<section id="suppress-error-charset">
<title>suppress-error-charset</title>
- <p><em>Available in versions 2.2 and later</em></p>
+ <p><em>Available in versions after 2.0.54</em></p>
<p>When Apache issues a redirect in response to a client request,
the response includes some actual text to be displayed in case
web site, at <<a href="http://httpd.apache.org/docs-2.1/faq/"
>http://httpd.apache.org/docs-2.1/faq/</a>>.</p>
- <p>Since Apache 2.0 is quite new, we don't yet know what the <em>Frequently
- Asked Questions</em> will be. While this section fills up, you should also
- consult the <a href="http://httpd.apache.org/docs/misc/FAQ.html">Apache 1.3
- FAQ</a> to see if your question is answered there.</p>
+ <p>If you don't find the answer to your question in the below
+ sections, please also consult the <a
+ href="http://httpd.apache.org/docs/misc/FAQ.html">Apache 1.3
+ FAQ</a> to see if your question is answered there.</p>
</summary>
&categories;
<li><a href="#error.acceptex">AcceptEx failed</a></li>
<li><a href="#error.scriptheaders">Premature end of script
headers</a></li>
+ <li><a href="#error.permissiondenied">Permission denied</a></li>
</ul>
<section id="error.sendfile"><title>Invalid argument:
tutorial</a>.</p>
</section>
+ <section id="error.permissiondenied"><title>Permission denied</title>
+
+ <p>A <code>Permission denied</code> error in the
+ <code>error_log</code>, accompanied by a <code>Forbidden</code>
+ message to the client usually indicates a problem with your
+ filesystem permissions, rather than a problem in the Apache HTTP
+ Server configuration files. Check to make sure that the
+ <directive module="mpm_common">User</directive> and <directive
+ module="mpm_common">Group</directive> running the child processes
+ has adequate permission to access the files in question. Also
+ check that the directory and all parent directories are at least
+ searchable for that user and group (i.e., <code>chmod
+ +x</code>).</p>
+
+ <p>Recent releases of Fedora Core and other Linux distributions
+ using SELinux have additional access restrictions beyond those
+ used by the basic filesystem. Violations of these restrictions
+ will also result in a <code>Permission denied</code> message. See
+ the <a
+ href="http://fedora.redhat.com/docs/selinux-faq-fc3/">Fedora
+ SELinux FAQ</a> and <a
+ href="http://fedora.redhat.com/docs/selinux-apache-fc3/">Apache
+ SELinux Policy Document</a>.</p>
+
+ </section>
+
</section>
</faq>
this FAQ <a href="all_in_one.html">all in one page</a> for easy searching
and printing.</p>
- <p>Since Apache 2.0 is quite new, we don't yet know what the
- <em>Frequently Asked Questions</em> will be. While this section fills up,
- you should also consult the <a
- href="http://httpd.apache.org/docs/misc/FAQ.html">Apache 1.3 FAQ</a> to see
- if your question is answered there.</p>
+ <p>If you don't find the answer to your question in the below
+ sections, please also consult the <a
+ href="http://httpd.apache.org/docs/misc/FAQ.html">Apache 1.3
+ FAQ</a> to see if your question is answered there.</p>
</summary>
&categories;
<dd>For some of the support scripts like <program>
apxs</program> or <program>dbmmanage</program> (which are
written in Perl) the Perl 5 interpreter is required (versions
- 5.003 or newer are sufficient). If no such interpreter is found by
- the <program>configure</program> script there is no harm. Of course, you
- still can build and install Apache 2.0. Only those support scripts
- cannot be used. If you have multiple Perl interpreters
- installed (perhaps a Perl 4 from the vendor and a Perl 5 from
- your own), then it is recommended to use the <code>--with-perl</code>
- option (see below) to make sure the correct one is selected
- by <program>configure</program>.</dd>
+ 5.003 or newer are sufficient). If you have multiple Perl
+ interpreters (for example, a systemwide install of Perl 4, and
+ your own install of Perl 5), you are advised to use the
+ <code>--with-perl</code> option (see below) to make sure the
+ correct one is used by <program>configure</program>.
