xx Redirection
The client must take additional action to complete the request.[2] This class of status code indicates that further action needs to be taken by the user agent in order to fulfil the request. The action required may be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD. A user agent should not automatically redirect a request more than five times, since such redirections usually indicate an infinite loop.

300 Multiple Choices: Indicates multiple options for the resource that the client may follow. It could, for instance, be used to present different format options for video, list files with different extensions, or word sense disambiguation.[2]
301 Moved Permanently: This and all future requests should be directed to the given URI.[2]
302 Found: This is an example of industry practice contradicting the standard.[2] The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"),[6] but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.[7] However, some Web applications and frameworks use the 302 status code as if it were the 303.
303 See Other (since HTTP/1.1): The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), it should be assumed that the server has received the data and the redirect should be issued with a separate GET message.[2]
304 Not Modified: Indicates the resource has not been modified since last requested.[2] Typically, the HTTP client provides a header like the If-Modified-Since header to provide a time against which to compare. Using this saves bandwidth and reprocessing on both the server and client, as only the header data must be sent and received, in comparison to the entirety of the page being re-processed by the server and then sent again, using more bandwidth of the server and client.
305 Use Proxy (since HTTP/1.1): Many HTTP clients (such as Mozilla[8] and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.[2]
306 Switch Proxy: No longer used.[2] Originally meant "Subsequent requests should use the specified proxy."[9]
307 Temporary Redirect (since HTTP/1.1): In this case, the request should be repeated with another URI; however, future requests can still use the original URI.[2] In contrast to 302, the request method should not be changed when reissuing the original request. For instance, a POST request must be repeated using another POST request.
308 Permanent Redirect (experimental Internet-Draft)[10]: The request, and all future requests, should be repeated using another URI. 307 and 308 (as proposed) parallel the behaviours of 302 and 301, but do not require the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.
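The redirect rules above (303 re-issued as GET, 307/308 keeping the method and therefore needing user confirmation for a POST, the common browser practice of treating 302 like 303, and the five-redirect limit) as a small user-agent decision routine. This is an added example, not code from the original page; the response table and URIs are constructed.

```python
MAX_REDIRECTS = 5  # a user agent should not automatically redirect more than this


class RedirectLoop(Exception):
    """Raised when the redirect chain exceeds MAX_REDIRECTS."""


def next_request(method, status):
    """Decide how to re-issue a request after a 3xx response.

    Returns (new_method, automatic), or None for statuses that are not
    automatic redirects (300, 304, 305, 306 and every non-3xx status).
    automatic means the user agent may follow without asking the user, which
    the text allows only when the re-issued request is GET or HEAD.
    """
    if status in (301, 302):
        # Common browser practice described above: a non-GET/HEAD request is
        # re-issued as GET, i.e. 302 handled like 303.
        new = method if method in ("GET", "HEAD") else "GET"
        return new, True
    if status == 303:
        # 303 See Other: fetch the new URI with GET (a HEAD stays HEAD).
        return ("HEAD" if method == "HEAD" else "GET"), True
    if status in (307, 308):
        # The method must be preserved, so a POST may only be replayed after
        # the user confirms; GET and HEAD may proceed automatically.
        return method, method in ("GET", "HEAD")
    return None


def follow(responses, method, uri):
    """Walk a constructed table uri -> (status, location) the way a cautious
    user agent would. Returns (final_status, final_uri, final_method, hops)."""
    hops = 0
    while True:
        status, location = responses[uri]
        decision = next_request(method, status)
        if decision is None:
            return status, uri, method, hops
        new_method, automatic = decision
        if not automatic:
            # Hand back to the caller (the user) instead of replaying silently.
            return status, uri, method, hops
        hops += 1
        if hops > MAX_REDIRECTS:
            raise RedirectLoop("more than %d redirects reached at %s" % (MAX_REDIRECTS, uri))
        if location is None:
            raise ValueError("%d response without a Location" % status)
        method, uri = new_method, location


def is_loop(responses, method, uri):
    """True when following from uri never settles within MAX_REDIRECTS hops."""
    try:
        follow(responses, method, uri)
        return False
    except RedirectLoop:
        return True


# Constructed response table: (status, Location) for each URI.
RESPONSES = {
    "/old": (301, "/new"),
    "/new": (200, None),
    "/submit": (303, "/result"),   # POST, then redirect to a GET of the result
    "/result": (200, None),
    "/form": (307, "/form-v2"),    # method kept, so a POST waits for the user
    "/form-v2": (200, None),
    "/a": (302, "/b"),             # two URIs redirecting to each other
    "/b": (302, "/a"),
}

if __name__ == "__main__":
    print(follow(RESPONSES, "GET", "/old"))
    print(follow(RESPONSES, "POST", "/submit"))
    print(follow(RESPONSES, "POST", "/form"))
    print("loop /a ->", is_loop(RESPONSES, "GET", "/a"))
```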

4xx Client Error


The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method. User agents should display any included entity to the user.

400 Bad Request: The request cannot be fulfilled due to bad syntax.[2]
401 Unauthorized: Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided.[2] The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.
402 Payment Required: Reserved for future use.[2] The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's MobileMe service generates a 402 error ("httpStatusCode:402" in the Mac OS X Console log) if the MobileMe account is delinquent.
403 Forbidden: The request was a legal request, but the server is refusing to respond to it.[2] Unlike a 401 Unauthorized response, authenticating will make no difference.[2]
404 Not Found: The requested resource could not be found but may be available again in the future.[2] Subsequent requests by the client are permissible.
405 Method Not Allowed: A request was made of a resource using a request method not supported by that resource;[2] for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.
406 Not Acceptable: The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.[2]
407 Proxy Authentication Required: The client must first authenticate itself with the proxy.[2]
408 Request Timeout: The server timed out waiting for the request.[2] According to the W3 HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
409 Conflict: Indicates that the request could not be processed because of a conflict in the request, such as an edit conflict.[2]
410 Gone: Indicates that the resource requested is no longer available and will not be available again.[2] This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource again in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
411 Length Required: The request did not specify the length of its content, which is required by the requested resource.[2]
412 Precondition Failed: The server does not meet one of the preconditions that the requester put on the request.[2]
413 Request Entity Too Large: The request is larger than the server is willing or able to process.[2]
414 Request-URI Too Long: The URI provided was too long for the server to process.[2]
415 Unsupported Media Type: The request entity has a media type which the server or resource does not support.[2] For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
416 Requested Range Not Satisfiable: The client has asked for a portion of the file, but the server cannot supply that portion.[2] For example, if the client asked for a part of the file that lies beyond the end of the file.[2]
417 Expectation Failed: The server cannot meet the requirements of the Expect request-header field.[2]
418 I'm a teapot (RFC 2324): This code was defined in 1998 as one of the traditional IETF April Fools' jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol, and is not expected to be implemented by actual HTTP servers. However, known implementations do exist.[11]
420 Enhance Your Calm (Twitter): Returned by the Twitter Search and Trends API when the client is being rate limited.[12] Likely a reference to this number's association with marijuana. Other services may wish to implement the 429 Too Many Requests response code instead. The phrase "Enhance Your Calm" is a reference to Demolition Man (film). In the film, Sylvester Stallone's character John Spartan is a hot-head in a generally more subdued future, and is regularly told to "Enhance your calm" rather than a more common phrase like "calm down".
422 Unprocessable Entity (WebDAV; RFC 4918): The request was well-formed but was unable to be followed due to semantic errors.[4]
423 Locked (WebDAV; RFC 4918): The resource that is being accessed is locked.[4]
424 Failed Dependency (WebDAV; RFC 4918): The request failed due to failure of a previous request (e.g. a PROPPATCH).[4]
425 Unordered Collection (RFC 3648): Defined in drafts of "WebDAV Advanced Collections Protocol",[13] but not present in "Web Distributed Authoring and Versioning (WebDAV) Ordered Collections Protocol".[14]
426 Upgrade Required (RFC 2817): The client should switch to a different protocol such as TLS/1.0.[15]
428 Precondition Required: The origin server requires the request to be conditional. Intended to prevent "the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict."[16] Specified in an Internet-Draft which is approved for publication as an RFC.
429 Too Many Requests (approved Internet-Draft): The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes. Specified in an Internet-Draft which is approved for publication as an RFC.[16]
431 Request Header Fields Too Large: The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large. Specified in an Internet-Draft which is approved for publication as an RFC.[16]
444 No Response (Nginx): An Nginx HTTP server extension. The server returns no information to the client and closes the connection (useful as a deterrent for malware).
449 Retry With (Microsoft): A Microsoft extension. The request should be retried after performing the appropriate action.[17]
450 Blocked by Windows Parental Controls (Microsoft): A Microsoft extension. This error is given when Windows Parental Controls are turned on and are blocking access to the given webpage.[18]
499 Client Closed Request (Nginx): An Nginx HTTP server extension. This code is introduced to log the case when the connection is closed by the client while the HTTP server is processing its request, making the server unable to send the HTTP header back.[19]

5xx Server Error


The server failed to fulfill an apparently valid request.[2] Response status codes beginning with the digit "5" indicate cases in which the server is aware that it has encountered an error or is otherwise incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and indicate whether it is a temporary or permanent condition. Likewise, user agents should display any included entity to the user. These response codes are applicable to any request method.

500 Internal Server Error: A generic error message, given when no more specific message is suitable.[2]
501 Not Implemented: The server either does not recognise the request method, or it lacks the ability to fulfill the request.[2]
502 Bad Gateway: The server was acting as a gateway or proxy and received an invalid response from the upstream server.[2]
503 Service Unavailable: The server is currently unavailable (because it is overloaded or down for maintenance).[2] Generally, this is a temporary state.
504 Gateway Timeout: The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.[2]
505 HTTP Version Not Supported: The server does not support the HTTP protocol version used in the request.[2]
506 Variant Also Negotiates (RFC 2295): Transparent content negotiation for the request results in a circular reference.[20]
507 Insufficient Storage (WebDAV; RFC 4918): The server is unable to store the representation needed to complete the request.[4]
508 Loop Detected (WebDAV; RFC 5842): The server detected an infinite loop while processing the request (sent in lieu of 208).
509 Bandwidth Limit Exceeded (Apache bw/limited extension): This status code, while used by many servers, is not specified in any RFC.
510 Not Extended (RFC 2774): Further extensions to the request are required for the server to fulfill it.[21]
511 Network Authentication Required (approved Internet-Draft): The client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g. "captive portals" used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot). Specified in an Internet-Draft which is approved for publication as an RFC.[16]
598 Network read timeout error: This status code is not specified in any RFC, but is used by some HTTP proxies to signal a network read timeout behind the proxy to a client in front of the proxy.
599 Network connect timeout error: This status code is not specified in any RFC, but is used by some HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.

HTTP persistent connection


Operation
Under HTTP 1.0, there is no official specification for how keepalive operates. It was, in essence, tacked on to an existing protocol. If the browser supports keep-alive, it adds an additional header to the request:
Connection: Keep-Alive

Then, when the server receives this request and generates a response, it also adds a header to the response:
Connection: Keep-Alive

Following this, the connection is NOT dropped, but is instead kept open. When the client sends another request, it uses the same connection. This will continue until either the client or the server decides that the conversation is over, and one of them drops the connection. In HTTP 1.1 all connections are considered persistent unless declared otherwise.[1] The HTTP persistent connections do not use separate keepalive messages, they just allow multiple requests to use a single connection. However, the default connection timeout of Apache 2.0 httpd[2] is as little as 15 seconds[3] and for Apache 2.2 only 5 seconds.[4] The advantage of a short timeout is the ability to deliver multiple components of a web page quickly while not tying up multiple server processes or threads for too long.[5]
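Because a persistent connection carries several requests back to back with no keepalive messages between them, the receiver has to frame each message itself (here by Content-Length) and apply the version-dependent rule for whether the connection stays open. The following is an added example, not code from the original page; the byte stream, host name and paths are constructed.

```python
def parse_request(buf):
    """Parse one HTTP request from the start of buf.

    Returns (request, remaining_bytes), or None when buf does not yet hold a
    complete request (head terminated by a blank line plus Content-Length
    bytes of body). Raises ValueError on a malformed request line, header
    line or Content-Length value.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))  # ValueError if not numeric
    if length < 0:
        raise ValueError("negative Content-Length")
    if len(rest) < length:
        return None  # body still in flight; wait for more bytes
    request = {"method": method, "target": target, "version": version,
               "headers": headers, "body": rest[:length]}
    return request, rest[length:]


def keeps_alive(request):
    """Rules from the text: HTTP/1.1 connections persist unless the peer sends
    Connection: close; HTTP/1.0 connections persist only with Connection: Keep-Alive."""
    token = request["headers"].get("connection", "").lower()
    if request["version"] == "HTTP/1.1":
        return token != "close"
    return token == "keep-alive"


def split_pipeline(stream):
    """Pull every complete request off one connection's byte stream, stopping
    after a request that ends the persistent connection."""
    requests = []
    while stream:
        parsed = parse_request(stream)
        if parsed is None:
            break  # incomplete request: keep it buffered, read more
        request, stream = parsed
        requests.append(request)
        if not keeps_alive(request):
            break  # the connection closes here; trailing bytes belong to no request
    return requests


# Constructed sample: two requests pipelined on one HTTP/1.1 connection, the
# second of which closes it; a third request trailing it must be ignored.
STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"name=bob"
    b"GET /home HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"GET /ignored HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for r in split_pipeline(STREAM):
        print(r["method"], r["target"], r["body"], "keep-alive:", keeps_alive(r))
```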

Advantages

Less CPU and memory usage (because fewer connections are open simultaneously)
Enables HTTP pipelining of requests and responses
Reduced network congestion (fewer TCP connections)
Reduced latency in subsequent requests (no handshaking)
Errors can be reported without the penalty of closing the TCP connection

According to RFC 2616 (page 46), a single-user client should not maintain more than 2 connections with any server or proxy. A proxy should use up to 2N connections to another server or proxy, where N is the number of simultaneously active users. These guidelines are intended to improve HTTP response times and avoid congestion. If HTTP pipelining is correctly implemented, there is no performance benefit to be gained from additional connections (while additional connections may cause issues with congestion).[6]

Disadvantages

It has been suggested that with modern widespread high-bandwidth connections, Keep-Alive might not be as useful as it once was. The web server will keep a connection open for a certain number of seconds (by default 15 in Apache), which may hurt performance more than the total performance benefits.[7] For services where single documents are regularly requested (for example, image hosting websites), Keep-Alive can be massively detrimental to performance due to keeping unnecessary connections open for many seconds after the document was retrieved.

Use in web browsers

Figure: Schema of multiple vs. persistent connections.

Netscape Navigator (since at least 4.05) and Internet Explorer (since at least 4.01) support persistent connections to Web servers and proxies. Netscape does not close persistent connections using a timeout. All idling persistent connections are queued. When there is a need to open new persistent connections while connecting to a different server, the idle connections are killed by the browser using some form of LRU algorithm.[8]

Internet Explorer supports persistent connections. By default, versions 6 and 7 use 2 persistent connections while version 8 uses 6.[9] Persistent connections time out after 60 seconds of inactivity, which is changeable via the Windows Registry.[10]

Mozilla Firefox supports persistent connections. The number of simultaneous connections can be customized (per-server, per-proxy, total). Persistent connections time out after 115 seconds (1.92 minutes) of inactivity, which is changeable via the configuration.[11]

Opera supports persistent connections since 4.0.[12] The number of simultaneous connections can be customized (per-server, total).

IPv4

Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet. IPv4 is still by far the most widely deployed Internet Layer protocol (as of 2011, IPv6 deployment is still in its infancy). IPv4 is described in IETF publication RFC 791 (September 1981), replacing an earlier definition (RFC 760, January 1980). IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).

Addressing
IPv4 uses 32-bit (four-byte) addresses, which limits the address space to 4294967296 (2^32) addresses. Addresses were assigned to users, and the number of unassigned addresses decreased. IPv4 address exhaustion occurred on February 3, 2011. It had been significantly delayed by address changes such as classful network design, Classless Inter-Domain Routing, and network address translation (NAT). This limitation of IPv4 stimulated the development of IPv6 in the 1990s, which has been in commercial deployment since 2006. IPv4 reserves special address blocks for private networks (~18 million addresses) and multicast addresses (~270 million addresses).

Special-use addresses
Reserved address blocks

Range             Description                                       Reference
0.0.0.0/8         Current network (only valid as source address)    RFC 1700
10.0.0.0/8        Private network                                   RFC 1918
100.64.0.0/10     Shared Address Space                              RFC 6598
127.0.0.0/8       Loopback                                          RFC 5735
169.254.0.0/16    Link-local                                        RFC 3927
172.16.0.0/12     Private network                                   RFC 1918
192.0.0.0/24      Reserved (IANA)                                   RFC 5735
192.0.2.0/24      TEST-NET-1, documentation and examples            RFC 5735
192.88.99.0/24    IPv6 to IPv4 relay                                RFC 3068
192.168.0.0/16    Private network                                   RFC 1918
198.18.0.0/15     Network benchmark tests                           RFC 2544
198.51.100.0/24   TEST-NET-2, documentation and examples            RFC 5737
203.0.113.0/24    TEST-NET-3, documentation and examples            RFC 5737
224.0.0.0/4       IP multicast (former Class D network)             RFC 5771
240.0.0.0/4       Reserved (former Class E network)                 RFC 1700
255.255.255.255   Broadcast                                         RFC 919

Private networks

Of the approximately four billion addresses allowed in IPv4, three ranges of addresses are reserved for use in private networks. These ranges are not routable outside of private networks, and private machines cannot directly communicate with public networks. They can, however, do so through network address translation. The following are the three ranges reserved for private networks (RFC 1918):

Name           Address range                    Number of addresses   Classful description                     Largest CIDR block
24-bit block   10.0.0.0 to 10.255.255.255       16777216              Single Class A                           10.0.0.0/8
20-bit block   172.16.0.0 to 172.31.255.255     1048576               Contiguous range of 16 Class B blocks    172.16.0.0/12
16-bit block   192.168.0.0 to 192.168.255.255   65536                 Contiguous range of 256 Class C blocks   192.168.0.0/16

Virtual private networks

Packets with a private destination address are ignored by all public routers. Two private networks (e.g., two branch offices) cannot communicate via the public internet, unless they use an IP tunnel or a virtual private network (VPN). When one private network wants to send a packet to another private network, the first private network encapsulates the packet in a protocol layer so that the packet can travel through the public network. Then the packet travels through the public network. When the packet reaches the other private network, its protocol layer is removed, and the packet travels to its destination. Optionally, encapsulated packets may be encrypted to secure the data while it travels over the public network.

Loopback
The class A network 127.0.0.0 (classless network 127.0.0.0/8) is reserved for loopback. IP packets whose source addresses belong to this network should never appear outside a host. The modus operandi of this network expands upon that of a loopback interface:

IP packets whose source and destination addresses belong to the network (or subnetwork) of the same loopback interface are returned back to that interface;
IP packets whose source and destination addresses belong to networks (or subnetworks) of different interfaces of the same host, one of them being a loopback interface, are forwarded regularly.

Address resolution
Hosts on the Internet are usually known by names, e.g., www.example.com, not primarily by their IP address, which is used for routing and network interface identification. The use of domain names requires translating, called resolving, them to addresses and vice versa. This is analogous to looking up a phone number in a phone book using the recipient's name. The translation between addresses and domain names is performed by the Domain Name System (DNS), a hierarchical, distributed naming system which allows for subdelegation of name spaces to other DNS servers. DNS is often described in analogy to the telephone system directory information systems in which subscriber names are translated to telephone numbers.

Address space exhaustion


Since the 1980s, it was apparent that the pool of available IPv4 addresses was being depleted at a rate that was not initially anticipated in the original design of the network address system.[6] The threat of exhaustion was the motivation for remedial technologies, such as classful networks, Classless Inter-Domain Routing (CIDR) methods, and network address translation (NAT). Eventually, IPv6 was created, which has many more addresses available. Several market forces accelerated IPv4 address exhaustion:

Rapidly growing number of Internet users
Always-on devices: ADSL modems, cable modems
Mobile devices: laptop computers, PDAs, mobile phones

Some technologies mitigated IPv4 address exhaustion:

Network address translation (NAT), a technology that allows a private network to use one public IP address; it permits private addresses in the private network
Use of private networks
Dynamic Host Configuration Protocol (DHCP)
Name-based virtual hosting of web sites
Tighter control by regional Internet registries over the allocation of addresses to local Internet registries
Network renumbering to reclaim large blocks of address space allocated in the early days of the Internet

The primary address pool of the Internet, maintained by IANA, was exhausted on 3 February 2011, when the last 5 blocks were allocated to the 5 RIRs.[7][8] APNIC was the first RIR to exhaust its regional pool on 15 April 2011, except for a small amount of address space reserved for the transition to IPv6, which will be allocated under a much more restricted policy.[9] The accepted and standard solution is to use Internet Protocol Version 6. The address size was increased in IPv6 to 128 bits, providing a vastly increased address space that also allows improved route aggregation across the Internet and offers large subnetwork allocations of a minimum of 2^64 host addresses to end-users. Migration to IPv6 is in progress but completion is expected to take considerable time.

Packet structure
An IP packet consists of a header section and a data section.

Header
The IPv4 packet header consists of 14 fields, of which 13 are required. The 14th field is optional and aptly named: options. The fields in the header are packed with the most significant byte first (big endian), and for the diagram and discussion the most significant bits are considered to come first (MSB 0 bit numbering). The most significant bit is numbered 0, so the version field is found in the four most significant bits of the first byte, for example.

bit offset 0:   Version (bits 0-3) | Internet Header Length (4-7) | Differentiated Services Code Point (8-13) | Explicit Congestion Notification (14-15) | Total Length (16-31)
bit offset 32:  Identification (0-15) | Flags (16-18) | Fragment Offset (19-31)
bit offset 64:  Time to Live (0-7) | Protocol (8-15) | Header checksum (16-31)
bit offset 96:  Source IP Address (0-31)
bit offset 128: Destination IP Address (0-31)
bit offset 160: Options (if Header Length > 5)
bit offset 160 or 192+: Data

Version
The first header field in an IP packet is the four-bit version field. For IPv4, this has a value of 4 (hence the name IPv4).

Internet Header Length (IHL)
The second field (4 bits) is the Internet Header Length (IHL), which is the number of 32-bit words in the header. Since an IPv4 header may contain a variable number of options, this field specifies the size of the header (this also coincides with the offset to the data). The minimum value for this field is 5 (RFC 791), which is a length of 5 × 32 = 160 bits = 20 bytes. Being a 4-bit value, the maximum length is 15 words (15 × 32 bits) or 480 bits = 60 bytes.

Differentiated Services Code Point (DSCP)
Originally defined as the Type of Service field, this field is now defined by RFC 2474 for Differentiated services (DiffServ). New technologies are emerging that require real-time data streaming and therefore make use of the DSCP field. An example is Voice over IP (VoIP), which is used for interactive voice exchange.

Explicit Congestion Notification (ECN)
This field is defined in RFC 3168 and allows end-to-end notification of network congestion without dropping packets. ECN is an optional feature that is only used when both endpoints support it and are willing to use it. It is only effective when supported by the underlying network.

Total Length
This 16-bit field defines the entire packet (fragment) size, including header and data, in bytes. The minimum-length packet is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535 bytes, the maximum value of a 16-bit word. The largest datagram that any host is required to be able to reassemble is 576 bytes, but most modern hosts handle much larger packets. Sometimes subnetworks impose further restrictions on the packet size, in which case datagrams must be fragmented. Fragmentation is handled in either the host or the router in IPv4.

Identification
This field is primarily used for uniquely identifying fragments of an original IP datagram. Some experimental work has suggested using the ID field for other purposes, such as adding packet-tracing information to help trace datagrams with spoofed source addresses.[10]

Flags
A three-bit field follows and is used to control or identify fragments. They are (in order, from high order to low order):

bit 0: Reserved; must be zero.[note 1]

bit 1: Don't Fragment (DF)

bit 2: More Fragments (MF)

If the DF flag is set and fragmentation is required to route the packet, then the packet is dropped. This can be used when sending packets to a host that does not have sufficient resources to handle fragmentation. It can also be used for Path MTU Discovery, either automatically by the host IP software or manually using diagnostic tools such as ping or traceroute. For unfragmented packets, the MF flag is cleared. For fragmented packets, all fragments except the last have the MF flag set. The last fragment has a non-zero Fragment Offset field, differentiating it from an unfragmented packet.

Fragment Offset
The fragment offset field, measured in units of eight-byte blocks, is 13 bits long and specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP datagram. The first fragment has an offset of zero. This allows a maximum offset of (2^13 − 1) × 8 = 65,528 bytes, which would exceed the maximum IP packet length of 65,535 bytes once the header length is included (65,528 + 20 = 65,548 bytes).

Time To Live (TTL)
An eight-bit time to live field helps prevent datagrams from persisting (e.g. going in circles) on an internet. This field limits a datagram's lifetime. It is specified in seconds, but time intervals less than 1 second are rounded up to 1. In practice the field has become a hop count: when the datagram arrives at a router, the router decrements the TTL field by one. When the TTL field hits zero, the router discards the packet and typically sends an ICMP Time Exceeded message to the sender. The program traceroute uses these ICMP Time Exceeded messages to print the routers used by packets to go from the source to the destination.

Protocol
This field defines the protocol used in the data portion of the IP datagram. The Internet Assigned Numbers Authority maintains a list of IP protocol numbers, which was originally defined in RFC 790.
Header Checksum
The 16-bit checksum field is used for error-checking of the header. When a packet arrives at a router, the router calculates the checksum of the header and compares it to the checksum field. If the values do not match, the router discards the packet. Errors in the data field must be handled by the encapsulated protocol. Both UDP and TCP have checksum fields. When a packet arrives at a router, the router decreases the TTL field. Consequently, the router must calculate a new checksum. RFC 1071 defines the checksum calculation: the checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words in the header. For purposes of computing the checksum, the value of the checksum field is zero. For example, take the 20-byte IP header 4500003044224000800600008c7c19acae241e2b (hex):

4500 + 0030 + 4422 + 4000 + 8006 + 0000 + 8c7c + 19ac + ae24 + 1e2b = 2BBCF
2 + BBCF = BBD1 = 1011101111010001
one's complement of the sum: 0100010000101110 = 442E

To validate a header's checksum the same algorithm may be used; the checksum of a header which contains a correct checksum field is a word containing all zeros (value 0):

2BBCF + 442E = 2FFFD
2 + FFFD = FFFF
one's complement of FFFF = 0

Source address
This field is the IPv4 address of the sender of the packet. Note that this address may be changed in transit by a network address translation device.

Destination address
This field is the IPv4 address of the receiver of the packet. As with the source address, this may be changed in transit by a network address translation device.

Options
The options field is not often used. Note that the value in the IHL field must include enough extra 32-bit words to hold all the options (plus any padding needed to ensure that the header contains an integral number of 32-bit words). The list of options may be terminated with an EOL (End of Options List, 0x00) option; this is only necessary if the end of the options would not otherwise coincide with the end of the header. The possible options that can be put in the header are as follows:

Field | Size (bits) | Description
Copied | 1 | Set to 1 if the options need to be copied into all fragments of a fragmented packet.
Option Class | 2 | A general options category. 0 is for "control" options, and 2 is for "debugging and measurement". 1 and 3 are reserved.
Option Number | 5 | Specifies an option.
Option Length | 8 | Indicates the size of the entire option (including this field). This field may not exist for simple options.
Option Data | Variable | Option-specific data. This field may not exist for simple options.

Note: If the header length is greater than 5, i.e. it is from 6 to 15, it means that the options field is present and must be considered. Note: Copied, Option Class, and Option Number are sometimes referred to as a single eight-bit field, the Option Type. The following two options are discouraged because they create security concerns: Loose Source and Record Route (LSRR) and Strict Source and Record Route (SSRR). Many routers block packets containing these options.[citation needed]
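As an added example (not part of the original page), the following Python parses a 20-byte IPv4 header into the fields described above and implements the RFC 1071 checksum exactly as in the worked example: it reproduces 442E for the sample header and confirms that a header carrying that value sums to zero. The sample bytes are the ones from the checksum walkthrough; the function names, the dictionary layout and the sanity checks (IHL below 5, header longer than the buffer, fragment extending past 65,535 bytes) are this example's own choices.

```python
import struct

# Constructed sample: the 20-byte header from the checksum walkthrough above,
# with its checksum field still zero (bytes 10..11).
SAMPLE_HEADER = bytes.fromhex("4500003044224000800600008c7c19acae241e2b")


def ones_complement_sum(data: bytes) -> int:
    """One's complement sum of 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back in: 2BBCF -> 2 + BBCF = BBD1
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Value for bytes 10..11, computed with that field treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def checksum_valid(header: bytes) -> bool:
    """A header with a correct checksum sums to FFFF, whose complement is 0."""
    return (~ones_complement_sum(header)) & 0xFFFF == 0


def with_checksum(header: bytes) -> bytes:
    """Return a copy of the header with the checksum field filled in."""
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte header; raises ValueError on malformed input.

    Only header-level consistency is checked: Total Length may exceed len(packet)
    because a caller may hand over the header alone, as in the sample.
    """
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the minimum of 5 words")
    header_len = ihl * 4
    if header_len > len(packet):
        raise ValueError("IHL claims more header bytes than are present")
    if total_len < header_len:
        raise ValueError("Total Length is smaller than the header length")
    flags = flags_frag >> 13            # bits 0-2 of the second word
    offset_bytes = (flags_frag & 0x1FFF) * 8
    fragment_end = offset_bytes + (total_len - header_len)
    if fragment_end > 65535:            # offset * 8 can reach 65,528 on its own
        raise ValueError("fragment would extend past the 65,535-byte datagram limit")
    return {
        "version": version, "ihl": ihl, "header_len": header_len,
        "dscp": dscp_ecn >> 2, "ecn": dscp_ecn & 0x3,
        "total_length": total_len, "identification": ident,
        "reserved_bit": bool(flags & 0x4),  # must be zero; recorded, not enforced
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "fragment_offset_bytes": offset_bytes, "fragment_end": fragment_end,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:header_len],
        "checksum_ok": checksum_valid(packet[:header_len]),
    }


if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print(hex(ipv4_checksum(SAMPLE_HEADER)))
```

Because the sample's checksum field is zero, parsing it reports checksum_ok as False; filling the field with the computed value and re-parsing turns it True, and flipping any header byte (the TTL decrement a router performs, for instance) makes validation fail again until the checksum is recomputed.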

Requests
Accept
  Description: Content-Types that are acceptable
  Example: Accept: text/plain

Accept-Charset
  Description: Character sets that are acceptable
  Example: Accept-Charset: utf-8

Accept-Encoding
  Description: Acceptable encodings. See HTTP compression.
  Example: Accept-Encoding: <compress | gzip | deflate | sdch | identity>

Accept-Language
  Description: Acceptable languages for response
  Example: Accept-Language: en-US

Accept-Datetime
  Description: Acceptable version in time
  Example: Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT

Authorization
  Description: Authentication credentials for HTTP authentication
  Example: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Cache-Control
  Description: Used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain
  Example: Cache-Control: no-cache

Connection
  Description: What type of connection the user agent would prefer
  Example: Connection: close

Cookie
  Description: An HTTP cookie previously sent by the server with Set-Cookie (see the response headers below)
  Example: Cookie: $Version=1; Skin=new;

Content-Length
  Description: The length of the request body in octets (8-bit bytes)
  Example: Content-Length: 348

Content-MD5
  Description: A Base64-encoded binary MD5 sum of the content of the request body
  Example: Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==

Content-Type
  Description: The MIME type of the body of the request (used with POST and PUT requests)
  Example: Content-Type: application/x-www-form-urlencoded

Date
  Description: The date and time that the message was sent
  Example: Date: Tue, 15 Nov 1994 08:12:31 GMT

Expect
  Description: Indicates that particular server behaviors are required by the client
  Example: Expect: 100-continue

From
  Description: The email address of the user making the request
  Example: From: user@example.com

Host
  Description: The domain name of the server (for virtual hosting), mandatory since HTTP/1.1
  Example: Host: en.wikipedia.org

If-Match
  Description: Only perform the action if the client-supplied entity matches the same entity on the server. This is mainly for methods like PUT, to only update a resource if it has not been modified since the user last updated it.
  Example: If-Match: "737060cd8c284d8af7ad3082f209582d"

If-Modified-Since
  Description: Allows a 304 Not Modified to be returned if content is unchanged
  Example: If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

If-None-Match
  Description: Allows a 304 Not Modified to be returned if content is unchanged; see HTTP ETag
  Example: If-None-Match: "737060cd8c284d8af7ad3082f209582d"

If-Range
  Description: If the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity
  Example: If-Range: "737060cd8c284d8af7ad3082f209582d"

If-Unmodified-Since
  Description: Only send the response if the entity has not been modified since a specific time
  Example: If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT

Max-Forwards
  Description: Limit the number of times the message can be forwarded through proxies or gateways
  Example: Max-Forwards: 10

Pragma
  Description: Implementation-specific headers that may have various effects anywhere along the request-response chain
  Example: Pragma: no-cache

Proxy-Authorization
  Description: Authorization credentials for connecting to a proxy
  Example: Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Range
  Description: Request only part of an entity. Bytes are numbered from 0.
  Example: Range: bytes=500-999

Referer [sic]
  Description: This is the address of the previous web page from which a link to the currently requested page was followed. (The word "referrer" is misspelled in the RFC as well as in most implementations.)
  Example: Referer: http://en.wikipedia.org/wiki/Main_Page

TE
  Description: The transfer encodings the user agent is willing to accept: the same values as for the response header Transfer-Encoding can be used, plus the "trailers" value (related to the "chunked" transfer method) to notify the server it expects to receive additional headers (the trailers) after the last, zero-sized chunk
  Example: TE: trailers, deflate

Upgrade
  Description: Ask the server to upgrade to another protocol
  Example: Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11

User-Agent
  Description: The user agent string of the user agent
  Example: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Via
  Description: Informs the server of proxies through which the request was sent
  Example: Via: 1.0 fred, 1.1 nowhere.com (Apache/1.1)

Warning
  Description: A general warning about possible problems with the entity body
  Example: Warning: 199 Miscellaneous warning
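The table states that Host is mandatory in HTTP/1.1 and that If-None-Match and If-Modified-Since let a server answer 304 Not Modified. As an added example (not code from the original page), the Python below parses a request head into those fields, rejects an HTTP/1.1 request without Host, and decides between 200 and 304 from the validators. The sample request is constructed from the example values in the table; the function names are this example's own.

```python
import email.utils
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample request using the header values shown in the table above.
SAMPLE_REQUEST = (
    "GET /wiki/Main_Page HTTP/1.1\r\n"
    "Host: en.wikipedia.org\r\n"
    "Accept: text/plain\r\n"
    "If-None-Match: \"737060cd8c284d8af7ad3082f209582d\"\r\n"
    "If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n"
    "Max-Forwards: 10\r\n"
    "\r\n"
)


def parse_request_head(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a request head into (method, target, version, headers).

    Field names are case-insensitive and are lower-cased; a repeated field is
    joined with commas (HTTP list semantics).  A line without a colon, with an
    empty name, or with whitespace before the colon is rejected rather than
    guessed at, and an HTTP/1.1 request without Host is rejected too.
    """
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head: no blank line ends the headers")
    request_line, *field_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in field_lines:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return method, target, version, headers


def _http_date(value: str) -> Optional[datetime]:
    """Parse an HTTP-date such as 'Sat, 29 Oct 1994 19:43:31 GMT'; None if invalid."""
    try:
        return email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def _etag_matches(header_value: str, current_etag: str) -> bool:
    """If-None-Match may list several tags or '*'; weak tags (W/"x") compare by value."""
    def bare(tag: str) -> str:
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag
    candidates = [bare(t) for t in header_value.split(",")]
    return "*" in candidates or bare(current_etag) in candidates


def conditional_status(headers: Dict[str, str], current_etag: str,
                       last_modified: str) -> int:
    """Return 304 if the client's cached copy is still current, else 200.

    If-None-Match takes precedence over If-Modified-Since when both are sent.
    """
    inm = headers.get("if-none-match")
    if inm is not None:
        return 304 if _etag_matches(inm, current_etag) else 200
    ims = headers.get("if-modified-since")
    if ims is not None:
        since, modified = _http_date(ims), _http_date(last_modified)
        if since is not None and modified is not None and modified <= since:
            return 304
    return 200


if __name__ == "__main__":
    _, _, _, h = parse_request_head(SAMPLE_REQUEST)
    print(conditional_status(h, '"737060cd8c284d8af7ad3082f209582d"',
                             "Tue, 15 Nov 1994 12:45:26 GMT"))
```

The Host check matters for name-based virtual hosting: without it a server cannot tell which site a request is for, which is why the table marks the field mandatory.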

Common non-standard request headers

Non-standard header fields are conventionally marked by prefixing the field name with X-.[7]

X-Requested-With[8]
  Description: Mainly used to identify Ajax requests. Most JavaScript frameworks send this header with the value XMLHttpRequest.
  Example: X-Requested-With: XMLHttpRequest

X-Do-Not-Track[9]
  Description: Requests a web application to disable its tracking of a user. Note that, as of yet, this is largely ignored by web applications. It does however open the door to future legislation[clarification needed (by whom?)] requiring web applications to comply with a user's request to not be tracked. Mozilla implements the DNT header with a similar purpose.
  Example: X-Do-Not-Track: 1

DNT[10]
  Description: Requests a web application to disable its tracking of a user. This is Mozilla's version of the X-Do-Not-Track header (since Firefox 4.0 Beta 11). Safari and IE9 also have support for this header.[11] On March 7, 2011, a draft proposal was submitted to IETF.[12] The W3C Tracking Protection Working Group is producing a spec.[13]
  Example: DNT: 1 (Do Not Track Enabled); DNT: 0 (Do Not Track Disabled)

X-Forwarded-For[14]
  Description: A de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer
  Example: X-Forwarded-For: client1, proxy1, proxy2

X-ATT-DeviceId[15]
  Description: Allows easier parsing of the MakeModel/Firmware that is usually found in the User-Agent string of AT&T devices
  Example: x-att-deviceid: MakeModel/Firmware

X-Wap-Profile[16]
  Description: Links to an XML file on the Internet with a full description and details about the device currently connecting. The example is an XML file for an AT&T Samsung Galaxy S2.
  Example: x-wap-profile: http://wap.samsungmobile.com/uaprof/SGH-I777.xml
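The X-Forwarded-For row describes a chain in which each proxy appends the address it saw, so only the entries added by proxies you operate are trustworthy; the leftmost value is whatever the client chose to send. As an added example (not part of the original page), the Python below resolves the originating client by walking the chain from the right and discarding hops that belong to the operator's own proxies. The TRUSTED_PROXIES ranges are an assumption for this example, and all addresses in the tests are constructed from documentation ranges.

```python
import ipaddress
from typing import Optional

# Assumption for this example: these networks are our own proxies / load
# balancers. Anything outside them is an untrusted party.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Return the originating client address, or None if it cannot be determined.

    The TCP peer (remote_addr) is appended as the last hop, then the chain is
    read from the right: trusted hops are peeled off until the first address
    that is not one of our proxies.  That address is the one a trusted proxy
    vouched for; anything further left was supplied by an untrusted party and
    is ignored.  If the peer itself is not a trusted proxy, the header is
    ignored entirely and the peer address is returned.
    """
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess, let the caller reject or log
        if not _is_trusted(addr, trusted):
            return str(addr)
    # Every hop was one of our proxies: the leftmost entry is the client.
    return str(ipaddress.ip_address(hops[0]))


if __name__ == "__main__":
    print(client_ip("10.0.0.5", "203.0.113.7, 10.0.0.9"))
```

Use the result for logging, rate limiting or access decisions only when the proxy layer is known to append the peer address on every hop; a proxy that forwards the header unchanged makes the right-to-left walk meaningless.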

Responses
Accept-Ranges
  Description: What partial content range types this server supports
  Example: Accept-Ranges: bytes

Age
  Description: The age the object has been in a proxy cache, in seconds
  Example: Age: 12

Allow
  Description: Valid actions for a specified resource. To be used for a 405 Method Not Allowed.
  Example: Allow: GET, HEAD

Cache-Control
  Description: Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds.
  Example: Cache-Control: max-age=3600

Connection
  Description: Options that are desired for the connection[17]
  Example: Connection: close

Content-Encoding
  Description: The type of encoding used on the data. See HTTP compression.
  Example: Content-Encoding: gzip

Content-Language
  Description: The language the content is in
  Example: Content-Language: da

Content-Length
  Description: The length of the response body in octets (8-bit bytes)
  Example: Content-Length: 348

Content-Location
  Description: An alternate location for the returned data
  Example: Content-Location: /index.htm

Content-MD5
  Description: A Base64-encoded binary MD5 sum of the content of the response
  Example: Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==

Content-Disposition
  Description: An opportunity to raise a "File Download" dialogue box for a known MIME type
  Example: Content-Disposition: attachment; filename=fname.ext

Content-Range
  Description: Where in a full body message this partial message belongs
  Example: Content-Range: bytes 21010-47021/47022

Content-Type
  Description: The MIME type of this content
  Example: Content-Type: text/html; charset=utf-8

Date
  Description: The date and time that the message was sent
  Example: Date: Tue, 15 Nov 1994 08:12:31 GMT

ETag
  Description: An identifier for a specific version of a resource, often a message digest
  Example: ETag: "737060cd8c284d8af7ad3082f209582d"

Expires
  Description: Gives the date/time after which the response is considered stale
  Example: Expires: Thu, 01 Dec 1994 16:00:00 GMT

Last-Modified
  Description: The last modified date for the requested object, in RFC 2822 format
  Example: Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT

Link
  Description: Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988
  Example: Link: </feed>; rel="alternate"[18]

Location
  Description: Used in redirection, or when a new resource has been created
  Example: Location: http://www.w3.org/pub/WWW/People.html

P3P
  Description: This header is supposed to set a P3P policy, in the form P3P:CP="your_compact_policy". However, P3P did not take off,[19] most browsers have never fully implemented it, and a lot of websites set this header with fake policy text; that was enough to fool browsers about the existence of a P3P policy and grant permissions for third-party cookies.
  Example: P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.p for more info."

Pragma
  Description: Implementation-specific headers that may have various effects anywhere along the request-response chain
  Example: Pragma: no-cache

Proxy-Authenticate
  Description: Request authentication to access the proxy
  Example: Proxy-Authenticate: Basic

Refresh
  Description: Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds. This is a proprietary, non-standard header extension introduced by Netscape and supported by most web browsers.
  Example: Refresh: 5; url=http://www.w3.org/pub/WWW/People.ht

Retry-After
  Description: If an entity is temporarily unavailable, this instructs the client to try again after a specified period of time (seconds)
  Example: Retry-After: 120

Server
  Description: A name for the server
  Example: Server: Apache/2.4.1 (Unix)

Set-Cookie
  Description: An HTTP cookie
  Example: Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1

Strict-Transport-Security
  Description: An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether this applies to subdomains
  Example: Strict-Transport-Security: max-age=16070400; includ

Trailer
  Description: The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer-coding
  Example: Trailer: Max-Forwards

Transfer-Encoding
  Description: The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity.
  Example: Transfer-Encoding: chunked

Vary
  Description: Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server
  Example: Vary: *

Via
  Description: Informs the client of proxies through which the response was sent
  Example: Via: 1.0 fred, 1.1 nowhere.com (Apache/1.1)

Warning
  Description: A general warning about possible problems with the entity body
  Example: Warning: 199 Miscellaneous warning

WWW-Authenticate
  Description: Indicates the authentication scheme that should be used to access the requested entity
  Example: WWW-Authenticate: Basic

Common non-standard response headers

Non-standard header fields are conventionally marked by prefixing the field name with X-.

X-Frame-Options[20]
  Description: Clickjacking protection: "deny" means no rendering within a frame, "sameorigin" means no rendering if the origin mismatches
  Example: X-Frame-Options: deny

X-XSS-Protection[21]
  Description: Cross-site scripting (XSS) filter
  Example: X-XSS-Protection: 1; mode=block

X-Content-Type-Options[22]
  Description: The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type
  Example: X-Content-Type-Options: nosniff

X-Forwarded-Proto[23]
  Description: A de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy (load balancer) may communicate with a web server using HTTP even if the request to the reverse proxy is HTTPS
  Example: X-Forwarded-Proto: https

Front-End-Https[24]
  Description: Non-standard header used by Microsoft applications and load balancers
  Example: Front-End-Https: on

X-Powered-By[25]
  Description: Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version)
  Example: X-Powered-By: PHP/5.4.0

X-UA-Compatible[26]
  Description: Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate Chrome Frame in Internet Explorer.
  Example: X-UA-Compatible: IE=EmulateIE7; X-UA-Compatible: IE=edge; X-UA-Compatible: Chrome=1
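Several of the response headers above (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security) exist to restrict what a browser will do with a response, while X-Powered-By and a versioned Server value disclose the software stack. As an added example (not part of the original page), the Python below audits one response's header set against those rows and returns the findings. The two sample header sets are constructed from the table's example values; treating a missing includeSubDomains directive as a finding is this example's own choice, and the Server check assumes that a slash in the value marks a version string.

```python
from typing import Dict, List


def _hsts_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=16070400; includeSubDomains' into {'max-age': '16070400', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_security_headers(headers: Dict[str, str], over_https: bool = True) -> List[str]:
    """Return a list of findings for one response; an empty list means no issues found.

    Checks the browser-restricting headers described above plus version
    disclosure through X-Powered-By and Server.  HSTS is only meaningful on an
    HTTPS response, so that check is skipped when over_https is False.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: response may be framed (clickjacking)")
    elif xfo.lower() not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options value {xfo!r} is neither deny nor sameorigin")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing possible")

    xss = h.get("x-xss-protection")
    if xss is not None and not xss.startswith("1"):
        findings.append(f"X-XSS-Protection {xss!r} disables the browser filter")

    if over_https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security missing on an HTTPS response")
        else:
            d = _hsts_directives(hsts)
            if not d.get("max-age", "").isdigit():
                findings.append("Strict-Transport-Security lacks a numeric max-age")
            elif int(d["max-age"]) == 0:
                findings.append("Strict-Transport-Security max-age=0 removes the policy")
            if "includesubdomains" not in d:
                findings.append("Strict-Transport-Security does not cover subdomains")

    if "x-powered-by" in h:
        findings.append(f"X-Powered-By discloses {h['x-powered-by']!r}; remove it")
    server = h.get("server", "")
    if "/" in server:  # assumption: 'Product/version' form means a version is exposed
        findings.append(f"Server discloses a version: {server!r}")
    return findings


# Constructed samples built from the example values in the tables above.
HARDENED = {
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
}
LEAKY = {
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=0",
    "X-Powered-By": "PHP/5.4.0",
    "Server": "Apache/2.4.1 (Unix)",
}


if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(name, audit_security_headers(hdrs))
```

Running the audit over captured responses from a staging deployment is a cheap regression check: a framework upgrade that starts emitting X-Powered-By, or a load balancer that strips Strict-Transport-Security, shows up as a new finding.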

List of TCP and UDP port numbers


Port | Protocol | Description
0 | UDP | Reserved
20 | TCP | FTP data transfer
21 | TCP | FTP control (command)
23 | TCP | Telnet protocol: unencrypted text communications
25 | TCP | Simple Mail Transfer Protocol (SMTP)
80 | TCP | Hypertext Transfer Protocol (HTTP)
118 | TCP, UDP | SQL (Structured Query Language) Services
194 | TCP, UDP | Internet Relay Chat (IRC)
443 | TCP | HTTPS (Hypertext Transfer Protocol over SSL/TLS)
554 | TCP, UDP | Real Time Streaming Protocol (RTSP)
4664 | TCP | Google Desktop Search
6660-6669 | TCP | Internet Relay Chat (IRC)
8008 | TCP | HTTP Alternate

Apache HTTP Server


Apache HTTP Server

Original author(s): Robert McCool
Developer(s): Apache Software Foundation
Initial release: 1995[1]
Stable release: 2.4.2 / April 17, 2012; 5 days ago
Written in: XML and C[2]
Operating system: Cross-platform
Available in: English
Type: Web server
License: Apache License 2.0
Website: httpd.apache.org

The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web.[3] In 2009 it became the first web server software to surpass the 100 million website milestone.[4] Apache was the first viable alternative to the Netscape Communications Corporation web server (currently named Oracle iPlanet Web Server), and has since evolved to rival other web servers in terms of functionality and performance[citation needed]. Typically Apache is run on a Unix-like operating system.[5] Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. The application is available for a wide variety of operating systems, including Unix, FreeBSD, Linux, Solaris, Novell NetWare, Mac OS X, Microsoft Windows, OS/2, TPF, and eComStation. Released under the Apache License, Apache is open-source software. Apache was originally based on NCSA HTTPd code. The NCSA code has since been removed from Apache, due to a rewrite. Since April 1996 Apache has been the most popular HTTP server software in use. As of March 2012 Apache was estimated to serve 57.46% of all active websites and 65.24% of the top servers across all domains.[6]

Name
According to the FAQ on the Apache project website, the name Apache was chosen out of respect for the Native American Apache tribe (Inde) and its superior skills in warfare and strategy. The website also explains the popular but erroneous origin of the name, "A Patchy Server" (since it was a conjunction of software patches).[7]

Features
Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. A sample of other features include Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (also known as a rewrite engine, implemented under mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).

Popular compression methods on Apache include the external extension module mod_gzip, implemented to help reduce the size (weight) of web pages served over HTTP. ModSecurity is an open source intrusion detection and prevention engine for web applications. Apache logs can be analyzed through a web browser using free scripts such as AWStats/W3Perl or Visitors. Virtual hosting allows one Apache installation to serve many different actual websites. For example, one machine with one Apache installation could simultaneously serve www.example.com, www.example.org, test47.test-server.example.edu, etc. Apache features configurable error messages, DBMS-based authentication databases, and content negotiation. It is also supported by several graphical user interfaces (GUIs). It supports password authentication and digital certificate authentication. Apache has a built-in search engine and an HTML authoring tool and supports FTP.

Performance
Although the main design goal of Apache is not to be the "fastest" web server, Apache does have performance similar to other "high-performance" web servers. Instead of implementing a single architecture, Apache provides a variety of MultiProcessing Modules (MPMs) which allow Apache to run in a process-based, hybrid (process and thread) or event-hybrid mode, to better match the demands of each particular infrastructure. This implies that the choice of the correct MPM and the correct configuration is important. Where compromises in performance need to be made, the design of Apache is to reduce latency and increase throughput, rather than simply handling more requests, thus ensuring consistent and reliable processing of requests within reasonable time-frames. The Apache version considered by the Apache Foundation as providing high performance is the multi-threaded version, which mixes the use of several processes and several threads per process.[8] This architecture, as implemented in Apache 2.4.0, provides performance at least equal to other event-based web servers.[9]

Licensing
With the release of Apache 2.0, there was a change to the Apache Foundation license. Some Apache users[who?] did not like the change and continued the use of pre-2.0 Apache versions (typically 1.3.x). The OpenBSD project went to the extent of effectively forking Apache 1.3.x for its purposes.[10]

What is Apache?
The Apache HTTP Server

is a powerful, flexible, HTTP/1.1 compliant web server

implements the latest protocols, including HTTP/1.1 (RFC2616)

is highly configurable and extensible with third-party modules

can be customised by writing 'modules' using the Apache module API

provides full source code and comes with an unrestrictive license

runs on Windows 2000, Netware 5.x and above, OS/2, and most versions of Unix, as well as several other operating systems

is actively being developed

encourages user feedback through new ideas, bug reports and patches

implements many frequently requested features, including:
  o DBM databases, as well as relational databases and LDAP, for authentication: allows you to easily set up password-protected pages with enormous numbers of authorized users, without bogging down the server.
  o Customized responses to errors and problems: allows you to set up files, or even CGI scripts, which are returned by the server in response to errors and problems, e.g. set up a script to intercept 500 Server Errors and perform on-the-fly diagnostics for both users and yourself.
  o Multiple DirectoryIndex directives: allows you to say DirectoryIndex index.html index.cgi, which instructs the server to either send back index.html or run index.cgi when a directory URL is requested, whichever it finds in the directory.
  o Unlimited flexible URL rewriting and aliasing: Apache has no fixed limit on the number of Aliases and Redirects which may be declared in the config files. In addition, a powerful rewriting engine can be used to solve most URL manipulation problems.
  o Content negotiation, i.e. the ability to automatically serve clients of varying sophistication and HTML level compliance with documents which offer the best representation of information that the client is capable of accepting.
  o Virtual Hosts: allows the server to distinguish between requests made to different IP addresses or names (mapped to the same machine). Apache also offers dynamically configurable mass virtual hosting.
  o Configurable, reliable piped logs: you can configure Apache to generate logs in the format that you want. In addition, on most Unix architectures, Apache can send log files to a pipe, allowing for log rotation, hit filtering, real-time splitting of multiple vhosts into separate logs, and asynchronous DNS resolving on the fly.

.htaccess
A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration. The original purpose of .htaccess - reflected in its name - was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGI handlers, etc. These files are placed inside the web tree, and are able to override a subset of the server's global configuration for that directory, and all sub-directories.[1]

Format
For historical reasons the format of .htaccess is the same as the Apache web server's global configuration file[2] even when used with web servers such as Sun Java System Web Server[3] and Zeus Web Server[4] which have very different native global configuration files.

Common usage
Authorization, authentication

An .htaccess file is often used to specify security restrictions for a directory, hence the filename "access". The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords.[5]

Rewriting URLs
Servers often use .htaccess to rewrite long, overly comprehensive URLs to shorter and more memorable ones.

Blocking
Use allow/deny to block users by IP address or domain. Also used to block bad bots, rippers and referrers, and often used to restrict access by search engine spiders.

SSI
Enable server-side includes.

Directory listing
Control how the server will react when no specific web page is specified.

Customized error responses
Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found or, to indicate to a search engine that a page has moved, HTTP 301 Moved Permanently.[6]

MIME types
Instruct the server how to treat different file types.

Cache control
.htaccess files allow a server to control caching by web browsers and proxies to reduce bandwidth usage, server load, and perceived lag.

Advantages
Immediate changes
Because .htaccess files are read on every request, changes made in these files take immediate effect, as opposed to the main configuration file, which requires the server to be restarted for new settings to take effect.

Non-privileged users
For servers with multiple users, it is often desirable to allow individual users the ability to alter their site configuration. The use of .htaccess files allows such individualization, and by unprivileged users, because the main server configuration files do not need to be changed.[7]

Disadvantages
Controlling Apache using the main server configuration file httpd.conf[8] is often preferred for security and performance reasons:[9]

Performance loss
For each HTTP request, there are additional file-system accesses for parent directories when using .htaccess, to check for possibly existing .htaccess files in those parent directories which are allowed to hold .htaccess files. It is possible to programmatically migrate directives from .htaccess to httpd.conf if this performance loss is a concern.[10]

Security
Allowing individual users to modify the configuration of a server can cause security concerns if not set up properly.

XAMPP
XAMPP

Developer(s): Apache Friends
Stable release: 1.7.7 / September 20, 2011; 6 months ago
Preview release: 1.8.0-beta2 (Linux, Windows) / March 28, 2012; 24 days ago
Operating system: Cross-platform (Linux, Windows, Solaris, Mac OS X)
Type: WAMP, MAMP, SAMP, LAMP
License: GPL
Website: www.apachefriends.org/en/xampp.html

XAMPP[1] is a free and open source cross-platform web server solution stack package, consisting mainly of the Apache HTTP Server, MySQL database, and interpreters for scripts written in the PHP and Perl programming languages.

Etymology
XAMPP's name is an acronym for:

X (to be read as "cross", meaning cross-platform)

Apache HTTP Server

MySQL

PHP

Perl

The program is released under the terms of the GNU General Public License and acts as a free web server capable of serving dynamic pages. XAMPP is available for Microsoft Windows, Linux, Solaris, and Mac OS X, and is mainly used for web development projects. It is useful when developing dynamic web pages in languages such as PHP or, through the bundled Tomcat, JSP and servlets.

Requirements and features
XAMPP requires only one zip, tar, 7z, or exe file to be downloaded and run, and little or no configuration of the various components that make up the web server is required. XAMPP is regularly updated to incorporate the latest releases of Apache, MySQL, PHP and Perl. It also comes with a number of other modules, including OpenSSL and phpMyAdmin. Self-contained, multiple instances of XAMPP can exist on a single computer, and any given instance can be copied from one computer to another. It is offered in both a full, standard version and a smaller version.

Use
Officially, XAMPP's designers intended it for use only as a development tool, to allow website designers and programmers to test their work on their own computers without any access to the Internet. To make this as easy as possible, many important security features are disabled by default.[2] In practice, however, XAMPP is sometimes used to actually serve web pages on the World Wide Web[citation needed]. A special tool is provided to password-protect the most important parts of the package.[citation needed] XAMPP also provides support for creating and manipulating databases in MySQL and SQLite, among others. Once XAMPP is installed, the local machine can be treated like a remote host by connecting to it with an FTP client. Using a program like FileZilla has many advantages when installing a content management system (CMS) like Joomla, and an HTML editor can connect to localhost via FTP in the same way. The default FTP user is "newuser", and the default FTP password is "wampp".

The default MySQL user is "root", and there is no default MySQL password. Because these defaults are published, an instance that is reachable from a network should have them changed before it is exposed.
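One consequence of the password-less root account is that the bundled phpMyAdmin can be configured to log into MySQL with it automatically, so anyone who can reach the phpMyAdmin URL administers the database without a login. The following added check (not XAMPP's own code or its password-protection tool) flags that combination in a config.inc.php; the two configuration samples are constructed here in the shape of a phpMyAdmin config, with settings written as $cfg['Servers'][$i]['key'] = value; one per line, and are not copied from an installation.

```python
"""Check a phpMyAdmin config.inc.php for the XAMPP-style default: 'config'
authentication with the MySQL root account and an empty password, which lets
anyone who can reach phpMyAdmin administer the database without logging in.
Added check, not part of XAMPP or its security tool; it assumes the settings
are written as $cfg['Servers'][$i]['key'] = value; one per line."""
import re

# Constructed samples in the shape of a phpMyAdmin config.inc.php (not
# copied from an installation)
WEAK_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

FIXED_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['blowfish_secret'] = 'replace-with-a-long-random-secret';
"""

SETTING = re.compile(
    r"\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(?:'([^']*)'|(true|false))\s*;")


def parse_server_settings(php_text):
    """Map each server setting name to its string or boolean value."""
    settings = {}
    for m in SETTING.finditer(php_text):
        key, text_value, bool_value = m.groups()
        settings[key] = text_value if bool_value is None else bool_value == "true"
    return settings


def audit_phpmyadmin(php_text):
    """Return a list of findings; an empty list means none of the weak
    defaults were found."""
    s = parse_server_settings(php_text)
    findings = []
    if s.get("auth_type") == "config":
        findings.append("auth_type 'config': credentials are stored in the file, "
                        "so the page opens with no login")
        if s.get("user") == "root":
            findings.append("stored account is MySQL root")
        if s.get("password", "") == "":
            findings.append("stored password is empty")
    if s.get("AllowNoPassword") is True:
        findings.append("AllowNoPassword true: password-less accounts may log in")
    return findings
```

audit_phpmyadmin(WEAK_CONFIG) returns four findings; the fixed sample, which switches to cookie authentication so that each user must present a password, returns none. Changing the configuration alone is not enough: the MySQL root account itself still needs a password, since the same empty credential works for any client that can reach port 3306.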

Components
XAMPP 1.7.7, including:[3]

Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
phpMyAdmin 3.4.5
FileZilla FTP Server 0.9.39
Tomcat 7.0.21 (with mod_proxy_ajp as connector)

Linux (1.8.0-beta2):[4]

Apache 2.4.1
MySQL 5.5.21
PHP 5.4
phpMyAdmin 3.4.9
OpenSSL 1.0.0h
