-<HTML><HEAD>
-<TITLE>Test Page for Apache</TITLE>
-</HEAD><BODY>
-
-<H1>It Worked!</H1>
-
-If you can see this, then your
-<A HREF="http://www.apache.org/">Apache</A> installation was
-successful. You may now add content to this directory and
-replace this page.
-
-<P>
-The Apache <A HREF="manual/index.html">documentation has been
-included with this distribution.</A>
-
-<P>
-You are free to use the image below on an Apache-powered web
-server. Thanks for using Apache!
-
-<P>
-<img src="apache_pb.gif" alt="">
-
-</BODY></HTML>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+ <HEAD>
+ <TITLE>Test Page for Apache</TITLE>
+ </HEAD>
+<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+ <BODY
+ BGCOLOR="#FFFFFF"
+ TEXT="#000000"
+ LINK="#0000FF"
+ VLINK="#000080"
+ ALINK="#FF0000"
+ >
+ <H1 ALIGN="CENTER">It Worked!</H1>
+ <P>
+ If you can see this, then your
+ <A HREF="http://www.apache.org/">Apache</A> installation was
+ successful. You may now add content to this directory and
+ replace this page.
+ </P>
+ <P>
+ The Apache <A HREF="manual/index.html">documentation</A> has been
+ included with this distribution.
+ </P>
+ <P>
+ You are free to use the image below on an Apache-powered web
+ server. Thanks for using Apache!
+ </P>
+ <P ALIGN="CENTER">
+ <IMG SRC="apache_pb.gif" ALT="">
+ </P>
+ </BODY>
+</HTML>
response, then this response can be replaced with either some
friendlier text or by a redirection to another URL (local or
external).
-
+
<P>
-
+
<DT>Old behavior
<DD>NCSA httpd 1.3 would return some boring old error/problem message
<h3><a name="new">Release Notes</a></h3>
<ul>
+<li><a href="new_features_1_3.html">New features in Apache 1.3</a>
<li><a href="new_features_1_2.html">New features in Apache 1.2</a>
<li><a href="new_features_1_1.html">New features in Apache 1.1</a>
<li><a href="new_features_1_0.html">New features in Apache 1.0</a>
<!--#include virtual="header.html" -->
<H1 ALIGN="CENTER">Apache Server Frequently Asked Questions</H1>
<P>
- $Revision: 1.63.2.2 $ ($Date: 1997/06/11 21:21:39 $)
+ $Revision: 1.63.2.3 $ ($Date: 1997/06/27 03:02:04 $)
</P>
<P>
The latest version of this FAQ is always available from the main
<!-- apache.org or apacheweek.com). -->
<!-- - When adding items, make sure they're put in the right place -->
<!-- - verify that the numbering matches up. -->
-<!-- - *Don't* use <PRE></PRE> blocks - they don't appear -->
+<!-- - *Don't* use <PRE></PRE> blocks - they don't appear -->
<!-- correctly in a reliable way when this is converted to text -->
-<!-- with Lynx. Use <DL><DD><CODE>xxx<BR>xx</CODE></DD></DL> -->
-<!-- blocks inside a <P></P> instead. This is necessary to get -->
-<!-- the horizontal and vertical indenting right. -->
+<!--
with Lynx. Use <DL><DD><CODE>xxx<BR>xx</CODE></DD></DL> -->
+<!--
blocks inside a <P></P> instead. This is necessary to get -->
+<!-- the horizontal and vertical indenting right. -->
<!-- - Don't forget to include an HR tag after the last /P tag -->
<!-- but before the /LI in an item. -->
<P>
<LI><A HREF="#fdlim">Why can't I run more than <<EM>n</EM>>
virtual hosts?</A>
</LI>
+ <LI><A HREF="#freebsd-setsize">Can I increase FD_SETSIZE on FreeBSD?</A>
+ </LI>
<LI><A HREF="#limitGET">Why do I keep getting "access denied" for
form POST requests?</A>
</LI>
</LI>
<LI><A HREF="#no-info-directives">Why doesn't mod_info list any
directives?</A>
+ <LI><A HREF="#linux-shmget">When I run it under Linux I get "shmget:
+ function not found", what should I do?</A>
+ </LI>
+ <LI><A HREF="#authauthoritative">Why does my authentification give
+ me a server error?</A>
+ <LI><A HREF="#auth-on-same-machine">Do I have to keep the (mSQL)
+ authentification information on the same machine?</A>
+ </LI>
+ <LI><A HREF="#msql-slow">Why is my mSQL authentification terribly slow?</A>
</LI>
</OL>
</LI>
<P>
It means just what it says: the server was expecting a complete set of
HTTP headers (one or more followed by a blank line), and didn't get
- them. The most common cause of this (aside from people not
- outputting the required headers at all) a result of an interaction
- with perl's output buffering. To make perl flush its buffers
- after each output statement, insert the following statements before your
- first <CODE>print</CODE> or <CODE>write</CODE> statement:
+ them.
+ </P>
+ <P>
+ The most common cause of this problem is the script dying before
+ sending the complete set of headers, or possibly any at all, to the
+ server. To see if this is the case, try running the script standalone
+ from an interactive session, rather than as a script under the server.
+ If you get error messages, this is almost certainly the cause of the
+ "premature end of script headers" message.
+ </P>
+ <P>
+ The second most common cause of this (aside from people not
+ outputting the required headers at all) is a result of an interaction
+ with Perl's output buffering. To make Perl flush its buffers
+ after each output statement, insert the following statements around
+ the <CODE>print</CODE> or <CODE>write</CODE> statements that send your
+ HTTP headers:
</P>
<P>
<DL>
- <DD><CODE>$cfh = select (STDOUT);<BR>
- $| = 1;<BR>
- select ($cfh);</CODE>
+ <DD><CODE>{<BR>
+ local ($oldbar) = $|;<BR>
+ $cfh = select (STDOUT);<BR>
+ $| = 1;<BR>
+ #<BR>
+ # print your HTTP headers here<BR>
+ #<BR>
+ $| = $oldbar;<BR>
+ select ($cfh);<BR>
+ }</CODE>
</DD>
</DL>
</P>
<P>
This is generally only necessary when you are calling external
programs from your script that send output to stdout, or if there will
- be along delay between the time the headers are sent and the actual
+ be a long delay between the time the headers are sent and the actual
content starts being emitted. To maximise performance, you should
- turn buffering back <EM>on</EM> (with <CODE>$| = 0</CODE> or the
- equivalent) after the statements that send the headers.
+ turn buffer-flushing back <EM>off</EM> (with <CODE>$| = 0</CODE> or the
+ equivalent) after the statements that send the headers, as displayed
+ above.
+ </P>
<P>
If your script isn't written in Perl, do the equivalent thing for
whatever language you <EM>are</EM> using (<EM>e.g.</EM>, for C, call
HREF="../mod/core.html#listen"
><SAMP>Listen</SAMP></A>
directives. If there are no other servers running on the machine
- and all of them are running on the same port, you normally don't
- need any Listen directives at all.
+ on the same port then you normally don't
+ need any Listen directives at all. By default Apache listens to
+ all addresses on port 80.
</LI>
<LI>Reduce the number of log files. You can use
<A
<A
HREF="perf.html"
>performance hints</A>
- page.
+ page. There is a specific note for
+ <a href="#freebsd-setsize">FreeBSD</a> below.
</LI>
<LI>"Don't do that" - try to run with fewer virtual hosts
</LI>
available in the way of solutions.
</P>
<HR>
+
+ <LI><A NAME="freebsd-setsize">
+ <STRONG>Can I increase FD_SETSIZE on FreeBSD?</STRONG>
+ </A>
+ <P>
+ On FreeBSD 2.2 and older FD_SETSIZE, which limits the number of open
+ files on the system, is limted to 256. This can limit the number of
+ virtual hosts you are using; especially if they all use different log
+ files. Increasing this limit (and recompiling apache) is not enough
+ (As it is on some platforms, such as Solaris), as you also will have
+ to recompile libc with the changed setting.
+ </P>
+ <p>
+ On FreeBSD 3.0 the default is 1024, so the problem is lessened.
+ </p>
+ <HR>
+ </LI>
+
<LI><A NAME="limitGET">
<STRONG>Why do I keep getting "access denied" for form POST
requests?</STRONG>
</P>
<P>
<DL>
- <DD><CODE>if ($0 =~ m:/*nph-:) {
+ <DD><CODE>if ($0 =~ m:^(.*/)*nph-[^/]*$:) {
<BR>
$HTTP_headers =
"Connection: close\015\012";
<BR>
- printf ($HTTP_headers);
+ print $HTTP_headers;
<BR>
- };</CODE>
+ }</CODE>
</DD>
</DL>
</P>
</LI>
<LI><A NAME="linuxiovec">
<STRONG>Why do I get complaints about redefinition
- of "<CODE>struct iovec</CODE>" when compiling under Linux?</STRONG>
+ of "<CODE>struct iovec</CODE>" when
+ compiling under Linux?</STRONG>
</A>
<P>
This is a conflict between your C library includes and your kernel
<HR>
</LI>
+ <LI><A NAME="linux-shmget">
+ <STRONG>When I run it under Linux I get "shmget:
+ function not found", what should I do?</STRONG>
+ </A>
+ <P>
+ Your kernel has been built without SysV IPC support. You will have to
+ rebuild the kernel with that support enabled (it's under the
+ "General Setup" submenu). Documention for
+ kernel building is beyond the scope of this FAQ, you should consult
+ the <A HREF="http://www.linuxhq.com/HOWTO/Kernel-HOWTO.html">Kernel
+ HOWTO</A>, or the documentation provided with your distribution,
+ or a <A HREF="http://www.linuxhq.com/HOWTO/META-FAQ.html">Linux
+ newsgroup/mailing list</A>. As a last resort workaround, you can
+ comment out the <CODE>#define HAVE_SHMGET</CODE> definition in the
+ <CODE>LINUX</CODE> section of
+ <CODE>src/conf.h</CODE> and rebuild the server. This will produce
+ a server which is slower and less reliable.