+ If no Perl 5 interpreter is found by the
+ <program>configure</program> script, you will not be able to use
+ the affected support scripts. Of course, you will still be able to
+ build and use Apache 2.0.</dd>
</dl>
</section>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ListenBacklog</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>StartThreads</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ListenBacklog</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>LockFile</name>
<override>FileInfo</override>
<usage>
- <p>The Redirect directive maps an old URL into a new one. The
- new URL is returned to the client which attempts to fetch it
- again with the new address. <var>URL-path</var> a (%-decoded)
- path; any requests for documents beginning with this path will
- be returned a redirect error to a new (%-encoded) URL beginning
- with <var>URL</var>.</p>
+ <p>The Redirect directive maps an old URL into a new one by asking
+ the client to refetch the resource at the new location.</p>
+
+ <p>The old <em>URL-path</em> is a (%-decoded) path beginning with
+ a slash. A relative path is not allowed. The new <em>URL</em>
+ should be an absolute URL beginning with a scheme and hostname,
+ but a URL-path beginning with a slash may also be used, in which
+ case the scheme and hostname of the current server will be
+ added.</p>
+
+ <p>Then any request beginning with <em>URL-Path</em> will return a
+ redirect request to the client at the location of the target
+ <em>URL</em>. Additional path information beyond the matched
+ <em>URL-Path</em> will be appended to the target URL.</p>
<example><title>Example:</title>
- Redirect /service http://foo2.bar.com/service
+ Redirect /service http://foo2.example.com/service
</example>
- <p>If the client requests http://myserver/service/foo.txt, it
- will be told to access http://foo2.bar.com/service/foo.txt
+ <p>If the client requests http://example.com/service/foo.txt, it
+ will be told to access http://foo2.example.com/service/foo.txt
instead.</p>
<note><title>Note</title> <p>Redirect directives take precedence over
Alias and ScriptAlias directives, irrespective of their ordering in
-the configuration file. Also, <var>URL-path</var> must be a fully
-qualified URL, not a relative path, even when used with .htaccess files or
-inside of <directive type="section" module="core">Directory</directive>
-sections.</p></note>
+the configuration file.</p></note>
<p>If no <var>status</var> argument is given, the redirect will
be "temporary" (HTTP status 302). This indicates to the client
<IfModule mod_cache.c><br />
<indent>
#LoadModule disk_cache_module modules/mod_disk_cache.so<br />
- # If you want to use mod_disk_cache instead of mod_mem_cache,
- # uncomment the line above and comment out the LoadModule line below.
+ # If you want to use mod_disk_cache instead of mod_mem_cache,<br />
+ # uncomment the line above and comment out the LoadModule line below.<br />
<IfModule mod_disk_cache.c><br />
<indent>
CacheRoot c:/cacheroot<br />
MCacheMaxObjectSize 2048<br />
</indent>
</IfModule><br />
+ <br />
+ # When acting as a proxy, don't cache the list of security updates<br />
+ CacheDisable http://security.update.server/update-list/<br />
</indent>
</IfModule>
</example>
CacheEnable fd /images<br />
CacheEnable disk /<br />
</example>
+
+ <p>When acting as a forward proxy server, <var>url-string</var> can
+ also be used to specify remote sites and proxy protocols which
+ caching should be enabled for.</p>
+
+ <example>
+ # Cache proxied url's<br />
+ CacheEnable disk /<br /><br />
+ # Cache FTP-proxied url's<br />
+ CacheEnable disk ftp://<br /><br />
+ # Cache content from www.apache.org<br />
+ CacheEnable disk http://www.apache.org/<br />
+ </example>
+
</usage>
</directivesynopsis>
</section>
<section id="API"><title>Apache DBD API</title>
- <p><module>mod_dbd</module> exports three functions for other modules
+ <p><module>mod_dbd</module> exports four functions for other modules
to use. The API is as follows:</p>
<example>
*/
AP_DECLARE(ap_dbd_t*) ap_dbd_acquire(request_rec*);
+/* Prepare a statement for use by a client module */
+AP_DECLARE(void) ap_dbd_prepare(server_rec*, const char*, const char*);
+
/* Also export them as optional functions for modules that prefer it */
APR_DECLARE_OPTIONAL_FN(ap_dbd_t*, ap_dbd_open, (apr_pool_t*, server_rec*));
APR_DECLARE_OPTIONAL_FN(void, ap_dbd_close, (server_rec*, ap_dbd_t*));
APR_DECLARE_OPTIONAL_FN(ap_dbd_t*, ap_dbd_acquire, (request_rec*));</code></pre>
+APR_DECLARE_OPTIONAL_FN(void, ap_dbd_prepare, (server_rec*, const char*, const char*));
</example>
</section>
SQL query or select commands.</p>
<p>It is up to dbd user modules to use the prepared statements
- and document what statements can be specified in httpd.conf.</p>
+ and document what statements can be specified in httpd.conf,
+ or to provide their own directives and use <code>ap_dbd_prepare</code>.</p>
</section>
<directivesynopsis>
<tr><td><code>%{<var>format</var>}P</code></td>
<td>The process ID or thread id of the child that serviced the
- request. Valid formats are <code>pid</code> and <code>tid</code>.
+ request. Valid formats are <code>pid</code>, <code>tid</code>,
+ and <code>hextid</code>. <code>hextid</code> requires APR 1.2.0 or
+ higher.
