mod_ssl_ct - Apache HTTP Server

Available Languages: de | diff --git a/docs/manual/mod/quickreference.html.es b/docs/manual/mod/quickreference.html.es index 6d2df928c94..f81be83f09e 100644 --- a/docs/manual/mod/quickreference.html.es +++ b/docs/manual/mod/quickreference.html.es @@ -359,38 +359,54 @@ headers CookieTracking on|off off svdhEEnables tracking cookie CoreDumpDirectory directorysMDirectory where Apache HTTP Server attempts to switch before dumping core -CustomLog file|pipe +CTAuditStorage directorysEExisting directory where data for off-line audit will be stored +CTLogClient executablesELocation of certificate-transparency log client tool +CTLogConfigDB filenamesELog configuration database supporting dynamic updates +CTMaxSCTAge num-secondssEMaximum age of SCT obtained from a log, before it will be +refreshed +CTProxyAwareness oblivious|aware|requiresvELevel of CT awareness and enforcement for a proxy + +CTSCTStorage directorysEExisting directory where SCTs are managed +CTServerHelloSCTLimit limitsELimit on number of SCTs that can be returned in +ServerHello +CTStaticLogConfig log-id|- public-key-file|- +1|0|- min-timestamp|- max-timestamp|- +log-URL|-sEStatic configuration of information about a log +CTStaticSCTs certificate-pem-file sct-directorysEStatic configuration of one or more SCTs for a server certificate + +CustomLog file|pipe format|nickname [env=[!]environment-variable| -expr=expression]svBSets filename and format of log file -Dav On|Off|provider-name Off dEEnable WebDAV HTTP methods -DavDepthInfinity on|off off svdEAllow PROPFIND, Depth: Infinity requests -DavGenericLockDB file-pathsvdELocation of the DAV lock database -DavLockDB file-pathsvELocation of the DAV lock database -DavMinTimeout seconds 0 svdEMinimum amount of time the server holds a lock on +expr=expression]svBSets filename and format of log file +Dav On|Off|provider-name Off dEEnable WebDAV HTTP methods +DavDepthInfinity on|off off svdEAllow PROPFIND, Depth: Infinity requests +DavGenericLockDB file-pathsvdELocation of the DAV lock database +DavLockDB file-pathsvELocation of the DAV lock database +DavMinTimeout seconds 0 svdEMinimum amount of time the server holds a lock on a DAV resource -DBDExptime time-in-seconds 300 svEKeepalive time for idle connections -DBDInitSQL "SQL statement"svEExecute an SQL statement after connecting to a database -DBDKeep number 2 svEMaximum sustained number of connections -DBDMax number 10 svEMaximum number of connections -DBDMin number 1 svEMinimum number of connections -DBDParams -param1=value1[,param2=value2]svEParameters for database connection -DBDPersist On|OffsvEWhether to use persistent connections -DBDPrepareSQL "SQL statement" labelsvEDefine an SQL prepared statement -DBDriver namesvESpecify an SQL driver -DefaultIcon url-pathsvdhBIcon to display for files when no specific icon is +DBDExptime time-in-seconds 300 svEKeepalive time for idle connections +DBDInitSQL "SQL statement"svEExecute an SQL statement after connecting to a database +DBDKeep number 2 svEMaximum sustained number of connections +DBDMax number 10 svEMaximum number of connections +DBDMin number 1 svEMinimum number of connections +DBDParams +param1=value1[,param2=value2]svEParameters for database connection +DBDPersist On|OffsvEWhether to use persistent connections +DBDPrepareSQL "SQL statement" labelsvEDefine an SQL prepared statement +DBDriver namesvESpecify an SQL driver +DefaultIcon url-pathsvdhBIcon to display for files when no specific icon is configured -DefaultLanguage language-tagsvdhBDefines a default language-tag to be sent in the Content-Language +DefaultLanguage language-tagsvdhBDefines a default language-tag to be sent in the Content-Language header field for all resources in the current context that have not been assigned a language-tag by some other means. -DefaultRuntimeDir directory-path DEFAULT_REL_RUNTIME +sCBase directory for the server run-time files -DefaultType media-type|none none svdhCThis directive has no effect other than to emit warnings +DefaultRuntimeDir directory-path DEFAULT_REL_RUNTIME +sCBase directory for the server run-time files +DefaultType media-type|none none svdhCThis directive has no effect other than to emit warnings if the value is not none. In prior versions, DefaultType would specify a default media type to assign to response content for which no other media type configuration could be found. -Define parameter-namesCDefine the existence of a variable +Define parameter-namesCDefine the existence of a variable +DeflateAlterETag AddSuffix|NoChange|Remove AddSuffix svEHow the outgoing ETag header should be modified during compression DeflateBufferSize value 8096 svEFragment size to be compressed at one time by zlib DeflateCompressionLevel valuesvEHow much compression do we apply to the output DeflateFilterNote [type] notenamesvEPlaces the compression ratio in a note for logging @@ -480,8 +496,8 @@ media type in the HTTP Content-Type header field will exit. Group unix-group #-1 sBGroup under which the server will answer requests -Header [condition] add|append|echo|edit|edit*|merge|set|unset|note -header [[expr=]value]] [replacement] +Header [condition] add|append|echo|edit|edit*|merge|set|setifempty|unset|note +header [[expr=]value]] [replacement] [early|env=[!]variable]|expr=expression] svdhEConfigure HTTP response headers HeaderName filenamesvdhBName of the file that will be inserted at the top @@ -557,7 +573,7 @@ operations LDAPOpCacheTTL seconds 600 sETime that entries in the operation cache remain valid LDAPReferralHopLimit numberdhEThe maximum number of referral hops to chase before terminating an LDAP query. -LDAPReferrals On|Off|default On dhEEnable referral chasing during queries to the LDAP server. +LDAPReferrals On|Off|default On dhEEnable referral chasing during queries to the LDAP server. LDAPRetries number-of-retries 3 sEConfigures the number of LDAP server retries. LDAPRetryDelay seconds 0 sEConfigures the delay between LDAP server retries. LDAPSharedCacheFile file-pathsESets the shared memory cache file @@ -782,203 +798,207 @@ header ProxyTimeout secondssvENetwork timeout for proxied requests ProxyVia On|Off|Full|Block Off svEInformation provided in the Via HTTP response header for proxied requests -ReadmeName filenamesvdhBName of the file that will be inserted at the end +ProxyWebsocketAsync ON|OFFsvEInstructs this module to try to create an asynchronous tunnel +ProxyWebsocketAsyncDelay num[ms] 0 svESets the amount of time the tunnel waits synchronously for data +ProxyWebsocketIdleTimeout num[ms] 0 svESets the maximum amount of time to wait for data on the websockets tunnel +ReadmeName filenamesvdhBName of the file that will be inserted at the end of the index listing -ReceiveBufferSize bytes 0 sMTCP receive buffer size -Redirect [status] URL-path -URLsvdhBSends an external redirect asking the client to fetch +ReceiveBufferSize bytes 0 sMTCP receive buffer size +Redirect [status] URL-path +URLsvdhBSends an external redirect asking the client to fetch a different URL -RedirectMatch [status] regex -URLsvdhBSends an external redirect based on a regular expression match +RedirectMatch [status] regex +URLsvdhBSends an external redirect based on a regular expression match of the current URL -RedirectPermanent URL-path URLsvdhBSends an external permanent redirect asking the client to fetch +RedirectPermanent URL-path URLsvdhBSends an external permanent redirect asking the client to fetch a different URL -RedirectTemp URL-path URLsvdhBSends an external temporary redirect asking the client to fetch +RedirectTemp URL-path URLsvdhBSends an external temporary redirect asking the client to fetch a different URL -ReflectorHeader inputheader [outputheader]svdhBReflect an input header to the output headers -RegisterHttpMethod method [method [...]]sCRegister non-standard HTTP methods -RemoteIPHeader header-fieldsvBDeclare the header field which should be parsed for useragent IP addresses -RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...svBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value -RemoteIPInternalProxyList filenamesvBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value -RemoteIPProxiesHeader HeaderFieldNamesvBDeclare the header field which will record all intermediate IP addresses -RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...svBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value -RemoteIPTrustedProxyList filenamesvBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value -RemoveCharset extension [extension] -...vdhBRemoves any character set associations for a set of file +ReflectorHeader inputheader [outputheader]svdhBReflect an input header to the output headers +RegisterHttpMethod method [method [...]]sCRegister non-standard HTTP methods +RemoteIPHeader header-fieldsvBDeclare the header field which should be parsed for useragent IP addresses +RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...svBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value +RemoteIPInternalProxyList filenamesvBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value +RemoteIPProxiesHeader HeaderFieldNamesvBDeclare the header field which will record all intermediate IP addresses +RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...svBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value +RemoteIPTrustedProxyList filenamesvBDeclare client intranet IP addresses trusted to present the RemoteIPHeader value +RemoveCharset extension [extension] +...vdhBRemoves any character set associations for a set of file extensions -RemoveEncoding extension [extension] -...vdhBRemoves any content encoding associations for a set of file +RemoveEncoding extension [extension] +...vdhBRemoves any content encoding associations for a set of file extensions -RemoveHandler extension [extension] -...vdhBRemoves any handler associations for a set of file +RemoveHandler extension [extension] +...vdhBRemoves any handler associations for a set of file extensions -RemoveInputFilter extension [extension] -...vdhBRemoves any input filter associations for a set of file +RemoveInputFilter extension [extension] +...vdhBRemoves any input filter associations for a set of file extensions -RemoveLanguage extension [extension] -...vdhBRemoves any language associations for a set of file +RemoveLanguage extension [extension] +...vdhBRemoves any language associations for a set of file extensions -RemoveOutputFilter extension [extension] -...vdhBRemoves any output filter associations for a set of file +RemoveOutputFilter extension [extension] +...vdhBRemoves any output filter associations for a set of file extensions -RemoveType extension [extension] -...vdhBRemoves any content type associations for a set of file +RemoveType extension [extension] +...vdhBRemoves any content type associations for a set of file extensions -RequestHeader add|append|edit|edit*|merge|set|setifempty|unset -header [value] [replacement] +RequestHeader add|append|edit|edit*|merge|set|setifempty|unset +header [[expr=]value] [replacement] [early|env=[!]variable]|expr=expression] -svdhEConfigure HTTP request headers -RequestReadTimeout +svdhEConfigure HTTP request headers +RequestReadTimeout [header=timeout[-maxtimeout][,MinRate=rate] [body=timeout[-maxtimeout][,MinRate=rate] -svESet timeout values for receiving request headers and body from client. +svESet timeout values for receiving request headers and body from client. -Require [not] entity-name - [entity-name] ...dhBTests whether an authenticated user is authorized by +Require [not] entity-name + [entity-name] ...dhBTests whether an authenticated user is authorized by an authorization provider. -<RequireAll> ... </RequireAll>dhBEnclose a group of authorization directives of which none +<RequireAll> ... </RequireAll>dhBEnclose a group of authorization directives of which none must fail and at least one must succeed for the enclosing directive to succeed. -<RequireAny> ... </RequireAny>dhBEnclose a group of authorization directives of which one +<RequireAny> ... </RequireAny>dhBEnclose a group of authorization directives of which one must succeed for the enclosing directive to succeed. -<RequireNone> ... </RequireNone>dhBEnclose a group of authorization directives of which none +<RequireNone> ... </RequireNone>dhBEnclose a group of authorization directives of which none must succeed for the enclosing directive to not fail. -RewriteBase URL-pathdhESets the base URL for per-directory rewrites - RewriteCond - TestString CondPatternsvdhEDefines a condition under which rewriting will take place +RewriteBase URL-pathdhESets the base URL for per-directory rewrites + RewriteCond + TestString CondPatternsvdhEDefines a condition under which rewriting will take place -RewriteEngine on|off off svdhEEnables or disables runtime rewriting engine -RewriteMap MapName MapType:MapSource -svEDefines a mapping function for key-lookup -RewriteOptions OptionssvdhESets some special options for the rewrite engine -RewriteRule - Pattern Substitution [flags]svdhEDefines rules for the rewriting engine -RLimitCPU seconds|max [seconds|max]svdhCLimits the CPU consumption of processes launched +RewriteEngine on|off off svdhEEnables or disables runtime rewriting engine +RewriteMap MapName MapType:MapSource +svEDefines a mapping function for key-lookup +RewriteOptions OptionssvdhESets some special options for the rewrite engine +RewriteRule + Pattern Substitution [flags]svdhEDefines rules for the rewriting engine +RLimitCPU seconds|max [seconds|max]svdhCLimits the CPU consumption of processes launched by Apache httpd children -RLimitMEM bytes|max [bytes|max]svdhCLimits the memory consumption of processes launched +RLimitMEM bytes|max [bytes|max]svdhCLimits the memory consumption of processes launched by Apache httpd children -RLimitNPROC number|max [number|max]svdhCLimits the number of processes that can be launched by +RLimitNPROC number|max [number|max]svdhCLimits the number of processes that can be launched by processes launched by Apache httpd children -Satisfy Any|All All dhEInteraction between host-level access control and +Satisfy Any|All All dhEInteraction between host-level access control and user authentication -ScoreBoardFile file-path apache_runtime_stat +sMLocation of the file used to store coordination data for +ScoreBoardFile file-path apache_runtime_stat +sMLocation of the file used to store coordination data for the child processes -Script method cgi-scriptsvdBActivates a CGI script for a particular request +Script method cgi-scriptsvdBActivates a CGI script for a particular request method. -ScriptAlias URL-path -file-path|directory-pathsvBMaps a URL to a filesystem location and designates the +ScriptAlias URL-path +file-path|directory-pathsvBMaps a URL to a filesystem location and designates the target as a CGI script -ScriptAliasMatch regex -file-path|directory-pathsvBMaps a URL to a filesystem location using a regular expression +ScriptAliasMatch regex +file-path|directory-pathsvBMaps a URL to a filesystem location using a regular expression and designates the target as a CGI script -ScriptInterpreterSource Registry|Registry-Strict|Script Script svdhCTechnique for locating the interpreter for CGI +ScriptInterpreterSource Registry|Registry-Strict|Script Script svdhCTechnique for locating the interpreter for CGI scripts -ScriptLog file-pathsvBLocation of the CGI script error logfile -ScriptLogBuffer bytes 1024 svBMaximum amount of PUT or POST requests that will be recorded +ScriptLog file-pathsvBLocation of the CGI script error logfile +ScriptLogBuffer bytes 1024 svBMaximum amount of PUT or POST requests that will be recorded in the scriptlog -ScriptLogLength bytes 10385760 svBSize limit of the CGI script logfile -ScriptSock file-path cgisock sBThe filename prefix of the socket to use for communication with +ScriptLogLength bytes 10385760 svBSize limit of the CGI script logfile +ScriptSock file-path cgisock sBThe filename prefix of the