1 <?xml version="1.0" encoding="UTF-8" ?>
2 <!DOCTYPE manualpage SYSTEM "style/manualpage.dtd">
3 <?xml-stylesheet type="text/xsl" href="style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <manualpage metafile="caching.xml.meta">
25 <title>Caching Guide</title>
28 <p>This document supplements the <module>mod_cache</module>,
29 <module>mod_disk_cache</module>, <module>mod_file_cache</module> and <a
30 href="programs/htcacheclean.html">htcacheclean</a> reference documentation.
31 It describes how to use Apache's caching features to accelerate web and
32 proxy serving, while avoiding common problems and misconfigurations.</p>
35 <section id="introduction">
36 <title>Introduction</title>
38 <p>As of Apache HTTP server version 2.2 <module>mod_cache</module>
39 and <module>mod_file_cache</module> are no longer marked
40 experimental and are considered suitable for production use. These
41 caching architectures provide a powerful means to accelerate HTTP
42 handling, both as an origin webserver and as a proxy.</p>
44 <p><module>mod_cache</module> and its provider modules
45 <module>mod_disk_cache</module>
46 provide intelligent, HTTP-aware caching. The content itself is stored
47 in the cache, and mod_cache aims to honour all of the various HTTP
48 headers and options that control the cachability of content. It can
49 handle both local and proxied content. <module>mod_cache</module>
50 is aimed at both simple and complex caching configurations, where
51 you are dealing with proxied content, dynamic local content or
52 have a need to speed up access to local files which change with
55 <p><module>mod_file_cache</module> on the other hand presents a more
56 basic, but sometimes useful, form of caching. Rather than maintain
57 the complexity of actively ensuring the cachability of URLs,
58 <module>mod_file_cache</module> offers file-handle and memory-mapping
59 tricks to keep a cache of files as they were when Apache was last
60 started. As such, <module>mod_file_cache</module> is aimed at improving
61 the access time to local static files which do not change very
64 <p>As <module>mod_file_cache</module> presents a relatively simple
65 caching implementation, apart from the specific sections on <directive
66 module="mod_file_cache">CacheFile</directive> and <directive
67 module="mod_file_cache">MMapStatic</directive>, the explanations
68 in this guide cover the <module>mod_cache</module> caching
71 <p>To get the most from this document, you should be familiar with
72 the basics of HTTP, and have read the Users' Guides to
73 <a href="urlmapping.html">Mapping URLs to the Filesystem</a> and
74 <a href="content-negotiation.html">Content negotiation</a>.</p>
78 <section id="overview">
80 <title>Caching Overview</title>
84 <module>mod_cache</module>
85 <module>mod_disk_cache</module>
86 <module>mod_file_cache</module>
89 <directive module="mod_cache">CacheEnable</directive>
90 <directive module="mod_cache">CacheDisable</directive>
91 <directive module="mod_file_cache">MMapStatic</directive>
92 <directive module="mod_file_cache">CacheFile</directive>
93 <directive module="mod_file_cache">CacheFile</directive>
94 <directive module="core">UseCanonicalName</directive>
95 <directive module="mod_negotiation">CacheNegotiatedDocs</directive>
99 <p>There are two main stages in <module>mod_cache</module> that can
100 occur in the lifetime of a request. First, <module>mod_cache</module>
101 is a URL mapping module, which means that if a URL has been cached,
102 and the cached version of that URL has not expired, the request will
103 be served directly by <module>mod_cache</module>.</p>
105 <p>This means that any other stages that might ordinarily happen
106 in the process of serving a request -- for example being handled
107 by <module>mod_proxy</module>, or <module>mod_rewrite</module> --
108 won't happen. But then this is the point of caching content in
111 <p>If the URL is not found within the cache, <module>mod_cache</module>
112 will add a <a href="filter.html">filter</a> to the request handling. After
113 Apache has located the content by the usual means, the filter will be run
114 as the content is served. If the content is determined to be cacheable,
115 the content will be saved to the cache for future serving.</p>
117 <p>If the URL is found within the cache, but also found to have expired,
118 the filter is added anyway, but <module>mod_cache</module> will create
119 a conditional request to the backend, to determine if the cached version
120 is still current. If the cached version is still current, its
121 meta-information will be updated and the request will be served from the
122 cache. If the cached version is no longer current, the cached version
123 will be deleted and the filter will save the updated content to the cache
127 <title>Improving Cache Hits</title>
129 <p>When caching locally generated content, ensuring that
130 <directive module="core">UseCanonicalName</directive> is set to
131 <code>On</code> can dramatically improve the ratio of cache hits. This
132 is because the hostname of the virtual-host serving the content forms
133 a part of the cache key. With the setting set to <code>On</code>
134 virtual-hosts with multiple server names or aliases will not produce
135 differently cached entities, and instead content will be cached as
136 per the canonical hostname.</p>
138 <p>Because caching is performed within the URL to filename translation
139 phase, cached documents will only be served in response to URL requests.