</td></tr>
<tr><td><code>%q</code></td>
</section>
-<section id="byrequests">
+<section id="requests">
<title>Request Counting Algorithm</title>
<p>Enabled via <code>lbmethod=byrequests</code>, the idea behind this
scheduler is that we distribute the requests among the
are selected with 3 <var>b</var> interspersed.</p>
</section>
-<section id="bytraffic">
+<section id="traffic">
<title>Weighted Traffic Counting Algorithm</title>
<p>Enabled via <code>lbmethod=bytraffic</code>, the idea behind this
scheduler is very similar to the Request Counting method, with
<override>AuthConfig</override>
<usage>
-<p>
-This directive sets the Certificate verification level for the remote server
-Authentication. Notice that this directive can be used both in per-server and
-per-directory context. In per-server context it applies to the remote server
-authentication process used in the standard SSL handshake when a connection is
-established. In per-directory context it forces a SSL renegotation with the
-reconfigured remote server verification level after the HTTP request was read but
-before the HTTP response is sent.</p>
+
+<p>When a proxy is configured to forward requests to a remote SSL
+server, this directive can be used to configure certificate
+verification of the remote server. Notice that this directive can be
+used both in per-server and per-directory context. In per-server
+context it applies to the remote server authentication process used in
+the standard SSL handshake when a connection is established by the
+proxy. In per-directory context it forces a SSL renegotation with the
+reconfigured remote server verification level after the HTTP request
+was read but before the HTTP response is sent.</p>
+
+<note type="warning">
+<p>Note that even when certificate verification is enabled,
+<module>mod_ssl</module> does <strong>not</strong> check whether the
+<code>commonName</code> (hostname) attribute of the server certificate
+matches the hostname used to connect to the server. In other words,
+the proxy does not guarantee that the SSL connection to the backend
+server is "secure" beyond the fact that the certificate is signed by
+one of the CAs configured using the
+<directive>SSLProxyCACertificatePath</directive> and/or
+<directive>SSLProxyCACertificateFile</directive> directives.</p>
+</note>
+
<p>
The following levels are available for <em>level</em>:</p>
<ul>
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>GracefulShutdownTimeout</name>
+<description>Specify a timeout after which a gracefully shutdown server
+will exit.</description>
+<syntax>GracefulShutDownTimeout <var>seconds</var></syntax>
+<default>GracefulShutDownTimeout 0</default>
+<contextlist><context>server config</context></contextlist>
+<modulelist><module>prefork</module><module>worker</module>
+<module>event</module></modulelist>
+<compatibility>Available in version 2.2 and later</compatibility>
+
+<usage>
+ <p>The <directive>GracefulShutdownTimeout</directive> specifies
+ how many seconds after receiving a "graceful-stop" signal, a
+ server should continue to run, handling the existing connections.</p>
+
+ <p>Setting this value to zero means that the server will wait
+ indefinitely until all remaining requests have been fully served.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>Group</name>
<description>Group under which the server will answer
Apache</a></seealso>
</directivesynopsis>
+<directivesynopsis>
+<name>ReceiveBufferSize</name>
+<description>TCP receive buffer size</description>
+<syntax>ReceiveBufferSize <var>bytes</var></syntax>
+<default>ReceiveBufferSize 0</default>
+<contextlist><context>server config</context></contextlist>
+<modulelist><module>beos</module><module>leader</module>
+<module>mpm_netware</module><module>mpm_winnt</module>
+<module>mpmt_os2</module><module>perchild</module><module>prefork</module>
+<module>threadpool</module><module>worker</module></modulelist>
+
+<usage>
+ <p>The server will set the TCP receive buffer size to the number of
+ bytes specified.</p>
+
+ <p>If set to the value of <code>0</code>, the server will use the
+ OS default.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>SendBufferSize</name>
<description>TCP buffer size</description>
<module>threadpool</module><module>worker</module></modulelist>
<usage>
- <p>The server will set the TCP buffer size to the number of bytes
+ <p>The server will set the TCP send buffer size to the number of bytes
specified. Very useful to increase past standard OS defaults on
high speed high latency (<em>i.e.</em>, 100ms or so, such as
transcontinental fast pipes).</p>
<p>If set to the value of <code>0</code>, the server will use the
- OS deault.</p>
+ OS default.</p>
</usage>
</directivesynopsis>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>MaxRequestsPerChild</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>MaxSpareThreads</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ScoreBoardFile</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ThreadLimit</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ListenBacklog</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>MaxRequestsPerChild</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ScoreBoardFile</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ServerLimit</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ScoreBoardFile</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ServerLimit</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ListenBacklog</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>LockFile</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ScoreBoardFile</name>
</directivesynopsis>
+<directivesynopsis location="mpm_common"><name>ReceiveBufferSize</name>
+</directivesynopsis>
<directivesynopsis location="mpm_common"><name>SendBufferSize</name>
</directivesynopsis>
<directivesynopsis location="mpm_common"><name>ServerLimit</name>
has been introduced to cleanup <code class="module"><a href="./mod/mod_disk_cache.html">mod_disk_cache</a></code>
setups.</dd>
+ <dt>Graceful stop</dt>
+ <dd>The <code class="module"><a href="./mod/prefork.html">prefork</a></code> and <code class="module"><a href="./mod/worker.html">worker</a></code> MPMs now
+ allow <code class="program"><a href="./programs/httpd.html">httpd</a></code> to be shutdown gracefully via the
+ <a href="stopping.html#gracefulstop"><code>graceful-stop</code></a>
+ signal. The <code class="directive"><a href="./mod/mpm_common.html#gracefulshutdowntimeout">GracefulShutdownTimeout</a></code> directive
+ has been added to specify an optional timeout, after which
+ <code class="program"><a href="./programs/httpd.html">httpd</a></code> will terminate regardless of the status
+ of any requests being served.</dd>
+
<dt>Proxying</dt>
<dd>The new <code class="module"><a href="./mod/mod_proxy_balancer.html">mod_proxy_balancer</a></code> module provides
load balancing services for <code class="module"><a href="./mod/mod_proxy.html">mod_proxy</a></code>.