socket to use for communication with the cgi daemon -SecureListen [IP-address:]portnumber -Certificate-Name [MUTUAL]sBEnables SSL encryption for the specified port -SeeRequestTail On|Off Off sCDetermine if mod_status displays the first 63 characters +SecureListen [IP-address:]portnumber +Certificate-Name [MUTUAL]sBEnables SSL encryption for the specified port +SeeRequestTail On|Off Off sCDetermine if mod_status displays the first 63 characters of a request or the last 63, assuming the request itself is greater than 63 chars. -SendBufferSize bytes 0 sMTCP buffer size -ServerAdmin email-address|URLsvCEmail address that the server includes in error +SendBufferSize bytes 0 sMTCP buffer size +ServerAdmin email-address|URLsvCEmail address that the server includes in error messages sent to the client -ServerAlias hostname [hostname] ...vCAlternate names for a host used when matching requests +ServerAlias hostname [hostname] ...vCAlternate names for a host used when matching requests to name-virtual hosts -ServerLimit numbersMUpper limit on configurable number of processes -ServerName [scheme://]fully-qualified-domain-name[:port]svCHostname and port that the server uses to identify +ServerLimit numbersMUpper limit on configurable number of processes +ServerName [scheme://]fully-qualified-domain-name[:port]svCHostname and port that the server uses to identify itself -ServerPath URL-pathvCLegacy URL pathname for a name-based virtual host that +ServerPath URL-pathvCLegacy URL pathname for a name-based virtual host that is accessed by an incompatible browser -ServerRoot directory-path /usr/local/apache sCBase directory for the server installation -ServerSignature On|Off|EMail Off svdhCConfigures the footer on server-generated documents -ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full Full sCConfigures the Server HTTP response +ServerRoot directory-path /usr/local/apache sCBase directory for the server installation +ServerSignature On|Off|EMail Off svdhCConfigures the footer on server-generated documents +ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full Full sCConfigures the Server HTTP response header -Session On|Off Off svdhEEnables a session for the current directory or location -SessionCookieName name attributessvdhEName and attributes for the RFC2109 cookie storing the session -SessionCookieName2 name attributessvdhEName and attributes for the RFC2965 cookie storing the session -SessionCookieRemove On|Off Off svdhEControl for whether session cookies should be removed from incoming HTTP headers -SessionCryptoCipher namesvdhXThe crypto cipher to be used to encrypt the session -SessionCryptoDriver name [param[=value]]sXThe crypto driver to be used to encrypt the session -SessionCryptoPassphrase secret [ secret ... ] svdhXThe key used to encrypt the session -SessionCryptoPassphraseFile filenamesvdXFile containing keys used to encrypt the session -SessionDBDCookieName name attributessvdhEName and attributes for the RFC2109 cookie storing the session ID -SessionDBDCookieName2 name attributessvdhEName and attributes for the RFC2965 cookie storing the session ID -SessionDBDCookieRemove On|Off On svdhEControl for whether session ID cookies should be removed from incoming HTTP headers -SessionDBDDeleteLabel label deletesession svdhEThe SQL query to use to remove sessions from the database -SessionDBDInsertLabel label insertsession svdhEThe SQL query to use to insert sessions into the database -SessionDBDPerUser On|Off Off svdhEEnable a per user session -SessionDBDSelectLabel label selectsession svdhEThe SQL query to use to select sessions from the database -SessionDBDUpdateLabel label updatesession svdhEThe SQL query to use to update existing sessions in the database -SessionEnv On|Off Off svdhEControl whether the contents of the session are written to the +Session On|Off Off svdhEEnables a session for the current directory or location +SessionCookieName name attributessvdhEName and attributes for the RFC2109 cookie storing the session +SessionCookieName2 name attributessvdhEName and attributes for the RFC2965 cookie storing the session +SessionCookieRemove On|Off Off svdhEControl for whether session cookies should be removed from incoming HTTP headers +SessionCryptoCipher namesvdhXThe crypto cipher to be used to encrypt the session +SessionCryptoDriver name [param[=value]]sXThe crypto driver to be used to encrypt the session +SessionCryptoPassphrase secret [ secret ... ] svdhXThe key used to encrypt the session +SessionCryptoPassphraseFile filenamesvdXFile containing keys used to encrypt the session +SessionDBDCookieName name attributessvdhEName and attributes for the RFC2109 cookie storing the session ID +SessionDBDCookieName2 name attributessvdhEName and attributes for the RFC2965 cookie storing the session ID +SessionDBDCookieRemove On|Off On svdhEControl for whether session ID cookies should be removed from incoming HTTP headers +SessionDBDDeleteLabel label deletesession svdhEThe SQL query to use to remove sessions from the database +SessionDBDInsertLabel label insertsession svdhEThe SQL query to use to insert sessions into the database +SessionDBDPerUser On|Off Off svdhEEnable a per user session +SessionDBDSelectLabel label selectsession svdhEThe SQL query to use to select sessions from the database +SessionDBDUpdateLabel label updatesession svdhEThe SQL query to use to update existing sessions in the database +SessionEnv On|Off Off svdhEControl whether the contents of the session are written to the HTTP_SESSION environment variable -SessionExclude pathsvdhEDefine URL prefixes for which a session is ignored -SessionHeader headersvdhEImport session updates from a given HTTP response header -SessionInclude pathsvdhEDefine URL prefixes for which a session is valid -SessionMaxAge maxage 0 svdhEDefine a maximum age in seconds for a session -SetEnv env-variable [value]svdhBSets environment variables -SetEnvIf attribute +SessionExclude pathsvdhEDefine URL prefixes for which a session is ignored +SessionHeader headersvdhEImport session updates from a given HTTP response header +SessionInclude pathsvdhEDefine URL prefixes for which a session is valid +SessionMaxAge maxage 0 svdhEDefine a maximum age in seconds for a session +SetEnv env-variable [value]svdhBSets environment variables +SetEnvIf attribute regex [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request + [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request -SetEnvIfExpr expr +SetEnvIfExpr expr [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhBSets environment variables based on an ap_expr expression -SetEnvIfNoCase attribute regex + [[!]env-variable[=value]] ...svdhBSets environment variables based on an ap_expr expression +SetEnvIfNoCase attribute regex [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request + [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request without respect to case -SetHandler handler-name|NonesvdhCForces all matching files to be processed by a +SetHandler handler-name|NonesvdhCForces all matching files to be processed by a handler -SetInputFilter filter[;filter...]svdhCSets the filters that will process client requests and POST +SetInputFilter filter[;filter...]svdhCSets the filters that will process client requests and POST input -SetOutputFilter filter[;filter...]svdhCSets the filters that will process responses from the +SetOutputFilter filter[;filter...]svdhCSets the filters that will process responses from the server -SSIEndTag tag "-->" svBString that ends an include element -SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI +SSIEndTag tag "-->" svBString that ends an include element +SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI error -SSIETag on|off off dhBControls whether ETags are generated by the server. -SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the +SSIETag on|off off dhBControls whether ETags are generated by the server. +SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. -SSIStartTag tag "" svBinclude è¦ç´ ãçµäºãããæåå -SSIErrorMsg message "[an error occurred +svdhBSSI ã®ã¨ã©ã¼ããã£ãã¨ãã«è¡¨ç¤ºãããã¨ã©ã¼ã¡ãã»ã¼ã¸ -SSIETag on|off off dhBControls whether ETags are generated by the server. -SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the + [[!]env-variable[=value]] ...svdhBãªã¯ã¨ã¹ãã®å±æ§ã«åºã¥ãã¦å¤§æåå°æåãåºå¥ããã«ç°å¢å¤æ°ãè¨å®ãã +SetHandler handler-name|NonesvdhCããããããã¡ã¤ã«ããã³ãã©ã§å¦çãããããã«ãã +SetInputFilter filter[;filter...]svdhCã¯ã©ã¤ã¢ã³ãã®ãªã¯ã¨ã¹ãã POST ã®å¥åãå¦çãããã£ã«ã¿ãè¨å®ãã +SetOutputFilter filter[;filter...]svdhCãµã¼ãã®å¿çãå¦çãããã£ã«ã¿ãè¨å®ãã +SSIEndTag tag "-->" svBinclude è¦ç´ ãçµäºãããæåå +SSIErrorMsg message "[an error occurred +svdhBSSI ã®ã¨ã©ã¼ããã£ãã¨ãã«è¡¨ç¤ºãããã¨ã©ã¼ã¡ãã»ã¼ã¸ +SSIETag on|off off dhBControls whether ETags are generated by the server. +SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. -SSIStartTag tag "" svBString that ends an include element -SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI +SSIEndTag tag "-->" svBString that ends an include element +SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI error -SSIETag on|off off dhBControls whether ETags are generated by the server. -SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the +SSIETag on|off off dhBControls whether ETags are generated by the server. +SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. -SSIStartTag tag "" skTString that ends an include element -SSIErrorMsg message "[an error occurred +skdhTError message displayed when there is an SSI +SetOutputFilter sÃ¼zgeÃ§[;sÃ¼zgeÃ§...]skdhÃSunucunun yanÄ±tlarÄ±nÄ± iÅleyecek sÃ¼zgeÃ§leri belirler. +SSIEndTag tag "-->" skTString that ends an include element +SSIErrorMsg message "[an error occurred +skdhTError message displayed when there is an SSI error -SSIETag on|off off dhTControls whether ETags are generated by the server. -SSILastModified on|off off dhTControls whether Last-Modified headers are generated by the +SSIETag on|off off dhTControls whether ETags are generated by the server. +SSILastModified on|off off dhTControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhTEnable compatibility mode for conditional expressions. -SSIStartTag tag "" svBString that ends an include element -SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI +SSIEndTag tag "-->" svBString that ends an include element +SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI error -SSIETag on|off off dhBControls whether ETags are generated by the server. -SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the +SSIETag on|off off dhBControls whether ETags are generated by the server. +SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. -SSIStartTag tag "<!--#" svBString that starts an include element -SSITimeFormat formatstring "%A, %d-%b-%Y %H:%M +svdhBConfigures the format in which date strings are +SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. +SSIStartTag tag "<!--#" svBString that starts an include element +SSITimeFormat formatstring "%A, %d-%b-%Y %H:%M +svdhBConfigures the format in which date strings are displayed -SSIUndefinedEcho string "(none)" svdhBString displayed when an unset variable is echoed -SSLCACertificateFile file-pathsvEFile of concatenated PEM-encoded CA Certificates +SSIUndefinedEcho string "(none)" svdhBString displayed when an unset variable is echoed +SSLCACertificateFile file-pathsvEFile of concatenated PEM-encoded CA Certificates for Client Auth -SSLCACertificatePath directory-pathsvEDirectory of PEM-encoded CA Certificates for +SSLCACertificatePath directory-pathsvEDirectory of PEM-encoded CA Certificates for Client Auth -SSLCADNRequestFile file-pathsvEFile of concatenated PEM-encoded CA Certificates +SSLCADNRequestFile file-pathsvEFile of concatenated PEM-encoded CA Certificates for defining acceptable CA names -SSLCADNRequestPath directory-pathsvEDirectory of PEM-encoded CA Certificates for +SSLCADNRequestPath directory-pathsvEDirectory of PEM-encoded CA Certificates for defining acceptable CA names -SSLCARevocationCheck chain|leaf|none none svEEnable CRL-based revocation checking -SSLCARevocationFile file-pathsvEFile of concatenated PEM-encoded CA CRLs for +SSLCARevocationCheck chain|leaf|none none svEEnable CRL-based revocation checking +SSLCARevocationFile file-pathsvEFile of concatenated PEM-encoded CA CRLs for Client Auth -SSLCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for +SSLCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for Client Auth -SSLCertificateChainFile file-pathsvEFile of PEM-encoded Server CA Certificates -SSLCertificateFile file-pathsvEServer PEM-encoded X.509 certificate data file -SSLCertificateKeyFile file-pathsvEServer PEM-encoded private key file -SSLCipherSuite cipher-spec DEFAULT (depends on +svdhECipher Suite available for negotiation in SSL +SSLCertificateChainFile file-pathsvEFile of PEM-encoded Server CA Certificates +SSLCertificateFile file-pathsvEServer PEM-encoded X.509 certificate data file +SSLCertificateKeyFile file-pathsvEServer PEM-encoded private key file +SSLCipherSuite cipher-spec DEFAULT (depends on +svdhECipher Suite available for negotiation in SSL handshake -SSLCompression on|off off svEEnable compression on the SSL level -SSLCryptoDevice engine builtin sEEnable use of a cryptographic hardware accelerator -SSLEngine on|off|optional off svESSL Engine Operation Switch -SSLFIPS on|off off sESSL FIPS mode Switch -SSLHonorCipherOrder on|off off svEOption to prefer the server's cipher preference order -SSLInsecureRenegotiation on|off off svEOption to enable support for insecure renegotiation -SSLOCSDefaultResponder urisvESet the default responder URI for OCSP validation -SSLOCSPEnable on|off off svEEnable OCSP validation of the client certificate chain -SSLOCSPOverrideResponder on|off off svEForce use of the default responder URI for OCSP validation -SSLOCSPResponderTimeout seconds 10 svETimeout for OCSP queries -SSLOCSPResponseMaxAge seconds -1 svEMaximum allowable age for OCSP responses -SSLOCSPResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP response validation +SSLCompression on|off off svEEnable compression on the SSL level +SSLCryptoDevice engine builtin sEEnable use of a cryptographic hardware accelerator +SSLEngine on|off|optional off svESSL Engine Operation Switch +SSLFIPS on|off off sESSL FIPS mode Switch +SSLHonorCipherOrder on|off off svEOption to prefer the server's cipher preference order +SSLInsecureRenegotiation on|off off svEOption to enable support for insecure renegotiation +SSLOCSDefaultResponder urisvESet the default responder URI for OCSP validation +SSLOCSPEnable on|off off svEEnable OCSP validation of the client certificate chain +SSLOCSPOverrideResponder on|off off svEForce use of the default responder URI for OCSP validation +SSLOCSPResponderTimeout seconds 10 svETimeout for OCSP queries +SSLOCSPResponseMaxAge seconds -1 svEMaximum allowable age for OCSP responses +SSLOCSPResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP response validation +SSLOCSPUseRequestNonce on|off on svEUse a nonce within OCSP queries SSLOpenSSLConfCmd command-name command-valuesvEConfigure OpenSSL parameters through its SSL_CONF API SSLOptions [+|-]option ...svdhEConfigure various SSL engine run-time options SSLPassPhraseDialog type builtin sEType of pass phrase dialog for encrypted private diff --git a/docs/manual/programs/ctlogconfig.html b/docs/manual/programs/ctlogconfig.html new file mode 100644 index 00000000000..d1b41e14936 --- /dev/null +++ b/docs/manual/programs/ctlogconfig.html @@ -0,0 +1,5 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: ctlogconfig.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/docs/manual/programs/ctlogconfig.html.en b/docs/manual/programs/ctlogconfig.html.en new file mode 100644 index 00000000000..67978b014a0 --- /dev/null +++ b/docs/manual/programs/ctlogconfig.html.en @@ -0,0 +1,192 @@ + + + +ctlogconfig - Certificate Transparency log configuration tool - Apache HTTP Server + + + + + + +

