HTTP 1.1 Web Server and Client
First Published: December 4, 2006
Last Updated: December 4, 2006
The HTTP 1.1 Web Server and Client feature provides a consistent interface for users and applications by implementing support for HTTP 1.1 in Cisco IOS software-based devices. The integrated HTTP server application program interface (API) supports server application interfaces and provides a complete solution for HTTP services to and from Cisco devices.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for the HTTP 1.1 Web Server and Client" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Restrictions for HTTP 1.1 Web Server and Client
•Information About the HTTP 1.1 Web Server and Client
•How to Configure the HTTP 1.1 Web Server and Client
•Configuration Examples for the HTTP 1.1 Web Server and Client
•Feature Information for the HTTP 1.1 Web Server and Client
Restrictions for HTTP 1.1 Web Server and Client
The secure HTTP (HTTPS) server and client—secure HTTP communication in which Secure Socket Layer (SSL) encryption technology provides HTTP server and client authentication and is used to encrypt data sent to and received from an HTTP server—are not supported in the HTTP 1.1 web server and client feature in Cisco IOS Release 12.2(31)SB2.
Information About the HTTP 1.1 Web Server and Client
To use the HTTP 1.1 web server and client, you should understand the following concepts:
•HTTP Server General Access Policies
•Selective Enabling of Applications Within the HTTP Infrastructure
HTTP 1.1 with Cisco Devices
This feature updates the Cisco implementation of HTTP from 1.0 to 1.1. The HTTP server allows features and applications, such as the Cisco web browser user interface, to be run on your routing device.
The Cisco implementation of HTTP 1.1 is backward compatible with previous Cisco IOS releases. If you are currently using configurations that enable the HTTP server, no configuration changes are needed, as all defaults remain the same.
The process of enabling and configuring the HTTP server also remains the same as in previous releases. Support for Server Side Includes (SSI) and HTML forms has not changed. Additional configuration options, in the form of the ip http timeout-policy command and the ip http max-connections command, have been added. These options allow configurable resource limits for the HTTP server. If you do not use these optional commands, the default policies are used.
Remote applications may require that you enable the HTTP server before using them. Applications that use the HTTP server include the following:
•Cisco web browser user interface—This user interface uses the Cisco IOS Homepage Server, HTTP-based EXEC Server, and HTTP IOS File System (IFS) Server.
•VPN Device Manager (VDM) application—VDM uses the VDM Server and the XML Session Manager (XSM).
•QoS Device Manager (QDM) application—QDM uses the QDM Server.
HTTP Server General Access Policies
General access characteristics for the server can be specified using the ip http timeout-policy command to configure a value for idle time, connection life, and request maximum. By adjusting these values you can configure a general policy; for example, if you want to maximize throughput for HTTP connections, you should configure a policy that minimizes connection overhead. You can configure such a policy by specifying large values for the life and request options so that each connection stays open longer and more requests are processed for each connection.
Another example is to configure a policy that minimizes the response time for new connections by specifying small values for the life and request options so that the connections are quickly released to serve new clients.
A throughput policy is better for HTTP sessions with dedicated management applications, because it allows the application to send more requests before the connection is closed, while a response time policy is better for interactive HTTP sessions, because it allows more people to connect to the server at the same time without having to wait for connections to become available.
In general, you should configure these options as appropriate for your environment. The value for the idle option should be balanced so that it is large enough not to cause an unwanted request or response timeout on the connection, but small enough that it does not hold a connection open longer than necessary.
Access security policies for the HTTP server are configured using the ip http authentication command, which allows only selective users to access the server, and the ip http access-class command, which allows only selective IP hosts to access the server.
Selective Enabling of Applications Within the HTTP Infrastructure
The ability to selectively enable applications using an HTTP server feature eliminates a potential security vulnerability by providing a facility to enable selected HTTP services on the Cisco IOS HTTP server infrastructure. This feature also provides the capability to view the current state of the HTTP services, including which services are enabled or disabled.
Prior to this feature, HTTP applications running on a router or a switch were either all enabled or all disabled when the HTTP server was enabled or disabled using the ip http server command. When all HTTP applications were enabled, remote end users were given potential access to services that could allow them to pose a security threat to service providers.
With the ability to selectively enable applications using an HTTP server, the Cisco IOS HTTP infrastructure provides a way to enable only selected HTTP applications to run on a router or a switch, thereby avoiding a potential security vulnerability. Selected HTTP applications can be enabled using the ip http active-session-modules configuration command.
Note The maximum number of sessions that can be registered with the Cisco IOS HTTP server is 32.
How to Configure the HTTP 1.1 Web Server and Client
This section contains the following tasks:
•Enabling and Configuring the HTTP Server
•Enabling Selected HTTP Applications
•Configuring the HTTP Client Default Username and Password
•Configuring Other HTTP Client Connection Characteristics and Cache
Enabling and Configuring the HTTP Server
To enable the HTTP server and configure optional server characteristics, perform the following steps. The HTTP server is disabled by default.
Restrictions
The HTTPS server is not supported in Cisco IOS Release 12.2(31)SB.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http server
4. ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}
5. ip http port port-number
6. ip http path url
7. ip http access-class access-list-number
8. ip http max-connections value
9. ip http timeout-policy idle seconds life seconds requests value
DETAILED STEPS
Enabling Selected HTTP Applications
Perform this task to selectively enable the HTTP applications that will service incoming HTTP requests from remote clients.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http session-module-list listname prefix1 [prefix2,..., prefixn]
4. ip http active-session-modules {listname | none | all}
5. end
6. show ip http server session-module
DETAILED STEPS
Configuring the HTTP Client Default Username and Password
The standard HTTP 1.1 client is always enabled and there are no commands that exist to disable the HTTP client. Commands are available that can be used to set the default username and password for all connection requests with the remote HTTP server. To set the default username and password, perform the following steps.
Restrictions
The HTTPS client is not supported in Cisco IOS Release 12.2(31)SB.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http client username username
4. ip http client password password
5. do copy running-config startup-config
DETAILED STEPS
Configuring Other HTTP Client Connection Characteristics and Cache
The standard HTTP 1.1 client is always enabled and there are no commands that exist to disable the HTTP client. There are a number of optional characteristics that can be configured for the standard HTTP client. Perform this task to configure optional characteristics of the HTTP client. One or more of the following steps can be performed in any order.
Restrictions
The HTTPS client is not supported in Cisco IOS Release 12.2(31)SB.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http client connection {forceclose | idle timeout seconds | retry count | timeout seconds}
4. ip http client proxy-server {proxy-name | ip-address} [proxy-port port-number]
5. ip http client response timeout seconds
6. ip http client source-interface interface-id
7. ip http client cache {ager interval minutes | memory file file-size-limit | memory pool pool-size-limit}
DETAILED STEPS
Configuration Examples for the HTTP 1.1 Web Server and Client
This section provides the following configuration examples:
•HTTP Server Enabling and Configuration: Example
•HTTP Connectivity Verification: Example
•HTTP Applications Enabled Selectively: Example
HTTP Server Enabling and Configuration: Example
The following example shows a typical configuration that enables the server and sets some of the characteristics:
Router(config)# ip http server
Router(config)# ip http authentication aaa
Router(config)# ip http path flash:
Router(config)# ip http access-class 10
Router(config)# ip http max-connections 10
In the following example, a Throughput timeout policy is applied. This configuration allows each connection to be idle a maximum of 30 seconds (approximately). Each connection will remain open (be "alive") until either the HTTP server has been busy processing requests for approximately 2 minutes (120 seconds) or until approximately 100 requests have been processed.
Router(config)# ip http timeout-policy idle 30 life 120 requests 100
In the following example, a Response Time timeout policy is applied. This configuration allows each connection to be idle a maximum of 30 seconds (approximately). Each connection will be closed when the first request has been processed.
Router(config)# ip http timeout-policy idle 30 life 30 requests 1
HTTP Connectivity Verification: Example
To verify remote connectivity to the HTTP server, enter the system IP address in a web browser, followed by a colon and the appropriate port number (80 is the default port number).
For example, if the system IP address is 209.165.202.129 and the port number is 8080, enter http://209.165.202.129:8080 as the URL in a web browser.
If HTTP authentication is configured, a login dialog box will appear. Enter the appropriate username and password. If the default login authentication method of "enable" is configured, you may leave the username field blank, and use the "enable" password to log in.
The system home page should appear in your browser.
HTTP Applications Enabled Selectively: Example
The following configuration sample shows a configuration with a different set of services available for HTTP requests. In this example, only the HTTP applications defined in list1 (Simple Certificate Enrollment Protocol [SCEP] and HOME_PAGE and HTTP IFS) are enabled for providing services to remote HTTP clients.
ip http session-module-list list1 HOME_PAGE,HTTP_IFS
ip http active-session-modules list1
ip http server
Additional References
The following sections provide references related to the HTTP 1.1 Web Server and Client features:
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands only.
New Commands
Modified Commands
•ip http active-session-modules
•ip http client source-interface
clear ip http client cache
To remove information from the HTTP client cache, use the clear ip http client cache command in privileged EXEC mode.
clear ip http client cache {all | session session-name | url complete-url}
Syntax Description
Command Default
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to clear entries from the HTTP client cache pool: all the entries, all the entries owned by a specific session, or only the entry associated with a specific request from an HTTP server.
Examples
The following example clears all entries in the HTTP client cache:
Router# clear ip http client cache all
The following example removes HTTP client cache entries that belong to the HTTP Client File System (CFS) application:
Router# clear ip http client cache session HTTP CFS
The following example removes HTTP client cache entries at the location http://myrouter.cisco.com/flash:/:
Router# clear ip http client cache url http://myrouter.cisco.com/flash:/
Related Commands
Command Description
ip http path
Specifies the base path used to locate files for use by the HTTP server.
show ip http client
Displays a report about the HTTP client.
debug ip http all
To enable debugging output for all HTTP processes on the system, use the debug ip http all command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http all
no debug ip http all
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Privileged EXEC
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to enable debugging messages for all HTTP processes and activity. Issuing this command is equivalent to issuing the following commands:
•debug ip http authentication
•debug ip http ezsetup
•debug ip http ssi
•debug ip http token
•debug ip http transaction
•debug ip http url
Examples
For sample output and field descriptions of this command, see the documentation of the commands listed in the "Usage Guidelines" section.
Related Commands
debug ip http authentication
To troubleshoot HTTP authentication problems, use the debug ip http authentication command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http authentication
no debug ip http authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to display the authentication method the router attempted and authentication-specific status messages.
Examples
The following is sample output from the debug ip http authentication command:
Router# debug ip http authentication
Authentication for url `/' `/' level 15 privless `/'
Authentication username = `local15' priv-level = 15 auth-type = local
Table 1 describes the significant fields shown in the display.
Related Commands
debug ip http client
To enable debugging output for the HTTP client, use the debug ip http client command in privileged EXEC mode. To disable debugging output for the HTTP client, use the no or undebug form of this command.
debug ip http client {all | api | cache | error | main | msg | socket}
no debug ip http client {all | api | cache | error | main | msg | socket}
undebug ip http client {all | api | cache | error | main | msg | socket}
Syntax Description
Command Modes
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to display transactional information for the HTTP client for debugging purposes.
Examples
The following example shows sample debugging output for a failed copy transfer operation when the host name resolution fails:
Router# debug ip http client all
2w4d: Cache ager called
Router# copy http://www.example.com/index.html flash:index.html
Destination filename [index.html]?
Erase flash: before copying? [confirm] no
Translating "www.example.com"
% Bad IP address for host www.example.com
%Error opening http://www.example.com/index.html (I/O error)
Router#
2w4d: http_client_request:
2w4d: httpc_setup_request:
2w4d: http_client_process_request:
2w4d: HTTPC: Host name resolution failed for www.example.com
2w4d: http_transaction_free:
2w4d: http_transaction_free: freed httpc_transaction_t
The following example shows sample debugging output for a failed copy transfer operation when the source file is not available:
Router# copy http://example.com/hi/file.html flash:/file.html
Destination filename [file.html]?
%Error opening http://example.com/hi/file.html (No such file or directory)
Router#
2w4d: http_client_request:
2w4d: httpc_setup_request:
2w4d: http_client_process_request:
2w4d: httpc_request:Dont have the credentials
Thu, 17 Jul 2003 07:05:25 GMT http://209.168.200.225/hi/file.html ok
Protocol = HTTP/1.1
Content-Type = text/html; charset=iso-8859-1
Date = Thu, 17 Jul 2003 14:24:29 GMT
2w4d: http_transaction_free:
2w4d: http_transaction_free:freed httpc_transaction_t
2w4d: http_client_abort_request:
2w4d: http_client_abort_request:Bad Transaction Id
Router#
Table 2 describes the significant fields shown in the display.
Related Commands
debug ip http ezsetup
To display the configuration changes that occur during the EZ Setup process, use the debug ip http ezsetup command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http ezsetup
no debug ip http ezsetup
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to verify the EZ Setup actions without changing the configuration of the router.
EZ Setup is a form you fill out to perform basic router configuration from most HTML browsers.
Examples
The following sample output from the debug ip http ezsetup command shows the configuration changes for the router when the EZ Setup form has been submitted:
Router# debug ip http ezsetup
service timestamps debug
service timestamps log
service password-encryption
!
hostname router-name
!
enable secret router-pw
line vty 0 4
password router-pw
!
interface ethernet 0
ip address 172.69.52.9 255.255.255.0
no shutdown
ip helper-address 172.31.2.132
ip name-server 172.31.2.132
isdn switch-type basic-5ess
username Remote-name password Remote-chap
interface bri 0
ip unnumbered ethernet 0
encapsulation ppp
no shutdown
dialer map ip 192.168.254.254 speed 56 name Remote-name Remote-number
isdn spid1 spid1
isdn spid2 spid2
ppp authentication chap callin
dialer-group 1
!
ip classless
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq ntp
access-list 101 permit ip any any
dialer-list 1 list 101
ip route 0.0.0.0 0.0.0.0 192.168.254.254
ip route 192.168.254.254 255.255.255.255 bri 0
logging buffered
snmp-server community public RO
ip http server
ip classless
ip subnet-zero
!
end
Related Commands
debug ip http ssi
To display information about the HTML SSI EXEC command or HTML SSI ECHO command, use the debug ip http ssi command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http ssi
no debug ip http ssi
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Examples
The following is sample output from the debug ip http ssi command:
Router# debug ip http ssi
HTML: filtered command `exec cmd="show users"'
HTML: SSI command `exec'
HTML: SSI tag `cmd' = "show users"
HTML: Executing CLI `show users' in mode `exec' done
The following line shows the contents of the SSI EXEC command:
HTML: filtered command `exec cmd="show users"'
The following line indicates the type of SSI command that was requested:
HTML: SSI command `exec'
The following line shows the show users argument assigned to the tag command:
HTML: SSI tag 'cmd' = "show users"
The following line indicates that the show users command is being executed in EXEC mode:
HTML: Executing CLI `show users' in mode `exec' done
Related Commands
debug ip http token
To display individual tokens parsed by the HTTP server, use the debug ip http token command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http token
no debug ip http token
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use the debug ip http token command to display low-level HTTP server parsings. To display high-level HTTP server parsings, use the debug ip http transaction command.
Examples
The following is part of sample output from the debug ip http token command. In this example, the browser accessed the router's home page http://router-name/. The output gives the token parsed by the HTTP server and its length.
Router# debug ip http token
HTTP: token len 3: 'GET'
HTTP: token len 1: ' '
HTTP: token len 1: '/'
HTTP: token len 1: ' '
HTTP: token len 4: 'HTTP'
HTTP: token len 1: '/'
HTTP: token len 1: '1'
HTTP: token len 1: '.'
HTTP: token len 1: '0'
HTTP: token len 2: '\15\12'
HTTP: token len 7: 'Referer'
HTTP: token len 1: ':'
HTTP: token len 1: ' '
HTTP: token len 4: 'http'
HTTP: token len 1: ':'
HTTP: token len 1: '/'
HTTP: token len 1: '/'
HTTP: token len 3: 'www'
HTTP: token len 1: '.'
HTTP: token len 3: 'thesite'
HTTP: token len 1: '.'
HTTP: token len 3: 'com'
HTTP: token len 1: '/'
HTTP: token len 2: '\15\12'
HTTP: token len 10: 'Connection'
HTTP: token len 1: ':'
HTTP: token len 1: ' '
HTTP: token len 4: 'Keep'
HTTP: token len 1: '-'
HTTP: token len 5: 'Alive'
HTTP: token len 2: '\15\12'
HTTP: token len 4: 'User'
HTTP: token len 1: '-'
HTTP: token len 5: 'Agent'
HTTP: token len 1: ':'
HTTP: token len 1: ' '
HTTP: token len 7: 'Mozilla'
HTTP: token len 1: '/'
HTTP: token len 1: '2'
HTTP: token len 1: '.'
...
Related Commands
debug ip http transaction
To display HTTP server transaction processing, use the debug ip http transaction command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http transaction
no debug ip http transaction
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use the debug ip http transaction command to display what the HTTP server is parsing at a high level. To display what the HTTP server is parsing at a low level, use the debug ip http token command.
Examples
The following is sample output from the debug ip http transaction command. In this example, the browser accessed the router's home page http://router-name/.
Router# debug ip http transaction
HTTP: parsed uri '/'
HTTP: client version 1.1
HTTP: parsed extension Referer
HTTP: parsed line http://www.company.com/
HTTP: parsed extension Connection
HTTP: parsed line Keep-Alive
HTTP: parsed extension User-Agent
HTTP: parsed line Mozilla/2.01 (X11; I; FreeBSD 2.1.0-RELEASE i386)
HTTP: parsed extension Host
HTTP: parsed line router-name
HTTP: parsed extension Accept
HTTP: parsed line image/gif, image/x-xbitmap, image/jpeg, image/
HTTP: parsed extension Authorization
HTTP: parsed authorization type Basic
HTTP: received GET ''
Table 3 describes the significant fields shown in the display.
Related Commands
debug ip http url
To show the URLs accessed from the router, use the debug ip http url command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug ip http url
no debug ip http url
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use the debug ip http url command to keep track of the URLs that are accessed and to determine from which hosts the URLs are accessed.
Examples
The following is sample output from the debug ip http url command. In this example, the HTTP server accessed the URLs / and /exec. The output shows the URL being requested and the IP address of the host requesting the URL.
Router# debug ip http url
HTTP: processing URL '/' from host 172.31.2.141
HTTP: processing URL '/exec' from host 172.31.2.141
Related Commands
ip http access-class
To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.
ip http access-class access-list-number
no ip http access-class access-list-number
Syntax Description
access-list-number
Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.
Command Default
No access list is applied to the HTTP server.
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.
Examples
In the following example the access list identified as "20" is defined and assigned to the HTTP server:
Router(config)# ip access-list standard 20
Router(config-std-nacl)# permit 209.165.202.130 0.0.0.255
Router(config-std-nacl)# permit 209.165.201.1 0.0.255.255
Router(config-std-nacl)# permit 209.165.200.225 0.255.255.255
! (Note: all other access implicitly denied)
Router(config-std-nacl)# exit
Router(config)# ip http access-class 20
Related Commands
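Before an access class is applied, the hosts recorded by debug ip http url can be replayed against the candidate access list to see which of them the HTTP server would refuse. The following Python sketch is an added example, not Cisco code: the ACL entries are those of access list 20 above with the prompts stripped, the debug lines are constructed in the sample-output format, and the function names are chosen here. It goes slightly beyond the page by also accepting the any and host forms of a standard ACL entry.

```python
"""Replay hosts seen in 'debug ip http url' output against a standard ACL."""
import ipaddress
import re

# Entries of access list 20 from the ip http access-class example (prompts removed).
ACL_20 = """\
permit 209.165.202.130 0.0.0.255
permit 209.165.201.1 0.0.255.255
permit 209.165.200.225 0.255.255.255
"""

# Constructed lines in the format of the debug ip http url sample output.
DEBUG_LINES = """\
HTTP: processing URL '/' from host 172.31.2.141
HTTP: processing URL '/exec' from host 172.31.2.141
HTTP: processing URL '/' from host 209.165.202.7
HTTP: processing URL '/exec' from host 209.44.3.9
"""

URL_RE = re.compile(r"HTTP: processing URL '([^']*)' from host (\S+)")


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(text):
    """Return [(action, address, wildcard)] with addresses as integers."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] not in ("permit", "deny"):
            continue
        action, src = words[0], words[1:]
        if src[:1] == ["any"]:
            entries.append((action, 0, 0xFFFFFFFF))
        elif src[:1] == ["host"] and len(src) >= 2:
            entries.append((action, _ip(src[1]), 0))
        elif src:
            # A source with no wildcard matches that single address.
            wildcard = _ip(src[1]) if len(src) >= 2 else 0
            entries.append((action, _ip(src[0]), wildcard))
    return entries


def entry_size(entry):
    """Number of source addresses one entry matches (2 ** wildcard bits)."""
    return 2 ** bin(entry[2]).count("1")


def acl_permits(entries, host):
    """First matching entry decides; no match is the implicit deny."""
    ip = _ip(host)
    for action, address, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF   # bits that must be equal
        if (ip & care) == (address & care):
            return action == "permit"
    return False


def replay(acl_text, debug_text):
    """Map each host in the debug output to its ACL verdict and URLs."""
    entries = parse_standard_acl(acl_text)
    report = {}
    for url, host in URL_RE.findall(debug_text):
        row = report.setdefault(
            host, {"permitted": acl_permits(entries, host), "urls": []})
        row["urls"].append(url)
    return report


if __name__ == "__main__":
    for entry in parse_standard_acl(ACL_20):
        print(entry[0], ipaddress.IPv4Address(entry[1]),
              "matches", entry_size(entry), "addresses")
    for host, row in replay(ACL_20, DEBUG_LINES).items():
        verdict = "permit" if row["permitted"] else "deny"
        print(f"{host:<16} {verdict:<6} {', '.join(row['urls'])}")
```

The per-entry sizes make the reach of each wildcard mask visible: the third entry of access list 20 matches every address whose first octet is 209, so the constructed host 209.44.3.9 is permitted.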
ip http active-session-modules
To selectively enable HTTP applications that will service incoming HTTP requests from remote clients, use the ip http active-session-modules command in global configuration mode. Use the no form of this command to return to the default, for which all HTTP services will be enabled.
ip http active-session-modules {listname | none | all}
no ip http active-session-modules {listname}
Syntax Description
Defaults
If no arguments or keywords are specified, all HTTP services will be enabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use the ip http active-session-modules command to selectively enable HTTP applications for servicing incoming HTTP requests from remote clients. With this command, a selected list of applications can be enabled. Alternatively, all of the applications can be enabled, or none of them (in other words, all disabled). Use the ip http session-module-list command to define a list of HTTP or secure HTTP (HTTPS) application names to be enabled. If an HTTP request is made for a service that is disabled, a 404 error message is displayed in the remote client browser.
Note The HTTPS server is not supported in Cisco IOS Release 12.2(31)SB.
Examples
The following example shows how to configure a different set of services to be available for HTTP and HTTPS requests. In this example, all HTTP applications are enabled for providing services to remote clients, but for HTTPS services, only the HTTPS applications defined in list1 (Simple Certificate Enrollment Protocol [SCEP] and HOME_PAGE) are enabled.
ip http session-module-list list1 SCEP,HOME_PAGE
ip http active-session-modules all
ip http server
ip http secure-server
ip http secure-active-session-modules list1
Related Commands
ip http authentication
To specify a particular authentication method for HTTP server users, use the ip http authentication command in global configuration mode. To disable a configured authentication method, use the no form of this command.
ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}
no ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}
Syntax Description
Defaults
The "enable" password is required when users (clients) connect to the HTTP server.
Three command privilege levels exist on the router.
Command Modes
Global configuration
Command History
Usage Guidelines
The ip http authentication command specifies the authentication method to be used for login when a client connects to the HTTP server. Use of the ip http authentication aaa command option is recommended. The enable, local, and tacacs methods should be specified using the aaa authentication login command.
The "enable" password method is the default HTTP server authentication method. If the enable password is used as the HTTP server login authentication method, the client connects to the HTTP server with a default privilege level of 15.
Note When the "enable" password is used as the HTTP server login authentication method, any username entered will be ignored; the server will only verify the "enable" password. This may make it easier for an attacker to access the router. Because a username and password pair is more secure than using only a password for authentication, using only "enable" password for authentication is strongly discouraged. Instead, use of the local or tacacs authentication options, configured as part of a global AAA framework, is recommended.
To configure HTTP access as part of a AAA policy, use the ip http authentication aaa command option. The "local", "tacacs", or "enable" authentication methods should then be configured using the aaa authentication login command.
For information about adding users into the local username database, see the Cisco IOS Security Configuration Guide.
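The access controls this module describes (the authentication method, the access class, and the active session modules) can be checked mechanically against a saved configuration. The following Python sketch is an added example, not Cisco code: both sample configurations are constructed, and the finding codes such as AUTH_ENABLE_ONLY are names chosen here. It reports the documented defaults that leave the HTTP server more open than intended.

```python
"""Audit the 'ip http' lines of an IOS configuration (added example)."""

# Constructed sample configurations; neither comes from a real device.
WEAK_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http path flash:
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
aaa authentication login LOCALDB local
ip http server
ip http authentication aaa login-authentication LOCALDB
ip http access-class 10
ip http session-module-list list1 HOME_PAGE,HTTP_IFS
ip http active-session-modules list1
"""


def parse_http_settings(config):
    """Collect the HTTP server settings this page documents."""
    s = {"server": False, "auth": None, "access_class": None,
         "active_modules": None, "module_lists": {}}
    for raw in config.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        if negated:
            line = line[3:].lstrip()
        words = line.split()
        if words[:2] != ["ip", "http"] or len(words) < 3:
            continue
        key, args = words[2], words[3:]
        # A 'no' form returns the setting to its default (None here).
        first = args[0] if args and not negated else None
        if key == "server":
            s["server"] = not negated
        elif key == "authentication":
            s["auth"] = first
        elif key == "access-class":
            s["access_class"] = first
        elif key == "active-session-modules":
            s["active_modules"] = first
        elif key == "session-module-list" and len(args) >= 2 and not negated:
            names = ",".join(args[1:]).split(",")
            s["module_lists"][args[0]] = [n for n in names if n]
    return s


def audit(config):
    """Return (code, message) findings; empty when the server is off."""
    s = parse_http_settings(config)
    if not s["server"]:
        return []  # the HTTP server is disabled by default
    findings = []
    if s["auth"] in (None, "enable"):
        findings.append(("AUTH_ENABLE_ONLY",
                         "login checks only the enable password; the username "
                         "is ignored and the session gets privilege level 15"))
    if s["access_class"] is None:
        findings.append(("NO_ACCESS_CLASS",
                         "no access list restricts which hosts may connect"))
    mods = s["active_modules"]
    if mods in (None, "all"):
        findings.append(("ALL_MODULES_ACTIVE",
                         "all HTTP services answer remote requests"))
    elif mods != "none" and mods not in s["module_lists"]:
        findings.append(("UNDEFINED_MODULE_LIST",
                         f"active-session-modules names '{mods}', which no "
                         "session-module-list defines"))
    return findings


def finding_codes(config):
    """Just the codes, in the order the checks run."""
    return [code for code, _ in audit(config)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, msg in audit(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```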
Examples
The following example specifies that the method configured for AAA should be used for authentication for HTTP server users. The AAA login method is configured as the "local" username/password authentication method. This example specifies that the local username database be used for login authentication and EXEC authorization of HTTP sessions:
Router(config)# aaa authentication login LOCALDB local
Router(config)# aaa authorization exec LOCALDB local
Router(config)# ip http authentication aaa login-authentication LOCALDB
Router(config)# ip http authentication aaa exec-authorization LOCALDB
Related Commands
ip http client cache
To configure the HTTP client cache, use the ip http client cache command in global configuration mode. To remove the specification of a value configured for the HTTP client cache, use the no form of this command.
ip http client cache {ager interval minutes | memory file file-size-limit | memory pool pool-size-limit}
no ip http client cache {ager interval | memory file | memory pool}
Syntax Description
Command Default
5 second ager interval for the HTTP client cache memory pool
2 KB maximum file size supported by the HTTP client cache
100 KB maximum memory pool size for the HTTP client cache
Command Modes
Global configuration.
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to specify the HTTP client cache ager interval, maximum file size, or maximum memory pool size.
To display the values configured by this command, use the show ip http client cache command.
Examples
The following example specifies an HTTP client cache ager interval of 10 minutes:
Router(config)# ip http client cache ager interval 10
The following example specifies an HTTP client cache maximum file size of 7 KB:
Router(config)# ip http client cache memory file 7
The following example specifies an HTTP client cache maximum memory pool size of 55 KB:
Router(config)# ip http client cache memory pool 55
Related Commands
ip http client connection
To configure characteristics for HTTP client connections to a remote HTTP server for all file transfers, use the ip http client connection command in global configuration mode. To remove the specification of a value configured for a connection characteristic, use the no form of this command.
ip http client connection {forceclose | idle timeout seconds | retry count | timeout seconds}
no ip http client connection {forceclose | idle timeout | retry | timeout}
Syntax Description
Defaults
Persistent connection maintenance is enabled.
30-second idle timeout
1 retry attempt
10-second maximum timeout
Command Modes
Global configuration
Command History
Release Modification
12.3(7)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to change or remove the specification of a value configured as a characteristic for establishing an HTTP client connection to a remote HTTP server for all file transfers.
Examples
The following example configures the default HTTP client persistent connection for a 15-second idle connection period. The maximum time the HTTP client will wait for a connection is 10 seconds.
Router(config)# ip http client connection idle timeout 15
Related Commands
ip http client password
To configure the default password used for connections to remote HTTP servers, use the ip http client password command in global configuration mode. To remove a configured default password from the configuration, use the no form of this command.
ip http client password password
no ip http client password
Syntax Description
password
The password string to be used in HTTP client connection requests sent to remote HTTP servers.
Defaults
No default password exists for the HTTP connections.
Command Modes
Global configuration
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
This command is used to configure a default password before a file is downloaded from a remote web server using the copy http:// or copy https:// command. The default password will be overridden by a password specified in the URL of the copy command.
The password is encrypted in the configuration files.
Note The secure HTTP (HTTPS) client is not supported in Cisco IOS Release 12.2(31)SB.
Examples
In the following example, the default HTTP password is configured as Secret and the default HTTP username is configured as User2 for connections to remote HTTP or HTTPS servers:
Router(config)# ip http client password Secret
Router(config)# ip http client username User2
Router(config)# do show running-config | include ip http client
Related Commands
ip http client proxy-server
To configure an HTTP proxy server, use the ip http client proxy-server command in global configuration mode. To disable or change the proxy server, use the no form of this command.
ip http client proxy-server {proxy-name | ip-address} [proxy-port port-number]
no ip http client proxy-server
Syntax Description
proxy-name | ip-address
Name or IP address for the proxy server.
proxy-port port-number
(Optional) Specifies a port number on the remote proxy server.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release Modification
12.3(7)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
This command configures the HTTP client to connect to a remote proxy server for HTTP file system client connections.
Examples
The following example configures the HTTP proxy server named edge2 at port 29:
Router(config)# ip http client proxy-server edge2 proxy-port 29
Related Commands
ip http client response
To configure the number of seconds that the HTTP client waits for a response from the server for a request message, use the ip http client response command in global configuration mode. To remove the specification of the number of seconds that the HTTP client waits for a response from the server for a request message, use the no form of this command.
ip http client response timeout seconds
no ip http client response timeout
Syntax Description
timeout seconds
The seconds argument specifies the time, in seconds, to wait for a response to a Domain Name System (DNS) query. The range is from 1 to 300.
Command Default
None
Command Modes
Global configuration
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to specify the response timeout value.
Examples
The following example specifies a response timeout of 180 seconds:
Router(config)# ip http client response timeout 180
Related Commands
ip http client source-interface
To configure a source interface for the HTTP client, use the ip http client source-interface command in global configuration mode. To change or disable the source interface, use the no form of this command.
ip http client source-interface interface-id
no ip http client source-interface
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release Modification
12.3(7)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to specify a source interface to use for HTTP connections.
Examples
The following example configures the source interface as Ethernet 0/1:
Router(config)# ip http client source-interface Ethernet 0/1
Related Commands
ip http client username
To configure the default username used for connections to remote HTTP servers, use the ip http client username command in global configuration mode. To remove a configured default HTTP username from the configuration, use the no form of this command.
ip http client username username
no ip http client username
Syntax Description
username
The username string (login name) to be used in HTTP client connection requests sent to remote HTTP servers.
Defaults
No default username exists for the HTTP connections.
Command Modes
Global configuration
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
This command is used to configure a default username before a file is copied to or from a remote web server using the copy http:// or copy https:// command. The default username will be overridden by a username specified in the URL of the copy command.
Note The secure HTTP (HTTPS) client is not supported in Cisco IOS Release 12.2(31)SB.
Examples
In the following example, the default HTTP password is configured as Secret and the default HTTP username is configured as User1 for connections to remote HTTP or HTTPS servers:
Router(config)# ip http client password Secret
Router(config)# ip http client username User1
Related Commands
ip http max-connections
To configure the maximum number of concurrent connections allowed for the HTTP server, use the ip http max-connections command in global configuration mode. To return the maximum connection value to the default, use the no form of this command.
ip http max-connections value
no ip http max-connections
Syntax Description
value
An integer in the range from 1 to 16 that specifies the maximum number of concurrent HTTP connections. The default is 5.
Command Default
Five concurrent HTTP connections is the default.
Command Modes
Global configuration
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Platform-specific implementations can supersede the upper range limit of 16.
If a new value is configured that is less than the previously configured value while the current number of connections exceeds the new maximum value, the HTTP server will not abort any of the current connections. However, the server will not accept any new connections until the current number of connections falls below the new configured value.
Examples
In the following example the HTTP server is configured to allow up to 10 simultaneous connections:
Router(config)# ip http server
Router(config)# ip http max-connections 10
Related Commands
Command Description
ip http server
Enables the HTTP 1.1 server, including the Cisco web browser user interface.
ip http path
To specify the base path used to locate files for use by the HTTP server, use the ip http path command in global configuration mode. To disable the HTTP server, use the no form of this command.
ip http path url
no ip http path
Syntax Description
url
Cisco IOS File System (IFS) URL specifying the location of the HTML files used by the HTTP server.
Command Default
The HTTP server is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling the HTTP server, you should set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system flash memory.
Remote URLs can be specified using this command, but use of remote pathnames (for example, where HTML files are located on a remote TFTP server) is not recommended.
Examples
In the following example, the HTML files are located in the default flash location on the system:
Router(config)# ip http path flash:
In the following example, the HTML files are located in the directory named web on the flash memory card inserted in slot 0:
Router(config)# ip http path slot0:web
Related Commands
Command Description
ip http server
Enables the HTTP server, including the Cisco web browser user interface.
ip http port
To specify the port number to be used by the HTTP server, use the ip http port command in global configuration mode. To return the port number to the default, use the no form of this command.
ip http port port-number
no ip http port
Syntax Description
port-number
The integer 80 or any integer in the range from 1025 to 65535 that specifies the port number to be used for the HTTP server. The default is 80.
Command Default
The HTTP server uses port 80.
Command Modes
Global configuration
Command History
Usage Guidelines
HTTP port 80 is the standard port used by web servers.
Note The secure HTTP (HTTPS) server is not supported in Cisco IOS Release 12.2(31)SB.
Examples
In the following example the HTTP server port is changed to port 8080:
Router(config)# ip http server
Router(config)# ip http port 8080
Related Commands
Command Description
ip http server
Enables the HTTP 1.1 server, including the Cisco web browser user interface.
ip http server
To enable the HTTP server on your IP or IPv6 system, including the Cisco web browser user interface, use the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.
ip http server
no ip http server
Syntax Description
This command has no arguments or keywords.
Command Default
The HTTP server is disabled on the Cisco Catalyst 4000 series switch. The HTTP server is enabled for clustering on the following Cisco switches: Catalyst 3700 series, Catalyst 3750 series, Catalyst 3550 series, Catalyst 3560 series, and Catalyst 2950 series.
The HTTP server uses the standard port 80 by default.
Command Modes
Global configuration
Command History
Usage Guidelines
With IPv6 support added in Cisco IOS Release 12.2(2)T, the ip http server command simultaneously enables and disables both IP and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported.
Caution The standard HTTP server and the secure HTTP (HTTPS) server can run on your system at the same time. If you enable the secure HTTP server using the ip http secure-server command, disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.
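The authentication note under ip http authentication, the remote base path guidance under ip http path, and the caution above can be checked offline against a saved configuration. The following Python audit is an added example, not Cisco code; the function name, finding IDs and both sample configurations are constructed, and it assumes the HTTP server is enabled only when an explicit ip http server line is present (the platform default varies).

```python
# Added example: offline audit of IOS HTTP server settings (not Cisco code).
# Finding IDs and both sample configurations are constructed for illustration.

REMOTE_PREFIXES = ("tftp:", "ftp:", "rcp:", "scp:", "http:", "https:")

WEAK_CONFIG = """
ip http server
ip http secure-server
ip http path tftp://192.0.2.10/web
ip http access-class 10
interface Ethernet0/1
 ipv6 address 2001:DB8::1/64
"""

HARDENED_CONFIG = """
aaa new-model
aaa authentication login LOCALDB local
aaa authorization exec LOCALDB local
no ip http server
ip http secure-server
ip http authentication aaa login-authentication LOCALDB
ip http authentication aaa exec-authorization LOCALDB
ip http access-class 10
ip http path flash:
"""


def audit_http_config(config_text):
    """Return a sorted list of finding IDs for the HTTP server commands in a config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]

    def args_of(prefix):
        # Argument lists of every line that starts with the given command words.
        return [ln[len(prefix):].split() for ln in lines if ln.startswith(prefix + " ")]

    http_on = "ip http server" in lines          # "no ip http server" does not match
    https_on = "ip http secure-server" in lines
    if not (http_on or https_on):
        return []

    findings = set()
    # Caution: with HTTPS enabled, the standard HTTP server should be disabled.
    if http_on and https_on:
        findings.add("http-left-on-with-https")

    # "enable" is the default method: username ignored, privilege level 15.
    auth = args_of("ip http authentication")
    if not auth:
        findings.add("auth-default-enable")
    for args in auth:
        if args[0] == "enable":
            findings.add("auth-enable")
        # A named AAA login list must be defined with "aaa authentication login".
        if args[:2] == ["aaa", "login-authentication"] and len(args) > 2:
            if not args_of("aaa authentication login " + args[2]):
                findings.add("aaa-login-list-undefined")

    # Remote base paths (for example a TFTP server) are not recommended.
    if any(a[0].lower().startswith(REMOTE_PREFIXES) for a in args_of("ip http path")):
        findings.add("remote-base-path")

    # ip http access-class filters IPv4 only; IPv6 clients are not filtered.
    if not args_of("ip http access-class"):
        findings.add("no-access-class")
    elif any(ln.startswith("ipv6 address ") for ln in lines):
        findings.add("access-class-ipv4-only")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_config(cfg))
```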
Examples
The following example shows how to enable the HTTP server on both IP and IPv6 systems:
Router(config)# ip http server
Router(config)# ip http path flash:
Related Commands
ip http session-module-list
To define a list of HTTP or secure HTTP (HTTPS) application names, use the ip http session-module-list command in global configuration mode. To remove the defined list, use the no form of this command.
ip http session-module-list listname prefix1 [prefix2,...,prefixn]
no ip http session-module-list listname prefix1 [prefix2,...,prefixn]
Syntax Description
Defaults
No list of HTTP or HTTPS application names is defined.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to define a list of HTTP or HTTPS application names. The defined list can then be used by the ip http active-session-modules or ip http secure-active-session-modules commands to selectively enable HTTP or HTTPS applications, respectively, for servicing incoming HTTP and HTTPS requests from remote clients.
When defining a list of HTTP or HTTPS application names, use the following guidelines:
•A maximum of four lists can be defined on a router or switch. Attempts to define more than four lists will fail and an error message will be displayed stating the limit restrictions.
•An existing list can be removed using the no ip http session-module-list command.
•You cannot reconfigure an existing list. Instead of reconfiguring an existing list, remove the existing list and create a new list with the same name.
•There is no limit to how many application names can be in the list. However, the maximum number of sessions that can be registered with the Cisco IOS HTTP or HTTPS server is 32.
Note The HTTPS server is not supported in Cisco IOS Release 12.2(31)SB.
Examples
The following example shows how to configure a different set of services to be available for HTTP and HTTPS requests. In this example, all HTTP applications are enabled for providing services to remote clients, but for HTTPS services, only the HTTPS applications defined in list1 (Simple Certificate Enrollment Protocol [SCEP] and HOME_PAGE) are enabled.
ip http session-module-list list1 SCEP,HOME_PAGE
ip http active-session-modules all
ip http server
ip http secure-server
ip http secure-active-session-modules list1
Related Commands
ip http timeout-policy
To configure the parameters for closing connections to the local HTTP server, use the ip http timeout-policy command in global configuration mode. To return the parameters to their defaults, use the no form of this command.
ip http timeout-policy idle seconds life seconds requests value
no ip http timeout-policy
Syntax Description
Command Default
HTTP server connection idle time: 180 seconds (3 minutes)
HTTP server connection life time: 180 seconds (3 minutes)
HTTP server connection maximum requests: 1
Command Modes
Global configuration
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
This command sets the characteristics that determine how long a connection to the HTTP server should remain open.
This command may not take effect immediately on any HTTP connections that are open at the time you use this command. In other words, new values for idle time, life time, and maximum requests will apply only to connections made to the HTTP server after this command is issued.
A connection may be closed sooner than the configured idle time if the server is too busy or the limit on the life time or the number of requests is reached.
A connection may be closed sooner than the configured life time if the server is too busy or the limit on the idle time or the number of requests is reached. Also, since the server will not close a connection while actively processing a request, the connection may remain open longer than the specified life time if processing is occurring when the life maximum is reached. In this case, the connection will be closed when processing finishes.
A connection may be closed before the maximum number of requests are processed if the server is too busy or the limit on the idle time or life time is reached.
The ip http timeout-policy command allows you to specify a general access policy to the HTTP server by adjusting the connection timeout values. For example, if you want to maximize throughput for HTTP connections, you should configure a policy that minimizes connection overhead. You can do this by specifying large values for the life and requests options so that each connection stays open longer and more requests are processed for each connection.
Another example would be to configure a policy that minimizes the response time for new connections. You can do this by specifying small values for the life and requests options so that the connections are quickly released to serve new clients.
A throughput policy would be better for HTTP sessions with dedicated management applications, as it would allow the application to send more requests before the connection is closed, while a response time policy would be better for interactive HTTP sessions, as it would allow more people to connect to the server at the same time without having to wait for connections to become available.
In general, you should configure these options as appropriate for your environment. The value for the idle option should be balanced so that it is large enough not to cause an unwanted request or response timeout on the connection, but small enough that it does not hold a connection open longer than necessary.
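The closing rules described above can be modelled to compare policies before applying them. This Python model is an added example, not Cisco's implementation; it treats the idle, life and requests limits as exact, ignores the "server too busy" case, and uses the policy values from this command's Examples section with a constructed request workload.

```python
# Added example: a simplified model of ip http timeout-policy (not Cisco code).
# Times are seconds measured from the moment the connection is opened.

THROUGHPUT = {"idle": 30, "life": 120, "max_requests": 100}
RESPONSE_TIME = {"idle": 30, "life": 30, "max_requests": 1}

# Constructed workload: 40 requests, one every 5 seconds, 1 second of processing each.
WORKLOAD = [(5 * i, 1) for i in range(40)]


def simulate_connection(idle, life, max_requests, requests):
    """Return (close_time, reason, served) for one connection.

    requests is a list of (arrival_time, processing_seconds), sorted by arrival.
    reason is "idle", "life" or "requests".
    """
    now = 0       # time at which the connection last went idle
    served = 0
    for arrival, duration in requests:
        # While idle, the connection is closed at whichever limit comes first.
        deadline, reason = min((now + idle, "idle"), (life, "life"))
        if arrival >= deadline:
            return (deadline, reason, served)
        now = max(arrival, now) + duration
        served += 1
        if served >= max_requests:
            return (now, "requests", served)
        # The server does not close a connection while processing a request,
        # so an overrun of the life limit takes effect when processing ends.
        if now >= life:
            return (now, "life", served)
    deadline, reason = min((now + idle, "idle"), (life, "life"))
    return (deadline, reason, served)


def connections_needed(policy, requests):
    """Number of connections a client must open to get every request served."""
    opened, remaining = 0, list(requests)
    while remaining:
        start = remaining[0][0]
        shifted = [(t - start, d) for t, d in remaining]
        _, _, served = simulate_connection(requests=shifted, **policy)
        remaining = remaining[served:]
        opened += 1
    return opened


if __name__ == "__main__":
    for name, policy in (("throughput", THROUGHPUT), ("response time", RESPONSE_TIME)):
        print(name, simulate_connection(requests=WORKLOAD, **policy),
              "connections needed:", connections_needed(policy, WORKLOAD))
```

With ip http max-connections limiting the number of concurrent connections, the close time returned here is how long one of those slots stays occupied under each policy.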
Examples
In the following example, a Throughput timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will remain open (be "alive") until either the HTTP server has been busy processing requests for approximately 2 minutes (120 seconds) or until approximately 100 requests have been processed.
Router(config)# ip http timeout-policy idle 30 life 120 requests 100
In the following example, a Response Time timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will be closed as soon as the first request has been processed.
Router(config)# ip http timeout-policy idle 30 life 30 requests 1
Related Commands
Command Description
ip http server
Enables the HTTP server, including the Cisco web browser user interface.
show ip http client
To display a report about the HTTP client, use the show ip http client command in user EXEC or privileged EXEC mode.
show ip http client {all | cache | connection | history | secure status | session-module | statistics}
Syntax Description
Command Modes
User EXEC
Privileged EXEC
Command History
Release Modification
12.3(2)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
The all, cache, and statistics keywords were added.
Usage Guidelines
Use this command to display information about the HTTP client.
Note The secure HTTP (HTTPS) server is not supported in Cisco IOS Release 12.2(31)SB.
Examples
The following is sample output from the show ip http client cache command:
Router# show ip http client cache
HTTP client cache:
Maximum Memory size for cache : 100000 bytes (default)
Maximum memory per cache entry : 2000 bytes (default)
Memory used : 1381 bytes
Memory Available : 98619 bytes
Cache Ager interval : 5 minutes (default)
Total entries created : 2
Id Type Url Memory-size(Bytes) Refcnt Valid(Sec)
__________________________________________________________________________
536 Hdr 172.25.125.69/ 673 0 -1
32 Hdr 172.25.125.7:8888/ 708 0 -1
The report is self-explanatory and lists information about the cache.
The following is sample output from the show ip http client connection command:
Router# show ip http client connection
HTTP client current connections:
Persistent connection = enabled (default)
Connection establishment timeout = 10s (default)
Connection idle timeout = 30s (default)
Maximum number of connection establishment retries = 1 (default)
Maximum http client connections per host : 2
HTTP secure client capability: Not present
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
:80 172.20.67.174:11012 12584 176
Total client connections : 1
The report is self-explanatory and lists the active connections and user-configured or default values for the connections.
The following is sample output from the show ip http client history command:
Router# show ip http client history
HTTP client history:
GET 03:25:36 UTC Thu Feb 26 2004
mailer.cisco.com/mailer.html
GET 03:25:56 UTC Thu Feb 26 2004
mailer.cisco.com/mailer.html
GET 03:26:10 UTC Thu Feb 26 2004
mailer.cisco.com/mailer.html
The report is self-explanatory and lists the most recent URLs accessed by the HTTP client.
The following is sample output from the show ip http client secure status command:
Router# show ip http client secure status
HTTP secure client ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure client trustpoint: TP-1
Table 4 describes the significant fields shown in the display.
The following is sample output from the show ip http client session-module command:
Router# show ip http client session-module
HTTP client application session modules:
Id :1
Application Name :HTTP CFS
Version :HTTP/1.1
Persistent :non-persistent
Response-timeout :0
Retries :0
Proxy :
Id :6
Application Name :httpc_ifs_0
Version :HTTP/1.1
Persistent :non-persistent
Response-timeout :16
Retries :0
Proxy :
Table 5 describes the fields shown in the display.
Related Commands
show ip http server
To display details about the current configuration of the HTTP server, use the show ip http server command in user EXEC or privileged EXEC mode.
show ip http server {all | status | session-module | connection | statistics | history}
Syntax Description
Command Modes
User EXEC
Privileged EXEC
Command History
Release Modification
12.2(15)T
This command was introduced.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2.
Usage Guidelines
Use this command to show detailed status information about the HTTP server.
If the HTTP secure server capability is present, the output of the show ip http server all command will also include the information found in the output of the show ip http server secure status command.
Note The secure HTTP (HTTPS) server is not supported in Cisco IOS Release 12.2(31)SB.
Examples
The following is sample output from the show ip http server all command:
Router# show ip http server all
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 30 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 2
HTTP secure server capability: Not Present
HTTP server application session modules:
Session module Name Handle Description
Homepage_Server 5 IOS Homepage Server
QDM 2 QOS Device Manager Server
HTTP IFS Server 1 HTTP based IOS File Server
QDM SA 3 QOS Device Manager Signed Applet Server
WEB_EXEC 4 HTTP based IOS EXEC Server
XSM 6 XML Session Manager
VDM 7 VPN Device Manager Server
ITS 8 IOS Telephony Service
ITS_LOCDIR 9 ITS Local Directory Search
HTTP server current connections:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
172.19.254.37:80 192.168.254.45:33737 70 2294
HTTP server statistics:
Accepted connections total: 1360
HTTP server history:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes end-time
172.19.254.37:80 192.168.254.45:63530 60 1596 10:50:00 12/19
Table 6 describes the significant fields shown in the display.
The following example shows sample output for the show ip http server status command:
Router# show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 600 seconds
Server life time-out: 600 seconds
Maximum number of requests allowed on a connection: 1
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
The lines indicating the status of the HTTP secure (HTTPS) server will only be visible if your software image supports the HTTPS server. If your software image does not support SSL, only the following line will be visible:
HTTP secure server capability: Not present
Related Commands
Feature Information for the HTTP 1.1 Web Server and Client
Table 7 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 7 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.