+ </P>
+ <HR>
+ </LI>
+
+ <LI><A NAME="authauthoritative">
+ <STRONG>Why does my authentification give me a server error?</STRONG>
+ </A>
+ <P>
+ Under normal circumstances, the apache access control modules will
+ pass unrecognized userids on to the next access control module in
+ line. Only if the userid is recognized, the password is validated
+ (or not) will it give the usual success or authentification failed
+ messages.
+ </p>
+ <p>
+ However if the last access module in line 'declines' the validation
+ request (because it has never heard of the userid or because it is not
+ configured) the http_request handler will give one of the following,
+ confusing, errors:
+ <UL>
+ <li> <code>check access</code>
+ <li> <code>check user. No user file? </code>
+ <li> <code>check access. No groups file? </code>
+ </ul>
+ This does not mean that you have to add a 'AuthUserFile /dev/null'
+ line as some magazines suggest !
+ </p>
+ <p>
+ The solution is to ensure that at least the last module is authoritative
+ and <b>CONFIGURED</b>. By default <code>mod_auth</code> is authoritative
+ and will give an OK/Denied, but only if it is configured with the
+ proper AuthUserFile. Likewise if a valid group is required. (Remember
+ that the modules are processed in the reverse order they appear in
+ your compile-time Configuration file.)
+ </P>
+ <p>
+ A typical situation for this error is when you are using the
+ mod_auth_dbm, mod_auth_msql, mod_auth_mysql, mod_auth_anon or
+ mod_auth_cookie on their own. These are by default <b>not</b>
+ authoritative, and this will pass the buck on to the (non-existent) next
+ authentification module when the user ID is not in their respective
+ database. Just add the appropriate 'XXXAuthoritative yes' line to
+ the configuration.
+ </p>
+ <p>
+ In general it is a good idea (though not terribly efficient) to have the
+ file based mod_auth a module of last resort. This allows you to access
+ the web server with a few special passwords even if the databases are
+ down or corrupted. This does cost a file-open/seek/close for each
+ request in a protected area.
+ </p>
+ <HR>
+ </LI>
+
+ <LI><A NAME="auth-on-same-machine">
+ <STRONG>Do I have to keep the (mSQL) authentification information
+ on the same machine?</STRONG>
+ </A>
+ <p>
+ Some organizations feel very strongly about keeping the authentification
+ information on a different machine than the webserver. With the
+ mod_auth_msql, mod_auth_mysql and other SQL modules connecting to
+ (R)DBMses this is quite well possible. Just configure an explicit host
+ to contact.
+ </p>
+ <p>
+ Be aware that with mSQL and Oracle, opening and closing these database
+ connections is very expensive and time consuming. You might want to
+ look at the code in the auth_modules and play with the compile time
+ flags to alleviate this somewhat; if your RDBMS licences alows for it.
+ </p>
+ <HR>
+ </LI>
+
+ <LI><A NAME="msql-slow">
+ <STRONG>Why is my mSQL authentification terribly slow?</STRONG>
+ </A>
+ <p>
+ You have probably configured the Host by specificing a FQHN,
+ and thus the libmsql will use a full blown tcp/ip socket to talk to
+ the database, rather than a fast internal device. Both the libmsql,
+ the mSQL faq and the mod_auth_msql documentation warn you about this. If
+ you have to use different hosts, check out the mod_auth_msql code for
+ some compile time flags which might, or might not suit you.
+ </p>
+ <HR>
+ </LI>
+
<!-- Don't forget to add HR tags at the end of each list item.. -->
</OL>
<LI>The basic mod_auth <CODE>AuthGroupFile</CODE>-specified group file
format allows commas between user names - Apache does not.<BR>
<I>- added 12/1/96</I>
+ <p>
<LI><P>If you follow the NCSA guidelines for setting up access restrictions
based on client domain, you may well have added entries for,
files if the last line does not have a trailing newline. This affects
configuration files (httpd.conf, access.conf and srm.conf), and
htpasswd and htgroup files.
+ </LI>
+
+ <LI>Apache does not permit commas delimiting the methods in <Limit>.
</OL>
connection stays in the FIN_WAIT_2 state until one of the following
happens:<P>
<UL>
- <LI>The client opens a new connection to the same or a different
- site, which causes it to fully close the older connection on
+ <LI>The client opens a new connection to the same or a different
+ site, which causes it to fully close the older connection on
that socket.
- <LI>The user exits the client, which on some (most?) clients
- causes the OS to fully shutdown the connection.
- <LI>The FIN_WAIT_2 times out, on servers that have a timeout
- for this state.
+ <LI>The user exits the client, which on some (most?) clients
+ causes the OS to fully shutdown the connection.
+ <LI>The FIN_WAIT_2 times out, on servers that have a timeout
+ for this state.
</UL><P>
If you are lucky, this means that the buggy client will fully close the
connection and release the resources on your server. However, there
The clients on which this problem has been verified to exist:<P>
<UL>
- <LI>Mozilla/3.01 (X11; I; FreeBSD 2.1.5-RELEASE i386)
- <LI>Mozilla/2.02 (X11; I; FreeBSD 2.1.5-RELEASE i386)
- <LI>Mozilla/3.01Gold (X11; I; SunOS 5.5 sun4m)
- <LI>MSIE 3.01 on the Macintosh
- <LI>MSIE 3.01 on Windows 95
+ <LI>Mozilla/3.01 (X11; I; FreeBSD 2.1.5-RELEASE i386)
+ <LI>Mozilla/2.02 (X11; I; FreeBSD 2.1.5-RELEASE i386)
+ <LI>Mozilla/3.01Gold (X11; I; SunOS 5.5 sun4m)
+ <LI>MSIE 3.01 on the Macintosh
+ <LI>MSIE 3.01 on Windows 95
</UL><P>
This does not appear to be a problem on:
<UL>
- <LI>Mozilla/3.01 (Win95; I)
+ <LI>Mozilla/3.01 (Win95; I)
</UL>
<P>
The following systems are known to have a timeout:
<P>
<UL>
- <LI><A HREF="http://www.freebsd.org/">FreeBSD</A> versions starting at 2.0 or possibly earlier.
- <LI><A HREF="http://www.netbsd.org/">NetBSD</A> version 1.2(?)
- <LI><A HREF="http://www.openbsd.org/">OpenBSD</A> all versions(?)
- <LI><A HREF="http://www.bsdi.com/">BSD/OS</A> 2.1, with the
- <A HREF="ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/K210-027">
- K210-027</A> patch installed.
- <LI><A HREF="http://www.sun.com/">Solaris</A> as of around version
- 2.2. The timeout can be tuned by using <CODE>ndd</CODE> to
- modify <CODE>tcp_fin_wait_2_flush_interval</CODE>, but the
- default should be appropriate for most servers and improper
- tuning can have negative impacts.
- <LI><A HREF="http://www.sco.com/">SCO TCP/IP Release 1.2.1</A>
- can be modified to have a timeout by following
- <A HREF="http://www.sco.com/cgi-bin/waisgate?WAISdocID=2242622956+0+0+0&WAISaction=retrieve"> SCO's instructions</A>.
- <LI><A HREF="http://www.linux.org/">Linux</A> 2.0.x and
- earlier(?)
- <LI><A HREF="http://www.hp.com/">HP-UX</A> 10.x defaults to
- terminating connections in the FIN_WAIT_2 state after the
- normal keepalive timeouts. This does not
- refer to the persistent connection or HTTP keepalive
- timeouts, but the <CODE>SO_LINGER</CODE> socket option
- which is enabled by Apache. This parameter can be adjusted
- by using <CODE>nettune</CODE> to modify parameters such as
- <CODE>tcp_keepstart</CODE> and <CODE>tcp_keepstop</CODE>.
- In later revisions, there is an explicit timer for
- connections in FIN_WAIT_2 that can be modified; contact HP
- support for details.
- <LI><A HREF="http://www.sgi.com/">SGI IRIX</A> can be patched to
- support a timeout. For IRIX 5.3, 6.2, and 6.3,
- use patches 1654, 1703 and 1778 respectively. If you
- have trouble locating these patches, please contact your
- SGI support channel for help.
- <LI><A HREF="http://www.ncr.com/">NCR's MP RAS Unix</A> 2.xx and
- 3.xx both have FIN_WAIT_2 timeouts. In 2.xx it is non-tunable
- at 600 seconds, while in 3.xx it defaults to 600 seconds and
- is calculated based on the tunable "max keep alive probes"
- (default of 8) multiplied by the "keep alive interval" (default
- 75 seconds).
- <LI><A HREF="http://www.sequent.com">Squent's ptx/TCP/IP for
- DYNIX/ptx</A> has had a FIN_WAIT_2 timeout since around
- release 4.1 in mid-1994.
+
<LI><A HREF="http://www.freebsd.org/">FreeBSD</A> versions starting at 2.0 or possibly earlier.
+
<LI><A HREF="http://www.netbsd.org/">NetBSD</A> version 1.2(?)
+
<LI><A HREF="http://www.openbsd.org/">OpenBSD</A> all versions(?)
+
<LI><A HREF="http://www.bsdi.com/">BSD/OS</A> 2.1, with the
+
<A HREF="ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/K210-027">
+ K210-027</A> patch installed.