+
+
+Apache > HTTP Server > Documentation > Version 2.5 > Programs
ctlogconfig - Certificate Transparency log configuration tool
+
+
Available Languages: en
+
+ +
ctlogconfig is a tool for maintaining a log configuration + database, for use with mod_ssl_ct.
+ +
Refer to the examples below for typical use.
+ +
+
Synopsis
+
Sub-commands
+
Examples
+
See also
mod_ssl_ct
Comments
+
+
+
Synopsis
+ +
+ ctlogconfig db-path dump +
+ +
+ ctlogconfig db-path configure-public-key + [ log-id|record-id ] + /path/to/public-key.pem +
+ +
+ ctlogconfig db-path configure-url + [ log-id|record-id ] + log-URL +
+ +
+ ctlogconfig db-path valid-time-range + log-id|record-id + min-timestamp max-timestamp +
+ +
+ ctlogconfig db-path trust + log-id|record-id +
+ +
+ ctlogconfig db-path distrust + log-id|record-id +
+ +
+ ctlogconfig db-path forget + log-id|record-id +
+ +
+
+
Sub-commands
+ +
+
dump
+
Display configuration database contents. The record id shown in + the output of this sub-command can be used to identify the affected + record in other sub-commands.
+ +
configure-public-key
+
Add a log's public key to the database or set the public key for an + existing entry. The log's public key is needed to validate the signature + of SCTs received by a proxy from a backend server.
+ +
configure-url
+
Add a log's URL to the database or set the URL for an existing entry. + The log's URL is used when submitting server certificates to logs in + order to obtain SCTs to send to clients.
+ +
valid-time-range
+
Set the minimum valid time and/or the maximum valid time for a log. + SCTs from the log with timestamps outside of the valid range will not be + accepted. Use - for a time that is not being configured.
+ +
trust
+
Mark a log as trusted, which is the default setting. This sub-command + is used to reverse a distrust setting.
+ +
distrust
+
Mark a log as distrusted.
+ +
forget
+
Remove information about a log from the database.
+
+
+
+
Examples
+ + +
Consider an Apache httpd instance which serves as a TLS server and a proxy. + The TLS server needs to obtain SCTs from a couple of known logs in order to + pass those to clients, and the proxy needs to be able to validate the signature + of SCTs received from backend servers.
+ +
First we'll configure the URLs for logs where server certificates are logged:
+ +
+ $ ctlogconfig /path/to/conf/log-config configure-url http://log1.example.com/ + $ ctlogconfig /path/to/conf/log-config configure-url http://log2.example.com/ + $ ctlogconfig /path/to/conf/log-config dump + Log entry: + Record 1 + Log id : (not configured) + Public key file: (not configured) + URL : http://log1.example.com/ + Time range : -INF to +INF + + Log entry: + Record 2 + Log id : (not configured) + Public key file: (not configured) + URL : http://log2.example.com/ + Time range : -INF to +INF +
+ +
Next we'll set the public key of a log where the certificate of our only + backend server is published. In this case it is the log with URL + http://log2.example.com/ which has already been configured.
+ +
+ $ ctlogconfig /path/to/conf/log-config configure-public-key \\#2 /path/to/conf/log2-pub.pem + $ ctlogconfig /path/to/conf/log-config dump + Log entry: + Record 1 + Log id : (not configured) + Public key file: (not configured) + URL : http://log1.example.com/ + Time range : -INF to +INF + + Log entry: + Record 2 + Log id : (not configured) + Public key file: /path/to/conf/log2-pub.pem + URL : http://log2.example.com/ + Time range : -INF to +INF +
+
+
+
Available Languages: en
+
Comments
Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.
+
+
Copyright 2014 The Apache Software Foundation.
Licensed under the Apache License, Version 2.0.
+
Modules | Directives | FAQ | Glossary | Sitemap
+ \ No newline at end of file diff --git a/docs/manual/programs/ctlogconfig.xml.meta b/docs/manual/programs/ctlogconfig.xml.meta new file mode 100644 index 00000000000..8f42c05811c --- /dev/null +++ b/docs/manual/programs/ctlogconfig.xml.meta @@ -0,0 +1,12 @@ + + + + + ctlogconfig + /programs/ + .. + + + en + + diff --git a/docs/manual/rewrite/flags.html.fr b/docs/manual/rewrite/flags.html.fr index f1d9b3cc4c6..bc36050d387 100644 --- a/docs/manual/rewrite/flags.html.fr +++ b/docs/manual/rewrite/flags.html.fr @@ -31,6 +31,8 @@ des explications d