140 Ordinarily this is of little consequence, but there is one circumstance
141 in which it matters: If you are using <a href="howto/ssi.html">Server
142 Side Includes</a>;</p>
146 <!-- The following include can be cached -->
147 <!--#include virtual="/footer.html" -->
149 <!-- The following include can not be cached -->
150 <!--#include file="/path/to/footer.html" --></pre>
153 <p>If you are using Server Side Includes, and want the benefit of speedy
154 serves from the cache, you should use <code>virtual</code> include
159 <title>Expiry Periods</title>
161 <p>The default expiry period for cached entities is one hour, however
162 this can be easily over-ridden by using the <directive
163 module="mod_cache">CacheDefaultExpire</directive> directive. This
164 default is only used when the original source of the content does not
165 specify an expire time or time of last modification.</p>
167 <p>If a response does not include an <code>Expires</code> header but does
168 include a <code>Last-Modified</code> header, <module>mod_cache</module>
169 can infer an expiry period based on the use of the <directive
170 module="mod_cache">CacheLastModifiedFactor</directive> directive.</p>
172 <p>For local content, <module>mod_expires</module> may be used to
173 fine-tune the expiry period.</p>
175 <p>The maximum expiry period may also be controlled by using the
176 <directive module="mod_cache">CacheMaxExpire</directive>.</p>
181 <title>A Brief Guide to Conditional Requests</title>
183 <p>When content expires from the cache and is re-requested from the
184 backend or content provider, rather than pass on the original request,
185 Apache will use a conditional request instead.</p>
187 <p>HTTP offers a number of headers which allow a client, or cache
188 to discern between different versions of the same content. For
189 example if a resource was served with an "Etag:" header, it is
190 possible to make a conditional request with an "If-None-Match:"
191 header. If a resource was served with a "Last-Modified:" header
192 it is possible to make a conditional request with an
193 "If-Modified-Since:" header, and so on.</p>
195 <p>When such a conditional request is made, the response differs
196 depending on whether the content matches the conditions. If a request is
197 made with an "If-Modified-Since:" header, and the content has not been
198 modified since the time indicated in the request then a terse "304 Not
199 Modified" response is issued.</p>
201 <p>If the content has changed, then it is served as if the request were
202 not conditional to begin with.</p>
204 <p>The benefits of conditional requests in relation to caching are
205 twofold. Firstly, when making such a request to the backend, if the
206 content from the backend matches the content in the store, this can be
207 determined easily and without the overhead of transferring the entire
210 <p>Secondly, conditional requests are usually less strenuous on the
211 backend. For static files, typically all that is involved is a call
212 to <code>stat()</code> or similar system call, to see if the file has
213 changed in size or modification time. As such, even if Apache is
214 caching local content, even expired content may still be served faster
215 from the cache if it has not changed. As long as reading from the cache
216 store is faster than reading from the backend (e.g. <module
217 >mod_disk_cache</module> with memory disk
218 compared to reading from disk).</p>
222 <title>What Can be Cached?</title>
224 <p>As mentioned already, the two styles of caching in Apache work
225 differently, <module>mod_file_cache</module> caching maintains file
226 contents as they were when Apache was started. When a request is
227 made for a file that is cached by this module, it is intercepted
228 and the cached file is served.</p>
230 <p><module>mod_cache</module> caching on the other hand is more
231 complex. When serving a request, if it has not been cached
232 previously, the caching module will determine if the content
233 is cacheable. The conditions for determining cachability of
237 <li>Caching must be enabled for this URL. See the <directive
238 module="mod_cache">CacheEnable</directive> and <directive