+
<LI><A HREF="http://www.sun.com/">Solaris</A> as of around version
+ 2.2. The timeout can be tuned by using <CODE>ndd</CODE> to
+ modify <CODE>tcp_fin_wait_2_flush_interval</CODE>, but the
+ default should be appropriate for most servers and improper
+ tuning can have negative impacts.
+
<LI><A HREF="http://www.sco.com/">SCO TCP/IP Release 1.2.1</A>
+ can be modified to have a timeout by following
+
<A HREF="http://www.sco.com/cgi-bin/waisgate?WAISdocID=2242622956+0+0+0&WAISaction=retrieve"> SCO's instructions</A>.
+
<LI><A HREF="http://www.linux.org/">Linux</A> 2.0.x and
+ earlier(?)
+
<LI><A HREF="http://www.hp.com/">HP-UX</A> 10.x defaults to
+ terminating connections in the FIN_WAIT_2 state after the
+ normal keepalive timeouts. This does not
+ refer to the persistent connection or HTTP keepalive
+ timeouts, but the <CODE>SO_LINGER</CODE> socket option
+ which is enabled by Apache. This parameter can be adjusted
+ by using <CODE>nettune</CODE> to modify parameters such as
+ <CODE>tcp_keepstart</CODE> and <CODE>tcp_keepstop</CODE>.
+ In later revisions, there is an explicit timer for
+ connections in FIN_WAIT_2 that can be modified; contact HP
+ support for details.
+
<LI><A HREF="http://www.sgi.com/">SGI IRIX</A> can be patched to
+ support a timeout. For IRIX 5.3, 6.2, and 6.3,
+ use patches 1654, 1703 and 1778 respectively. If you
+ have trouble locating these patches, please contact your
+ SGI support channel for help.
+
<LI><A HREF="http://www.ncr.com/">NCR's MP RAS Unix</A> 2.xx and
+ 3.xx both have FIN_WAIT_2 timeouts. In 2.xx it is non-tunable
+ at 600 seconds, while in 3.xx it defaults to 600 seconds and
+ is calculated based on the tunable "max keep alive probes"
+ (default of 8) multiplied by the "keep alive interval" (default
+ 75 seconds).
+
<LI><A HREF="http://www.sequent.com">Squent's ptx/TCP/IP for
+ DYNIX/ptx</A> has had a FIN_WAIT_2 timeout since around
+ release 4.1 in mid-1994.
</UL>
<P>
The following systems are known to not have a timeout:
<P>
<UL>
- <LI><A HREF="http://www.sun.com/">SunOS 4.x</A> does not and
- almost certainly never will have one because it as at the
- very end of its development cycle for Sun. If you have kernel
- source should be easy to patch.
+
<LI><A HREF="http://www.sun.com/">SunOS 4.x</A> does not and
+ almost certainly never will have one because it as at the
+ very end of its development cycle for Sun. If you have kernel
+ source should be easy to patch.
</UL>
<P>
There is a
</P>
<DL>
<DT><A
- HREF="API.html"
+ HREF="API.html"
>API</A>
</DT>
<DD>Description of Apache's Application Programming Interface.
</DD>
<DT><A
- HREF="FAQ.html"
+ HREF="FAQ.html"
>FAQ</A>
</DT>
<DD>Frequently-Asked Questions concerning the Apache project and server
</DD>
<DT><A
- HREF="client_block_api.html"
+ HREF="client_block_api.html"
>Reading Client Input in Apache 1.2</A>
</DT>
<DD>Describes differences between Apache 1.1 and 1.2 in how modules
read information from the client
</DD>
<DT><A
- HREF="compat_notes.html"
+ HREF="compat_notes.html"
>Compatibility with NCSA</A>
</DT>
<DD>Notes about Apache's compatibility with the NCSA server
</DD>
<DT><A
- HREF="fin_wait_2.html"
+ HREF="fin_wait_2.html"
><SAMP>FIN_WAIT_2</SAMP></A>
</DT>
<DD>A description of the causes of Apache processes going into the
<SAMP>FIN_WAIT_2</SAMP> state, and what you can do about it
</DD>
<DT><A
- HREF="howto.html"
+ HREF="howto.html"
>"How-To"</A>
</DT>
<DD>Instructions about how to accomplish some commonly-desired server
functionality changes
</DD>
<DT><A
- HREF="known_bugs.html"
+ HREF="known_bugs.html"
>Known Bugs</A>
</DT>
<DD>Just what it says - a list of known bugs in each of the Apache releases
</DD>
<DT><A
- HREF="nopgp.html"
+ HREF="nopgp.html"
>No PGP</A>
</DT>
<DD>Why we took PEM and PGP support out of the base Apache distribution
</DD>
<DT><A
- HREF="perf-bsd44.html"
+ HREF="perf-bsd44.html"
>Performance Notes (BSD 4.4)</A>
</DT>
<DD>Some notes about ways to improve/optimize Apache performance on
BSD 4.4 systems
</DD>
<DT><A
- HREF="perf-dec.html"
+ HREF="perf-dec.html"
>Performance Notes (Digital UNIX)</A>
</DT>
<DD>Extracts of USENET postings describing how to optimize Apache
performance on Digital UNIX systems
</DD>
<DT><A
- HREF="perf.html"
+ HREF="perf.html"
>Performance Notes (General)</A>
</DT>
<DD>Some generic notes about how to improve Apache performance
</DD>
<DT><A
- HREF="security_tips.html"
+ HREF="security_tips.html"
>Security Tips</A>
</DT>
<DD>Some "do"s - and "don't"s - for keeping your
Apache web site secure
</DD>
<DT><A
- HREF="vif-info.html"
+ HREF="vif-info.html"
>Virtual Hosts (IP-based)</A>
</DT>
<DD>Excerpts and notes about configuring and using Apache IP-based virtual
hosts
</DD>
<DT><A
- HREF="windoz_keepalive.html"
+ HREF="windoz_keepalive.html"
>Windows Bug with Web Keepalive</A>
</DT>
<DD>A brief description of a known problem with Microsoft Windows and
The most up-to-date resource for bug tracking and information is the
<A HREF="http://www.apache.org/bugdb.cgi">Apache bug database</A>.
-All existing bugs will be noted there. Below is a synopsis of
-significant outstanding bugs at release time. In fact you really
-shouldn't trust anything this page says other than the 1.2
-information.
+Significant bugs at release time will also be noted there.
+If you are running a 1.2 beta release or version 1.1.3 or earlier
+and thing you have found a bug, please upgrade to 1.2. Many bugs
+in early versions have been fixed in 1.2.
<P>See Also: <A HREF="compat_notes.html">Compatibility notes</A></P>
<HR>
-<H2>Version 1.2 (all)</H2>
+<H2>Apache 1.2 Bugs</H2>
<OL><a name="listenbug"></a>
<LI>On some architectures if your configuration uses multiple
This affects any architecture that doesn't use one of the
<code>USE_xxxxx_SERIALIZED_ACCEPT</code> definitions, see the
source file <code>conf.h</code> for your architecture.
- <p>This will be tracked as
+ This will be tracked as
<a href="http://www.apache.org/bugdb.cgi/full/467">PR#467</a>.
</LI>
This <A HREF="../../dist/contrib/patches/1.2/conneg-bug.patch">patch</A>
fixes this problem. It also fixes the problem which makes Apache
pick the last equally acceptable variant instead of the first.
- <p>This will be tracked as
+ This will be tracked as
<a href="http://www.apache.org/bugdb.cgi/full/94">PR#94</a>.
</LI>
-</OL>
-
-<H2>Version 1.2b8</H2>
-
-There are several known bugs in 1.2b8. See the
-<A HREF="http://www.apache.org/dist/patches/apply_to_1.2b8/">1.2b8 patches
-directory</A> for patches for some of the ones that have been fixed since
-the release of 1.2b8.<P>
-
-<H2>Version 1.2b1</H2>
-
-<OL>
-
- <LI>users have reported problems with many connections stuck in the
-FIN_WAIT_2 state due to server timeouts. This is a quite complicated
-problem; see our <A HREF="fin_wait_2.html">FIN_WAIT_2</A> page for
-details.
-
- <LI>hard_timeout() for request reads uses incorrect logic, and
-ends up waiting for an initial request read for the default "timeout"
-number of seconds, 1200, yet only the "KeepAliveTimeout" number of
-seconds on keepalive connections.
-
- <LI>mod_info output is not displaying current configuration as
-it should.
-
- <LI>Invalid commands in .htaccess files may cause segmentation faults.
-
-</OL>
-
-<H2>Version 1.1.1</H2>
-
-<OL>
-
- <LI>Hostnames such as "123.hotwired.com" are valid, yet
-find_allowdeny does not properly handle them. This should be put on
-Known Bugs. Be careful when fixing this because just removing the
-isalpha() check creates a security hole, consider the DNS map
-"1.1.1.1.in-addr.arpa IN PTR 2.2.2." if the user has a config line
-"allow from 2.2.2" it will allow 1.1.1.1 in (unless -DMAXIMUM_DNS).
--- which is bad because it breaks people who understand double reverse
-lookup and are trying to avoid it by using only IP addresses on
-allow/deny statements. - reported by Dean Gaudet, fixed in 1.2.
-
-</OL>
-
-
-<H2>Version 1.1.0</H2>
-
-<OL>
- <LI>mod_auth_msql misbehaviors. Grab a newer version from
- <A HREF="http://www.apache.org/dist/contrib/modules/">the modules distribution
- directory</A>. -fixed in 1.1
-
- <LI>Hanging on Netscape 2.0-3.0b4 on MSWindows (3.1 and 95) -
- we investigated pretty seriously, and as best we can tell
- this is a Netscape bug, and was fixed in 3.0b5. Please read our
- <A HREF="windoz_keepalive.html">lab report</A>.