SSLOpenSSLConfCmd Directive
@@ -1072,7 +1083,7 @@ which means that OCSP responses are considered valid as long as their
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.5.0-dev and later, if using OpenSSL 1.0.2 or later
+Compatibility:Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later
 
 This directive exposes OpenSSL's SSL_CONF API to mod_ssl,
 allowing a flexible configuration of OpenSSL parameters without the need
@@ -1267,10 +1278,10 @@ query can be done in two ways which can be configured by

exec:/path/to/program
     
     Here an external program is configured which is called at startup for each
-    encrypted Private Key file. It is called with two arguments (the first is
-    of the form ``servername:portnumber'', the second is either
-    ``RSA'', ``DSA'', or ``ECC''), which
-    indicate for which server and algorithm it has to print the corresponding
+    encrypted Private Key file. It is called with one argument, a string of the
+    form ``servername:portnumber:index'' (with index
+    being a zero-based sequence number), which indicates for which server,
+    TCP port and certificate number it has to print the corresponding
     Pass Phrase to stdout.  The intent is that this external
     program first runs security checks to make sure that the system is not
     compromised by an attacker, and only when these checks were passed
@@ -2158,6 +2169,8 @@ be protected with file permissions similar to those used for
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
+Compatibility:Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or
+later
 
 

 This directive sets the seed used to fake SRP user parameters for unknown
@@ -2178,6 +2191,8 @@ SSLSRPUnknownUserSeed "secret"
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
+Compatibility:Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or
+later
 
 

 This directive enables TLS-SRP and sets the path to the OpenSSL SRP (Secure
@@ -2205,7 +2220,7 @@ avalable in the SSL_SRP_USERINFO request environment variable.
 Context:server config
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 Configures the cache used to store OCSP responses which get included
 in the TLS handshake if SSLUseStapling
@@ -2224,7 +2239,7 @@ the same storage types are supported as with
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 
Sets the timeout in seconds before invalid responses
 in the OCSP stapling cache (configured through SSLStaplingCache) will expire.
@@ -2241,7 +2256,7 @@ To set the cache timeout for valid responses, see
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 
When enabled and a query to an OCSP responder for stapling
 purposes fails, mod_ssl will synthesize a "tryLater" response for the
@@ -2257,7 +2272,7 @@ is also enabled.
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 This directive overrides the URI of an OCSP responder as obtained from
 the authorityInfoAccess (AIA) extension of the certificate.
@@ -2273,7 +2288,7 @@ Of potential use when going through a proxy for retrieving OCSP queries.
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 This option sets the timeout for queries to OCSP responders when
 SSLUseStapling is enabled
@@ -2289,7 +2304,7 @@ and mod_ssl is querying a responder for OCSP stapling purposes.
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 This option sets the maximum allowable age ("freshness") when
 considering OCSP responses for stapling purposes, i.e. when
@@ -2308,7 +2323,7 @@ which means that OCSP responses are considered valid as long as their
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 
This option sets the maximum allowable time skew when mod_ssl checks the
 thisUpdate and nextUpdate fields of OCSP responses
@@ -2325,7 +2340,7 @@ if SSLUseStapling i
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 
When enabled, mod_ssl will pass responses from unsuccessful
 stapling related OCSP queries (such as status errors, expired responses etc.)
@@ -2342,7 +2357,7 @@ for failed queries will be included in the TLS handshake.
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 Sets the timeout in seconds before responses in the OCSP stapling cache
 (configured through SSLStaplingCache)
@@ -2416,7 +2431,7 @@ authentication header (see SSLOptions).
 Context:server config, virtual host
 Status:Extension
 Module:mod_ssl
-Compatibility:Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later
+Compatibility:Available if using OpenSSL 0.9.8h or later
 
 This option enables OCSP stapling, as defined by the "Certificate
 Status Request" TLS extension specified in RFC 6066. If enabled (and
diff --git a/docs/manual/mod/mod_ssl_ct.html b/docs/manual/mod/mod_ssl_ct.html
new file mode 100644
index 00000000000..98736ecd872
--- /dev/null
+++ b/docs/manual/mod/mod_ssl_ct.html
@@ -0,0 +1,5 @@
+# GENERATED FROM XML -- DO NOT EDIT
+
+URI: mod_ssl_ct.html.en
+Content-Language: en
+Content-type: text/html; charset=ISO-8859-1
diff --git a/docs/manual/mod/mod_ssl_ct.html.en b/docs/manual/mod/mod_ssl_ct.html.en
new file mode 100644
index 00000000000..4fd9a3a20de
--- /dev/null
+++ b/docs/manual/mod/mod_ssl_ct.html.en
@@ -0,0 +1,345 @@
+
+
+
+mod_ssl_ct - Apache HTTP Server
+
+
+
+
+
+
+
+