has been introduced to cleanup <module>mod_disk_cache</module>
setups.</dd>
+ <dt>Graceful stop</dt>
+ <dd>The <module>prefork</module>, <module>worker</module> and
+ <module>event</module> MPMs now allow <program>httpd</program>
+ to be shutdown gracefully via the
+ <a href="stopping.html#gracefulstop"><code>graceful-stop</code></a>
+ signal. The <directive
+ module="mpm_common">GracefulShutdownTimeout</directive> directive
+ has been added to specify an optional timeout, after which
+ <program>httpd</program> will terminate regardless of the status
+ of any requests being served.</dd>
+
<dt>Proxying</dt>
<dd>The new <module>mod_proxy_balancer</module> module provides
load balancing services for <module>mod_proxy</module>.
restart to make sure Apache doesn't die. This is equivalent to
<code>apachectl -k graceful</code>.</dd>
+<dt><code>graceful-stop</code></dt>
+
+<dd>Gracefully stops the Apache <program>httpd</program> daemon.
+This differs from a normal stop in that currently open connections are not
+aborted. A side effect is that old log files will not be closed immediately.
+This is equivalent to <code>apachectl -k graceful-stop</code>.</dd>
+
<dt><code>configtest</code></dt>
<dd>Run a configuration file syntax test. It parses the configuration
[ -<strong>C</strong> <var>directive</var> ] [ -<strong>c</strong>
<var>directive</var> ] [ -<strong>D</strong> <var>parameter</var> ]
[ -<strong>e</strong> <var>level</var> ] [ -<strong>E</strong>
- <var>file</var> ] [ <strong>-k</strong> start|restart|graceful|stop ]
+ <var>file</var> ]
+ [ <strong>-k</strong> start|restart|graceful|stop|graceful-stop ]
[ -<strong>R</strong> <var>directory</var> ] [ -<strong>h</strong> ]
[ -<strong>l</strong> ] [ -<strong>L</strong> ] [ -<strong>S</strong> ]
[ -<strong>t</strong> ] [ -<strong>v</strong> ] [ -<strong>V</strong> ]
module="core">ServerRoot</directive>. The default is
<code>conf/httpd.conf</code>.</dd>
-<dt><code>-k <code>start|restart|graceful|stop</code></code></dt>
+<dt><code>-k <code>start|restart|graceful|stop|graceful-stop</code></code></dt>
<dd>Signals <code>httpd</code> to start, restart, or stop. See <a
href="../stopping.html">Stopping Apache</a> for more information.</dd>
<page href="stopping.html">Stopping and Restarting the Server</page>
<page href="configuring.html">Configuration Files</page>
<page href="sections.html">How Directory, Location and Files sections work</page>
+<page href="caching.html">Content Caching</page>
<page href="server-wide.html">Server-Wide Configuration</page>
<page href="logs.html">Log Files</page>
<page href="urlmapping.html">Mapping URLs to Filesystem Locations</page>
intended to be a definitive guide to the SSL protocol, nor does it discuss
specific techniques for managing certificates in an organization, or the
important legal issues of patents and import and export restrictions.
-Rather, it is intended to provide a common background to mod_ssl users by
-pulling together various concepts, definitions, and examples as a starting
-point for further exploration.</p>
+Rather, it is intended to provide a common background to <module
+>mod_ssl</module> users by pulling together various concepts, definitions,
+and examples as a starting point for further exploration.</p>
-<p>The presented content is mainly derived, with permission by the author,
+<p>The presented content is mainly derived, with the author's permission,
from the article <a
-href="http://home.earthlink.net/~fjhirsch/Papers/wwwj/article.html">Introducing
-SSL and Certificates using SSLeay</a>
from <a
-href="http://home.earthlink.net/~fjhirsch/">Frederick J. Hirsch</a>, of The
+href="http://home.comcast.net/~fjhirsch/Papers/wwwj/">Introducing
+SSL and Certificates using SSLeay</a>
by <a
+href="http://home.comcast.net/~fjhirsch/">Frederick J. Hirsch</a>, of The
Open Group Research Institute, which was published in <a
href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of
Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997.
money. Alice would like the message to be private, since it will
include information such as her account number and transfer amount. One
solution is to use a cryptographic algorithm, a technique that would
- transform her message into an encrypted form, unreadable except by
- those it is intended for. Once in this form, the message may only be
- interpreted through the use of a secret key. Without the key the
- message is useless: good cryptographic algorithms make it so difficult
+ transform her message into an encrypted form, unreadable until it is
+ decrypted. Once in this form, the message can only be
+ decrypted by using a secret key. Without the key the message is useless:
+ good cryptographic algorithms make it so difficult
for intruders to decode the original text that it isn't worth their
effort.</p>
<dt>Conventional cryptography</dt>
<dd>also known as symmetric cryptography, requires the sender and
receiver to share a key: a secret piece of information that may be
- used to encrypt or decrypt a message. If this key is secret, then
- nobody other than the sender or receiver may read the message. If
- Alice and the bank know a secret key, then they may send each other
- private messages. The task of privately choosing a key before
- communicating, however, can be problematic.</dd>
+ used to encrypt or decrypt a message. As long as this key is kept
+ secret, nobody other than the sender or recipient can read the message.