-
-</OL>
-
-<H2>Version 1.1b2 (beta)</h2>
-<OL>
- <LI>SunOS has trouble compiling mod_status.c . It'll be fixed
- before 1.1 is released.</LI>
-
- <LI>CGI which spawn background processes may fail to return immediately.
- No fix exists yet.</LI>
-
- <LI>mod_dir appears to have problems when the DocumentRoot has a
- trailing slash.</LI>
-
-</OL>
-<H2>Version 1.1b1 (beta)</h2>
-<OL>
- <LI>The logfile can sometimes contain only part of a host
- address. This occurs if the Cookie module is compiled in
- and enabled.
-</OL>
-
-<H2>Version 0.8.16 (beta)</H2>
-<OL>
- <LI>(Feature) You cannot use relative pathnames for the -f or -d flags
- to httpd.<p>
- <LI><code>.asis</code> files cannot be used for content-negotiation.
-</OL>
-
-<H2>Version 0.8.13 (beta)</H2>
-
-<OL>
- <LI><CODE>AddDescription</CODE> doesn't seem to work (a fix is imminent)</LI>
-</OL>
-
-<H2>Version 0.8.11 (beta)</H2>
-<OL>
- <LI><CODE>http_main.c</CODE> function <CODE>accept_mutex_init()</CODE>
- horrible bug, <CODE>lock_fname</CODE> should be defined larger, e.g.
- <CODE><BR>
- char lock_fname[30];
- </CODE>
- <BR><B>Ooops.</B>
-
-<P>
-
- <LI>There's a bug with <B>NeXT</B>. Restarting the server causes an
- infinite loop. A fix has been provided by a user and should be included
- in a future update.
-
-<P>
-
-</OL>
-
-
-<H2>Version 0.8.10 (beta)</H2>
-
-<OL>
- <LI>Server side includes which include CGI output can have unbearable
- delays on some platforms. We're looking into a fix.
-<P>
-
- <LI>NCSA 1.3 and beyond allow wildcards in <Directory> tags; e.g.
- <Directory /home/*/public_html> - Apache doesn't (yet),
- but we have a patch coming real soon now
-
-<P>
-
- <LI>Buggy scripts can cause server misbehavior on Solaris at least.
-
-<P>
-
- <LI>Some of the default directives in srm.conf-dist are outdated
-
-<P>
-
- <LI>Descriptions of args to AddIcon and AddAlt are wrong
- in command table.
-
-<P>
-
- <LI>DirectoryIndex sometimes gets spuriously reset to the default value.
-
-<P>
-
- <LI>ErrorDocument is a little shaky, <CODE>" Some text %s</CODE> doesn't
- agree with the documentation.
-
-<P>
-
- <LI>All Aliases are checked before any ScriptAliases --- the fully
- compatible behavior would be to check both in one pass, in the order
- in which they occur in srm.conf.
-
-<P>
-</OL>
-
-<H2>Version 0.8.8 (beta)</H2>
-
-<OL>
- <LI>There's a known compilation problem with <B>NeXT</B>. Knock out the
- 2nd argument to <CODE>setjmp</CODE> when your compiler complains.<BR><BR>
- </LI>
-
- <LI><CODE>exec cgi=""</CODE> produces reasonable <B>malformed header</B>
- responses when used to invoke non-CGI scripts.<BR>
- The NCSA code ignores the missing header. (bad idea)<BR>
- Solution: write CGI to the CGI spec or use <CODE>exec cmd=""</CODE> instead.
- <P>We might add <CODE>virtual</CODE> support to <CODE>exec cmd</CODE> to
- make up for this difference.</P>
-
- <LI>A <I>scoreboard</I> file for process management is currently
- created in <B>/tmp</B>. We now find this to be a bad idea, and have plans
- to move it into the <CODE>/logs</CODE> directory along with other
- files created by Apache.
- <P>If you have any <B>/tmp</B> cleaning scripts (e.g. from crontab), you
- should have them ignore the scoreboard file, which is named
- <B>/tmp/htstatus.XXXXXXX</B>. If the scoreboard file is damaged, Apache
- can become very confused (a SIGHUP repairs the damage). Furthermore, not
- having a /tmp at all can cause disastrous results, as there's no error
- checking yet.<P>
-
- <LI>Putting authorization information (like AuthName and AuthType) into a
- <Directory> directive without a "requires" field in the <Limit>
- directive can result in a core dump.<P>
-
- <LI>AddIcon is broken. The fix is to change<BR>
- <CODE>
- { "AddIcon", add_icon, BY_<B>TYPE</B>, DIR_CMD_PERMS, ITERATE2,
- </CODE>
- <BR>to<BR>
- <CODE>
- { "AddIcon", add_icon, BY_<B>PATH</B>, DIR_CMD_PERMS, ITERATE2,
- </CODE>
- <P>in <CODE>mod_dir.c</CODE></P></LI>
-
- <LI>Under IRIX, the "Group" directive in httpd.conf needs to be a valid group name
- (i.e. "nogroup") not the numeric group ID. The distribution httpd.conf, and earlier
- ones, had the default Group be "#-1", which was causing silent exits at startup.
-
-<P>
-
-
- <LI>Server push as regular CGI's don't work - actually, any normal CGI script
- that outputs additional attributes to the Content-type line (separated by a
- semicolon) gets that extra information chopped off, which means that the line
- <code>Content-type: multipart/x-mixed-replace; boundary=ThisRandomString</code>
- gets munged to just <code>Content-type: multipart/x-mixed-replace</code>, which
- means it doesn't know what the boundary is, and fails. You can get around this
- until 0.8.9 by making the CGI script a "No Parsed Header" script by prefixing the
- name of the script with a "nph-", but then you have to be responsible for correct
- HTTP headers. If the server-push animation is a constant, unchanging stream that
- terminates at some point, you could also put that stream into a whole file and
- use the .asis file extension functionality.
-
-<P>
-
- <LI>ErrorDocument is a little shaky, <CODE>" Some text %s</CODE> doesn't
- agree with the documentation.
-
-<P>
-
-</OL>
-
-<HR>
+ <LI>
+ The PATH_INFO part of a request URI cannot include the sequence
+ <CODE>%2f</CODE>. This will be tracked as
+ <A HREF="http://www.apache.org/bugdb.cgi/full/543">PR#543</A>.
+ </LI>
-<H2>Version 0.6.4 </H2>
-<OL>
-<LI>As with NCSA 1.3 (and 1.4 ?), some <B>HEAD</B> requests on
-directories without an <CODE>index.html</CODE> fail to be logged... harmless.</LI>
-<LI>Typo in Virtual Host #defines (accidentally defined #VIRUAL_HOST"). 0.6.4b fixes this.
-</OL>
-<H2>Version 0.6.2 (first beta)</H2>
-<OL>
+ <LI>Users of early 1.2 betas reported problems with many
+ connections stuck in the FIN_WAIT_2 state due to server
+ timeouts. Several changes were made during the beta testing of 1.2
+ to reduce this problem as much as possible, although you may still
+ see sockets in FIN_WAIT_2 state due to network or operating system
+ issues outside the control of Apache. See our <A
+ HREF="fin_wait_2.html">FIN_WAIT_2</A> page for more details.
+ </LI>
-<LI><P>Apache error_log might show <CODE>httpd: caught SIGBUS, dumping core</CODE> after a successful redirect. We hope to fix this in 0.6.3</P></LI>
+ <LI>Compilation fails on SCO3 when using gcc instead of cc, complaining
+ with "<CODE>gcc: noinline: No such file or directory</CODE>". Fix
+ is given in <a href="http://www.apache.org/bugdb.cgi/full/695">PR#695</A>.
+ </LI>
-<LI><P>If you see a lot of messages such as,
-<PRE>access to /something: failed for foo.bar.com, reason: no multi in this directory</PRE>
-in your error log, don't panic !. It means "File not found", and we will
-fix it sooner or later.
+ <LI>If compilation fails complaining about "unknown symbol __inet_ntoa()"
+ then you have probably installed version 8 of bind. You will need to
+ explicitly link with the bind library by adding <CODE>-lbind</CODE>
+ to <CODE>EXTRA_LFLAGS</CODE> in <CODE>Configuration</CODE>. See
+ <A HREF="http://www.apache.org/bugdb.cgi/full/616">PR#616</A>
+ and the
+ <A HREF="http://192.168.2.4:8080/htdocs/manual/misc/FAQ.html#bind8.1">Apache FAQ</A>.
+ </LI>
-</P>
+ <LI>The message "<CODE>created shared memory segment #730499</CODE>"
+ in error_log is not an error and should be ignored. See
+ <a href="http://www.apache.org/bugdb.cgi/full/696">PR#696</A>.
+ </LI>
-<LI><P><B>WARNING</B>: Apache logs all URLs redirected <B>from</B> and
-<B>to</B>. This isn't bug, it's deliberate, but you should be aware
-of it. It's a recognition of the fact that the Common Log File format
-doesn't have any place to log the real object that was returned for
-the internally redirected request. This will be changed soon.
+ <LI>
+ Compiling on Solaris 2 with SunSoft's C compiler gives the warning
+ <CODE>"mod_include.c", line 1123: warning: end-of-loop code not
+ reached</CODE>. This is a bogus warning and can be ignored.
+ See <A HREF="http://www.apache.org/bugdb.cgi/full/681">PR#681</A>.