+Modules | Directives | FAQ | Glossary | Sitemap
+Apache HTTP Server Version 2.5
+
+
+
+Apache > HTTP Server > Documentation > Version 2.5 > Modules
+
+Apache Module mod_ssl_ct
+
+Available Languages:  en 
+
+
+
+
+Description: Implementation of Certificate Transparency (RFC 6962)
+
Status: Extension
Module Identifier: ssl_ct_module
Source File: mod_ssl_ct.c
+Summary
+
+This module provides an implementation of Certificate Transparency, in 
+conjunction with mod_ssl and command-line tools from the
+certificate-transparency
+open source project.  The goal of Certificate Transparency is to expose the
+use of server certificates which are trusted by browsers but were mistakenly
+or maliciously issued.  More information about Certificate Transparency is
+available at 
+http://www.certificate-transparency.org/.
+
+This implementation for Apache httpd provides these features for TLS
+servers and proxies:
+
+
+  Signed Certificate Timestamps (SCTs) can be obtained from logs 
+  automatically and, in conjunction with any statically configured SCTs, sent
+  to aware clients in the ServerHello (during the handshake).
+  SCTs can be received by the proxy from backend servers in the ServerHello,
+  in a certificate extension, and/or within stapled OCSP responses; any SCTs 
+  received can be partially validated on-line and optionally queued for off-line
+  audit.
+  The proxy can be configured to disallow communication with a backend
+  which does not provide an SCT which passes on-line validation.
+
+
+Configuration information about logs can be defined statically in the web
+server configuration or maintained in a Sqlite3 database.  In the latter case,
+mod_ssl_ct will reload the database periodically, so any
+site-specific infrastructure for maintaining and propagating log configuration
+information does not have to also restart httpd to make it take effect.
+
+Directives
+
+ CTAuditStorage
+ CTLogClient
+ CTLogConfigDB
+ CTMaxSCTAge
+ CTProxyAwareness
+ CTSCTStorage
+ CTServerHelloSCTLimit
+ CTStaticLogConfig
+ CTStaticSCTs
+
+Comments
+
+
+CTAuditStorage Directive
+
+
+
+
+
+
+
+Description: Existing directory where data for off-line audit will be stored
Syntax: CTAuditStorage directory
Default: none
Context: server config
Status: Extension
Module: mod_ssl_ct
+  The CTAuditStorage directive sets the name of a
+  directory where data will be stored for off-line audit.  If directory
+  is not absolute then it is assumed to be relative to 
+  DefaultRuntimeDir.
+
+  If this directive is not specified, data will not be stored for off-line
+  audit.
+
+  The directory will contain files named PID.tmp for
+  active child processes and files named PID.out for exited
+  child processes.  These .out files are ready for off-line audit. 
+  The experimental command ctauditscts (in the httpd source tree, not
+  currently installed) interfaces with certificate-transparency tools to
+  perform the audit.
+
+
+
+CTLogClient Directive
+
+
+
+
+
+
+
+Description: Location of certificate-transparency log client tool
Syntax: CTLogClient executable
Default: none
Context: server config
Status: Extension
Module: mod_ssl_ct
+  executable is the full path to the log client tool, which is
+  normally file src/client/ct within the source tree of the 
+  
+  certificate-transparency open source project.
+
+  An alternative implementation could be used to retrieve SCTs for a
+  server certificate as long as the command-line interface is equivalent.
+
+
+
+CTLogConfigDB Directive
+
+
+
+
+
+
+
+Description: Log configuration database supporting dynamic updates
Syntax: CTLogConfigDB filename
Default: none
Context: server config
Status: Extension
Module: mod_ssl_ct
+  The CTLogConfigDB directive sets the name of a database
+  containing configuration about known logs.  If filename is not absolute
+  then it is assumed to be relative to
+  ServerRoot.
+
+  Refer to the documentation for the ctlogconfig program,
+  which manages the database.
+
+
+
+CTMaxSCTAge Directive
+
+
+
+
+
+
+
+Description: Maximum age of SCT obtained from a log, before it will be
+refreshed
Syntax: CTMaxSCTAge num-seconds
Default: 1 day
Context: server config
Status: Extension
Module: mod_ssl_ct
+  Server certificates with SCTs which are older than this maximum age will
+  be resubmitted to configured logs.  Generally the log will return the same SCT
+  as before, but that is subject to log operation.  SCTs will be refreshed as
+  necessary during normal server operation, with new SCTs returned to clients
+  as they become available.
+
+
+
+CTProxyAwareness Directive
+
+
+
+
+
+
+
+Description: Level of CT awareness and enforcement for a proxy
+
Syntax: CTProxyAwareness oblivious|aware|require
Default: aware
Context: server config, virtual host
Status: Extension
Module: mod_ssl_ct
+  This directive controls awareness and checks for valid SCTs for a
+  proxy.  Several options are available:
+
+  
+    oblivious
+    The proxy will neither ask for nor examine SCTs.  Certificate
+    Transparency processing for the proxy is completely disabled.
+
+    aware
+    The proxy will perform all appropriate Certificate Transparency
+    processing, such as asking for and examining SCTs.  However, the
+    proxy will not disallow communication if the backend server does
+    not provide any valid SCTs.
+
+    require
+    The proxy will abort communication with the backend server if it
+    does not provide at least one SCT which passes on-line validation.
+  
+
+
+
+
+CTSCTStorage Directive
+
+
+
+
+
+
+
+Description: Existing directory where SCTs are managed
Syntax: CTSCTStorage directory
Default: none
Context: server config
Status: Extension
Module: mod_ssl_ct
+  The CTSCTStorage directive sets the name of a
+  directory where SCTs and SCT lists will will be stored.  If directory
+  is not absolute then it is assumed to be relative to 
+  DefaultRuntimeDir.
+
+  A subdirectory for each server certificate contains information relative
+  to that certificate; the name of the subdirectory is the SHA-256 hash of the
+  certificate.
+
+  The certificate-specific directory contains SCTs retrieved from configured 
+  logs, SCT lists prepared from statically configured SCTs and retrieved SCTs,
+  and other information used for managing SCTs.
+
+
+
+CTServerHelloSCTLimit Directive
+
+
+
+
+
+
+
+Description: Limit on number of SCTs that can be returned in
+ServerHello
Syntax: CTServerHelloSCTLimit limit
Default: 100
Context: server config
Status: Extension
Module: mod_ssl_ct
+  This directive can be used to limit the number of SCTs which can be
+  returned by a TLS server in ServerHello, in case the number of configured
+  logs and statically-defined SCTs is relatively high.
+
+  Typically only a few SCTs would be available, so this directive is only
+  needed in special circumstances.
+
+  The directive does not take into account SCTs which may be provided in
+  certificate extensions or in stapled OCSP responses.
+
+
+
+CTStaticLogConfig Directive
+
+
+
+
+
+
+
+Description: Static configuration of information about a log
Syntax: CTStaticLogConfig log-id|- public-key-file|-
+1|0|- min-timestamp|- max-timestamp|-
+log-URL|-
Default: none
Context: server config
Status: Extension
Module: mod_ssl_ct
+  This directive is used to configure information about a particular log.
+  This directive is appropriate when configuration information changes rarely.
+  If dynamic configuration updates must be supported, refer to the 
+  CTLogConfigDB directive.
+
+  Each of the six fields must be specified, but usually only a small
+  amount of information must be configured for each log; use - when no
+  information is available for the field.  The fields are defined as follows:
+
+  
+    log-id
+    This is the id of the log.  The id is the SHA-256 hash of the log's
+    public key.  In some cases it is appropriate and convenient to identify
+    the log by the id (hash), such as when configuring information regarding
+    the log's validity.
+
+    public-key-file
+    This is the name of a file containing the PEM encoding of the log's
+    public key.  If the name is not absolute, then it is assumed to be relative
+    to ServerRoot.  The public key is
+    required in order to check the signature of SCTs received by the proxy.
+
+    trust
+    This is a generic trust flag.  Set this field to 0 to
+    distrust this log.
+
+    min-timestamp
+    SCTs received from this log by the proxy are invalid if the timestamp
+    is older than this value.
+
+    max-timestamp
+    SCTs received from this log by the proxy are invalid if the timestamp
+    is newer than this value.
+
+    log-URL
+    This is the URL of the log, for use in submitting server certificates
+    and in turn obtaining an SCT to be sent to clients.  Each server certificate
+    will be submitted to all logs for which log-URL is configured.
+  
+
+
+
+CTStaticSCTs Directive
+
+
+
+
+
+
+
+Description: Static configuration of one or more SCTs for a server certificate
+
Syntax: CTStaticSCTs certificate-pem-file sct-directory
Default: none
Context: server config
Status: Extension
Module: mod_ssl_ct
+  This directive is used to statically define one or more SCTs corresponding
+  to a server certificate.  This mechanism can be used instead of or in
+  addition to dynamically obtaining SCTs from configured logs.
+
+  certificate-pem-file refers to the server certificate in PEM
+  format.  If the name is not absolute, then it is assumed to be relative to
+  ServerRoot.
+
+  sct-directory must contain one or more files with extension
+  .sct, representing one or more SCTs corresponding to the
+  server certificate.  If sct-directory is not absolute, then it is 
+  assumed to be relative to ServerRoot.
+
+
+
+
+Available Languages:  en 
+
Comments
Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.
+

+Copyright 2014 The Apache Software Foundation.
Licensed under the Apache License, Version 2.0.
+Modules | Directives | FAQ | Glossary | Sitemap

+
\ No newline at end of file
diff --git a/docs/manual/mod/mod_ssl_ct.xml.meta b/docs/manual/mod/mod_ssl_ct.xml.meta
new file mode 100644
index 00000000000..c33bcb9fde4
--- /dev/null
+++ b/docs/manual/mod/mod_ssl_ct.xml.meta
@@ -0,0 +1,12 @@
+
+
+
+
+  mod_ssl_ct
+  /mod/
+  ..
+
+  
+    en
+  
+
diff --git a/docs/manual/mod/mod_suexec.html.en b/docs/manual/mod/mod_suexec.html.en
index 656681c21e2..69a325f9e06 100644
--- a/docs/manual/mod/mod_suexec.html.en
+++ b/docs/manual/mod/mod_suexec.html.en
@@ -64,8 +64,8 @@ and Group
     Example
SuexecUserGroup nobody nogroup
 
 
-    In Apache httpd 2.3.9 and later, startup will fail if this
-    directive is specified but the suEXEC feature is disabled.
+    Startup will fail if this directive is specified but the suEXEC
+    feature is disabled.
 
 See also


diff --git a/docs/manual/mod/mod_unixd.html.en b/docs/manual/mod/mod_unixd.html.en
index 6c600498cd4..00caa68aee0 100644
--- a/docs/manual/mod/mod_unixd.html.en
+++ b/docs/manual/mod/mod_unixd.html.en
@@ -119,7 +119,6 @@ Off otherwise

When On, startup will fail if the suexec binary doesn't exist or has an invalid owner or file mode.

CookieTracking on|off

CoreDumpDirectory Verzeichnis

CustomLog file|pipe +

CTAuditStorage directory

CTLogClient executable

CTLogConfigDB filename

CTMaxSCTAge num-seconds

CTProxyAwareness oblivious|aware|require

CTSCTStorage directory

CTServerHelloSCTLimit limit

CTStaticSCTs certificate-pem-file sct-directory

CustomLog file|pipe format|nickname [env=[!]environment-variable| -expr=expression]

Dav On|Off|provider-name

DavDepthInfinity on|off

DavGenericLockDB file-path

DavLockDB file-path

DavMinTimeout seconds

expression

Dav On|Off|provider-name

DavDepthInfinity on|off

DavGenericLockDB file-path

DavLockDB file-path

DavMinTimeout seconds

DBDExptime time-in-seconds

DBDInitSQL "SQL statement"

DBDKeep number

DBDMax number

DBDMin number

DBDParams -param1=value1[,param2=value2]

DBDPersist On|Off

DBDPrepareSQL "SQL statement" label

DBDriver name

DefaultIcon url-path

DBDExptime time-in-seconds

DBDInitSQL "SQL statement"

DBDKeep number

DBDMax number

DBDMin number

DBDParams +param1=value1[,param2=value2]

DBDPersist On|Off

DBDPrepareSQL "SQL statement" label

DBDriver name

DefaultIcon url-path

DefaultLanguage language-tag

DefaultRuntimeDir directory-path

DefaultType MIME-Type

DefaultRuntimeDir directory-path

DefaultType MIME-Type

Define Parametername

DeflateAlterETag AddSuffix|NoChange|Remove

DeflateBufferSize value

DeflateCompressionLevel value

DeflateFilterNote [type] notename

Group unix-group

HeaderName filename

LDAPOpCacheTTL seconds

LDAPReferralHopLimit number

LDAPReferrals On|Off|default

LDAPReferrals On|Off|default

LDAPRetries number-of-retries

LDAPRetryDelay seconds

LDAPSharedCacheFile file-path

ProxyTimeout seconds

ProxyVia On|Off|Full|Block

Via

ReadmeName filename

ProxyWebsocketAsync ON|OFF

ProxyWebsocketAsyncDelay num[ms]

ProxyWebsocketIdleTimeout num[ms]

ReadmeName filename

ReceiveBufferSize bytes

Redirect [status] URL-path -URL

ReceiveBufferSize bytes

Redirect [status] URL-path +URL

RedirectMatch [status] regex -URL

RedirectMatch [status] regex +URL

RedirectPermanent URL-path URL

RedirectTemp URL-path URL

ReflectorHeader inputheader [outputheader]

RegisterHttpMethod method [method [...]]

RemoteIPHeader header-field

RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...

RemoteIPInternalProxyList filename

RemoteIPProxiesHeader HeaderFieldName

RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...

RemoteIPTrustedProxyList filename

RemoveCharset extension [extension] -...

ReflectorHeader inputheader [outputheader]

RegisterHttpMethod method [method [...]]

RemoteIPHeader header-field

RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...

RemoteIPInternalProxyList filename

RemoteIPProxiesHeader HeaderFieldName

RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...

RemoteIPTrustedProxyList filename

RemoveCharset extension [extension] +...

RemoveEncoding extension [extension] -...

RemoveEncoding extension [extension] +...

RemoveHandler extension [extension] -...

RemoveHandler extension [extension] +...

RemoveInputFilter extension [extension] -...

RemoveInputFilter extension [extension] +...