239 module="mod_cache">CacheDisable</directive> directives.</li>
241 <li>The response must have a HTTP status code of 200, 203, 300, 301 or
244 <li>The request must be a HTTP GET request.</li>
246 <li>If the request contains an "Authorization:" header, the response
247 will not be cached.</li>
249 <li>If the response contains an "Authorization:" header, it must
250 also contain an "s-maxage", "must-revalidate" or "public" option
251 in the "Cache-Control:" header.</li>
253 <li>If the URL included a query string (e.g. from a HTML form GET
254 method) it will not be cached unless the response includes an
255 "Expires:" header, as per RFC2616 section 13.9.</li>
257 <li>If the response has a status of 200 (OK), the response must
258 also include at least one of the "Etag", "Last-Modified" or
259 the "Expires" headers, unless the
260 <directive module="mod_cache">CacheIgnoreNoLastMod</directive>
261 directive has been used to require otherwise.</li>
263 <li>If the response includes the "private" option in a "Cache-Control:"
264 header, it will not be stored unless the
265 <directive module="mod_cache">CacheStorePrivate</directive> has been
266 used to require otherwise.</li>
268 <li>Likewise, if the response includes the "no-store" option in a
269 "Cache-Control:" header, it will not be stored unless the
270 <directive module="mod_cache">CacheStoreNoStore</directive> has been
273 <li>A response will not be stored if it includes a "Vary:" header
274 containing the match-all "*".</li>
279 <title>What Should Not be Cached?</title>
281 <p>In short, any content which is highly time-sensitive, or which varies
282 depending on the particulars of the request that are not covered by
283 HTTP negotiation, should not be cached.</p>
285 <p>If you have dynamic content which changes depending on the IP address
286 of the requester, or changes every 5 minutes, it should almost certainly
289 <p>If on the other hand, the content served differs depending on the
290 values of various HTTP headers, it is possible that it might be possible
291 to cache it intelligently through the use of a "Vary" header.</p>
295 <title>Variable/Negotiated Content</title>
297 <p>If a response with a "Vary" header is received by
298 <module>mod_cache</module> when requesting content by the backend it
299 will attempt to handle it intelligently. If possible,
300 <module>mod_cache</module> will detect the headers attributed in the
301 "Vary" response in future requests and serve the correct cached
304 <p>If for example, a response is received with a vary header such as;</p>
307 Vary: negotiate,accept-language,accept-charset
310 <p><module>mod_cache</module> will only serve the cached content to
311 requesters with matching accept-language and accept-charset headers
312 matching those of the original request.</p>
317 <section id="security">
318 <title>Security Considerations</title>
321 <title>Authorization and Access Control</title>
323 <p>Using <module>mod_cache</module> is very much like having a built
324 in reverse-proxy. Requests will be served by the caching module unless
325 it determines that the backend should be queried. When caching local
326 resources, this drastically changes the security model of Apache.</p>
328 <p>As traversing a filesystem hierarchy to examine potential
329 <code>.htaccess</code> files would be a very expensive operation,
330 partially defeating the point of caching (to speed up requests),
331 <module>mod_cache</module> makes no decision about whether a cached
332 entity is authorised for serving. In other words; if
333 <module>mod_cache</module> has cached some content, it will be served
334 from the cache as long as that content has not expired.</p>
336 <p>If, for example, your configuration permits access to a resource by IP
337 address you should ensure that this content is not cached. You can do this
338 by using the <directive module="mod_cache">CacheDisable</directive>
339 directive, or <module>mod_expires</module>. Left unchecked,
340 <module>mod_cache</module> - very much like a reverse proxy - would cache
341 the content when served and then serve it to any client, on any IP
346 <title>Local exploits</title>
348 <p>As requests to end-users can be served from the cache, the cache