+ </LI>
-</P>
+ <LI>
+ There appears to be a problem on BSDI 2.1 with large numbers of
+ virtual hosts. This appears similar to a file-descriptor limit
+ but BSDI should not have this problem. This will be tracked as
+ <A HREF="http://www.apache.org/bugdb.cgi/full/611">PR#611</A>.
+ See also the
+ <A HREF="http://192.168.2.4:8080/htdocs/manual/misc/FAQ.html#fdlim">Apache
+ FAQ</A>.
+ </LI>
-<LI><P>BSDI problems: One of the test machines (<a
-href="http://www.hyperreal.com/">Hyperreal</a>) has noticed "flocks" of
-child processes sucking up large amounts of resources when moderately
-hit (on a Pentium 90 running 1.1 serving ~2 hits/second). Killing and
-restarting the daemon helps this disappear - it's being investigated,
-it might be a kernel bug, but then every server developer likes to say
-that. Let us know how well it works for you if you are using BSDI and
-have a high number of hits.</P></LI>
+ <LI>
+ Solaris 2 has problems with large numbers of virtual hosts. This is
+ because of an operating system limit of 256 file pointers, not due
+ to Apache.
+ See also the
+ <A HREF="http://192.168.2.4:8080/htdocs/manual/misc/FAQ.html#fdlim">Apache
+ FAQ</A>.
+ </LI>
</OL>
Thanks.
<UL>
-<LI><A HREF="http://www.yahoo.com/Science/Mathematics/Security_and_Encryption/">
+<LI><A HREF="http://www.yahoo.com/Computers_and_Internet/Security_and_Encryption/">
Yahoo - Science: Mathematics: Security and Encryption</A>
<LI><A HREF="http://www.eff.org/pub/EFF/Policy/Crypto/">
EFF Crypto/Privacy/Security Archive</A>
ICLU - Your Rights in Cyberspace</A>
</UL>
-
<a href="http://bong.com/~brian">Brian</a>, <a href="mailto:brian@hyperreal.com">brian@hyperreal.com</a>
+
<a href="http://www.behlendorf.com/~brian/">Brian</a>, <a href="mailto:brian@hyperreal.com">brian@hyperreal.com</a>
<!--#include virtual="footer.html" -->
</BODY>
<blockquote>It really does help if your kernel and frequently used utilities
are fully optimized. Rebuilding the FreeBSD kernel on an AMD-133
(486-class CPU) web-server with<BR>
-<code> -m486 -fexpensive-optimizations -fomit-frame-ponter -O2</code><BR>
+<code> -m486 -fexpensive-optimizations -fomit-frame-pointer -O2</code><BR>
helped reduce the number of "unable" errors, because the CPU was
often maxed out.</blockquote>
<P>
<LI><A HREF="#AUX">A/UX (Apple's UNIX)</A>
<LI><A HREF="#BSD">BSD-based (BSDI, FreeBSD, etc)</A>
<LI><A HREF="#DEC">Digital UNIX</A>
-<LI><A HREF="#HP">Hewlett-Packard</A>
<LI><A HREF="#Linux">Linux</A>
<LI><A HREF="#SGI">SGI</A>
<LI><A HREF="#Solaris">Solaris</A>
<UL>
<LI><A HREF="http://www.digital.com/info/internet/document/ias/tuning.html">DIGITAL
- UNIX Tuning Parameters for Web Servers</A>
+ UNIX Tuning Parameters for Web Servers</A>
<LI>We have some <A HREF="perf-dec.html">newsgroup postings</A> on how to tune
- Digital UNIX 3.2 and 4.0.
+ Digital UNIX 3.2 and 4.0.
</UL>
<P><HR>
-<H3><A NAME="HP">
-Hewlett-Packard
-</A></H3>
-
-Some documentation on tuning HP machines can be found at <A
-HREF="http://www.software.hp.com/internet/perf/tuning.html">http://www.software.hp.com/internet/perf/tuning.html</A>.
-
-<P><HR>
-
<H3><A NAME="Linux">
Linux
</A></H3>
that these are three distinct class C addresses in three distinct
class C nets). Here are the ifconfigs:
- ifconfig le0 198.3.2.1 up -trailers # config primary interface
+ ifconfig le0 198.3.2.1 up -trailers # config primary interface
- ifconfig vif0 198.4.3.2 up # config first virtual interface
- route delete net 198.4.3 198.4.3.2 # delete spurious route
- route add host 198.4.3.2 198.4.3.2 0 # add route for this i/f
+ ifconfig vif0 198.4.3.2 up # config first virtual interface
+ route delete net 198.4.3 198.4.3.2 # delete spurious route
+ route add host 198.4.3.2 198.4.3.2 0 # add route for this i/f
- ifconfig vif1 198.5.4.3 up # config second virtual interface
- route delete net 198.5.4 198.5.4.3 # delete spurious route
- route add host 198.5.4.3 198.5.4.3 0 # add route for this i/f
+ ifconfig vif1 198.5.4.3 up # config second virtual interface
+ route delete net 198.5.4 198.5.4.3 # delete spurious route
+ route add host 198.5.4.3 198.5.4.3 0 # add route for this i/f
The route deletes are needed because the ifconfig creates a default
route to the interface's network, which can cause problems; all that's
and netinet/if_vif.h, configure your kernel with the number of
virtual interfaces you want using a line like:
-pseudo-device vif4 # Virtual IP interface
+pseudo-device vif4 # Virtual IP interface
in your configuration file, and the line
-netinet/if_vif.c optional vif device-driver
+netinet/if_vif.c optional vif device-driver
in the "files" file. Also, add the appropriate entries in conf.c, so
that you can access the if_attach() routine when you open the device:
then, way down in the definition for cdevsw[]:
--------------------
- vifopen, vifclose, vifread, vifwrite, /*14*/
- vifioctl, nodev, nodev, 0,
- 0, nodev,
+ vifopen, vifclose, vifread, vifwrite, /*14*/
+ vifioctl, nodev, nodev, 0,
+ 0, nodev,
--------------------
Make sure you remember the correct major device number, 14 in this case!
---------------------netinet/if_vif.h--------------------------------------
typedef struct
{
- struct ifnet vif_if;
- struct ifnet *vif_sif; /* slave interface */
- int vif_flags;
+ struct ifnet vif_if;
+ struct ifnet *vif_sif; /* slave interface */
+ int vif_flags;
} vif_softc_t;
-#define VIFMTU (1024+512)
+#define VIFMTU (1024+512)
---------------------------------------------------------------------------
and
#include "../net/netisr.h"
#include "../net/route.h"
-#ifdef INET
+#ifdef INET
#include "../netinet/in.h"
#include "../netinet/in_systm.h"
#include "../netinet/in_var.h"
vifattach()
{
- register int i;
- register struct ifnet *ifp;
- int vifoutput(), vififioctl();
-
- for (i=0; i<NVIF; i++)
- {
- ifp = &vif_softc[i].vif_if;
- ifp->if_name = "vif";
- ifp->if_unit = i;
- ifp->if_mtu = VIFMTU;
- ifp->if_flags = IFF_LOOPBACK | IFF_NOARP;
- ifp->if_ioctl = vififioctl;
- ifp->if_output = vifoutput;
- if_attach(ifp);
- }
+ register int i;
+ register struct ifnet *ifp;
+ int vifoutput(), vififioctl();
+
+ for (i=0; i<NVIF; i++)
+ {
+ ifp = &vif_softc[i].vif_if;
+ ifp->if_name = "vif";
+ ifp->if_unit = i;
+ ifp->if_mtu = VIFMTU;
+ ifp->if_flags = IFF_LOOPBACK | IFF_NOARP;
+ ifp->if_ioctl = vififioctl;
+ ifp->if_output = vifoutput;
+ if_attach(ifp);
+ }
}
vifopen(dev, flag)
int dev, flag;
{
- int unit;
-
- if (!vifs_inited)
- {
- vifattach();
- vifs_inited = 1;
- printf("vif initialized\n");
- }
-
- unit = minor(dev);
- if ((unit < 0) || (unit >= NVIF))
- {
- return ENXIO;
- }
-
- return 0;
+ int unit;
+
+ if (!vifs_inited)
+ {
+ vifattach();
+ vifs_inited = 1;
+ printf("vif initialized\n");
+ }
+
+ unit = minor(dev);
+ if ((unit < 0) || (unit >= NVIF))
+ {
+ return ENXIO;
+ }
+
+ return 0;
}
vifclose(dev, flag)
int dev, flag;
{
- return 0;
+ return 0;
}
vifread()
{
- return ENXIO;
+ return ENXIO;
}
vifwrite()
{
- return ENXIO;
+ return ENXIO;
}
vifselect()
{
- return ENXIO;
+ return ENXIO;
}
vifoutput(ifp, m0, dst)
- struct ifnet *ifp;
- register struct mbuf *m0;
- struct sockaddr *dst;
+ struct ifnet *ifp;
+ register struct mbuf *m0;
+ struct sockaddr *dst;
{
- int s;
- register struct ifqueue *ifq;
- struct mbuf *m;
- struct sockaddr_in *din;
-
- if (dst->sa_family != AF_INET)
- {
- printf("%s%d: can't handle af%d\n",
- ifp->if_name, ifp->if_unit,
- dst->sa_family);
- m_freem(m0);
- return (EAFNOSUPPORT);
- }
-
- din = (struct sockaddr_in *)dst;
-
- if (din->sin_addr.s_addr == IA_SIN(ifp->if_addrlist)->sin_addr.s_addr)
- {
- /* printf("%s%d: looping\n", ifp->if_name, ifp->if_unit); */
-
- /*
- * Place interface pointer before the data
- * for the receiving protocol.