RemoveLanguage extension [extension] -...

RemoveLanguage extension [extension] +...

RemoveOutputFilter extension [extension] -...

RemoveOutputFilter extension [extension] +...

RemoveType extension [extension] -...

RemoveType extension [extension] +...

RequestReadTimeout +

RequestReadTimeout [header=timeout[-maxtimeout][,MinRate=rate] [body=timeout[-maxtimeout][,MinRate=rate] -

Require [not] entity-name - [entity-name] ...

Require [not] entity-name + [entity-name] ...

RewriteBase URL-path

RewriteCond - TestString CondPattern

RewriteBase URL-path

RewriteCond + TestString CondPattern

RewriteEngine on|off

RewriteMap MapName MapType:MapSource -

RewriteOptions Options

RewriteRule - Pattern Substitution [flags]

RLimitCPU Sekunden|max [Sekunden|max]

RewriteEngine on|off

RewriteMap MapName MapType:MapSource +

RewriteOptions Options

RewriteRule + Pattern Substitution [flags]

RLimitCPU Sekunden|max [Sekunden|max]

RLimitMEM Bytes|max [Bytes|max]

RLimitNPROC Zahl|max [Zahl|max]

Satisfy Any|All

ScoreBoardFile Dateipfad

Script Methode CGI-Skript

ScriptAlias URL-path -file-path|directory-path

ScriptAlias URL-path +file-path|directory-path

ScriptAliasMatch regex -file-path|directory-path

ScriptAliasMatch regex +file-path|directory-path

ScriptInterpreterSource Registry|Registry-Strict|Script

ScriptLog file-path

ScriptLogBuffer bytes

ScriptLog file-path

ScriptLogBuffer bytes

ScriptLogLength bytes

ScriptSock file-path

ScriptLogLength bytes

ScriptSock file-path

SecureListen [IP-address:]portnumber -Certificate-Name [MUTUAL]

SeeRequestTail On|Off

SecureListen [IP-address:]portnumber +Certificate-Name [MUTUAL]

SeeRequestTail On|Off

SendBufferSize Bytes

ServerAdmin E-Mail-Adresse|URL

SendBufferSize Bytes

ServerAdmin E-Mail-Adresse|URL

ServerAlias Hostname [Hostname] ...

ServerLimit Anzahl

ServerName -voll-qualifizierter-Domainname[:port]

ServerName +voll-qualifizierter-Domainname[:port]

ServerPath URL-Pfad

ServerRoot Verzeichnis

ServerSignature On|Off|EMail

ServerRoot Verzeichnis

ServerSignature On|Off|EMail

Server

Session On|Off

SessionCookieName name attributes

SessionCookieName2 name attributes

SessionCookieRemove On|Off

SessionCryptoCipher name

SessionCryptoDriver name [param[=value]]

SessionCryptoPassphrase secret [ secret ... ]

SessionCryptoPassphraseFile filename

SessionDBDCookieName name attributes

SessionDBDCookieName2 name attributes

SessionDBDCookieRemove On|Off

SessionDBDDeleteLabel label

SessionDBDInsertLabel label

SessionDBDPerUser On|Off

SessionDBDSelectLabel label

SessionDBDUpdateLabel label

SessionEnv On|Off

Session On|Off

SessionCookieName name attributes

SessionCookieName2 name attributes

SessionCookieRemove On|Off

SessionCryptoCipher name

SessionCryptoDriver name [param[=value]]

SessionCryptoPassphrase secret [ secret ... ]

SessionCryptoPassphraseFile filename

SessionDBDCookieName name attributes

SessionDBDCookieName2 name attributes

SessionDBDCookieRemove On|Off

SessionDBDDeleteLabel label

SessionDBDInsertLabel label

SessionDBDPerUser On|Off

SessionDBDSelectLabel label

SessionDBDUpdateLabel label

SessionEnv On|Off

HTTP_SESSION

SessionExclude path

SessionHeader header

SessionInclude path

SessionMaxAge maxage

SetEnv env-variable [value]