+ If Alice and the bank know a secret key, then they can send each other
+ private messages. The task of sharing a key between sender and recipient
+ before communicating, while also keeping it secret from others, can be
+ problematic.</dd>
<dt>Public key cryptography</dt>
<dd>also known as asymmetric cryptography, solves the key exchange
(the public key) and keeping the other secret (the private key).</dd>
</dl>
- <p>Anyone may encrypt a message using the public key, but only the
+ <p>Anyone can encrypt a message using the public key, but only the
owner of the private key will be able to read it. In this way, Alice
- may send private messages to the owner of a key-pair (the bank), by
+ can send private messages to the owner of a key-pair (the bank), by
encrypting it using their public key. Only the bank will be able to
decrypt it.</p>
</section>
is still a concern that someone might modify her original message or
substitute it with a different one, in order to transfer the money
to themselves, for instance. One way of guaranteeing the integrity
- of Alice's message is to create a concise summary of her message and
- send this to the bank as well. Upon receipt of the message, the bank
- creates its own summary and compares it with the one Alice sent. If
- they agree then the message was received intact.</p>
+ of Alice's message is for her to create a concise summary of her
+ message and send this to the bank as well. Upon receipt of the message,
+ the bank creates its own summary and compares it with the one Alice
+ sent. If the summaries are the same then the message has been received
+ intact.</p>
<p>A summary such as this is called a <dfn>message digest</dfn>, <em>one-way
-function</em> or <em>hash function</em>. Message digests are used to create
-short, fixed-length representations of longer, variable-length messages.
-Digest algorithms are designed to produce unique digests for different
-messages. Message digests are designed to make it too difficult to determine
-the message from the digest, and also impossible to find two different
-messages which create the same digest -- thus eliminating the possibility of
-substituting one message for another while maintaining the same digest.</p>
-<p>Another challenge that Alice faces is finding a way to send the digest to the
-bank securely; when this is achieved, the integrity of the associated message
-is assured. One way to do this is to include the digest in a digital
-signature.</p>
+ function</em> or <em>hash function</em>. Message digests are used to create
+ a short, fixed-length representation of a longer, variable-length message.
+ Digest algorithms are designed to produce a unique digests for each
+ message. Message digests are designed to make it impractically difficult
+ to determine the message from the digest, and (in theory) impossible to
+ find two different messages which create the same digest -- thus
+ eliminating the possibility of substituting one message for another while
+ maintaining the same digest.</p>
+
+ <p>Another challenge that Alice faces is finding a way to send the digest
+ to the bank securely; if the digest is not sent securely, its integrity may
+ be compromised, and with it, the possibility for the bank to determine the
+ integrity of the original message. Only if the digest is sent securely can
+ the integrity of the associated message be determined.</p>
+
+ <p>One way to send the digest securely is to include it in a digital
+ signature.</p>
</section>
<section id="digitalsignatures"><title>Digital Signatures</title>
<p>When Alice sends a message to the bank, the bank needs to ensure that the
-message is really from her, so an intruder does not request a transaction
+message is really from her, so an intruder cannot request a transaction
involving her account. A <em>digital signature</em>, created by Alice and
included with the message, serves this purpose.</p>
<p>Digital signatures are created by encrypting a digest of the message,
and other information (such as a sequence number) with the sender's
-private key. Though anyone may <em>decrypt</em> the signature using the public
-key, only the signer knows the private key. This means that only they may
+private key. Though anyone can <em>decrypt</em> the signature using the public
+key, only the sender knows the private key. This means that only they can
have signed it. Including the digest in the signature means the signature is
only good for that message; it also ensures the integrity of the message since
no one can change the digest and still sign it.</p>
<p>Although Alice could have sent a private message to the bank, signed
it, and ensured the integrity of the message, she still needs to be sure
that she is really communicating with the bank. This means that she needs
-to be sure that the public key she is using corresponds to the bank's
-private key. Similarly, the bank also needs to verify that the message
-signature really corresponds to Alice's signature.</p>
+to be sure that the public key she is using is part of the bank's key-pair,
+and not an intruder's. Similarly, the bank needs to verify that the message
+signature really was signed by the private key that belongs to Alice.</p>
<p>If each party has a certificate which validates the other's identity,
-confirms the public key, and is signed by a trusted agency, then they both
-will be assured that they are communicating with whom they think they are.
+confirms the public key, and is signed by a trusted agency, then both
+can be assured that they are communicating with whom they think they are.
Such a trusted agency is called a <em>Certificate Authority</em>, and
certificates are used for authentication.</p>
<p>A Certificate Authority may define a policy specifying which
distinguished field names are optional, and which are required. It
may also place requirements upon the field contents, as may users of
- certificates. As an example, a Netscape browser requires that the
- Common Name for a certificate representing a server has a name which
- matches a wildcard pattern for the domain name of that server, such
+ certificates. For example, a Netscape browser requires that the
+ Common Name for a certificate representing a server matches a wildcard
+ pattern for the domain name of that server, such
as <code>*.snakeoil.com</code>.</p>
<p>The binary format of a certificate is defined using the ASN.1
Rules (DER), which are based on the more general Basic Encoding Rules
(BER). For those transmissions which cannot handle binary, the binary
form may be translated into an ASCII form by using Base64 encoding
- [<a href="#MIME">MIME</a>]. This encoded version is called PEM encoded
- (the name comes from "Privacy Enhanced Mail"), when placed between
- begin and end delimiter lines as illustrated in the following
- example.</p>
+ [<a href="#MIME">MIME</a>]. When placed between begin and end delimiter
+ lines (as below), this encoded version is called a PEM ("Privacy Enhanced
+ Mail") encoded certificate.</p>
<example>
<title>Example of a PEM-encoded certificate (snakeoil.crt)</title>
<section id="certificateauthorities">
<title>Certificate Authorities</title>
- <p>By first verifying the information in a certificate request
+ <p>By verifying the information in a certificate request
before granting the certificate, the Certificate Authority assures
- the identity of the private key owner of a key-pair. For instance,
- if Alice requests a personal certificate, the Certificate Authority
- must first make sure that Alice really is the person the certificate
- request claims.</p>
+ itself of the identity of the private key owner of a key-pair.