- */
- if (m0->m_off <= MMAXOFF &&
- m0->m_off >= MMINOFF + sizeof(struct ifnet *)) {
- m0->m_off -= sizeof(struct ifnet *);
- m0->m_len += sizeof(struct ifnet *);
- } else {
- MGET(m, M_DONTWAIT, MT_HEADER);
- if (m == (struct mbuf *)0)
- return (ENOBUFS);
- m->m_off = MMINOFF;
- m->m_len = sizeof(struct ifnet *);
- m->m_next = m0;
- m0 = m;
- }
- *(mtod(m0, struct ifnet **)) = ifp;
- s = splimp();
- ifp->if_opackets++;
- ifq = &ipintrq;
- if (IF_QFULL(ifq)) {
- IF_DROP(ifq);
- m_freem(m0);
- splx(s);
- return (ENOBUFS);
- }
- IF_ENQUEUE(ifq, m0);
- schednetisr(NETISR_IP);
- ifp->if_ipackets++;
- splx(s);
- return (0);
- }
-
- return EHOSTUNREACH;
+ int s;
+ register struct ifqueue *ifq;
+ struct mbuf *m;
+ struct sockaddr_in *din;
+
+ if (dst->sa_family != AF_INET)
+ {
+ printf("%s%d: can't handle af%d\n",
+ ifp->if_name, ifp->if_unit,
+ dst->sa_family);
+ m_freem(m0);
+ return (EAFNOSUPPORT);
+ }
+
+ din = (struct sockaddr_in *)dst;
+
+ if (din->sin_addr.s_addr == IA_SIN(ifp->if_addrlist)->sin_addr.s_addr)
+ {
+ /* printf("%s%d: looping\n", ifp->if_name, ifp->if_unit); */
+
+ /*
+ * Place interface pointer before the data
+ * for the receiving protocol.
+ */
+ if (m0->m_off <= MMAXOFF &&
+ m0->m_off >= MMINOFF + sizeof(struct ifnet *)) {
+ m0->m_off -= sizeof(struct ifnet *);
+ m0->m_len += sizeof(struct ifnet *);
+ } else {
+ MGET(m, M_DONTWAIT, MT_HEADER);
+ if (m == (struct mbuf *)0)
+ return (ENOBUFS);
+ m->m_off = MMINOFF;
+ m->m_len = sizeof(struct ifnet *);
+ m->m_next = m0;
+ m0 = m;
+ }
+ *(mtod(m0, struct ifnet **)) = ifp;
+ s = splimp();
+ ifp->if_opackets++;
+ ifq = &ipintrq;
+ if (IF_QFULL(ifq)) {
+ IF_DROP(ifq);
+ m_freem(m0);
+ splx(s);
+ return (ENOBUFS);
+ }
+ IF_ENQUEUE(ifq, m0);
+ schednetisr(NETISR_IP);
+ ifp->if_ipackets++;
+ splx(s);
+ return (0);
+ }
+
+ return EHOSTUNREACH;
}
/*
*/
/* ARGSUSED */
vififioctl(ifp, cmd, data)
- register struct ifnet *ifp;
- int cmd;
- caddr_t data;
+ register struct ifnet *ifp;
+ int cmd;
+ caddr_t data;
{
- int error = 0;
+ int error = 0;
- switch (cmd) {
+ switch (cmd) {
- case SIOCSIFADDR:
- ifp->if_flags |= IFF_UP;
- /*
- * Everything else is done at a higher level.
- */
- break;
+ case SIOCSIFADDR:
+ ifp->if_flags |= IFF_UP;
+ /*
+ * Everything else is done at a higher level.
+ */
+ break;
- default:
- error = EINVAL;
- }
- return (error);
+ default:
+ error = EINVAL;
+ }
+ return (error);
}
vifioctl(dev, cmd, arg, mode)
caddr_t arg;
int mode;
{
- int unit;
-
- unit = minor(dev);
- if ((unit < 0) || (unit >= NVIF))
- return ENXIO;
-
- return EINVAL;
+ int unit;
+
+ unit = minor(dev);
+ if ((unit < 0) || (unit >= NVIF))
+ return ENXIO;
+
+ return EINVAL;
}
----------------------------------------------------------------------------
<dd>
<!--%plaintext <?INDEX {\tt FollowSymLinks} option> -->
The server will follow symbolic links in this directory.
+<b>Note</b>: even though the server follows the symlink it does <i>not</i>
+change the pathname used to match against <code><Directory></code>
+sections.
<dt>Includes
<dd>
<!--%plaintext <?INDEX {\tt Includes} option> -->
<A name="sendbuffersize"><h2>SendBufferSize directive</h2></A>
<!--%plaintext <?INDEX {\tt SendBufferSize} directive> -->
<strong>Syntax:</strong> SendBufferSize <em>bytes</em><br>
-<strong>Context:</strong> server config, virtual host<br>
+<strong>Context:</strong> server config<br>
<strong>Status:</strong> core<p>
The server will set the TCP buffer size to the number of bytes
<strong>Status:</strong> Extension<br>
<strong>Module:</strong> mod_auth_anon<p>
- A list of one or more 'magic' userIDs which are allowed access
- without password verification. The userIDs are space separated.
- It is possible to use the ' and " quotes to allow a space in
- a userID as well as the \ escape character.
- <p>
- Please note that the comparison is <b>case-IN-sensitive</b>.
- <br>
- I strongly suggest that the magic username '<code>anonymous</code>'
- is always one of the allowed userIDs.
- <p>
- Example:<br>
- <code>
- Anonymous: anonymous "Not Registered" 'I don\'t know'
- </code><p>
- This would allow the user to enter without password verification
- by using the userId's 'anonymous', 'AnonyMous','Not Registered' and
- 'I Don't Know'.
+ A list of one or more 'magic' userIDs which are allowed access
+ without password verification. The userIDs are space separated.
+ It is possible to use the ' and " quotes to allow a space in
+ a userID as well as the \ escape character.
+ Please note that the comparison is <b>case-IN-sensitive</b>.
+ <br>
+ I strongly suggest that the magic username '<code>anonymous</code>'
+ is always one of the allowed userIDs.
+ Example:<br>
+ <code>
+ Anonymous: anonymous "Not Registered" 'I don\'t know'
+ This would allow the user to enter without password verification
+ by using the userId's 'anonymous', 'AnonyMous','Not Registered' and
+ 'I Don't Know'.
<HR>
<A name="Authoritative"><h2>Anonymous_Authoritative</h2></A>
When set 'on', there is no
fall-through to other authorization methods. So if a
userID does not match the values specified in the
- <code>Anonymous</code> directive, access is denied.
- <p>
- Be sure you know what you are doing when you decide to switch
- it on. And remember that it is the linking order of the modules
- (in the Configuration / Make file) which details the order
- in which the Authorization modules are queried.
+ <code>Anonymous</code> directive, access is denied.
+ Be sure you know what you are doing when you decide to switch
+ it on. And remember that it is the linking order of the modules
+ (in the Configuration / Make file) which details the order
+ in which the Authorization modules are queried.
<hr>
<A name="LogEmail"><h2>Anonymous_LogEmail</h2></A>
<strong>Status:</strong> Extension<br>
<strong>Module:</strong> mod_auth_anon<p>
- When set 'on', the default, the 'password' entered (which hopefully
- contains a sensible email address) is logged in the httpd-log file.
+ When set 'on', the default, the 'password' entered (which hopefully
+ contains a sensible email address) is logged in the httpd-log file.
<hr>
<A name="MustGiveEmail"><h2>Anonymous_MustGiveEmail</h2></a>
<strong>Status:</strong> Extension<br>
<strong>Module:</strong> mod_auth_anon<p>
- Specifies whether the user must specify an email
- address as the password. This prohibits blank passwords.
+ Specifies whether the user must specify an email
+ address as the password. This prohibits blank passwords.
<HR>
<A name="NoUserID"><h2>Anonymous_NoUserID</h2></A>
<strong>Status:</strong> Extension<br>
<strong>Module:</strong> mod_auth_anon<p>
- When set 'on', users can leave
- the userID (and perhaps the password field) empty. This
- can be very convenient for MS-Explorer users who can
- just hit return or click directly on the OK button; which
- seems a natural reaction.
+ When set 'on', users can leave
+ the userID (and perhaps the password field) empty. This
+ can be very convenient for MS-Explorer users who can
+ just hit return or click directly on the OK button; which
+ seems a natural reaction.
<hr>
<strong>Status:</strong> Extension<br>
<strong>Module:</strong> mod_auth_anon<p>
- When set 'on' the 'password' entered is
- checked for at least one '@' and a '.' to encourage users to enter
- valid email addresses (see the above <code>Auth_LogEmail</code>).
+ When set 'on' the 'password' entered is
+ checked for at least one '@' and a '.' to encourage users to enter
+ valid email addresses (see the above <code>Auth_LogEmail</code>).
<hr><a name="Example"><h2>Example</h2></a>
<dl>
<dt><code>
Anonymous anonymous guest www test welcome<p>
-Anonymous_MustGiveEmail on<br>
+Anonymous_MustGiveEmail on<br>
Anonymous_VerifyEmail on<br>
-Anonymous_NoUserId off<br>
-Anonymous_LogEmail on<br>
+Anonymous_NoUserId off<br>
+Anonymous_LogEmail on<br>
<p>
AuthName Use 'anonymous' & Email address for guest entry<br>
AuthType basic<p>
</dd>
<dt>Version 0.5<br></dt>
<dd>Added 'VerifyEmail' and 'LogEmail' options. Multiple
- 'anonymous' tokens allowed. more docs. Added Authoritative
- functionality.
+ 'anonymous' tokens allowed. more docs. Added Authoritative
+ functionality.