SetEnvIf attribute +

SessionExclude pathsvdhEDefine URL prefixes for which a session is ignored +SessionHeader headersvdhEImport session updates from a given HTTP response header +SessionInclude pathsvdhEDefine URL prefixes for which a session is valid +SessionMaxAge maxage 0 svdhEDefine a maximum age in seconds for a session +SetEnv env-variable [value]svdhBSets environment variables +SetEnvIf attribute regex [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request + [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request -SetEnvIfExpr expr +SetEnvIfExpr expr [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhBSets environment variables based on an ap_expr expression -SetEnvIfNoCase attribute regex + [[!]env-variable[=value]] ...svdhBSets environment variables based on an ap_expr expression +SetEnvIfNoCase attribute regex [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request + [[!]env-variable[=value]] ...svdhBSets environment variables based on attributes of the request without respect to case -SetHandler Handlername|NonesvdhCErzwingt die Verarbeitung aller passenden Dateien durch +SetHandler Handlername|NonesvdhCErzwingt die Verarbeitung aller passenden Dateien durch einen Handler -SetInputFilter Filter[;Filter...]svdhCBestimmt die Filter, die Client-Anfragen und POST-Eingaben +SetInputFilter Filter[;Filter...]svdhCBestimmt die Filter, die Client-Anfragen und POST-Eingaben verarbeiten -SetOutputFilter Filter[;Filter...]svdhCBestimmt die Filter, die Antworten des Servers verarbeiten -SSIEndTag tag "-->" svBString that ends an include element -SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI +SetOutputFilter Filter[;Filter...]svdhCBestimmt die Filter, die Antworten des Servers verarbeiten +SSIEndTag tag "-->" svBString that ends an include element +SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI error -SSIETag on|off off dhBControls whether ETags are generated by the server. -SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the +SSIETag on|off off dhBControls whether ETags are generated by the server. +SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. -SSIStartTag tag "" svBString that ends an include element -SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI +SSIEndTag tag "-->" svBString that ends an include element +SSIErrorMsg message "[an error occurred +svdhBError message displayed when there is an SSI error -SSIETag on|off off dhBControls whether ETags are generated by the server. -SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the +SSIETag on|off off dhBControls whether ETags are generated by the server. +SSILastModified on|off off dhBControls whether Last-Modified headers are generated by the server. -SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. -SSIStartTag tag "<!--#" svBString that starts an include element -SSITimeFormat formatstring "%A, %d-%b-%Y %H:%M +svdhBConfigures the format in which date strings are +SSILegacyExprParser on|off off dhBEnable compatibility mode for conditional expressions. +SSIStartTag tag "<!--#" svBString that starts an include element +SSITimeFormat formatstring "%A, %d-%b-%Y %H:%M +svdhBConfigures the format in which date strings are displayed -SSIUndefinedEcho string "(none)" svdhBString displayed when an unset variable is echoed -SSLCACertificateFile file-pathsvEFile of concatenated PEM-encoded CA Certificates +SSIUndefinedEcho string "(none)" svdhBString displayed when an unset variable is echoed +SSLCACertificateFile file-pathsvEFile of concatenated PEM-encoded CA Certificates for Client Auth -SSLCACertificatePath directory-pathsvEDirectory of PEM-encoded CA Certificates for +SSLCACertificatePath directory-pathsvEDirectory of PEM-encoded CA Certificates for Client Auth -SSLCADNRequestFile file-pathsvEFile of concatenated PEM-encoded CA Certificates +SSLCADNRequestFile file-pathsvEFile of concatenated PEM-encoded CA Certificates for defining acceptable CA names -SSLCADNRequestPath directory-pathsvEDirectory of PEM-encoded CA Certificates for +SSLCADNRequestPath directory-pathsvEDirectory of PEM-encoded CA Certificates for defining acceptable CA names -SSLCARevocationCheck chain|leaf|none none svEEnable CRL-based revocation checking -SSLCARevocationFile file-pathsvEFile of concatenated PEM-encoded CA CRLs for +SSLCARevocationCheck chain|leaf|none none svEEnable CRL-based revocation checking +SSLCARevocationFile file-pathsvEFile of concatenated PEM-encoded CA CRLs for Client Auth -SSLCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for +SSLCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for Client Auth -SSLCertificateChainFile file-pathsvEFile of PEM-encoded Server CA Certificates -SSLCertificateFile file-pathsvEServer PEM-encoded X.509 certificate data file -SSLCertificateKeyFile file-pathsvEServer PEM-encoded private key file -SSLCipherSuite cipher-spec DEFAULT (depends on +svdhECipher Suite available for negotiation in SSL +SSLCertificateChainFile file-pathsvEFile of PEM-encoded Server CA Certificates +SSLCertificateFile file-pathsvEServer PEM-encoded X.509 certificate data file +SSLCertificateKeyFile file-pathsvEServer PEM-encoded private key file +SSLCipherSuite cipher-spec DEFAULT (depends on +svdhECipher Suite available for negotiation in SSL handshake -SSLCompression on|off off svEEnable compression on the SSL level -SSLCryptoDevice engine builtin sEEnable use of a cryptographic hardware accelerator -SSLEngine on|off|optional off svESSL Engine Operation Switch -SSLFIPS on|off off sESSL FIPS mode Switch -SSLHonorCipherOrder on|off off svEOption to prefer the server's cipher preference order -SSLInsecureRenegotiation on|off off svEOption to enable support for insecure renegotiation -SSLOCSDefaultResponder urisvESet the default responder URI for OCSP validation -SSLOCSPEnable on|off off svEEnable OCSP validation of the client certificate chain -SSLOCSPOverrideResponder on|off off svEForce use of the default responder URI for OCSP validation -SSLOCSPResponderTimeout seconds 10 svETimeout for OCSP queries -SSLOCSPResponseMaxAge seconds -1 svEMaximum allowable age for OCSP responses -SSLOCSPResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP response validation -SSLOCSPUseRequestNonce on|off on svEUse a nonce within OCSP queries -SSLOpenSSLConfCmd command-name command-valuesvEConfigure OpenSSL parameters through its SSL_CONF API -SSLOptions [+|-]option ...svdhEConfigure various SSL engine run-time options -SSLPassPhraseDialog type builtin sEType of pass phrase dialog for encrypted private +SSLCompression on|off off svEEnable compression on the SSL level +SSLCryptoDevice engine builtin sEEnable use of a cryptographic hardware accelerator +SSLEngine on|off|optional off svESSL Engine Operation Switch +SSLFIPS on|off off sESSL FIPS mode Switch +SSLHonorCipherOrder on|off off svEOption to prefer the server's cipher preference order +SSLInsecureRenegotiation on|off off svEOption to enable support for insecure renegotiation +SSLOCSDefaultResponder urisvESet the default responder URI for OCSP validation +SSLOCSPEnable on|off off svEEnable OCSP validation of the client certificate chain +SSLOCSPOverrideResponder on|off off svEForce use of the default responder URI for OCSP validation +SSLOCSPResponderTimeout seconds 10 svETimeout for OCSP queries +SSLOCSPResponseMaxAge seconds -1 svEMaximum allowable age for OCSP responses +SSLOCSPResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP response validation +SSLOCSPUseRequestNonce on|off on svEUse a nonce within OCSP queries +SSLOpenSSLConfCmd command-name command-valuesvEConfigure OpenSSL parameters through its SSL_CONF API +SSLOptions [+|-]option ...svdhEConfigure various SSL engine run-time options +SSLPassPhraseDialog type builtin sEType of pass phrase dialog for encrypted private keys -SSLProtocol [+|-]protocol ... all svEConfigure usable SSL/TLS protocol versions -SSLProxyCACertificateFile file-pathsvEFile of concatenated PEM-encoded CA Certificates +SSLProtocol [+|-]protocol ... all svEConfigure usable SSL/TLS protocol versions +SSLProxyCACertificateFile file-pathsvEFile of concatenated PEM-encoded CA Certificates for Remote Server Auth -SSLProxyCACertificatePath directory-pathsvEDirectory of PEM-encoded CA Certificates for +SSLProxyCACertificatePath directory-pathsvEDirectory of PEM-encoded CA Certificates for Remote Server Auth -SSLProxyCARevocationCheck chain|leaf|none none svEEnable CRL-based revocation checking for Remote Server Auth -SSLProxyCARevocationFile file-pathsvEFile of concatenated PEM-encoded CA CRLs for +SSLProxyCARevocationCheck chain|leaf|none none svEEnable CRL-based revocation checking for Remote Server Auth +SSLProxyCARevocationFile file-pathsvEFile of concatenated PEM-encoded CA CRLs for Remote Server Auth -SSLProxyCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for +SSLProxyCARevocationPath directory-pathsvEDirectory of PEM-encoded CA CRLs for Remote Server Auth -SSLProxyCheckPeerCN on|off on svEWhether to check the remote server certificate's CN field +SSLProxyCheckPeerCN on|off on svEWhether to check the remote server certificate's CN field -SSLProxyCheckPeerExpire on|off on svEWhether to check if remote server certificate is expired +SSLProxyCheckPeerExpire on|off on svEWhether to check if remote server certificate is expired -SSLProxyCheckPeerName on|off on svEConfigure host name checking for remote server certificates +SSLProxyCheckPeerName on|off on svEConfigure host name checking for remote server certificates -SSLProxyCipherSuite cipher-spec ALL:!ADH:RC4+RSA:+H +svdhECipher Suite available for negotiation in SSL +SSLProxyCipherSuite cipher-spec ALL:!ADH:RC4+RSA:+H +svdhECipher Suite available for negotiation in SSL proxy handshake -SSLProxyEngine on|off off svESSL Proxy Engine Operation Switch -SSLProxyMachineCertificateChainFile filenamesEFile of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate -SSLProxyMachineCertificateFile filenamesEFile of concatenated PEM-encoded client certificates and keys to be used by the proxy -SSLProxyMachineCertificatePath directorysEDirectory of PEM-encoded client certificates and keys to be used by the proxy -SSLProxyProtocol [+|-]protocol ... all svEConfigure usable SSL protocol flavors for proxy usage -SSLProxyVerify level none svEType of remote server Certificate verification -SSLProxyVerifyDepth number 1 svEMaximum depth of CA Certificates in Remote Server +SSLProxyEngine on|off off svESSL Proxy Engine Operation Switch +SSLProxyMachineCertificateChainFile filenamesEFile of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate +SSLProxyMachineCertificateFile filenamesEFile of concatenated PEM-encoded client certificates and keys to be used by the proxy +SSLProxyMachineCertificatePath directorysEDirectory of PEM-encoded client certificates and keys to be used by the proxy +SSLProxyProtocol [+|-]protocol ... all svEConfigure usable SSL protocol flavors for proxy usage +SSLProxyVerify level none svEType of remote server Certificate verification +SSLProxyVerifyDepth number 1 svEMaximum depth of CA Certificates in Remote Server Certificate verification -SSLRandomSeed context source -[bytes]sEPseudo Random Number Generator (PRNG) seeding +SSLRandomSeed context source +[bytes]sEPseudo Random Number Generator (PRNG) seeding source -SSLRenegBufferSize bytes 131072 dhESet the size for the SSL renegotiation buffer -SSLRequire expressiondhEAllow access only when an arbitrarily complex +SSLRenegBufferSize bytes 131072 dhESet the size for the SSL renegotiation buffer +SSLRequire expressiondhEAllow access only when an arbitrarily complex boolean expression is true -SSLRequireSSLdhEDeny access when SSL is not used for the +SSLRequireSSLdhEDeny access when SSL is not used for the HTTP request -SSLSessionCache type none sEType of the global/inter-process SSL Session +SSLSessionCache type none sEType of the global/inter-process SSL Session Cache -SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires +SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache -SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets -SSLSRPUnknownUserSeed secret-stringsvESRP unknown user seed -SSLSRPVerifierFile file-pathsvEPath to SRP verifier file -SSLStaplingCache typesEConfigures the OCSP stapling cache -SSLStaplingErrorCacheTimeout seconds 600 svENumber of seconds before expiring invalid responses in the OCSP stapling cache -SSLStaplingFakeTryLater on|off on svESynthesize "tryLater" responses for failed OCSP stapling queries -SSLStaplingForceURL urisvEOverride the OCSP responder URI specified in the certificate's AIA extension -SSLStaplingResponderTimeout seconds 10 svETimeout for OCSP stapling queries -SSLStaplingResponseMaxAge seconds -1 svEMaximum allowable age for OCSP stapling responses -SSLStaplingResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP stapling response validation -SSLStaplingReturnResponderErrors on|off on svEPass stapling related OCSP errors on to client -SSLStaplingStandardCacheTimeout seconds 3600 svENumber of seconds before expiring responses in the OCSP stapling cache -SSLStrictSNIVHostCheck on|off off svEWhether to allow non-SNI clients to access a name-based virtual +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSRPUnknownUserSeed secret-stringsvESRP unknown user seed +SSLSRPVerifierFile file-pathsvEPath to SRP verifier file +SSLStaplingCache typesEConfigures the OCSP stapling cache +SSLStaplingErrorCacheTimeout seconds 600 svENumber of seconds before expiring invalid responses in the OCSP stapling cache +SSLStaplingFakeTryLater on|off on svESynthesize "tryLater" responses for failed OCSP stapling queries +SSLStaplingForceURL urisvEOverride the OCSP responder URI specified in the certificate's AIA extension +SSLStaplingResponderTimeout seconds 10 svETimeout for OCSP stapling queries +SSLStaplingResponseMaxAge seconds -1 svEMaximum allowable age for OCSP stapling responses +SSLStaplingResponseTimeSkew seconds 300 svEMaximum allowable time skew for OCSP stapling response validation +SSLStaplingReturnResponderErrors on|off on svEPass stapling related OCSP errors on to client +SSLStaplingStandardCacheTimeout seconds 3600 svENumber of seconds before expiring responses in the OCSP stapling cache +SSLStrictSNIVHostCheck on|off off svEWhether to allow non-SNI clients to access a name-based virtual host. -SSLUserName varnamesdhEVariable name to determine user name -SSLUseStapling on|off off svEEnable stapling of OCSP responses in the TLS handshake -SSLVerifyClient level none svdhEType of Client Certificate verification -SSLVerifyDepth number 1 svdhEMaximum depth of CA Certificates in Client +SSLUserName varnamesdhEVariable name to determine user name +SSLUseStapling on|off off svEEnable stapling of OCSP responses in the TLS handshake +SSLVerifyClient level none svdhEType of Client Certificate verification +SSLVerifyDepth number 1 svdhEMaximum depth of CA Certificates in Client Certificate verification -StartServers numbersMNumber of child server processes created at startup -StartThreads numbersMNumber of threads created on startup -Substitute s/pattern/substitution/[infq]dhEPattern to filter the response content -Suexec On|OffsBEnable or disable the suEXEC feature -SuexecUserGroup User GroupsvEUser and group for CGI programs to run as -ThreadLimit numbersMSets the upper limit on the configurable number of threads +StartServers numbersMNumber of child server processes created at startup +StartThreads numbersMNumber of threads created on startup +Substitute s/pattern/substitution/[infq]dhEPattern to filter the response content +Suexec On|OffsBEnable or disable the suEXEC feature +SuexecUserGroup User GroupsvEUser and group for CGI programs to run as +ThreadLimit numbersMSets the upper limit on the configurable number of threads per child process -ThreadsPerChild numbersMNumber of threads created by each child process -ThreadStackSize sizesMThe size in bytes of the stack used by threads handling +ThreadsPerChild numbersMNumber of threads created by each child process +ThreadStackSize sizesMThe size in bytes of the stack used by threads handling client connections -TimeOut seconds 60 svCAmount of time the server will wait for +TimeOut seconds 60 svCAmount of time the server will wait for certain events before failing a request -TraceEnable [on|off|extended] on svCDetermines the behavior on TRACE requests -TransferLog file|pipesvBSpecify location of a log file -TypesConfig file-path conf/mime.types sBThe location of the mime.types file -UnDefine parameter-namesCUndefine the existence of a variable -UndefMacro namesvdBUndefine a macro -UnsetEnv env-variable [env-variable] -...svdhBRemoves variables from the environment -Use name [value1 ... valueN] -svdBUse a macro -UseCanonicalName On|Off|DNS Off svdCConfigures how the server determines its own name and +TraceEnable [on|off|extended] on svCDetermines the behavior on TRACE requests +TransferLog file|pipesvBSpecify location of a log file +TypesConfig file-path conf/mime.types sBThe location of the mime.types file +UnDefine parameter-namesCUndefine the existence of a variable +UndefMacro namesvdBUndefine a macro +UnsetEnv env-variable [env-variable] +...svdhBRemoves variables from the environment +Use name [value1 ... valueN] +svdBUse a macro +UseCanonicalName On|Off|DNS Off svdCConfigures how the server determines its own name and port -UseCanonicalPhysicalPort On|Off Off svdCConfigures how the server determines its own port -User unix-userid #-1 sBThe userid under which the server will answer +UseCanonicalPhysicalPort On|Off Off svdCConfigures how the server determines its own port +User unix-userid #-1 sBThe userid under which the server will answer requests -UserDir directory-filename [directory-filename] ... -svBLocation of the user-specific directories -VHostCGIMode On|Off|Secure On vXDetermines whether the virtualhost can run +UserDir directory-filename [directory-filename] ... +svBLocation of the user-specific directories +VHostCGIMode On|Off|Secure On vXDetermines whether the virtualhost can run subprocesses, and the privileges available to subprocesses. -VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to subprocesses created +VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to subprocesses created by a virtual host. -VHostGroup unix-groupidvXSets the Group ID under which a virtual host runs. -VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to a virtual host. -VHostSecure On|Off On vXDetermines whether the server runs with enhanced security +VHostGroup unix-groupidvXSets the Group ID under which a virtual host runs. +VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vXAssign arbitrary privileges to a virtual host. +VHostSecure On|Off On vXDetermines whether the server runs with enhanced security for the virtualhost. -VHostUser unix-useridvXSets the User ID under which a virtual host runs. -VirtualDocumentRoot interpolated-directory|none none svEDynamically configure the location of the document root +VHostUser unix-useridvXSets the User ID under which a virtual host runs. +VirtualDocumentRoot interpolated-directory|none none svEDynamically configure the location of the document root for a given virtual host -VirtualDocumentRootIP interpolated-directory|none none svEDynamically configure the location of the document root +VirtualDocumentRootIP interpolated-directory|none none svEDynamically configure the location of the document root for a given virtual host -<VirtualHost +<VirtualHost addr[:port] [addr[:port]] - ...> ... </VirtualHost>sCContains directives that apply only to a specific + ...> ... </VirtualHost>sCContains directives that apply only to a specific hostname or IP address -VirtualScriptAlias interpolated-directory|none none svEDynamically configure the location of the CGI directory for +VirtualScriptAlias interpolated-directory|none none svEDynamically configure the location of the CGI directory for a given virtual host -VirtualScriptAliasIP interpolated-directory|none none svEDynamically configure the location of the CGI directory for +VirtualScriptAliasIP interpolated-directory|none none svEDynamically configure the location of the CGI directory for a given virtual host -Warning messagesvdhCWarn from configuration parsing with a custom message -WatchdogInterval number-of-seconds 1 sBWatchdog interval in seconds -XBitHack on|off|full off svdhBParse SSI directives in files with the execute bit +Warning messagesvdhCWarn from configuration parsing with a custom message +WatchdogInterval number-of-seconds 1 sBWatchdog interval in seconds +XBitHack on|off|full off svdhBParse SSI directives in files with the execute bit set -xml2EncAlias charset alias [alias ...]sBRecognise Aliases for encoding values -xml2EncDefault namesvdhBSets a default encoding to assume when absolutely no information +xml2EncAlias charset alias [alias ...]sBRecognise Aliases for encoding values +xml2EncDefault namesvdhBSets a default encoding to assume when absolutely no information can be automatically detected -xml2StartParse element [element ...]svdhBAdvise the parser to skip leading junk. +xml2StartParse element [element ...]svdhBAdvise the parser to skip leading junk.