349 itself can become a target for those wishing to deface or interfere with
350 content. It is important to bear in mind that the cache must at all
351 times be writable by the user which Apache is running as. This is in
352 stark contrast to the usually recommended situation of maintaining
353 all content unwritable by the Apache user.</p>
355 <p>If the Apache user is compromised, for example through a flaw in
356 a CGI process, it is possible that the cache may be targeted. When
357 using <module>mod_disk_cache</module>, it is relatively easy to
358 insert or modify a cached entity.</p>
360 <p>This presents a somewhat elevated risk in comparison to the other
361 types of attack it is possible to make as the Apache user. If you are
362 using <module>mod_disk_cache</module> you should bear this in mind -
363 ensure you upgrade Apache when security upgrades are announced and
364 run CGI processes as a non-Apache user using <a
365 href="suexec.html">suEXEC</a> if possible.</p>
370 <title>Cache Poisoning</title>
372 <p>When running Apache as a caching proxy server, there is also the
373 potential for so-called cache poisoning. Cache Poisoning is a broad
374 term for attacks in which an attacker causes the proxy server to
375 retrieve incorrect (and usually undesirable) content from the backend.
378 <p>For example if the DNS servers used by your system running Apache
379 are vulnerable to DNS cache poisoning, an attacker may be able to control
380 where Apache connects to when requesting content from the origin server.
381 Another example is so-called HTTP request-smuggling attacks.</p>
383 <p>This document is not the correct place for an in-depth discussion
384 of HTTP request smuggling (instead, try your favourite search engine)
385 however it is important to be aware that it is possible to make
386 a series of requests, and to exploit a vulnerability on an origin
387 webserver such that the attacker can entirely control the content
388 retrieved by the proxy.</p>
392 <section id="filehandle">
393 <title>File-Handle Caching</title>
397 <module>mod_file_cache</module>
400 <directive module="mod_file_cache">CacheFile</directive>
404 <p>The act of opening a file can itself be a source of delay, particularly
405 on network filesystems. By maintaining a cache of open file descriptors
406 for commonly served files, Apache can avoid this delay. Currently Apache
407 provides one implementation of File-Handle Caching.</p>
410 <title>CacheFile</title>
412 <p>The most basic form of caching present in Apache is the file-handle
413 caching provided by <module>mod_file_cache</module>. Rather than caching
414 file-contents, this cache maintains a table of open file descriptors. Files
415 to be cached in this manner are specified in the configuration file using
416 the <directive module="mod_file_cache">CacheFile</directive>
420 <directive module="mod_file_cache">CacheFile</directive> directive
421 instructs Apache to open the file when Apache is started and to re-use
422 this file-handle for all subsequent access to this file.</p>
425 <pre>CacheFile /usr/local/apache2/htdocs/index.html</pre>
428 <p>If you intend to cache a large number of files in this manner, you
429 must ensure that your operating system's limit for the number of open
430 files is set appropriately.</p>
432 <p>Although using <directive module="mod_file_cache">CacheFile</directive>
433 does not cause the file-contents to be cached per-se, it does mean
434 that if the file changes while Apache is running these changes will
435 not be picked up. The file will be consistently served as it was
436 when Apache was started.</p>
438 <p>If the file is removed while Apache is running, Apache will continue
439 to maintain an open file descriptor and serve the file as it was when
440 Apache was started. This usually also means that although the file
441 will have been deleted, and not show up on the filesystem, extra free
442 space will not be recovered until Apache is stopped and the file
443 descriptor closed.</p>
448 <section id="inmemory">
449 <title>In-Memory Caching</title>
453 <module>mod_file_cache</module>
456 <directive module="mod_cache">CacheEnable</directive>
457 <directive module="mod_cache">CacheDisable</directive>