</dd>
</dl>
<dd>
<!--%plaintext <?INDEX {\tt SuppressDescription} index option> -->
This will suppress the file description in fancy indexing listings.
+<dt>IconHeight[=pixels] (<EM>Apache 1.3 and later</EM>)
+<dd>
+<!--%plaintext <?INDEX {\tt IconHeight} index option> -->
+Presence of this option, when used with IconWidth, will cause the server
+to include <SAMP>HEIGHT</SAMP> and <SAMP>WIDTH</SAMP> attributes in the
+<SAMP>IMG</SAMP> tag for the file icon. This allows browser to
+precalculate the page layout without having to wait until all the
+images have been loaded. If no value is given for the option, it
+defaults to the standard height of the icons supplied with the Apache
+software.
+<dt>IconWidth[=pixels] (<EM>Apache 1.3 and later</EM>)
+<dd>
+<!--%plaintext <?INDEX {\tt IconWidth} index option> -->
+Presence of this option, when used with IconHeight, will cause the server
+to include <SAMP>HEIGHT</SAMP> and <SAMP>WIDTH</SAMP> attributes in the
+<SAMP>IMG</SAMP> tag for the file icon. This allows browser to
+precalculate the page layout without having to wait until all the
+images have been loaded. If no value is given for the option, it
+defaults to the standard width of the icons supplied with the Apache
+software.
</dl>
This default is that no options are enabled. If multiple IndexOptions
could apply to a directory, then the most specific one is taken complete;
Unix egrep command.
<DT>( <I>test_condition</I> )
- <DD>true if <I>test_condition</I> is true
+ <DD>true if <I>test_condition</I> is true
<DT>! <I>test_condition</I>
- <DD>true if <I>test_condition</I> is false
+ <DD>true if <I>test_condition</I> is false
<DT><I>test_condition1</I> && <I>test_condition2</I>
- <DD>true if both <I>test_condition1</I> and
- <I>test_condition2</I> are true
+ <DD>true if both <I>test_condition1</I> and
+ <I>test_condition2</I> are true
<DT><I>test_condition1</I> || <I>test_condition2</I>
- <DD>true if either <I>test_condition1</I> or
- <I>test_condition2</I> is true
+ <DD>true if either <I>test_condition1</I> or
+ <I>test_condition2</I> is true
</DL>
<P> "<I>=</I>" and "<I>!=</I>" bind more tightly than "<I>&&</I>" and
<li><a href="#shortname">Using Netscape hostname shortcuts</a>
<li><a href="#mimetypes">Why doesn't file type <i>xxx</i> download via FTP?</a>
<li><a href="#startup">Why does Apache start more slowly when using the
- proxy module?</a>
+ proxy module?</a>
<li><a href="#socks">Can I use the Apache proxy module with my SOCKS proxy?</a>
</ul>
</pre>
<h2><a name="startup">Why does Apache start more slowly when using the
- proxy module?</a></h2>
+ proxy module?</a></h2>
If you're using the <code>ProxyBlock</code> or <code>NoCache</code>
directives, hostnames' IP addresses are looked up and cached during
which will be expanded. You can use this flag more than once to set more
than one variable. The variables can be later dereferenced at a lot of
situations, but the usual location will be from within XSSI (via
- <tt><!--#echo var="VAR"--></tt>) or CGI (e.g. <tt>$ENV{'VAR'}</tt>).
- But additionally you can also dereference it in a following RewriteCond
- pattern via <tt>%{ENV:VAR}</tt>. Use this to strip but remember
- information from URLs.
+ <tt><!--#echo var="VAR"--></tt>) or CGI (e.g. <tt>$ENV{'VAR'}</tt>).
+ But additionally you can also dereference it in a following RewriteCond
+ pattern via <tt>%{ENV:VAR}</tt>. Use this to strip but remember
+ information from URLs.
</ul>
<p>
Do this by adding the following to the AUX_CFLAGS line in the
"Configuration" file and then recompiling as usual.
<pre>
- AUX_CFLAGS= (something) -DSTATUS
+ AUX_CFLAGS= (something) -DSTATUS
</pre>
<BLOCKQUOTE>
<li><b><a href="mod/mod_proxy.html">Optional proxy module</a></b><br>
An improved FTP, HTTP, and CONNECT mode SSL proxy is included with
Apache 1.2. Some of the changes visible to users:
- <dl><dl>
- <dt>- Improved FTP proxy supporting PASV mode
- <dt>- ProxyBlock directive for excluding sites to proxy
- <dt>- NoCache * directive for disabling proxy caching
- <dt>- Numerous bug fixes
- </dl></dl>
+ <dt>- Improved FTP proxy supporting PASV mode
+ <dt>- ProxyBlock directive for excluding sites to proxy
+ <dt>- NoCache * directive for disabling proxy caching
+ <dt>- Numerous bug fixes
+ </dl></dl>
</ul>
The defaults for each variable are:
<PRE>
-MinSpareServers 5
-MaxSpareServers 10
-StartServers 5
+MinSpareServers 5
+MaxSpareServers 10
+StartServers 5
</PRE>
There is an absolute maximum number of simultaneous children defined
<P ALIGN="LEFT">
<OL>
- <LH><BIG><STRONG>CONTENTS</STRONG></BIG></LH>
- <LI><A HREF="#what">What is suEXEC?</A></LI>
- <LI><A HREF="#before">Before we begin.</A></LI>
- <LI><A HREF="#model">suEXEC Security Model.</A></LI>
- <LI><A HREF="#install">Configuring & Installing suEXEC</A></LI>
- <LI><A HREF="#enable">Enabling & Disabling suEXEC</A></LI>
- <LI><A HREF="#debug">Debugging suEXEC</A></LI>
- <LI><A HREF="#jabberwock">Beware the Jabberwock: Warnings & Examples</A></LI>
+ <LH><BIG><STRONG>CONTENTS</STRONG></BIG></LH>
+ <LI><A HREF="#what">What is suEXEC?</A></LI>
+ <LI><A HREF="#before">Before we begin.</A></LI>
+ <LI><A HREF="#model">suEXEC Security Model.</A></LI>
+ <LI><A HREF="#install">Configuring & Installing suEXEC</A></LI>
+ <LI><A HREF="#enable">Enabling & Disabling suEXEC</A></LI>
+ <LI><A HREF="#debug">Debugging suEXEC</A></LI>
+ <LI><A HREF="#jabberwock">Beware the Jabberwock: Warnings &
+ Examples</A></LI>
</OL>
</P>
The wrapper then employs the following process to determine success or
failure -- if any one of these conditions fail, the program logs the failure
and exits with an error, otherwise it will continue:
- <OL>
- <LI><STRONG>Was the wrapper called with the proper number of arguments?</STRONG>
- <BLOCKQUOTE>
- The wrapper will only execute if it is given the proper number of arguments.
- The proper argument format is known to the Apache web server. If the wrapper
- is not receiving the proper number of arguments, it is either being hacked, or
- there is something wrong with the suEXEC portion of your Apache binary.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the user executing this wrapper a valid user of this system?</STRONG>
- <BLOCKQUOTE>
- This is to ensure that the user executing the wrapper is truly a user of the system.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is this valid user allowed to run the wrapper?</STRONG>
- <BLOCKQUOTE>
- Is this user the user allowed to run this wrapper? Only one user (the Apache
- user) is allowed to execute this program.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Does the target program have an unsafe hierarchical reference?</STRONG>
- <BLOCKQUOTE>
- Does the target program contain a leading '/' or have a '..' backreference? These
- are not allowed; the target program must reside within the Apache webspace.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target user name valid?</STRONG>
- <BLOCKQUOTE>
- Does the target user exist?
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target group name valid?</STRONG>
- <BLOCKQUOTE>
- Does the target group exist?
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target user <EM>NOT</EM> superuser?</STRONG>
- <BLOCKQUOTE>
- Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target userid <EM>ABOVE</EM> the minimum ID number?</STRONG>
- <BLOCKQUOTE>
- The minimum user ID number is specified during configuration. This allows you
- to set the lowest possible userid that will be allowed to execute CGI/SSI programs.
- This is useful to block out "system" accounts.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target group <EM>NOT</EM> the superuser group?</STRONG>
- <BLOCKQUOTE>
- Presently, suEXEC does not allow the 'root' group to execute CGI/SSI programs.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target groupid <EM>ABOVE</EM> the minimum ID number?</STRONG>
- <BLOCKQUOTE>
- The minimum group ID number is specified during configuration. This allows you
- to set the lowest possible groupid that will be allowed to execute CGI/SSI programs.
- This is useful to block out "system" groups.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Can the wrapper successfully become the target user and group?</STRONG>
- <BLOCKQUOTE>
- Here is where the program becomes the target user and group via setuid and setgid
- calls. The group access list is also initialized with all of the groups of which
- the user is a member.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Does the directory in which the program resides exist?</STRONG>
- <BLOCKQUOTE>
- If it doesn't exist, it can't very well contain files.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the directory within the Apache webspace?</STRONG>
- <BLOCKQUOTE>
- If the request is for a regular portion of the server, is the requested directory
- within the server's document root? If the request is for a UserDir, is the requested
- directory within the user's document root?
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the directory <EM>NOT</EM> writable by anyone else?</STRONG>
- <BLOCKQUOTE>
- We don't want to open up the directory to others; only the owner user may be able
- to alter this directories contents.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Does the target program exist?</STRONG>
- <BLOCKQUOTE>
- If it doesn't exists, it can't very well be executed.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target program <EM>NOT</EM> writable by anyone else?</STRONG>
- <BLOCKQUOTE>
- We don't want to give anyone other than the owner the ability to change the program.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target program <EM>NOT</EM> setuid or setgid?</STRONG>
- <BLOCKQUOTE>
- We do not want to execute programs that will then change our UID/GID again.