+ For instance, if Alice requests a personal certificate, the
+ Certificate Authority must first make sure that Alice really is the
+ person the certificate claims she is.</p>
<section id="certificatechains">
<title>Certificate Chains</title>
<p>As noted earlier, each certificate requires an issuer to assert
the validity of the identity of the certificate subject, up to
the top-level Certificate Authority (CA). This presents a problem:
- Since this is who vouches for the certificate of the top-level
+ who can vouch for the certificate of the top-level
authority, which has no issuer? In this unique case, the
certificate is "self-signed", so the issuer of the certificate is
- the same as the subject. As a result, one must exercise extra care
- in trusting a self-signed certificate. The wide publication of a
+ the same as the subject. Browsers are preconfigured to trust well-known
+ certificate authorities, but it is important to exercise extra care in
+ trusting a self-signed certificate. The wide publication of a
public key by the root authority reduces the risk in trusting this
key -- it would be obvious if someone else publicized a key
- claiming to be the authority. Browsers are preconfigured to trust
- well-known certificate authorities.</p>
+ claiming to be the authority.</p>
<p>A number of companies, such as <a href="http://www.thawte.com/"
>Thawte</a> and <a href="http://www.verisign.com/">VeriSign</a>
<p>Establishing a Certificate Authority is a responsibility which
requires a solid administrative, technical, and management
framework. Certificate Authorities not only issue certificates,
- they also manage them -- that is, they determine how long
- certificates are valid, they renew them, and they keep lists of
- certificates that have already been issued but are no longer valid
- (Certificate Revocation Lists, or CRLs). Say Alice is entitled to
- a certificate as an employee of a company. Say too, that the
- certificate needs to be revoked when Alice leaves the company. Since
- certificates are objects that get passed around, it is impossible
- to tell from the certificate alone that it has been revoked. When
- examining certificates for validity, therefore, it is necessary to
- contact the issuing Certificate Authority to check CRLs -- this
- is not usually an automated part of the process.</p>
+ they also manage them -- that is, they determine for how long
+ certificates remain valid, they renew them, and they keep lists of
+ certificates that were issued in the past but are no longer valid
+ (Certificate Revocation Lists, or CRLs).</p>
+
+ <p>For example, if Alice is entitled to a certificate as an
+ employee of a company, but has now left
+ that company, her certificate may need to be revoked.
+ Because certificates are only issued after the subject's identity has
+ been verified, and can then be passed around to all those with whom
+ the subject may communicate, it is impossible to tell from the
+ certificate alone that it has been revoked.
+ When examining certificates for validity, therefore,
+ it is necessary to contact the issuing Certificate Authority to
+ check CRLs -- this is usually not an automated part of the process.</p>
<note><title>Note</title>
- <p>If you use a Certificate Authority that is not configured into
- browsers by default, it is necessary to load the Certificate
+ <p>If you use a Certificate Authority that browsers are not configured
+ to trust by default, it is necessary to load the Certificate
Authority certificate into the browser, enabling the browser to
validate server certificates signed by that Certificate Authority.