458 <directive module="mod_file_cache">MMapStatic</directive>
462 <p>Serving directly from system memory is universally the fastest method
463 of serving content. Reading files from a disk controller or, even worse,
464 from a remote network is orders of magnitude slower. Disk controllers
465 usually involve physical processes, and network access is limited by
466 your available bandwidth. Memory access on the other hand can take mere
469 <p>System memory isn't cheap though, byte for byte it's by far the most
470 expensive type of storage and it's important to ensure that it is used
471 efficiently. By caching files in memory you decrease the amount of
472 memory available on the system. As we'll see, in the case of operating
473 system caching, this is not so much of an issue, but when using
474 Apache's own in-memory caching it is important to make sure that you
475 do not allocate too much memory to a cache. Otherwise the system
476 will be forced to swap out memory, which will likely degrade
480 <title>Operating System Caching</title>
482 <p>Almost all modern operating systems cache file-data in memory managed
483 directly by the kernel. This is a powerful feature, and for the most
484 part operating systems get it right. For example, on Linux, let's look at
485 the difference in the time it takes to read a file for the first time
486 and the second time;</p>
489 colm@coroebus:~$ time cat testfile > /dev/null
493 colm@coroebus:~$ time cat testfile > /dev/null
499 <p>Even for this small file, there is a huge difference in the amount
500 of time it takes to read the file. This is because the kernel has cached
501 the file contents in memory.</p>
503 <p>By ensuring there is "spare" memory on your system, you can ensure
504 that more and more file-contents will be stored in this cache. This
505 can be a very efficient means of in-memory caching, and involves no
506 extra configuration of Apache at all.</p>
508 <p>Additionally, because the operating system knows when files are
509 deleted or modified, it can automatically remove file contents from the
510 cache when neccessary. This is a big advantage over Apache's in-memory
511 caching which has no way of knowing when a file has changed.</p>
514 <p>Despite the performance and advantages of automatic operating system
515 caching there are some circumstances in which in-memory caching may be
516 better performed by Apache.</p>
519 <title>MMapStatic Caching</title>
521 <p><module>mod_file_cache</module> provides the
522 <directive module="mod_file_cache">MMapStatic</directive> directive, which
523 allows you to have Apache map a static file's contents into memory at
524 start time (using the mmap system call). Apache will use the in-memory
525 contents for all subsequent accesses to this file.</p>
528 <pre>MMapStatic /usr/local/apache2/htdocs/index.html</pre>
532 <directive module="mod_file_cache">CacheFile</directive> directive, any
533 changes in these files will not be picked up by Apache after it has
536 <p> The <directive module="mod_file_cache">MMapStatic</directive>
537 directive does not keep track of how much memory it allocates, so
538 you must ensure not to over-use the directive. Each Apache child
539 process will replicate this memory, so it is critically important
540 to ensure that the files mapped are not so large as to cause the
541 system to swap memory.</p>
546 <title>Disk-based Caching</title>
550 <module>mod_disk_cache</module>
553 <directive module="mod_cache">CacheEnable</directive>
554 <directive module="mod_cache">CacheDisable</directive>
558 <p><module>mod_disk_cache</module> provides a disk-based caching mechanism
559 for <module>mod_cache</module>. This cache is intelligent and content will
560 be served from the cache only as long as it is considered valid.</p>
562 <p>Typically the module will be configured as so;</p>
566 CacheRoot /var/cache/apache/
569 CacheDirLength 1</pre>
572 <p>Importantly, as the cached files are locally stored, operating system
573 in-memory caching will typically be applied to their access also. So
574 although the files are stored on disk, if they are frequently accessed
575 it is likely the operating system will ensure that they are actually