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Is the target user/group the same as the program's user/group?</STRONG>
- <BLOCKQUOTE>
- Is the user the owner of the file?
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Can we successfully clean the process environment to ensure safe operations?</STRONG>
- <BLOCKQUOTE>
- suEXEC cleans the process' environment by establishing a safe execution PATH (defined
- during configuration), as well as only passing through those variables whose names
- are listed in the safe environment list (also created during configuration).
- </BLOCKQUOTE>
- </LI>
- <LI><STRONG>Can we successfully become the target program and execute?</STRONG>
- <BLOCKQUOTE>
- Here is where suEXEC ends and the target program begins.
- </BLOCKQUOTE>
- </LI>
- </OL>
+ <LI><STRONG>Was the wrapper called with the proper number of arguments?</STRONG>
+ The wrapper will only execute if it is given the proper number of arguments.
+ The proper argument format is known to the Apache web server. If the wrapper
+ is not receiving the proper number of arguments, it is either being hacked, or
+ there is something wrong with the suEXEC portion of your Apache binary.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the user executing this wrapper a valid user of this system?</STRONG>
+ This is to ensure that the user executing the wrapper is truly a user of the system.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is this valid user allowed to run the wrapper?</STRONG>
+ Is this user the user allowed to run this wrapper? Only one user (the Apache
+ user) is allowed to execute this program.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the target program have an unsafe hierarchical reference?</STRONG>
+ Does the target program contain a leading '/' or have a '..' backreference? These
+ are not allowed; the target program must reside within the Apache webspace.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user name valid?</STRONG>
+ Does the target user exist?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target group name valid?</STRONG>
+ Does the target group exist?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user <EM>NOT</EM> superuser?</STRONG>
+ Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target userid <EM>ABOVE</EM> the minimum ID number?</STRONG>
+ The minimum user ID number is specified during configuration. This allows you
+ to set the lowest possible userid that will be allowed to execute CGI/SSI programs.
+ This is useful to block out "system" accounts.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target group <EM>NOT</EM> the superuser group?</STRONG>
+ Presently, suEXEC does not allow the 'root' group to execute CGI/SSI programs.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target groupid <EM>ABOVE</EM> the minimum ID number?</STRONG>
+ The minimum group ID number is specified during configuration. This allows you
+ to set the lowest possible groupid that will be allowed to execute CGI/SSI programs.
+ This is useful to block out "system" groups.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can the wrapper successfully become the target user and group?</STRONG>
+ Here is where the program becomes the target user and group via setuid and setgid
+ calls. The group access list is also initialized with all of the groups of which
+ the user is a member.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the directory in which the program resides exist?</STRONG>
+ If it doesn't exist, it can't very well contain files.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the directory within the Apache webspace?</STRONG>
+ If the request is for a regular portion of the server, is the requested directory
+ within the server's document root? If the request is for a UserDir, is the requested
+ directory within the user's document root?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the directory <EM>NOT</EM> writable by anyone else?</STRONG>
+ We don't want to open up the directory to others; only the owner user may be able
+ to alter this directories contents.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Does the target program exist?</STRONG>
+ If it doesn't exists, it can't very well be executed.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target program <EM>NOT</EM> writable by anyone else?</STRONG>
+ We don't want to give anyone other than the owner the ability to change the program.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target program <EM>NOT</EM> setuid or setgid?</STRONG>
+ We do not want to execute programs that will then change our UID/GID again.
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Is the target user/group the same as the program's user/group?</STRONG>
+ Is the user the owner of the file?
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can we successfully clean the process environment to ensure safe operations?</STRONG>
+ suEXEC cleans the process' environment by establishing a safe execution PATH (defined
+ during configuration), as well as only passing through those variables whose names
+ are listed in the safe environment list (also created during configuration).
+ </BLOCKQUOTE>
+ </LI>
+ <LI><STRONG>Can we successfully become the target program and execute?</STRONG>
+ Here is where suEXEC ends and the target program begins.
+ </BLOCKQUOTE>
+ </LI>
+ </OL>
</P>
<P ALIGN="LEFT">
<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
</P>
-<H3><A NAME="install">Configuring & Installing suEXEC</A></H3>
+<H3><A NAME="install">Configuring & Installing suEXEC</A></H3>
<P ALIGN="LEFT">
Here's where we begin the fun. The configuration and installation of suEXEC is
a four step process: edit the suEXEC header file, compile suEXEC, place the
<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
</P>
-<H3><A NAME="enable">Enabling & Disabling suEXEC</A></H3>
+<H3><A NAME="enable">Enabling & Disabling suEXEC</A></H3>
<P ALIGN="LEFT">
After properly installing the <STRONG>suexec</STRONG> wrapper
executable, you must kill and restart the Apache server. A simple
<STRONG><A HREF="suexec.html">BACK TO CONTENTS</A></STRONG>
</P>
-<H3><A NAME="jabberwock">Beware the Jabberwock: Warnings & Examples</A></H3>
+<H3><A NAME="jabberwock">Beware the Jabberwock: Warnings & Examples</A></H3>
<P ALIGN="LEFT">
<STRONG>NOTE!</STRONG> This section may not be complete. For the latest
revision of this section of the documentation, see the Apache Group's
limitations on server setup. Please review these before submitting any
"bugs" regarding suEXEC.
<UL>
- <LH><STRONG>suEXEC Points Of Interest</STRONG></LH>
- <LI>Hierarchy limitations
- <BLOCKQUOTE>
- For security and efficiency reasons, all suexec requests must
- remain within either a top-level document root for virtual
- host requests, or one top-level personal document root for
- userdir requests. For example, if you have four VirtualHosts
- configured, you would need to structure all of your VHosts'
- document roots off of one main Apache document hierarchy to
- take advantage of suEXEC for VirtualHosts. (Example forthcoming.)
- </BLOCKQUOTE>
- </LI>
- <LI>suEXEC's PATH environment variable
- <BLOCKQUOTE>
- This can be a dangerous thing to change. Make certain every
- path you include in this define is a <STRONG>trusted</STRONG>
- directory. You don't want to open people up to having someone
- from across the world running a trojan horse on them.
- </BLOCKQUOTE>
- </LI>
- <LI>Altering the suEXEC code
- <BLOCKQUOTE>
- Again, this can cause <STRONG>Big Trouble</STRONG> if you try
- this without knowing what you are doing. Stay away from it
- if at all possible.
- </BLOCKQUOTE>
- </LI>
+ <LH><STRONG>suEXEC Points Of Interest</STRONG></LH>
+ <LI>Hierarchy limitations
+ For security and efficiency reasons, all suexec requests must
+ remain within either a top-level document root for virtual
+ host requests, or one top-level personal document root for
+ userdir requests. For example, if you have four VirtualHosts
+ configured, you would need to structure all of your VHosts'
+ document roots off of one main Apache document hierarchy to
+ take advantage of suEXEC for VirtualHosts. (Example forthcoming.)
+ </BLOCKQUOTE>
+ </LI>
+ <LI>suEXEC's PATH environment variable
+ This can be a dangerous thing to change. Make certain every
+ path you include in this define is a <STRONG>trusted</STRONG>
+ directory. You don't want to open people up to having someone
+ from across the world running a trojan horse on them.
+ </BLOCKQUOTE>
+ </LI>
+ <LI>Altering the suEXEC code
+ Again, this can cause <STRONG>Big Trouble</STRONG> if you try
+ this without knowing what you are doing. Stay away from it
+ if at all possible.
+ </BLOCKQUOTE>
+ </LI>
</UL>
<P ALIGN="CENTER">
"rlimit" to some large number, like 512.
<LI>Edit http_main.c to add calls to setrlimit() from main(), along the lines of
<PRE>
- struct rlimit rlp;
+ struct rlimit rlp;
- rlp.rlim_cur = rlp.rlim_max = 512;
+ rlp.rlim_cur = rlp.rlim_max = 512;
if (setrlimit(RLIMIT_NPROC, &rlp)) {
fprintf(stderr, "setrlimit(RLIMIT_NPROC) failed.\n");
exit(1);
<dd>
<!--%plaintext <?INDEX {\tt SuppressDescription} index option> -->
This will suppress the file description in fancy indexing listings.
+<dt>IconHeight[=pixels] (<EM>Apache 1.3 and later</EM>)
+<dd>
+<!--%plaintext <?INDEX {\tt IconHeight} index option> -->
+Presence of this option, when used with IconWidth, will cause the server
+to include <SAMP>HEIGHT</SAMP> and <SAMP>WIDTH</SAMP> attributes in the
+<SAMP>IMG</SAMP> tag for the file icon. This allows browser to
+precalculate the page layout without having to wait until all the
+images have been loaded. If no value is given for the option, it
+defaults to the standard height of the icons supplied with the Apache
+software.
+<dt>IconWidth[=pixels] (<EM>Apache 1.3 and later</EM>)
+<dd>
+<!--%plaintext <?INDEX {\tt IconWidth} index option> -->
+Presence of this option, when used with IconHeight, will cause the server
+to include <SAMP>HEIGHT</SAMP> and <SAMP>WIDTH</SAMP> attributes in the
+<SAMP>IMG</SAMP> tag for the file icon. This allows browser to
+precalculate the page layout without having to wait until all the
+images have been loaded. If no value is given for the option, it
+defaults to the standard width of the icons supplied with the Apache
+software.
</dl>
This default is that no options are enabled. If multiple IndexOptions
could apply to a directory, then the most specific one is taken complete;
projects / thirdparty / apache / httpd.git / commitdiff