Doing so may be dangerous, since once loaded, the browser will
the Internet Engineering Task Force (IETF).</p>
<section id="session">
-<title>Session Establishment</title>
+<title>Establishing a Session</title>
<p>The SSL session is established by following a handshake sequence
between client and server, as shown in <a href="#figure1"
>Figure 1</a>. This sequence may vary, depending on whether the server
is configured to provide a server certificate or request a client
- certificate. Though cases exist where additional handshake steps
+ certificate. Although cases exist where additional handshake steps
are required for management of cipher information, this article
- summarizes one common scenario: see the SSL specification for the full
+ summarizes one common scenario. See the SSL specification for the full
range of possibilities.</p>
<note><title>Note</title>
- <p>Once an SSL session has been established it may be reused, thus
- avoiding the performance penalty of repeating the many steps needed
- to start a session. For this the server assigns each SSL session a
+ <p>Once an SSL session has been established, it may be reused. This
+ avoids the performance penalty of repeating the many steps needed
+ to start a session. To do this, the server assigns each SSL session a
unique session identifier which is cached in the server and which the
- client can use on forthcoming connections to reduce the handshake
- (until the session identifer expires in the cache of the server).</p>
+ client can use in future connections to reduce the handshake time
+ (until the session identifer expires from the cache of the server).</p>
</note>
<p class="figure">
</ol>
<p>The first step, Cipher Suite Negotiation, allows the client and
- server to choose a Cipher Suite supportable by both of them. The SSL3.0
+ server to choose a Cipher Suite supported by both of them. The SSL3.0
protocol specification defines 31 Cipher Suites. A Cipher Suite is
defined by the following components:</p>
<p>The key exchange method defines how the shared secret symmetric
cryptography key used for application data transfer will be agreed
upon by client and server. SSL 2.0 uses RSA key exchange only, while
- SSL 3.0 supports a choice of key exchange algorithms including the
- RSA key exchange when certificates are used, and Diffie-Hellman key
- exchange for exchanging keys without certificates and without prior
- communication between client and server.</p>
+ SSL 3.0 supports a choice of key exchange algorithms including
+ RSA key exchange (when certificates are used), and Diffie-Hellman key
+ exchange (for exchanging keys without certificates, or without prior
+ communication between client and server).</p>
<p>One variable in the choice of key exchange methods is digital
signatures -- whether or not to use them, and if so, what kind of
- signatures to use. Signing with a private key provides assurance
+ signatures to use. Signing with a private key provides protection
against a man-in-the-middle-attack during the information exchange
- used
in generating the shared key [<a href="#AC96">AC96</a>, p516].</p>
+ used
to generating the shared key [<a href="#AC96">AC96</a>, p516].</p>
</section>
<section id="ciphertransfer">
<title>Cipher for Data Transfer</title>
- <p>SSL uses the conventional cryptography algorithm (symmetric
- cryptography) described earlier for encrypting messages in a session.
- There are nine choices, including the choice to perform no
- encryption:</p>
+ <p>SSL uses conventional symmetric cryptography, as described earlier,
+ for encrypting messages in a session.
+ There are nine choices of how to encrypt, including the option not to
+ encrypt:</p>
<ul>
<li>No encryption</li>
</ul></li>
</ul>
- <p>Here "CBC" refers to Cipher Block Chaining, which means that a
+ <p>"CBC" refers to Cipher Block Chaining, which means that a
portion of the previously encrypted cipher text is used in the
encryption of the current block. "DES" refers to the Data Encryption
Standard [<a href="#AC96">AC96</a>, ch12], which has a number of
- variants (including DES40 and 3DES_EDE). "Idea" is one of the best
- and cryptographically strongest available algorithms, and "RC2" is
- a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>,
- ch13].</p>
+ variants (including DES40 and 3DES_EDE). "Idea" is currently one of
+ the best and cryptographically strongest algorithms available,
+ and "RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96"
+ >AC96</a>, ch13].</p>
</section>
<section id="digestfuntion">
</ul>
<p>The message digest is used to create a Message Authentication Code
- (MAC) which is encrypted with the message to provide integrity and to
- prevent against replay attacks.</p>
+ (MAC) which is encrypted with the message to verify integrity and to
+ protect against replay attacks.</p>
</section>
<section id="handshake">
<p>The encapsulation of SSL control protocols by the record protocol
means that if an active session is renegotiated the control protocols
- will be transmitted securely. If there were no session before, then
- the Null cipher suite is used, which means there is no encryption and
- messages have no integrity digests until the session has been
+ will be transmitted securely. If there was no previous session,
+ the Null cipher suite is used, which means there will be no encryption and
+ messages will have no integrity digests, until the session has been
established.</p>
</section>
<title>Data Transfer</title>
<p>The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>,
is used to transfer application and SSL Control data between the
- client and server, possibly fragmenting this data into smaller units,
+ client and server, where necessary fragmenting this data into smaller units,
or combining multiple higher level protocol data messages into single
units. It may compress, attach digest signatures, and encrypt these
units before transmitting them using the underlying reliable transport
- protocol (Note: currently all major SSL implementations lack support
+ protocol (Note: currently, no major SSL implementations include support
for compression).</p>
<p class="figure">
<section id="securehttp">
<title>Securing HTTP Communication</title>
<p>One common use of SSL is to secure Web HTTP communication between
- a browser and a webserver. This case does not preclude the use of
- non-secured HTTP. The secure version is mainly plain HTTP over SSL
- (named HTTPS), but with one major difference: it uses the URL scheme
- <code>https</code> rather than <code>http</code> and a different
- server port (by default 443). This mainly is what <module
- >mod_ssl</module> provides to you for the Apache webserver...</p>
+ a browser and a webserver. This does not preclude the use of
+ non-secured HTTP - the secure version (called HTTPS) is the same as
+ plain HTTP over SSL, but uses the URL scheme <code>https</code>