576 served from memory.</p>
579 <title>Understanding the Cache-Store</title>
581 <p>To store items in the cache, <module>mod_disk_cache</module> creates
582 a 22 character hash of the URL being requested. This hash incorporates
583 the hostname, protocol, port, path and any CGI arguments to the URL,
584 to ensure that multiple URLs do not collide.</p>
586 <p>Each character may be any one of 64-different characters, which mean
587 that overall there are 64^22 possible hashes. For example, a URL might
588 be hashed to <code>xyTGxSMO2b68mBCykqkp1w</code>. This hash is used
589 as a prefix for the naming of the files specific to that URL within
590 the cache, however first it is split up into directories as per
591 the <directive module="mod_disk_cache">CacheDirLevels</directive> and
592 <directive module="mod_disk_cache">CacheDirLength</directive>
595 <p><directive module="mod_disk_cache">CacheDirLevels</directive>
596 specifies how many levels of subdirectory there should be, and
597 <directive module="mod_disk_cache">CacheDirLength</directive>
598 specifies how many characters should be in each directory. With
599 the example settings given above, the hash would be turned into
601 <code>/var/cache/apache/x/y/TGxSMO2b68mBCykqkp1w</code>.</p>
603 <p>The overall aim of this technique is to reduce the number of
604 subdirectories or files that may be in a particular directory,
605 as most file-systems slow down as this number increases. With
607 <directive module="mod_disk_cache">CacheDirLength</directive>
608 there can at most be 64 subdirectories at any particular level.
609 With a setting of 2 there can be 64 * 64 subdirectories, and so on.
610 Unless you have a good reason not to, using a setting of "1"
611 for <directive module="mod_disk_cache">CacheDirLength</directive>
615 <directive module="mod_disk_cache">CacheDirLevels</directive>
616 depends on how many files you anticipate to store in the cache.
617 With the setting of "2" used in the above example, a grand
618 total of 4096 subdirectories can ultimately be created. With
619 1 million files cached, this works out at roughly 245 cached
620 URLs per directory.</p>
622 <p>Each URL uses at least two files in the cache-store. Typically
623 there is a ".header" file, which includes meta-information about
624 the URL, such as when it is due to expire and a ".data" file
625 which is a verbatim copy of the content to be served.</p>
627 <p>In the case of a content negotiated via the "Vary" header, a
628 ".vary" directory will be created for the URL in question. This
629 directory will have multiple ".data" files corresponding to the
630 differently negotiated content.</p>
634 <title>Maintaining the Disk Cache</title>
636 <p>Although <module>mod_disk_cache</module> will remove cached content
637 as it is expired, it does not maintain any information on the total
638 size of the cache or how little free space may be left.</p>
640 <p>Instead, provided with Apache is the <a
641 href="programs/htcacheclean.html">htcacheclean</a> tool which, as the name
642 suggests, allows you to clean the cache periodically. Determining
643 how frequently to run <a
644 href="programs/htcacheclean.html">htcacheclean</a> and what target size to
645 use for the cache is somewhat complex and trial and error may be needed to
646 select optimal values.</p>
648 <p><a href="programs/htcacheclean.html">htcacheclean</a> has two modes of
649 operation. It can be run as persistent daemon, or periodically from
651 href="programs/htcacheclean.html">htcacheclean</a> can take up to an hour
652 or more to process very large (tens of gigabytes) caches and if you are
653 running it from cron it is recommended that you determine how long a typical
654 run takes, to avoid running more than one instance at a time.</p>
657 <img src="images/caching_fig1.gif" alt="" width="600"
658 height="406" /><br />
659 <a id="figure1" name="figure1"><dfn>Figure 1</dfn></a>: Typical
660 cache growth / clean sequence.</p>
662 <p>Because <module>mod_disk_cache</module> does not itself pay attention
663 to how much space is used you should ensure that
664 <a href="programs/htcacheclean.html">htcacheclean</a> is configured to
665 leave enough "grow room" following a clean.</p>