Description:	Implementation of Certificate Transparency (RFC 6962) +
Status:	Extension
Module Identifier:	ssl_ct_module
Source File:	mod_ssl_ct.c

Description:	Existing directory where data for off-line audit will be stored
Syntax:	`CTAuditStorage directory`
Default:	`none`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Location of certificate-transparency log client tool
Syntax:	`CTLogClient executable`
Default:	`none`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Log configuration database supporting dynamic updates
Syntax:	`CTLogConfigDB filename`
Default:	`none`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Maximum age of SCT obtained from a log, before it will be +refreshed
Syntax:	`CTMaxSCTAge num-seconds`
Default:	`1 day`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Level of CT awareness and enforcement for a proxy +
Syntax:	`CTProxyAwareness oblivious\|aware\|require`
Default:	`aware`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ssl_ct

Description:	Existing directory where SCTs are managed
Syntax:	`CTSCTStorage directory`
Default:	`none`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Limit on number of SCTs that can be returned in +ServerHello
Syntax:	`CTServerHelloSCTLimit limit`
Default:	`100`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Static configuration of information about a log
Syntax:	`CTStaticLogConfig log-id\|- public-key-file\|- +1\|0\|- min-timestamp\|- max-timestamp\|- +log-URL\|-`
Default:	`none`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Static configuration of one or more SCTs for a server certificate +
Syntax:	`CTStaticSCTs certificate-pem-file sct-directory`
Default:	`none`
Context:	server config
Status:	Extension
Module:	mod_ssl_ct

Description:	Autorisation par groupes sur base de fichiers DBM
Statut:	Extension
Identificateur de Module:	authz_dbm_module

Description:	Autorisation de groupes à base de fichiers textes
Statut:	Base

Description:	Autorisations de groupe basées sur l'hôte (nom ou adresse IP)
Statut:	Base

Description:	Autorisation basée sur l'utilisateur
Statut:	Base
Identificateur de Module:	authz_user_module

Description:	How the outgoing ETag header should be modified during compression
Syntax:	`DeflateAlterETag AddSuffix\|NoChange\|Remove`
Default:	`DeflateAlterETag AddSuffix`
Context:	server config, virtual host
Status:	Extension
Module:	mod_deflate

Description:	Comment l'en-tête sortant ETag doit être modifié au cours +de la compression
Syntaxe:	`DeflateAlterETag AddSuffix\|NoChange\|Remove`
Défaut:	`DeflateAlterETag AddSuffix`
Contexte:	configuration du serveur, serveur virtuel
Statut:	Extension
Module:	mod_deflate

èª¬æ:	How the outgoing ETag header should be modified during compression
æ§æ:	`DeflateAlterETag AddSuffix\|NoChange\|Remove`
ããã©ã«ã:	`DeflateAlterETag AddSuffix`
ã³ã³ããã¹ã:	ãµã¼ãè¨å®ãã¡ã¤ã«, ãã¼ãã£ã«ãã¹ã
ã¹ãã¼ã¿ã¹:	Extension
ã¢ã¸ã¥ã¼ã«:	mod_deflate

èª¬æ:	zlib ãä¸åº¦ã«å§ç¸®ããå¡ã®å¤§ãã

¼³¸í:	How the outgoing ETag header should be modified during compression
¹®¹ý:	`DeflateAlterETag AddSuffix\|NoChange\|Remove`
±âº»°ª:	`DeflateAlterETag AddSuffix`
»ç¿ëÀå¼Ò:	ÁÖ¼¹ö¼³Á¤, °¡»óÈ£½ºÆ®
»óÅÂ:	Extension
¸ðµâ:	mod_deflate

¼³¸í:	zlibÀÌ ÇÑ¹ø¿¡ ¾ÐÃàÇÒ Å©±â
Override:	Indexes
Status:	Base
Module:	mod_dir
Compatibility:	The `disabled` argument is available in version 2.4.4 and +later

Description:	Configure les en-têtes d'une réponse HTTP
Syntaxe:	`Header [condition] add\|append\|echo\|edit\|edit*\|merge\|set\|unset\|note -en-tête [[expr=]valeur] [remplacement] +`
Syntaxe:	`Header [condition] add\|append\|echo\|edit\|edit*\|merge\|set\|setifempty\|unset\|note +en-tête [[expr=]valeur]] [remplacement] [early\|env=[!]variable]\|expr=expression]`
Contexte:	configuration du serveur, serveur virtuel, répertoire, .htaccess
Statut:	Extension
Module:	mod_headers
Compatibilité:	SetIfEmpty est disponible depuis la version 2.4.7 du -serveur HTTP Apache

Description:	Configure les en-têtes d'une requête HTTP
Syntaxe:	`RequestHeader add\|append\|edit\|edit*\|merge\|set\|setifempty\|unset -en-tête [valeur] [remplacement] +en-tête [[expr=]valeur] [remplacement] [early\|env=[!]variable]\|expr=expression]`
Contexte:	configuration du serveur, serveur virtuel, répertoire, .htaccess
Statut:	Extension
Module:	mod_headers
Compatibilité:	SetIfEmpty est disponible depuis la version 2.4.7 du -serveur HTTP Apache

Description:	Conservation des connexions LDAP et services de mise en cache du résultat à destination des autres modules LDAP
Statut:	Extension
Contexte:	configuration du serveur
Statut:	Expérimental
Module:	mod_lua
Compatibilité:	Disponible depuis la version 2.5.0 du serveur HTTP +
Compatibilité:	Disponible depuis la version 2.4.5 du serveur HTTP Apache

Description:	Serveur mandataire/passerelle multi-protocole
Statut:	Extension
Identificateur de Module:	proxy_module
Contexte:	configuration du serveur, serveur virtuel
Statut:	Extension
Module:	mod_proxy
Compatibilité:	Disponible à partir de la version 2.4.4 du serveur +
Compatibilité:	Disponible à partir de la version 2.4.5 du serveur HTTP Apache.

Description:	Instructs this module to try to create an asynchronous tunnel
Syntax:	`ProxyWebsocketAsync ON\|OFF`
Context:	server config, virtual host
Status:	Extension
Module:	mod_proxy_wstunnel

Description:	Sets the amount of time the tunnel waits synchronously for data
Syntax:	`ProxyWebsocketAsyncDelay num[ms]`
Default:	`ProxyWebsocketAsyncDelay 0`
Context:	server config, virtual host
Status:	Extension
Module:	mod_proxy_wstunnel

Description:	Sets the maximum amount of time to wait for data on the websockets tunnel
Syntax:	`ProxyWebsocketIdleTimeout num[ms]`
Default:	`ProxyWebsocketIdleTimeout 0`
Context:	server config, virtual host
Status:	Extension
Module:	mod_proxy_wstunnel

Description:	Ce module fournit un moteur de réécriture à base de règles permettant de réécrire les URLs des requêtes à la volée
chain\|C	backrefnoplus\|BNP	Avec ce drapeau, si les références arrières sont échappées, + les espaces seront échappés en %20 au lieu de +. Ceci s'avère + utile lorsqu'une référence arrière est utilisée dans la partie + chemin, et non dans la chaîne de paramètres de la requête ; + pour plus de détails, voir ici.
chain\|C	La règle est chaînée avec la règle suivante. Si la règle échoue, la ou les règles avec lesquelles elle est est chaînée seront sautées. détails ...
Context:	server config, virtual host
Status:	Extension
Module:	mod_ssl
Compatibility:	Available if using OpenSSL 0.9.7 or later

Description:	Use a nonce within OCSP queries
Syntax:	`SSLOCSPUseRequestNonce on\|off`
Default:	`SSLOCSPUseRequestNonce on`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ssl
Compatibility:	Available in httpd 2.5-dev and later

Avertissement :

Siehe auch

Siehe auch

Consulte también

åç §

åç §

Directives

Example

Directives

Exemple

ãã£ã¬ã¯ãã£ã

Áö½Ã¾îµé

Directives

See also

Avertissement à propos de la sécurité

Apache Module mod_ssl_ct

Summary

Directives

Example

See also

ctlogconfig - Certificate Transparency log configuration tool

See also

åç§

åç§

ãã£ã¬ã¯ãã£ã