+ rather than <code>http</code>, and a different server port (by default,
+ port 443). This functionality is a large part of what <module
+ >mod_ssl</module> provides for the Apache webserver.</p>
</section>
</section>
<!-- /ssl -->
<p>The second method of signaling the <program>httpd</program> processes
is to use the <code>-k</code> command line options: <code>stop</code>,
- <code>restart</code>, and <code>graceful</code>,
+ <code>restart</code>, <code>graceful</code> and <code>graceful-stop</code>,
as described below. These are arguments to the <program>
httpd</program> binary, but we recommend that
you send them using the <program>apachectl</program> control script, which
it with a child from the new <em>generation</em> of the
configuration, which begins serving new requests immediately.</p>
- <note>On certain platforms that do not allow <code>USR1</code> to
- be used for a graceful restart, an alternative signal may be used (such
- as <code>WINCH</code>). The command <code>apachectl graceful</code>
- will send the right signal for your platform.</note>
-
<p>This code is designed to always respect the process control
directive of the MPMs, so the number of processes and threads
available to serve clients will be maintained at the appropriate
been created, then create enough to pick up the slack. Hence the
code tries to maintain both the number of children appropriate for
the current load on the server, and respect your wishes with the
- <directive>StartServers</directive> parameter.</p>
+ <directive module="mpm_common">StartServers</directive>
+ parameter.</p>
- <p>Users of the <module>mod_status</module>
+ <p>Users of <module>mod_status</module>
will notice that the server statistics are <strong>not</strong>
set to zero when a <code>USR1</code> is sent. The code was
written to both minimize the time in which the server is unable
error. See above for a method of avoiding this.</note>
</section>
+<section id="gracefulstop"><title>Graceful Stop</title>
+
+<dl><dt>Signal: WINCH</dt>
+<dd><code>apachectl -k graceful-stop</code></dd>
+</dl>
+
+ <p>The <code>WINCH</code> or <code>graceful-stop</code> signal causes
+ the parent process to <em>advise</em> the children to exit after
+ their current request (or to exit immediately if they're not
+ serving anything). The parent will then remove its <directive
+ module="mpm_common">PidFile</directive> and cease listening on
+ all ports. The parent will continue to run, and monitor children
+ which are handling requests. Once all children have finalised
+ and exited or the timeout specified by the <directive
+ module="mpm_common">GracefulShutdownTimeout</directive> has been
+ reached, the parent will also exit. If the timeout is reached,
+ any remaining children will be sent the <code>TERM</code> signal
+ to force them to exit.</p>
+
+ <p>A <code>TERM</code> signal will immediately terminate the
+ parent process and all children when in the "graceful" state. However
+ as the <directive module="mpm_common">PidFile</directive> will
+ have been removed, you will not be able to use
+ <code>apachectl</code> or <code>httpd</code> to send this signal,</p>
+
+ <note><p>The <code>graceful-stop</code> signal allows you to run multiple
+ identically configured instances of <program>httpd</program> at the
+ same time. This is a powerful feature when performing graceful
+ upgrades of Apache, however it can also cause deadlocks and race
+ conditions with some configurations.</p>
+
+ <p>Care has been taken to ensure that on-disk files
+ such as the <directive module="core">Lockfile</directive> and <directive
+ module="mod_cgid">ScriptSock</directive> files contain the server
+ PID, and should co-exist without problem. However, if a configuration
+ directive, third-party module or persistent CGI utilises any other on-disk
+ lock or state files; care should be taken to ensure that multiple running
+ instances of <program>httpd</program> do not clobber each others files.</p>
+
+ <p>You should also be wary of other potential race conditions, such as
+ using <program>rotatelogs</program> style piped logging. Multiple running
+ instances of <program>rotatelogs</program> attempting to rotate the same
+ logfiles at the same time may destroy each other's logfiles.</p></note>
+</section>
+
+
<section id="race"><title>Appendix: signals and race conditions</title>
<p>Prior to Apache 1.2b9 there were several <em>race
- conditions</em> involving the restart and die signals (a simple
- description of race condition is: a time-sensitive problem, as
- in if something happens at just the wrong time it won't behave
- as expected). For those architectures that have the "right"
+ conditions</em> involving the restart and die signals (a simply put,
+ a race condition is a time-sensitive problem - if something happens
+ at just the wrong time or things happen in the wrong order,
+ undesired behaviour will result. If the same thing happens at the right
+ time, all will be well). For those architectures that have the "right"
feature set we have eliminated as many as we can. But it should
- be noted that there still do exist race conditions on certain
+ be noted that race conditions do still exist on certain
architectures.</p>
- <p>Architectures that use an on disk <directive
- module="mpm_common">ScoreBoardFile</directive> have the potential
- to corrupt their scoreboards. This can result in the "bind:
+ <p>Architectures that use an on-disk <directive
+ module="mpm_common">ScoreBoardFile</directive> can potentially have
+ their scoreboards corrupted. This can result in the "bind:
Address already in use" (after <code>HUP</code>) or "long lost
child came home!" (after <code>USR1</code>). The former is a fatal
error, while the latter just causes the server to lose a
- scoreboard slot. So it might be advisable to use graceful
+ scoreboard slot. So it may be advisable to use graceful
restarts, with an occasional hard restart. These problems are very
difficult to work around, but fortunately most architectures do
not require a scoreboard file. See the <directive
- module="mpm_common">ScoreBoardFile</directive> documentation for a
- architecture uses it.</p>
+ module="mpm_common">ScoreBoardFile</directive> documentation for
+ architecture which uses it.</p>
<p>All architectures have a small race condition in each child
involving the second and subsequent requests on a persistent
<directive module="core">KeepAliveTimeout</directive>,
<directive module="core">KeepAlive</directive>,
<directive module="core">MaxKeepAliveRequests</directive>,
+ <directive module="core">ReceiveBufferSize</directive>,
or <directive module="core">SendBufferSize</directive>
directive then the respective value is inherited from the
main_server. (That is, inherited from whatever the final
projects / thirdparty / apache / httpd.git / commitdiff
