From: Joe Orton Date: Fri, 5 Jul 2019 12:21:52 +0000 (+0000) Subject: Transforms. X-Git-Tag: 2.5.0-alpha2-ci-test-only~1988 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29a3e3e50af3f0ba3c486b5e28bd3801be166c33;p=thirdparty%2Fapache%2Fhttpd.git Transforms. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862610 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/developer/output-filters.html.en b/docs/manual/developer/output-filters.html.en index e1c6e199531..cf3b14a7c7c 100644 --- a/docs/manual/developer/output-filters.html.en +++ b/docs/manual/developer/output-filters.html.en @@ -552,7 +552,7 @@ chunk_size = (speed / (1000 / RATE_INTERVAL_MS));

The commit linked in the beginning of the section contains also a bit of code refactoring so it is not trivial to read during the first pass, but the overall idea is basically what written up to now. The goal of this section is not to - cause an headache to the reader trying to read C code, but to put him/her into + cause a headache to the reader trying to read C code, but to put him/her into the right mindset needed to use efficiently the tools offered by the httpd's filter chain toolset.

diff --git a/docs/manual/howto/encrypt.html.en b/docs/manual/howto/encrypt.html.en index ec8857ea844..bb64a4ccf6a 100644 --- a/docs/manual/howto/encrypt.html.en +++ b/docs/manual/howto/encrypt.html.en @@ -159,7 +159,7 @@

There are also companies that offer certificates for web servers free of charge. The pioneer in this is Let's Encrypt which is a service of the - Internet Security Research Group (ISRG), a not-for-profit organization to + Internet Security Research Group (ISRG), a not-for-profit organization to "reduce financial, technological, and education barriers to secure communication over the Internet."

diff --git a/docs/manual/mod/directives.html.en b/docs/manual/mod/directives.html.en index ae13c2294ff..4543021aa81 100644 --- a/docs/manual/mod/directives.html.en +++ b/docs/manual/mod/directives.html.en @@ -455,20 +455,28 @@
  • MDCAChallenges
  • MDCertificateAgreement
  • MDCertificateAuthority
  • +
  • MDCertificateFile
  • +
  • MDCertificateKeyFile
  • MDCertificateProtocol
  • +
  • MDCertificateStatus
  • +
  • MDChallengeDns01
  • MDDriveMode
  • MDHttpProxy
  • MDMember
  • MDMembers
  • +
  • MDMessageCmd
  • MDMustStaple
  • MDNotifyCmd
  • MDomain
  • <MDomainSet>
  • MDPortMap
  • MDPrivateKeys
  • +
  • MDRenewMode
  • MDRenewWindow
  • MDRequireHttps
  • +
  • MDServerStatus
  • MDStoreDir
  • +
  • MDWarnWindow
  • MemcacheConnTTL
  • MergeSlashes
  • MergeTrailers
  • @@ -579,6 +587,7 @@
  • Redirect
  • RedirectMatch
  • RedirectPermanent
  • +
  • RedirectRelative
  • RedirectTemp
  • RedisConnPoolTTL
  • RedisTimeout
  • diff --git a/docs/manual/mod/mod_alias.html.en b/docs/manual/mod/mod_alias.html.en index 637c74935ef..4a2b5f99e31 100644 --- a/docs/manual/mod/mod_alias.html.en +++ b/docs/manual/mod/mod_alias.html.en @@ -79,6 +79,7 @@
  • Redirect
  • RedirectMatch
  • RedirectPermanent
  • +
  • RedirectRelative
  • RedirectTemp
  • ScriptAlias
  • ScriptAliasMatch
  • @@ -462,6 +463,25 @@ a different URL permanent (status 301). Exactly equivalent to Redirect permanent.

    + +
    top
    +

    RedirectRelative Directive

    + + + + + + + + +
    Description:Allows relative redirect targets.
    Syntax:RedirectRelative OFF|ON
    Default:RedirectRelative OFF
    Context:server config, virtual host, directory
    Status:Base
    Module:mod_alias
    Compatibility:2.5.1 and later
    +

    By default, if the target URL of a Redirect + directive is a relative URL beginning with a '/' character, the server + converts it to a an absolute URL before responding to the client. By + setting RedirectRelative to the value "ON", + the relative URL is presented to the client directly.

    + +
    top

    RedirectTemp Directive
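Review bot: the RedirectRelative paragraph has a doubled article, "converts it to a an absolute URL"; drop the extra "a". The syntax line "RedirectRelative OFF|ON" should use the lowercase "on|off" form that the other boolean directives in this same patch use (MDCertificateStatus on|off, MDServerStatus on|off). The text only mentions "the target URL of a Redirect directive"; state whether RedirectMatch, RedirectPermanent and RedirectTemp are affected as well, and consider citing RFC 7231 section 7.1.2, which is what permits a relative reference in the Location header, so readers know why the absolute-URL rewrite is no longer required.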

    diff --git a/docs/manual/mod/mod_autoindex.html.en b/docs/manual/mod/mod_autoindex.html.en index 1c2b1bf91cc..430b34deb28 100644 --- a/docs/manual/mod/mod_autoindex.html.en +++ b/docs/manual/mod/mod_autoindex.html.en @@ -614,8 +614,7 @@ indexing the various AddAlt* directives. -
    Charset=character-set (Apache HTTP Server 2.0.61 and - later)
    +
    Charset=character-set
    The Charset keyword allows you to specify the character set of the generated page. The @@ -845,8 +844,7 @@ indexing Last-Modified header on all Unix platforms. If this is a concern, leave this option disabled.
    -
    Type=MIME content-type (Apache HTTP Server 2.0.61 and - later)
    +
    Type=MIME content-type
    The Type keyword allows you to specify the MIME content-type of the generated page. The default @@ -864,8 +862,7 @@ indexing "%d-%b-%Y %H:%M" in 2.4.0. Setting this option restores the date format from 2.2 and earlier.
    -
    VersionSort - (Apache HTTP Server 2.0a3 and later)
    +
    VersionSort
    The VersionSort keyword causes files containing version numbers to sort in a natural way. Strings are sorted as @@ -892,8 +889,7 @@ indexing

    -
    XHTML - (Apache HTTP Server 2.0.49 and later)
    +
    XHTML
    The XHTML keyword forces mod_autoindex to emit XHTML 1.0 code instead of HTML 3.2. diff --git a/docs/manual/mod/mod_http2.html.en b/docs/manual/mod/mod_http2.html.en index 0a3998ad654..3ffbce7ec80 100644 --- a/docs/manual/mod/mod_http2.html.en +++ b/docs/manual/mod/mod_http2.html.en @@ -770,7 +770,7 @@ H2PushPriority text/css interleaved # weight 256 default
    top

    H2TLSCoolDownSecs Directive

    - + @@ -809,7 +809,7 @@ H2PushPriority text/css interleaved # weight 256 default
    top
    Description:
    Description:Configure the number of seconds of idle time on TLS before shrinking writes
    Syntax:H2TLSCoolDownSecs seconds
    Default:H2TLSCoolDownSecs 1
    Context:server config, virtual host
    - + diff --git a/docs/manual/mod/mod_md.html.en b/docs/manual/mod/mod_md.html.en index 5a515288b49..66a591990c3 100644 --- a/docs/manual/mod/mod_md.html.en +++ b/docs/manual/mod/mod_md.html.en @@ -39,12 +39,19 @@

    This module manages common properties of domains for one or more virtual hosts. - Specifically it can use the ACME protocol - (RFC Draft) - to automate certificate provisioning. These will be configured for managed domains and - their virtual hosts automatically. This includes renewal of certificates before they - expire. The most famous Certificate Authority currently implementing the ACME protocol - is Let's Encrypt.

    + Its main feature is the use of the ACME protocol + (RFC 8555) + to automate certificate provisioning. Certificates will be renewed + by the module ahead of their expiration to account for disruption in internet + services. There are ways to monitor the status of all Managed Domains + and configurations that will run your own notification commands on renewal, + expiration and errors. +

    +

    + The default ACME Certificate Authority is + Let's Encrypt, but it is possible + to configure another CA that supports the protocol. +

    Warning
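Review bot: the new summary sentence "There are ways to monitor the status of all Managed Domains and configurations that will run your own notification commands on renewal, expiration and errors" names none of the directives; link MDServerStatus, MDCertificateStatus and MDMessageCmd, all added later in this patch, so the reader can find them. "to account for disruption in internet services" also reads oddly; something like "renewed well ahead of expiration so that a temporary outage of the CA or the network does not leave you with an expired certificate" says what is meant.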

    This module is experimental. Its behaviors, directives, and @@ -84,17 +91,17 @@

    This module requires mod_watchdog to be loaded as well.

    - Certificate signup and renewal with Let's Encrypt requires your server to be + Certificate sign-up and renewal with Let's Encrypt requires your server to be reachable on port 80 (http:) from the outside. The alternative method over port 443 (https:) is currently disabled for security reasons (status from 2018-01-14).

    The module will select from the methods offered by Let's Encrypt. If LE decides - at one point in the future, to re-enable it again, mod_md will + at one point in the future, to re-enable it again, mod_md will use it when suitable.

    But for now, only the port 80 variant is available (termed "http-01"). Only - when LE can reach your server on port 80 will mod_md work for + when LE can reach your server on port 80 will mod_md work for you. For now, at least.
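Review bot: this paragraph is now stale and contradicts the rest of the patch. It still says the port 443 method "is currently disabled for security reasons (status from 2018-01-14)" and that "only the port 80 variant is available (termed "http-01")", while the MDCAChallenges hunk below changes the default to "tls-alpn-01 http-01 dns-01", says Let's Encrypt "defines three challenge types", and says mod_md will "try the one on port 443 when available". Rewrite it to describe tls-alpn-01 on port 443, http-01 on port 80 and dns-01 via MDChallengeDns01, and drop the 2018 status note; the "sign-up" hyphenation fix alone leaves misleading text in place.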

    If you do not want to offer any sites on port 80 any more, you may leave it open @@ -104,6 +111,114 @@ from Let's Encrypt.

    + +

    Wildcard Certificates

    +

    + Wildcard certificates are possible with version 2.x of `mod_md``. But they are + not straight-forward. Let's Encrypt requires the `dns-01` challenge verification + for those. No other is considered good enough. +

    + The difficulty here is that Apache cannot do that on its own. (which is also + a security benefit, since corrupting a web server or the communication path to + it is the scenario `dns-01` protects against). As the name implies, `dns-01` + requires you to show some specific DNS records for your domain that contain + some challenge data. So you need to _write_ your domain's DNS records. +

    + If you know how to do that, you can integrated this with `mod_md`. Let's + say you have a script for that in `/usr/bin/acme-setup-dns` you configure + Apache with: +

    +
    MDChallengeDns01 /usr/bin/acme-setup-dns
    + +

    + and Apache will call this script when it needs to setup/teardown a DNS challenge + record for a domain. +

    + Assuming you want a certificate for `*.mydomain.com`, mod_md will call: +

    +
    /usr/bin/acme-setup-dns setup mydomain.com challenge-data
    +# this needs to remove all existing DNS TXT records for 
    +# _acme-challenge.mydomain.com and create a new one with 
    +# content "challenge-data"
    + +

    + and afterwards it will call +

    +
    /usr/bin/acme-setup-dns teardown mydomain.com
    +# this needs to remove all existing DNS TXT records for 
    +# _acme-challenge.mydomain.com
    + +
    + +

    Monitoring

    +

    + Apache has a standard module for monitoring: mod_status. + mod_md contributes a section and makes monitoring your + domains easy. +

    + You see all your MDs listed alphabetically, the domain names they contain, + an overall status, expiration times and specific settings. The settings + show your selection of renewal times (or the default), the CA that is used, + etc. +

    + The 'Renewal' column will show activity and error descriptions for certificate + renewals. This should make life easier for people to find out if everything + is all right or what went wrong. +

    + If there is an error with an MD it will be shown here as well. This let's + you assess problems without digging through your server logs. +

    + There is also a new 'md-status' handler available to give you the MD information + from 'server-status' in JSON format. You configure it as +

    +
    <Location "/md-status">
    +  SetHandler md-status
    +</Location>
    + +

    + on your server. As with 'server-status' you will want to add + authorization for this. +

    + If you just want to check the JSON status of a specific domain, simply append + that to your status url: +

    +
    > curl https://<yourhost>/md-status/another-domain.org
    +{
    +  "name": "another-domain.org",
    +  "domains": [
    +    "another-domain.org",
    +    "www.another-domain.org"
    +  ],
    +  ...
    + +

    + This JSON status also shows a log of activities when domains are renewed: +

    +
    {
    +"when": "Wed, 19 Jun 2019 14:45:58 GMT",
    +"type": "progress", "detail": "The certificate for the managed domain has been renewed successfully and can be used. A graceful server restart now is recommended."
    +},{
    +"when": "Wed, 19 Jun 2019 14:45:58 GMT",
    +"type": "progress", "detail": "Retrieving certificate chain for test-901-003-1560955549.org"
    +},{
    +"when": "Wed, 19 Jun 2019 14:45:58 GMT",
    +"type": "progress", "detail": "Waiting for finalized order to become valid"
    +},{
    +"when": "Wed, 19 Jun 2019 14:45:50 GMT",
    +"type": "progress", "detail": "Submitting CSR to CA for test-901-003-1560955549.org"
    +},
    +...
    + +

    + You will also find this information in the file `job.json` in your staging and, + when activated, domains directory. This allows you to inspect these at + any later point in time as well. +

    + In addition, there is MDCertificateStatus which + gives access to relevant certificate information in JSON format. +

    +
    +
    Description:
    Description:Configure the number of bytes on TLS connection before doing max writes
    Syntax:H2TLSWarmUpSize amount
    Default:H2TLSWarmUpSize 1048576
    Context:server config, virtual host

    Controls if the base server, the one outside all VirtualHosts should be managed by - mod_md or not. Default is to not do this, for the very reason that + mod_md or not. By default, it will not. For the very reason that it may have confusing side-effects. It is recommended that you have virtual hosts for all managed domains and do not rely on the global, fallback server configuration.
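Review bot: the Wildcard Certificates text has a stray backtick, "version 2.x of `mod_md``", and uses Markdown backticks and underscores (`dns-01`, `mod_md`, _write_, `job.json`) in an HTML page that otherwise uses <code>; convert them to the page's markup. Typos in the same hunk: "you can integrated this" (integrate), "This let's you assess" (lets), "setup/teardown a DNS challenge record" (set up/tear down). For the dns-01 hook, say which user the command runs as and make explicit that "teardown" receives no challenge data, since the script needs credentials to write the zone and operators will want to scope them. In the MDBaseServer change, "By default, it will not. For the very reason that it may have confusing side-effects." turns one sentence into a fragment; "By default it will not, because it may have confusing side-effects." keeps the meaning.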

    @@ -153,7 +276,7 @@ - + @@ -161,8 +284,8 @@

    Sets challenge types and their execution order when proving domain ownership. The names are protocol specific. - The current ACME protocol version implemented by Let's Encrypt defines two challenge - types that are supported by mod_md. By default, it will try + The current ACME protocol version implemented by Let's Encrypt defines three challenge + types that are supported by mod_md. By default, it will try the one on port 443 when available.

    @@ -170,21 +293,17 @@
    top
    Description:Type of ACME challenge used to prove domain ownership.
    Syntax:MDCAChallenges name [ name ... ]
    Default:MDCAChallenges tls-sni-01 http-01
    Default:MDCAChallenges tls-alpn-01 http-01 dns-01
    Context:server config
    Status:Experimental
    Module:mod_md
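Review bot: the new default "MDCAChallenges tls-alpn-01 http-01 dns-01" lists dns-01, but the MDChallengeDns01 text in this patch says that directive must be configured before dns-01 can be used; say here that dns-01 is only attempted when MDChallengeDns01 is set, otherwise the default reads as if wildcards work without further configuration. "defines three challenge types that are supported" should name them (tls-alpn-01, http-01, dns-01), and "try the one on port 443" should say tls-alpn-01 now that tls-sni-01 has been removed from the default.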
    - - + +
    Description:The URL of the Terms-of-Service document, that the CA server requires you to accept.
    Syntax:MDCertificateAgreement url-of-terms-of-service
    Description:You confirm that you accepted the Terms of Service of the Certificate + Authority.
    Syntax:MDCertificateAgreement accepted
    Context:server config
    Status:Experimental
    Module:mod_md
    -

    When you use mod_md to obtain a certificate, you become a customer of the CA (e.g. Let's Encrypt). That means you need to read and agree to their Terms of Service, +

    When you use mod_md to obtain a certificate, you become a customer of the CA (e.g. Let's Encrypt). That means you need to read and agree to their Terms of Service, so that you understand what they offer and what they might exclude or require from you. - mod_md cannot, by itself, agree to such a thing. + mod_md cannot, by itself, agree to such a thing.

    -

    In case of Let's Encrypt, their current Terms of Service are here. - Those terms might (and probably will) change over time. So, the certificate renewal might require you to update this agreement URL.

    -

    Example

    MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
    -MDomain example.org www.example.org mail.example.org
    -
    top
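Review bot: the example block under MDCertificateAgreement still shows the URL form, "MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", while the syntax line is now "MDCertificateAgreement accepted"; if that line survives the patch, change it to "accepted" or drop the whole example together with the MDomain line removed below it. The new prose also deletes the sentence about terms changing over time without saying what happens to existing configurations that still carry a URL value; document whether a URL is still accepted, ignored or rejected at startup.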
    @@ -192,7 +311,7 @@ MDomain example.org www.example.org mail.example.org - + @@ -200,15 +319,82 @@ MDomain example.org www.example.org mail.example.org

    The URL where the CA offers its service.

    - Let's Encrypt offers, right now, two such URLs. One for the real certificates and - one for testing (their staging area, at https://acme-staging.api.letsencrypt.org/directory). - In order to have mod_md use this testing service, configure your - server like this: + Let's Encrypt offers, right now, four such URLs. Two for + the own legacy version of the ACME protocol, commonly named ACMEv1. + And two for the RFC 8555 version, named ACMEv2. +

    + Each version has 2 endpoints, as their is a production endpoint and a + "staging" endpoint for testing. The testing endpoint works the same, but will + not give you certificates recognized by browsers. However, it also has + very relaxed rate limits. This allows testing of the service repeatedly + without you blocking yourself.

    -

    LE Staging Setup

    MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
    -MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
    +

    LE Staging Setup

    MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
    +
    +
    top
    +
    Description:The URL of the ACME Certificate Authority service.
    Syntax:MDCertificateAuthority url
    Default:MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory
    Default:MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
    Context:server config
    Status:Experimental
    Module:mod_md
    + + + + + +
    Description:Specify a static certificate file for the MD.
    Syntax:MDCertificateFile path-to-pem-file
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + This is used inside a MDomainSet and specifies + the file holding the certificate chain for the Managed Domain. The matching + key is specified via MDCertificateKeyFile. +

    +

    Example

    <MDomain mydomain.com>
    +  MDCertificateFile /etc/ssl/my.cert
    +  MDCertificateKeyFile /etc/ssl/my.key
    +</MDomain>
    +
    + +

    + This is that equivalent of the mod_ssl + SSLCertificateFile directive. It + has several uses. +

    + If you want to migrate an existing domain, using static files, to + automated Let's Encrypt certificates, for one. You define the + MDomainSet, add the files here and remove + the SSLCertificateFile from + your VirtualHosts. +

    + This will give you the same as before, with maybe less repeating lines + in your configuration. Then you can add MDRenewMode + 'always' to it and the module will get a new certificate before + the one from the file expires. When it has done so, you remove the + MDCertificateFile and reload the server. +

    + Another use case is that you renew your Let's Encrypt certificates with + another ACME clients, for example the excellent + certbot. Then let your MDs point + to the files from certbot and have both working together. +

    + + +
    top
    +

    MDCertificateKeyFile Directive

    + + + + + + +
    Description:Specify a static private key for for the static cerrtificate.
    Syntax:MDCertificateKeyFile path-to-file
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + This is used inside a MDomainSet and specifies + the file holding the private key for the Managed Domain. The matching + certificate is specified via MDCertificateFile. +

    + This is that equivalent of the mod_ssl + SSLCertificateKeyFile directive. +

    +
    top

    MDCertificateProtocol Directive
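Review bot: in the MDCertificateAuthority text, "Two for the own legacy version" should be "its own legacy version" and "as their is a production endpoint" should be "there". In MDCertificateFile and MDCertificateKeyFile, "This is that equivalent of" should be "the equivalent of" (twice), "with another ACME clients" should be "another ACME client", and the MDCertificateKeyFile description "a static private key for for the static cerrtificate" has a doubled "for" and a misspelled "certificate". Since MDCertificateKeyFile is documented as the equivalent of SSLCertificateKeyFile, add the same caveat: the key file must be readable by the user httpd starts as and should not be readable by anyone else.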

    @@ -220,33 +406,72 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15- Status:Experimental Module:mod_md -

    Specifies the protocol to use. Currently, only ACME is supported.

    +

    + Specifies the protocol to use. Currently, only ACME is supported. +

    + +
    +
    top
    +

    MDCertificateStatus Directive

    + + + + + + + +
    Description:Exposes public certificate information in JSON.
    Syntax:MDCertificateStatus on|off
    Default:MDCertificateStatus on
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + When enabled, a resources is available in Managed Domains at + 'https://domain/.httpd/certificate-status' that returns a JSON + document list key properties of the current and of a renewed + certificate - when available. +

    +

    Example

    {
    +  "valid-until": "Thu, 29 Aug 2019 16:06:35 GMT",
    +  "valid-from": "Fri, 31 May 2019 16:06:35 GMT",
    +  "serial": "03039C464D454EDE79FCD2CAE859F668F269",
    +  "sha256-fingerprint": "1ff3bfd2c7c199489ed04df6e29a9b4ea6c015fe8a1b0ce3deb88afc751e352d"
    +  "renewal" : { ...renewed cert information... }
    +}
    +
    + +
    +
    top
    +

    MDChallengeDns01 Directive

    + + + + + + +
    Description:
    Syntax:MDChallengeDns01 path-to-command
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + Define a program to be called when the `dns-01` challenge needs to be setup/torn down. + The program is given the argument `setup` or `teardown` followed by the domain name. + For `setup` the challenge content is additionally given. +

    + You do not need to specify this, as long as a 'http:' or 'https:' challenge + method is possible. However, Let's Encrypt makes 'dns-01' the only + challenge available for wildcard certificates. If you require + one of those, you need to configure this. +

    + See the section about wildcard certificates above for more details. +

    top

    MDDriveMode Directive

    - +
    Description:Control when it is allowed to obtain/renew certificates.
    Description:former name of MDRenewMode.
    Syntax:MDDriveMode always|auto|manual
    Default:MDDriveMode auto
    Context:server config
    Status:Experimental
    Module:mod_md
    -

    In 'auto' mode, mod_md will drive a Managed Domain's - properties (e.g. certificate management) whenever necessary. When a MD is not used - in any virtual host, the module will do nothing. When a certificate is missing, it - will try to get one. When a certificate expires soon (see - MDRenewWindow), it will - renew it. -

    - In 'manual' mode, it is your duty to do all this. The module will provide the existing - certificate to mod_ssl, if available. But it will not contact the CA for signup/renewal. - This can be useful in clustered setups where you want just one node to perform - the driving. -

    - The third mode 'always' is like 'auto', with the difference that - mod_md will not check if the MD is actually used. +

    This directive exists for backward compatibility as the old name for + MDRenewMode.
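Review bot: the MDChallengeDns01 table has an empty Description cell; fill it, e.g. "Define a program to be called for dns-01 challenge setup and teardown". In MDCertificateStatus, "a resources is available" should be "a resource", "a JSON document list key properties" should be "listing", and the JSON example is not valid JSON: the "sha256-fingerprint" line lacks the comma before "renewal". Also state that "https://domain/.httpd/certificate-status" is served without authentication (the default is on) and that the module claims the "/.httpd/" path, so administrators know to keep it out of their own URL space or turn the directive off.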

    @@ -275,13 +500,13 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-

    Instead of listing all dns names on the same line, you may use - MDMember to add such names + MDMember to add such names to a managed domain.

    -

    Example

    <MDomainSet example.org>
    +            

    Example

    <MDomain example.org>
         MDMember www.example.org
         MDMember mail.example.org
    -</MDomainSet example.org>
    +</MDomain>

    If you use it in the global context, outside a specific MD, you can only @@ -306,6 +531,46 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15- are automatically added to the members of a Managed Domain or not.

    + +
    top
    +

    MDMessageCmd Directive

    + + + + + + +
    Description:Handle events for Manage Domains
    Syntax:MDMessageCmd path-to-cmd optional-args
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + This command gets called when one of the following events happen for + a Managed Domain: "renewed", "expiring", "errored". The command may + be invoked for more than these in the future and ignore events + it is not prepared to handle. +

    + This is the more flexible companion to MDNotifyCmd. +

    +

    Example

    +MDMessageCmd /etc/apache/md-message + +# will be invoked when a new certificate for mydomain.org is available as: +/etc/apache/md-message renewed mydomain.com +

    +                
    +
    +

    + The program should not block, as the module will wait for it to finish. A + return code other than 0 is regarded as an error. +

    + 'errored' is no immediate cause for concern since renewal is attempted + early enough to allow the internet to come back. +

    + 'expiring' should be taken serious. It is issued when the + MDWarnWindow is reached. By default this is + 10% of the certificate lifetime, so for Let's Encrypt this currently + means 9 days before it expires. The warning is repeated at most once + a day. +

    +
    top

    MDMustStaple Directive
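Review bot: the MDMessageCmd example announces a certificate "for mydomain.org" but invokes the command with "renewed mydomain.com"; use one domain. "The program should not block, as the module will wait for it to finish" contradicts itself as written; say that the module runs the command synchronously and waits for it, so it must return promptly. "Handle events for Manage Domains" should be "Managed Domains", and "'expiring' should be taken serious" should be "seriously". The claim that "errored" is no immediate cause for concern deserves a qualifier: repeated "errored" events as the MDWarnWindow approaches mean renewal is failing and do need attention, since "expiring" is only issued once that window is reached.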

    @@ -328,16 +593,17 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-
    top

    MDNotifyCmd Directive

    - +
    Description:Run a program when Managed Domain are ready.
    Description:Run a program when a Managed Domain is ready.
    Syntax:MDNotifyCmd path [ args ]
    Context:server config
    Status:Experimental
    Module:mod_md
    -

    The configured executable is run when Managed Domains have signed up or - renewed their certificates. It is given the names of the processed MDs as - additional arguments (after the parameters specified here). It should - return status code 0 to indicate that it has run successfully. +

    + The configured executable is run when a Managed Domain has signed up or + renewed its certificate. It is given the name of the processed MD as + additional arguments (after the parameters specified here). It should + return status code 0 to indicate that it has run successfully.
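Review bot: "It is given the name of the processed MD as additional arguments" mixes singular and plural now that the text covers one MD; make it "as an additional argument". Since MDMessageCmd above is introduced as "the more flexible companion", say here whether MDNotifyCmd corresponds to its "renewed" event so readers can choose one of the two.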

    @@ -352,7 +618,7 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-

    All the names in the list are managed as one Managed Domain (MD). - mod_md will request one single certificate that is valid for all these names. This + mod_md will request one single certificate that is valid for all these names. This directive uses the global settings (see other MD directives below). If you need specific settings for one MD, use the <MDomainSet>. @@ -366,12 +632,11 @@ MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15- changes in its service or status of your certificates.

    The second setting, MDCertificateAgreement, - is the URL of the Terms of Service of the CA. When you configure the URL, - you confirm that you have read and agree to the terms described in the linked - document. Before you do that, the CA will not hand out certificates to you. + should have the value "accepted". By specifying this, you confirm that your + accept the Terms of Service of the CA.

    Example

    ServerAdmin mailto:admin@example.org
    -MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
    +MDCertificateAgreement accepted
     MDomain example.org www.example.org
     
     <VirtualHost *:443>
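Review bot: "you confirm that your accept the Terms of Service" should be "you accept". This sentence is the only place in the overview that says what "accepted" means; cross-link the MDCertificateAgreement directive, whose own text says you must read the CA's terms before setting it.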
    @@ -392,7 +657,7 @@ MDomain example.org www.example.org
                     There are two special names that you may use in this directive: 'manual'
                     and 'auto'. This determines if a Managed Domain shall have exactly the 
                     name list as is configured ('manual') or offer more convenience. With 'auto'
    -                all names of a virtual host are added to a MD. Conventiently, 'auto' is also
    +                all names of a virtual host are added to a MD. Conveniently, 'auto' is also
                     the default.
                 

    Example

    MDomain example.org
    @@ -434,20 +699,26 @@ MDomain example2.org auto
     Module:mod_md
     
                 

    - This directive allows you to define a Managed Domain (MD) with specific - settings, different from the global MD* ones. For example, you can have - such an MD use another CA then Let's Encrypt, have its unique renewal duration - etc. + This is the directive MDomain + with the added possibility to add setting just for this MD. In fact, + you may also use "<MDomain ..>" as a shortcut.

    -

    Example

    <MDomainSet sandbox.example.org>
    +            

    + This allows you to configure an MD that uses another Certificate Authority, + have other renewal requirements, etc. +

    +

    Example

    <MDomain sandbox.example.org>
         MDCertificateAuthority   https://someotherca.com/ACME
    -    MDCertificateAgreement   https://someotherca.com/terms/v_1.02.pdf
    -</MDomainSet>
    +</MDomain>
    +
    +

    + A common use case is to configure https: requirements separately for + your domains. +

    +

    Example

    <MDomain example.org>
    +    MDRequireHttps temporary
    +</MDomain>
    -

    This is a specialized version of MDomain, - it should be used only when a fine grained configuration is required. - MDomain is the suggested choice - for the general use case.

    top
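Review bot: "with the added possibility to add setting just for this MD" should be "settings", and "In fact, you may also use "<MDomain ..>" as a shortcut" should come first, because every example in this section (and in MDMember and MDRequireHttps) now uses <MDomain> while the heading is still <MDomainSet>; readers will look for the form the examples use. The removed paragraph saying MDomain is the suggested choice for the general case should survive in some form, since the new text no longer says when to prefer the plain MDomain line.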
    @@ -455,33 +726,41 @@ MDomain example2.org auto - +
    Description:Map external to internal ports for domain ownership verification.
    Syntax:MDPortMap map1 [ map2 ]
    Default:MDPortMap 80:80 443:443
    Default:MDPortMap http:80 https:443
    Context:server config
    Status:Experimental
    Module:mod_md

    - The ACME protocol provides two methods to verify domain ownership: one that uses - port 80 and one for port 443. If your server is not reachable by at least one - of the two, ACME will not work for you. + The ACME protocol provides two methods to verify domain ownership via + HTTP: one that uses 'http:' urls (port 80) and one for 'https:' urls + (port 443). If your server is not reachable by at least one + of the two, ACME may only work by configuring your DNS server, + see MDChallengeDns01.

    - mod_md will look at your server configuration and try to figure - out which of those are available. Then it can select the proper ACME challenge - to create a certificate for your site. + On most public facing servers, 'http:' arrives on port 80 and + 'https:' on port 443. The module checks the ports your Apache server + is listening on and assumes those are available. This means that + when your server does not listen on port 80, it assumes that + 'http:' requests from the internet will not work.

    - However if you have some fancy port forwarding in place, your server may be - reachable from the Internet on port 443, but the local port that httpd uses is - another one. Your server might only listen on ports 5001 and 5002, but be reached - on ports 443 and 80. How should mod_md figure that one out? -

    - With MDPortMap you can tell it which 'Internet port' - corresponds to which local port. + This is a good guess, but it may be wrong. For example, your Apache + might listen to port 80, but your firewall might block it. 'http:' + is only available in your intranet. So, the module will falsely assume + that Let's Encrypt can use 'http:' challenges with your server. This + will then fail, because your firewall will drop those.

    -

    Example

    MDPortMap 80:- 443:5002
    +

    Example

    MDPortMap http:- https:8433

    - This example says that the server is not reachable on port 80 from the outside, but - local port 5002 is the one responding to https: requests. + The above example shows how you can specify that 'http:' requests from + the internet will never arrive. In addition it says that 'https:' requests + will arrive on local port 8433. +

    + This is necessary if you have port forwarding in place, your server may be + reachable from the Internet on port 443, but the local port that httpd uses is + another one. Your server might only listen on ports 8443 and 8000, but be reached + on ports 443 and 80 (from the internet).
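Review bot: the MDPortMap example "MDPortMap http:- https:8433" does not match its explanation, which says the server listens on ports 8443 and 8000; one of the two is a typo (8433 vs 8443). Since the default changes from "80:80 443:443" to "http:80 https:443", state whether the numeric form is still accepted so existing configurations do not break on upgrade. "This is necessary if you have port forwarding in place, your server may be reachable" is a comma splice; "This is necessary if you have port forwarding in place: your server may be reachable ..." reads correctly.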

    @@ -515,6 +794,38 @@ MDomain example2.org auto generated for certificates. ACME account keys are unaffected by this.

    +
    +
    top
    +

    MDRenewMode Directive

    + + + + + + + +
    Description:Controls if certificates shall be renewed.
    Syntax:MDRenewMode always|auto|manual
    Default:MDRenewMode auto
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + In the default 'auto' mode, the module will do what makes most sense + of each Managed Domain. For a domain without any certificates, it will + obtain them from the Certificate Authority. +

    +

    + However, if you have defined an MD that is not used by any of Apache's + VirtualHosts, it will not bother. And for MDs with static certificate + files (see MDCertificateFile), + it assumes that you have your own source, and will not renew them either. +

    +

    + You can override this default in either way. If you specify 'always', + the module will renew certificates for an MD, irregardless if the + domains are in use or if there are static files. +

    +

    + For the opposite effect, configure 'manual' and no renewal will + be attempted. +

    +
    top

    MDRenewWindow Directive

    @@ -527,10 +838,10 @@ MDomain example2.org auto Module:mod_md

    - If the validity of the certificate falls below duration, mod_md + If the validity of the certificate falls below duration, mod_md will get a new signed certificate.

    - Normally, certificates are valid for around 90 days and mod_md will renew + Normally, certificates are valid for around 90 days and mod_md will renew them the earliest 33% of their complete lifetime before they expire (so for 90 days validity, 30 days before it expires). If you think this is not what you need, you can specify either the exact time, as in: @@ -594,17 +905,36 @@ MDRenewWindow 10%

    You can achieve the same with mod_alias and some Redirect configuration, basically. If you do it yourself, please make sure to exclude the paths - /.well-known/* from your redirection, otherwise mod_md + /.well-known/* from your redirection, otherwise mod_md might have trouble signing on new certificates.

    If you set this globally, it applies to all managed domains. If you want it for a specific domain only, use:

    -

    Example

    <MDomainSet xxx.yyy>
    +            

    Example

    <MDomain xxx.yyy>
       MDRequireHttps temporary
    -</MDomainSet>
    +</MDomain>
    +
    +
    top
    +

    MDServerStatus Directive

    + + + + + + + +
    Description:Control if Managed Domain information is added to server-status.
    Syntax:MDServerStatus on|off
    Default:MDServerStatus on
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + Apaches 'server-status' handler allows you configure a resource to monitor + what is going on. This includes now a section listing all Managed Domains + with the DNS names, renewal status, lifetimes and main properties. +

    + You can switch that off using this directive. +

    +
    top

    MDStoreDir Directive
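Review bot: the MDRequireHttps example is changed from `<MDomainSet xxx.yyy>` to `<MDomain xxx.yyy>` used as a container, but the quick reference regenerated in this same patch still lists the container form only as `<MDomainSet dns-name [ other-dns-name... ]>...</MDomainSet>` and lists MDomain as a plain directive. Either the container form of MDomain needs its own syntax line and quick-reference entry, or the example should keep MDomainSet; as it stands the two pages disagree. In the MDServerStatus description, "Apaches 'server-status' handler allows you configure a resource" should be "Apache's 'server-status' handler allows you to configure a resource", and "This includes now a section" reads better as "This now includes a section".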

    @@ -627,6 +957,30 @@ MDRenewWindow 10% are missing.

    +
    +
    top
    +

    MDWarnWindow Directive

    + + + + + + + +
    Description:Define the time window when you want to be warned about an expiring certificate.
    Syntax:MDWarnWindow duration
    Default:MDWarnWindow 10%
    Context:server config
    Status:Experimental
    Module:mod_md
    +

    + See MDRenewWindow for a description on + how you can specify the time. +

    + The modules checks the remaining lifetime of certificates and invokes + MDMessageCmd when there is less than the warn + window left. With the default, this mean 9 days for certificates from + Let's Encrypt. +

    + It also applies to Managed Domains with static certificate files ( + see MDCertificateFile). +

    +
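Review bot: typos in the MDWarnWindow text: "The modules checks" should be "The module checks", "this mean 9 days" should be "this means 9 days", and "a description on how you can specify the time" should be "a description of how". The 9-day figure is consistent with the 10% default applied to the 90-day lifetime stated under MDRenewWindow, so the number itself is fine. There is also a stray space after the opening parenthesis in "static certificate files ( see MDCertificateFile)".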
    diff --git a/docs/manual/mod/mod_mime.html.en b/docs/manual/mod/mod_mime.html.en index 1c6dc26cb88..af8174d1c01 100644 --- a/docs/manual/mod/mod_mime.html.en +++ b/docs/manual/mod/mod_mime.html.en @@ -666,7 +666,7 @@ assigned a language-tag by some other means.

    MimeOptions Directive

    - + diff --git a/docs/manual/mod/mod_session_crypto.html.en b/docs/manual/mod/mod_session_crypto.html.en index bbce16f12fc..43e9e2d843a 100644 --- a/docs/manual/mod/mod_session_crypto.html.en +++ b/docs/manual/mod/mod_session_crypto.html.en @@ -100,7 +100,7 @@ SessionCryptoPassphrase secret
    Description:Configures mod_mime behavior
    Syntax:MimeOptionsoption [option] ...
    Syntax:MimeOptions option [option] ...
    Context:server config, virtual host, directory, .htaccess
    Override:FileInfo
    Status:Base
    - + @@ -197,14 +197,15 @@ SessionCryptoPassphrase secret

    As of version 2.4.7 if the value begins with exec: the resulting command will be executed and the first line returned to standard output by the program will be used as the key.

    -
    #key used as-is
    +
    #key used as-is
     SessionCryptoPassphrase secret
     
     #Run /path/to/program to get key
     SessionCryptoPassphrase exec:/path/to/program
     
     #Run /path/to/otherProgram and provide arguments
    -SessionCryptoPassphrase "exec:/path/to/otherProgram argument1"
    +SessionCryptoPassphrase "exec:/path/to/otherProgram argument1"
    +
    @@ -224,7 +225,7 @@ SessionCryptoPassphrase "exec:/path/to/otherProgram argument1" the session, specified one per line. The file is read on server start, and a graceful restart will be necessary for httpd to pick up changes to the keys.

    -

    Unlike the SessionCryptoPassphrase directive, the keys are +

    Unlike the SessionCryptoPassphrase directive, the keys are not exposed within the httpd configuration and can be hidden by protecting the file appropriately.

    diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 77d98468bf8..c4976f8bd44 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -476,7 +476,7 @@ this directory contains the appropriate symbolic links.

    Description:The crypto cipher to be used to encrypt the session
    Syntax:SessionCryptoCipher name
    Default:aes256
    Default:SessionCryptoCipher aes256
    Context:server config, virtual host, directory, .htaccess
    Override:AuthConfig
    Status:Experimental
    - + diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en index 912c21760e2..067f8eda650 100644 --- a/docs/manual/mod/quickreference.html.en +++ b/docs/manual/mod/quickreference.html.en @@ -532,8 +532,8 @@ requests - - + + - - - + + + + + - + + + - - - - - - + + + + + + + + - + + + @@ -759,7 +768,7 @@ files meta information - + @@ -909,332 +918,333 @@ a different URL of the current URL - + - - - - - - - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + - - - - - - + - - + - - - + + + - - - - - - - - - - + - - + - - + - - + - - - + - - - - + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - + - - - - - + + + + - - + - - - - - + - - + - - - + + - - + - - - - - + - - - - - + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - + + - - - + - - - - - - - - - - - - + + + + + + - - - + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + - - - - + + + - - - + + - - - - - - + + + + + - - + - - - - - - - - - + + + + + + + - - + - - + - - - - + + - - + - - - - - - - + + - - + - +
    Description:Enable CRL-based revocation checking
    Syntax:SSLCARevocationCheck chain|leaf|none flags
    Syntax:SSLCARevocationCheck chain|leaf|none [flags ...]
    Default:SSLCARevocationCheck none
    Context:server config, virtual host
    Status:Extension
    H2PushResource [add] path [critical]svdhE
    Declares resources for early pushing to the client
    H2SerializeHeaders on|off off svE
    Serialize Request/Response Processing Switch
    H2StreamMaxMemSize bytes 65536 svE
    Maximum amount of output data buffered per stream.
    H2TLSCoolDownSecs seconds 1 svE
    -
    H2TLSWarmUpSize amount 1048576 svE
    -
    H2TLSCoolDownSecs seconds 1 svE
    Configure the number of seconds of idle time on TLS before shrinking writes
    H2TLSWarmUpSize amount 1048576 svE
    Configure the number of bytes on TLS connection before doing max writes
    H2Upgrade on|off on for h2c, off for +svdhE
    H2 Upgrade Protocol Switch
    H2WindowSize bytes 65535 svE
    Size of Stream Window for upstream data.
    Header [condition] add|append|echo|edit|edit*|merge|set|setifempty|unset|note @@ -731,23 +731,32 @@ simultaneously
    MaxSpareThreads numbersM
    Maximum number of idle threads
    MaxThreads number 2048 sM
    Set the maximum number of worker threads
    MDBaseServer on|off off sX
    Control if base server may be managed or only virtual hosts.
    MDCAChallenges name [ name ... ] tls-sni-01 http-01 sX
    Type of ACME challenge used to prove domain ownership.
    MDCertificateAgreement url-of-terms-of-servicesX
    The URL of the Terms-of-Service document, that the CA server requires you to accept.
    MDCertificateAuthority url https://acme-v01.ap +sX
    The URL of the ACME Certificate Authority service.
    MDCAChallenges name [ name ... ] tls-alpn-01 http-01 +sX
    Type of ACME challenge used to prove domain ownership.
    MDCertificateAgreement acceptedsX
    You confirm that you accepted the Terms of Service of the Certificate + Authority.
    MDCertificateAuthority url https://acme-v02.ap +sX
    The URL of the ACME Certificate Authority service.
    MDCertificateFile path-to-pem-filesX
    Specify a static certificate file for the MD.
    MDCertificateKeyFile path-to-filesX
    Specify a static private key for for the static cerrtificate.
    MDCertificateProtocol protocol ACME sX
    The protocol to use with the Certificate Authority.
    MDDriveMode always|auto|manual auto sX
    Control when it is allowed to obtain/renew certificates.
    MDCertificateStatus on|off on sX
    Exposes public certificate information in JSON.
    MDChallengeDns01 path-to-commandsX
    -
    MDDriveMode always|auto|manual auto sX
    former name of MDRenewMode.
    MDHttpProxy urlsX
    Define a proxy for outgoing connections.
    MDMember hostnamesX
    Additional hostname for the managed domain.
    MDMembers auto|manual auto sX
    Control if the alias domain names are automatically added.
    MDMustStaple on|off off sX
    Control if new certificates carry the OCSP Must Staple flag.
    MDNotifyCmd path [ args ]sX
    Run a program when Managed Domain are ready.
    MDomain dns-name [ other-dns-name... ] [auto|manual]sX
    Define list of domain names that belong to one group.
    <MDomainSet dns-name [ other-dns-name... ]>...</MDomainSet>sX
    Container for directives applied to the same managed domains.
    MDPortMap map1 [ map2 ] 80:80 443:443 sX
    Map external to internal ports for domain ownership verification.
    MDPrivateKeys type [ params... ] RSA 2048 sX
    Set type and size of the private keys generated.
    MDMessageCmd path-to-cmd optional-argssX
    Handle events for Manage Domains
    MDMustStaple on|off off sX
    Control if new certificates carry the OCSP Must Staple flag.
    MDNotifyCmd path [ args ]sX
    Run a program when a Managed Domain is ready.
    MDomain dns-name [ other-dns-name... ] [auto|manual]sX
    Define list of domain names that belong to one group.
    <MDomainSet dns-name [ other-dns-name... ]>...</MDomainSet>sX
    Container for directives applied to the same managed domains.
    MDPortMap map1 [ map2 ] http:80 https:443 sX
    Map external to internal ports for domain ownership verification.
    MDPrivateKeys type [ params... ] RSA 2048 sX
    Set type and size of the private keys generated.
    MDRenewMode always|auto|manual auto sX
    Controls if certificates shall be renewed.
    MDRenewWindow duration 33% sX
    Control when a certificate will be renewed.
    MDRequireHttps off|temporary|permanent off sX
    Redirects http: traffic to https: for Managed Domains.
    MDStoreDir path md sX
    Path on the local file system to store the Managed Domains data.
    MDServerStatus on|off on sX
    Control if Managed Domain information is added to server-status.
    MDStoreDir path md sX
    Path on the local file system to store the Managed Domains data.
    MDWarnWindow duration 10% sX
    Define the time window when you want to be warned about an expiring certificate.
    MemcacheConnTTL num[units] 15s svE
    Keepalive time for idle connections
    MergeSlashes ON|OFF ON svC
    Controls whether the server merges consecutive slashes in URLs.
    MimeMagicFile file-pathsvE
    Enable MIME-type determination based on file contents using the specified magic file
    MimeOptionsoption [option] ...svdhB
    Configures mod_mime behavior
    MimeOptions option [option] ...svdhB
    Configures mod_mime behavior
    MinSpareServers number 5 sM
    Minimum number of idle child server processes
    MinSpareThreads numbersM
    Minimum number of idle threads available to handle request spikes
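Review bot: the added mod_md quick-reference rows carry typos that originate in the generated source and should be fixed in mod_md.xml before regenerating: the MDCertificateKeyFile row reads "Specify a static private key for for the static cerrtificate." (doubled "for", misspelled "certificate"), and the MDMessageCmd row reads "Handle events for Manage Domains" (should be "Managed Domains"). The MDChallengeDns01 row has an empty description cell, so the directive appears in the reference with no summary at all; it needs a one-line description. The MDDriveMode row's "former name of MDRenewMode." should start with a capital letter to match the other entries.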
    RedirectPermanent URL-path URLsvdhB
    Sends an external permanent redirect asking the client to fetch a different URL
    RedirectTemp URL-path URLsvdhB
    Sends an external temporary redirect asking the client to fetch +
    RedirectRelative OFF|ON OFF svdB
    Allows relative redirect targets.
    RedirectTemp URL-path URLsvdhB
    Sends an external temporary redirect asking the client to fetch a different URL
    RedisConnPoolTTL num[units] 15s svE
    TTL used for the connection pool with the Redis server(s)
    RedisTimeout num[units] 5s svE
    R/W timeout used for the connection with the Redis server(s)
    ReflectorHeader inputheader [outputheader]svdhB
    Reflect an input header to the output headers
    RegexDefaultOptions [none] [+|-]option [[+|-]option] ... DOLLAR_ENDONLY sC
    Allow to configure global/default options for regexes
    RegisterHttpMethod method [method [...]]sC
    Register non-standard HTTP methods
    RemoteIPHeader header-fieldsvB
    Declare the header field which should be parsed for useragent IP addresses
    RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...svB
    Declare client intranet IP addresses trusted to present the RemoteIPHeader value
    RemoteIPInternalProxyList filenamesvB
    Declare client intranet IP addresses trusted to present the RemoteIPHeader value
    RemoteIPProxiesHeader HeaderFieldNamesvB
    Declare the header field which will record all intermediate IP addresses
    RemoteIPProxyProtocol On|OffsvB
    Enable or disable PROXY protocol handling
    RemoteIPProxyProtocolExceptions host|range [host|range] [host|range]svB
    Disable processing of PROXY header for certain hosts or networks
    RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...svB
    Restrict client IP addresses trusted to present the RemoteIPHeader value
    RemoteIPTrustedProxyList filenamesvB
    Restrict client IP addresses trusted to present the RemoteIPHeader value
    RemoveCharset extension [extension] -...vdhB
    Removes any character set associations for a set of file +
    RedisConnPoolTTL num[units] 15s svE
    TTL used for the connection pool with the Redis server(s)
    RedisTimeout num[units] 5s svE
    R/W timeout used for the connection with the Redis server(s)
    ReflectorHeader inputheader [outputheader]svdhB
    Reflect an input header to the output headers
    RegexDefaultOptions [none] [+|-]option [[+|-]option] ... DOLLAR_ENDONLY sC
    Allow to configure global/default options for regexes
    RegisterHttpMethod method [method [...]]sC
    Register non-standard HTTP methods
    RemoteIPHeader header-fieldsvB
    Declare the header field which should be parsed for useragent IP addresses
    RemoteIPInternalProxy proxy-ip|proxy-ip/subnet|hostname ...svB
    Declare client intranet IP addresses trusted to present the RemoteIPHeader value
    RemoteIPInternalProxyList filenamesvB
    Declare client intranet IP addresses trusted to present the RemoteIPHeader value
    RemoteIPProxiesHeader HeaderFieldNamesvB
    Declare the header field which will record all intermediate IP addresses
    RemoteIPProxyProtocol On|OffsvB
    Enable or disable PROXY protocol handling
    RemoteIPProxyProtocolExceptions host|range [host|range] [host|range]svB
    Disable processing of PROXY header for certain hosts or networks
    RemoteIPTrustedProxy proxy-ip|proxy-ip/subnet|hostname ...svB
    Restrict client IP addresses trusted to present the RemoteIPHeader value
    RemoteIPTrustedProxyList filenamesvB
    Restrict client IP addresses trusted to present the RemoteIPHeader value
    RemoveCharset extension [extension] +...vdhB
    Removes any character set associations for a set of file extensions
    RemoveEncoding extension [extension] -...vdhB
    Removes any content encoding associations for a set of file +
    RemoveEncoding extension [extension] +...vdhB
    Removes any content encoding associations for a set of file extensions
    RemoveHandler extension [extension] -...vdhB
    Removes any handler associations for a set of file +
    RemoveHandler extension [extension] +...vdhB
    Removes any handler associations for a set of file extensions
    RemoveInputFilter extension [extension] -...vdhB
    Removes any input filter associations for a set of file +
    RemoveInputFilter extension [extension] +...vdhB
    Removes any input filter associations for a set of file extensions
    RemoveLanguage extension [extension] -...vdhB
    Removes any language associations for a set of file +
    RemoveLanguage extension [extension] +...vdhB
    Removes any language associations for a set of file extensions
    RemoveOutputFilter extension [extension] -...vdhB
    Removes any output filter associations for a set of file +
    RemoveOutputFilter extension [extension] +...vdhB
    Removes any output filter associations for a set of file extensions
    RemoveType extension [extension] -...vdhB
    Removes any content type associations for a set of file +
    RemoveType extension [extension] +...vdhB
    Removes any content type associations for a set of file extensions
    RequestHeader add|append|edit|edit*|merge|set|setifempty|unset +
    RequestHeader add|append|edit|edit*|merge|set|setifempty|unset header [[expr=]value [replacement] [early|env=[!]varname|expr=expression]] -svdhE
    Configure HTTP request headers
    RequestReadTimeout +svdhE
    Configure HTTP request headers
    RequestReadTimeout [handshake=timeout[-maxtimeout][,MinRate=rate] [header=timeout[-maxtimeout][,MinRate=rate] [body=timeout[-maxtimeout][,MinRate=rate] - handshake=0 header= +svE
    Set timeout values for completing the TLS handshake, receiving + handshake=0 header= +svE
    Set timeout values for completing the TLS handshake, receiving the request headers and/or body from client.
    Require [not] entity-name - [entity-name] ...dhB
    Tests whether an authenticated user is authorized by +
    Require [not] entity-name + [entity-name] ...dhB
    Tests whether an authenticated user is authorized by an authorization provider.
    <RequireAll> ... </RequireAll>dhB
    Enclose a group of authorization directives of which none +
    <RequireAll> ... </RequireAll>dhB
    Enclose a group of authorization directives of which none must fail and at least one must succeed for the enclosing directive to succeed.
    <RequireAny> ... </RequireAny>dhB
    Enclose a group of authorization directives of which one +
    <RequireAny> ... </RequireAny>dhB
    Enclose a group of authorization directives of which one must succeed for the enclosing directive to succeed.
    <RequireNone> ... </RequireNone>dhB
    Enclose a group of authorization directives of which none +
    <RequireNone> ... </RequireNone>dhB
    Enclose a group of authorization directives of which none must succeed for the enclosing directive to not fail.
    RewriteBase URL-pathdhE
    Sets the base URL for per-directory rewrites
    RewriteCond - TestString CondPattern [flags]svdhE
    Defines a condition under which rewriting will take place +
    RewriteBase URL-pathdhE
    Sets the base URL for per-directory rewrites
    RewriteCond + TestString CondPattern [flags]svdhE
    Defines a condition under which rewriting will take place
    RewriteEngine on|off off svdhE
    Enables or disables runtime rewriting engine
    RewriteMap MapName MapType:MapSource +
    RewriteEngine on|off off svdhE
    Enables or disables runtime rewriting engine
    RewriteMap MapName MapType:MapSource [MapTypeOptions] -svE
    Defines a mapping function for key-lookup
    RewriteOptions OptionssvdhE
    Sets some special options for the rewrite engine
    RewriteRule - Pattern Substitution [flags]svdhE
    Defines rules for the rewriting engine
    RLimitCPU seconds|max [seconds|max]svdhC
    Limits the CPU consumption of processes launched +svE
    Defines a mapping function for key-lookup
    RewriteOptions OptionssvdhE
    Sets some special options for the rewrite engine
    RewriteRule + Pattern Substitution [flags]svdhE
    Defines rules for the rewriting engine
    RLimitCPU seconds|max [seconds|max]svdhC
    Limits the CPU consumption of processes launched by Apache httpd children
    RLimitMEM bytes|max [bytes|max]svdhC
    Limits the memory consumption of processes launched +
    RLimitMEM bytes|max [bytes|max]svdhC
    Limits the memory consumption of processes launched by Apache httpd children
    RLimitNPROC number|max [number|max]svdhC
    Limits the number of processes that can be launched by +
    RLimitNPROC number|max [number|max]svdhC
    Limits the number of processes that can be launched by processes launched by Apache httpd children
    Satisfy Any|All All dhE
    Interaction between host-level access control and +
    Satisfy Any|All All dhE
    Interaction between host-level access control and user authentication
    ScoreBoardFile file-path apache_runtime_stat +sM
    Location of the file used to store coordination data for +
    ScoreBoardFile file-path apache_runtime_stat +sM
    Location of the file used to store coordination data for the child processes
    Script method cgi-scriptsvdB
    Activates a CGI script for a particular request +
    Script method cgi-scriptsvdB
    Activates a CGI script for a particular request method.
    ScriptAlias [URL-path] -file-path|directory-pathsvdB
    Maps a URL to a filesystem location and designates the +
    ScriptAlias [URL-path] +file-path|directory-pathsvdB
    Maps a URL to a filesystem location and designates the target as a CGI script
    ScriptAliasMatch regex -file-path|directory-pathsvB
    Maps a URL to a filesystem location using a regular expression +
    ScriptAliasMatch regex +file-path|directory-pathsvB
    Maps a URL to a filesystem location using a regular expression and designates the target as a CGI script
    ScriptInterpreterSource Registry|Registry-Strict|Script Script svdhC
    Technique for locating the interpreter for CGI +
    ScriptInterpreterSource Registry|Registry-Strict|Script Script svdhC
    Technique for locating the interpreter for CGI scripts
    ScriptLog file-pathsvB
    Location of the CGI script error logfile
    ScriptLogBuffer bytes 1024 svB
    Maximum amount of PUT or POST requests that will be recorded +
    ScriptLog file-pathsvB
    Location of the CGI script error logfile
    ScriptLogBuffer bytes 1024 svB
    Maximum amount of PUT or POST requests that will be recorded in the scriptlog
    ScriptLogLength bytes 10385760 svB
    Size limit of the CGI script logfile
    ScriptSock file-path cgisock sB
    The filename prefix of the socket to use for communication with +
    ScriptLogLength bytes 10385760 svB
    Size limit of the CGI script logfile
    ScriptSock file-path cgisock sB
    The filename prefix of the socket to use for communication with the cgi daemon
    SecureListen [IP-address:]portnumber -Certificate-Name [MUTUAL]sB
    Enables SSL encryption for the specified port
    SeeRequestTail On|Off Off sC
    Determine if mod_status displays the first 63 characters +
    SecureListen [IP-address:]portnumber +Certificate-Name [MUTUAL]sB
    Enables SSL encryption for the specified port
    SeeRequestTail On|Off Off sC
    Determine if mod_status displays the first 63 characters of a request or the last 63, assuming the request itself is greater than 63 chars.
    SendBufferSize bytes 0 sM
    TCP buffer size
    ServerAdmin email-address|URLsvC
    Email address that the server includes in error +
    SendBufferSize bytes 0 sM
    TCP buffer size
    ServerAdmin email-address|URLsvC
    Email address that the server includes in error messages sent to the client
    ServerAlias hostname [hostname] ...vC
    Alternate names for a host used when matching requests +
    ServerAlias hostname [hostname] ...vC
    Alternate names for a host used when matching requests to name-virtual hosts
    ServerLimit numbersM
    Upper limit on configurable number of processes
    ServerName [scheme://]domain-name|ip-address[:port]svC
    Hostname and port that the server uses to identify +
    ServerLimit numbersM
    Upper limit on configurable number of processes
    ServerName [scheme://]domain-name|ip-address[:port]svC
    Hostname and port that the server uses to identify itself
    ServerPath URL-pathvC
    Legacy URL pathname for a name-based virtual host that +
    ServerPath URL-pathvC
    Legacy URL pathname for a name-based virtual host that is accessed by an incompatible browser
    ServerRoot directory-path /usr/local/apache sC
    Base directory for the server installation
    ServerSignature On|Off|EMail Off svdhC
    Configures the footer on server-generated documents
    ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full Full sC
    Configures the Server HTTP response +
    ServerRoot directory-path /usr/local/apache sC
    Base directory for the server installation
    ServerSignature On|Off|EMail Off svdhC
    Configures the footer on server-generated documents
    ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full Full sC
    Configures the Server HTTP response header
    Session On|Off Off svdhE
    Enables a session for the current directory or location
    SessionCookieName name attributessvdhE
    Name and attributes for the RFC2109 cookie storing the session
    SessionCookieName2 name attributessvdhE
    Name and attributes for the RFC2965 cookie storing the session
    SessionCookieRemove On|Off Off svdhE
    Control for whether session cookies should be removed from incoming HTTP headers
    SessionCryptoCipher namesvdhX
    The crypto cipher to be used to encrypt the session
    SessionCryptoDriver name [param[=value]]sX
    The crypto driver to be used to encrypt the session
    SessionCryptoPassphrase secret [ secret ... ] svdhX
    The key used to encrypt the session
    SessionCryptoPassphraseFile filenamesvdX
    File containing keys used to encrypt the session
    SessionDBDCookieName name attributessvdhE
    Name and attributes for the RFC2109 cookie storing the session ID
    SessionDBDCookieName2 name attributessvdhE
    Name and attributes for the RFC2965 cookie storing the session ID
    SessionDBDCookieRemove On|Off On svdhE
    Control for whether session ID cookies should be removed from incoming HTTP headers
    SessionDBDDeleteLabel label deletesession svdhE
    The SQL query to use to remove sessions from the database
    SessionDBDInsertLabel label insertsession svdhE
    The SQL query to use to insert sessions into the database
    SessionDBDPerUser On|Off Off svdhE
    Enable a per user session
    SessionDBDSelectLabel label selectsession svdhE
    The SQL query to use to select sessions from the database
    SessionDBDUpdateLabel label updatesession svdhE
    The SQL query to use to update existing sessions in the database
    SessionEnv On|Off Off svdhE
    Control whether the contents of the session are written to the +
    Session On|Off Off svdhE
    Enables a session for the current directory or location
    SessionCookieName name attributessvdhE
    Name and attributes for the RFC2109 cookie storing the session
    SessionCookieName2 name attributessvdhE
    Name and attributes for the RFC2965 cookie storing the session
    SessionCookieRemove On|Off Off svdhE
    Control for whether session cookies should be removed from incoming HTTP headers
    SessionCryptoCipher name aes256 svdhX
    The crypto cipher to be used to encrypt the session
    SessionCryptoDriver name [param[=value]]sX
    The crypto driver to be used to encrypt the session
    SessionCryptoPassphrase secret [ secret ... ] svdhX
    The key used to encrypt the session
    SessionCryptoPassphraseFile filenamesvdX
    File containing keys used to encrypt the session
    SessionDBDCookieName name attributessvdhE
    Name and attributes for the RFC2109 cookie storing the session ID
    SessionDBDCookieName2 name attributessvdhE
    Name and attributes for the RFC2965 cookie storing the session ID
    SessionDBDCookieRemove On|Off On svdhE
    Control for whether session ID cookies should be removed from incoming HTTP headers
    SessionDBDDeleteLabel label deletesession svdhE
    The SQL query to use to remove sessions from the database
    SessionDBDInsertLabel label insertsession svdhE
    The SQL query to use to insert sessions into the database
    SessionDBDPerUser On|Off Off svdhE
    Enable a per user session
    SessionDBDSelectLabel label selectsession svdhE
    The SQL query to use to select sessions from the database
    SessionDBDUpdateLabel label updatesession svdhE
    The SQL query to use to update existing sessions in the database
    SessionEnv On|Off Off svdhE
    Control whether the contents of the session are written to the HTTP_SESSION environment variable
    SessionExclude pathsvdhE
    Define URL prefixes for which a session is ignored
    SessionExpiryUpdateInterval interval 0 (always update) svdhE
    Define the number of seconds a session's expiry may change without +
    SessionExclude pathsvdhE
    Define URL prefixes for which a session is ignored
    SessionExpiryUpdateInterval interval 0 (always update) svdhE
    Define the number of seconds a session's expiry may change without the session being updated
    SessionHeader headersvdhE
    Import session updates from a given HTTP response header
    SessionInclude pathsvdhE
    Define URL prefixes for which a session is valid
    SessionMaxAge maxage 0 svdhE
    Define a maximum age in seconds for a session
    SetEnv env-variable [value]svdhB
    Sets environment variables
    SetEnvIf attribute +
    SessionHeader headersvdhE
    Import session updates from a given HTTP response header
    SessionInclude pathsvdhE
    Define URL prefixes for which a session is valid
    SessionMaxAge maxage 0 svdhE
    Define a maximum age in seconds for a session
    SetEnv env-variable [value]svdhB
    Sets environment variables
    SetEnvIf attribute regex [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhB
    Sets environment variables based on attributes of the request + [[!]env-variable[=value]] ...svdhB
    Sets environment variables based on attributes of the request
    SetEnvIfExpr expr +
    SetEnvIfExpr expr [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhB
    Sets environment variables based on an ap_expr expression
    SetEnvIfNoCase attribute regex + [[!]env-variable[=value]] ...svdhB
    Sets environment variables based on an ap_expr expression
    SetEnvIfNoCase attribute regex [!]env-variable[=value] - [[!]env-variable[=value]] ...svdhB
    Sets environment variables based on attributes of the request + [[!]env-variable[=value]] ...svdhB
    Sets environment variables based on attributes of the request without respect to case
    SetHandler handler-name|none|expressionsvdhC
    Forces all matching files to be processed by a +
    SetHandler handler-name|none|expressionsvdhC
    Forces all matching files to be processed by a handler
    SetInputFilter filter[;filter...]svdhC
    Sets the filters that will process client requests and POST +
    SetInputFilter filter[;filter...]svdhC
    Sets the filters that will process client requests and POST input
    SetOutputFilter filter[;filter...]svdhC
    Sets the filters that will process responses from the +
    SetOutputFilter filter[;filter...]svdhC
    Sets the filters that will process responses from the server
    SSIEndTag tag "-->" svB
    String that ends an include element
    SSIErrorMsg message "[an error occurred +svdhB
    Error message displayed when there is an SSI +
    SSIEndTag tag "-->" svB
    String that ends an include element
    SSIErrorMsg message "[an error occurred +svdhB
    Error message displayed when there is an SSI error
    SSIETag on|off off dhB
    Controls whether ETags are generated by the server.
    SSILastModified on|off off dhB
    Controls whether Last-Modified headers are generated by the +
    SSIETag on|off off dhB
    Controls whether ETags are generated by the server.
    SSILastModified on|off off dhB
    Controls whether Last-Modified headers are generated by the server.
    SSILegacyExprParser on|off off dhB
    Enable compatibility mode for conditional expressions.
    SSIStartTag tag "<!--#" svB
    String that starts an include element
    SSITimeFormat formatstring "%A, %d-%b-%Y %H:%M +svdhB
    Configures the format in which date strings are +
    SSILegacyExprParser on|off off dhB
    Enable compatibility mode for conditional expressions.
    SSIStartTag tag "<!--#" svB
    String that starts an include element
    SSITimeFormat formatstring "%A, %d-%b-%Y %H:%M +svdhB
    Configures the format in which date strings are displayed
    SSIUndefinedEcho string "(none)" svdhB
    String displayed when an unset variable is echoed
    SSLCACertificateFile file-pathsvE
    File of concatenated PEM-encoded CA Certificates +
    SSIUndefinedEcho string "(none)" svdhB
    String displayed when an unset variable is echoed
    SSLCACertificateFile file-pathsvE
    File of concatenated PEM-encoded CA Certificates for Client Auth
    SSLCACertificatePath directory-pathsvE
    Directory of PEM-encoded CA Certificates for +
    SSLCACertificatePath directory-pathsvE
    Directory of PEM-encoded CA Certificates for Client Auth
    SSLCADNRequestFile file-pathsvE
    File of concatenated PEM-encoded CA Certificates +
    SSLCADNRequestFile file-pathsvE
    File of concatenated PEM-encoded CA Certificates for defining acceptable CA names
    SSLCADNRequestPath directory-pathsvE
    Directory of PEM-encoded CA Certificates for +
    SSLCADNRequestPath directory-pathsvE
    Directory of PEM-encoded CA Certificates for defining acceptable CA names
    SSLCARevocationCheck chain|leaf|none flags none svE
    Enable CRL-based revocation checking
    SSLCARevocationFile file-pathsvE
    File of concatenated PEM-encoded CA CRLs for +
    SSLCARevocationCheck chain|leaf|none [flags ...] none svE
    Enable CRL-based revocation checking
    SSLCARevocationFile file-pathsvE
    File of concatenated PEM-encoded CA CRLs for Client Auth
    SSLCARevocationPath directory-pathsvE
    Directory of PEM-encoded CA CRLs for +
    SSLCARevocationPath directory-pathsvE
    Directory of PEM-encoded CA CRLs for Client Auth
    SSLCertificateChainFile file-pathsvE
    File of PEM-encoded Server CA Certificates
    SSLCertificateFile file-path|certidsvE
    Server PEM-encoded X.509 certificate data file or token identifier
    SSLCertificateKeyFile file-path|keyidsvE
    Server PEM-encoded private key file
    SSLCipherSuite [protocol] cipher-spec DEFAULT (depends on +svdhE
    Cipher Suite available for negotiation in SSL +
    SSLCertificateChainFile file-pathsvE
    File of PEM-encoded Server CA Certificates
    SSLCertificateFile file-path|certidsvE
    Server PEM-encoded X.509 certificate data file or token identifier
    SSLCertificateKeyFile file-path|keyidsvE
    Server PEM-encoded private key file
    SSLCipherSuite [protocol] cipher-spec DEFAULT (depends on +svdhE
    Cipher Suite available for negotiation in SSL handshake
    SSLCompression on|off off svE
    Enable compression on the SSL level
    SSLCryptoDevice engine builtin sE
    Enable use of a cryptographic hardware accelerator
    SSLEngine on|off|optional off svE
    SSL Engine Operation Switch
    SSLFIPS on|off off sE
    SSL FIPS mode Switch
    SSLHonorCipherOrder on|off off svE
    Option to prefer the server's cipher preference order
    SSLInsecureRenegotiation on|off off svE
    Option to enable support for insecure renegotiation
    SSLOCSPDefaultResponder urisvE
    Set the default responder URI for OCSP validation
    SSLOCSPEnable on|leaf|off off svE
    Enable OCSP validation of the client certificate chain
    SSLOCSPNoverify on|off off svE
    skip the OCSP responder certificates verification
    SSLOCSPOverrideResponder on|off off svE
    Force use of the default responder URI for OCSP validation
    SSLOCSPProxyURL urlsvE
    Proxy URL to use for OCSP requests
    SSLOCSPResponderCertificateFile filesvE
    Set of trusted PEM encoded OCSP responder certificates
    SSLOCSPResponderTimeout seconds 10 svE
    Timeout for OCSP queries
    SSLOCSPResponseMaxAge seconds -1 svE
    Maximum allowable age for OCSP responses
    SSLOCSPResponseTimeSkew seconds 300 svE
    Maximum allowable time skew for OCSP response validation
    SSLOCSPUseRequestNonce on|off on svE
    Use a nonce within OCSP queries
    SSLOpenSSLConfCmd command-name command-valuesvE
    Configure OpenSSL parameters through its SSL_CONF API
    SSLOptions [+|-]option ...svdhE
    Configure various SSL engine run-time options
    SSLPassPhraseDialog type builtin sE
    Type of pass phrase dialog for encrypted private +
    SSLCompression on|off off svE
    Enable compression on the SSL level
    SSLCryptoDevice engine builtin sE
    Enable use of a cryptographic hardware accelerator
    SSLEngine on|off|optional off svE
    SSL Engine Operation Switch
    SSLFIPS on|off off sE
    SSL FIPS mode Switch
    SSLHonorCipherOrder on|off off svE
    Option to prefer the server's cipher preference order
    SSLInsecureRenegotiation on|off off svE
    Option to enable support for insecure renegotiation
    SSLOCSPDefaultResponder urisvE
    Set the default responder URI for OCSP validation
    SSLOCSPEnable on|leaf|off off svE
    Enable OCSP validation of the client certificate chain
    SSLOCSPNoverify on|off off svE
    skip the OCSP responder certificates verification
    SSLOCSPOverrideResponder on|off off svE
    Force use of the default responder URI for OCSP validation
    SSLOCSPProxyURL urlsvE
    Proxy URL to use for OCSP requests
    SSLOCSPResponderCertificateFile filesvE
    Set of trusted PEM encoded OCSP responder certificates
    SSLOCSPResponderTimeout seconds 10 svE
    Timeout for OCSP queries
    SSLOCSPResponseMaxAge seconds -1 svE
    Maximum allowable age for OCSP responses
    SSLOCSPResponseTimeSkew seconds 300 svE
    Maximum allowable time skew for OCSP response validation
    SSLOCSPUseRequestNonce on|off on svE
    Use a nonce within OCSP queries
    SSLOpenSSLConfCmd command-name command-valuesvE
    Configure OpenSSL parameters through its SSL_CONF API
    SSLOptions [+|-]option ...svdhE
    Configure various SSL engine run-time options
    SSLPassPhraseDialog type builtin sE
    Type of pass phrase dialog for encrypted private keys
    SSLPolicy namesvE
    Apply a SSLPolicy by name
    SSLProtocol [+|-]protocol ... all -SSLv3 svE
    Configure usable SSL/TLS protocol versions
    SSLProxyCACertificateFile file-pathsvpE
    File of concatenated PEM-encoded CA Certificates +
    SSLPolicy namesvE
    Apply a SSLPolicy by name
    SSLProtocol [+|-]protocol ... all -SSLv3 svE
    Configure usable SSL/TLS protocol versions
    SSLProxyCACertificateFile file-pathsvpE
    File of concatenated PEM-encoded CA Certificates for Remote Server Auth
    SSLProxyCACertificatePath directory-pathsvpE
    Directory of PEM-encoded CA Certificates for +
    SSLProxyCACertificatePath directory-pathsvpE
    Directory of PEM-encoded CA Certificates for Remote Server Auth
    SSLProxyCARevocationCheck chain|leaf|none none svpE
    Enable CRL-based revocation checking for Remote Server Auth
    SSLProxyCARevocationFile file-pathsvpE
    File of concatenated PEM-encoded CA CRLs for +
    SSLProxyCARevocationCheck chain|leaf|none none svpE
    Enable CRL-based revocation checking for Remote Server Auth
    SSLProxyCARevocationFile file-pathsvpE
    File of concatenated PEM-encoded CA CRLs for Remote Server Auth
    SSLProxyCARevocationPath directory-pathsvpE
    Directory of PEM-encoded CA CRLs for +
    SSLProxyCARevocationPath directory-pathsvpE
    Directory of PEM-encoded CA CRLs for Remote Server Auth
    SSLProxyCheckPeerCN on|off on svpE
    Whether to check the remote server certificate's CN field +
    SSLProxyCheckPeerCN on|off on svpE
    Whether to check the remote server certificate's CN field
    SSLProxyCheckPeerExpire on|off on svpE
    Whether to check if remote server certificate is expired +
    SSLProxyCheckPeerExpire on|off on svpE
    Whether to check if remote server certificate is expired
    SSLProxyCheckPeerName on|off on svpE
    Configure host name checking for remote server certificates +
    SSLProxyCheckPeerName on|off on svpE
    Configure host name checking for remote server certificates
    SSLProxyCipherSuite [protocol] cipher-spec ALL:!ADH:RC4+RSA:+H +svpE
    Cipher Suite available for negotiation in SSL +
    SSLProxyCipherSuite [protocol] cipher-spec ALL:!ADH:RC4+RSA:+H +svpE
    Cipher Suite available for negotiation in SSL proxy handshake
    SSLProxyEngine on|off off svpE
    SSL Proxy Engine Operation Switch
    SSLProxyMachineCertificateChainFile filenamesvpE
    File of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate
    SSLProxyMachineCertificateFile filenamesvpE
    File of concatenated PEM-encoded client certificates and keys to be used by the proxy
    SSLProxyMachineCertificatePath directorysvpE
    Directory of PEM-encoded client certificates and keys to be used by the proxy
    SSLProxyProtocol [+|-]protocol ... all -SSLv3 svpE
    Configure usable SSL protocol flavors for proxy usage
    SSLProxyVerify level none svpE
    Type of remote server Certificate verification
    SSLProxyVerifyDepth number 1 svpE
    Maximum depth of CA Certificates in Remote Server +
    SSLProxyEngine on|off off svpE
    SSL Proxy Engine Operation Switch
    SSLProxyMachineCertificateChainFile filenamesvpE
    File of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate
    SSLProxyMachineCertificateFile filenamesvpE
    File of concatenated PEM-encoded client certificates and keys to be used by the proxy
    SSLProxyMachineCertificatePath directorysvpE
    Directory of PEM-encoded client certificates and keys to be used by the proxy
    SSLProxyProtocol [+|-]protocol ... all -SSLv3 svpE
    Configure usable SSL protocol flavors for proxy usage
    SSLProxyVerify level none svpE
    Type of remote server Certificate verification
    SSLProxyVerifyDepth number 1 svpE
    Maximum depth of CA Certificates in Remote Server Certificate verification
    SSLRandomSeed context source -[bytes]sE
    Pseudo Random Number Generator (PRNG) seeding +
    SSLRandomSeed context source +[bytes]sE
    Pseudo Random Number Generator (PRNG) seeding source
    SSLRenegBufferSize bytes 131072 dhE
    Set the size for the SSL renegotiation buffer
    SSLRequire expressiondhE
    Allow access only when an arbitrarily complex +
    SSLRenegBufferSize bytes 131072 dhE
    Set the size for the SSL renegotiation buffer
    SSLRequire expressiondhE
    Allow access only when an arbitrarily complex boolean expression is true
    SSLRequireSSLdhE
    Deny access when SSL is not used for the +
    SSLRequireSSLdhE
    Deny access when SSL is not used for the HTTP request
    SSLSessionCache type none sE
    Type of the global/inter-process SSL Session +
    SSLSessionCache type none sE
    Type of the global/inter-process SSL Session Cache
    SSLSessionCacheTimeout seconds 300 svE
    Number of seconds before an SSL session expires +
    SSLSessionCacheTimeout seconds 300 svE
    Number of seconds before an SSL session expires in the Session Cache
    SSLSessionTicketKeyFile file-pathsvE
    Persistent encryption/decryption key for TLS session tickets
    SSLSessionTickets on|off on svE
    Enable or disable use of TLS session tickets
    SSLSRPUnknownUserSeed secret-stringsvE
    SRP unknown user seed
    SSLSRPVerifierFile file-pathsvE
    Path to SRP verifier file
    SSLStaplingCache typesE
    Configures the OCSP stapling cache
    SSLStaplingErrorCacheTimeout seconds 600 svE
    Number of seconds before expiring invalid responses in the OCSP stapling cache
    SSLStaplingFakeTryLater on|off on svE
    Synthesize "tryLater" responses for failed OCSP stapling queries
    SSLStaplingForceURL urisvE
    Override the OCSP responder URI specified in the certificate's AIA extension
    SSLStaplingResponderTimeout seconds 10 svE
    Timeout for OCSP stapling queries
    SSLStaplingResponseMaxAge seconds -1 svE
    Maximum allowable age for OCSP stapling responses
    SSLStaplingResponseTimeSkew seconds 300 svE
    Maximum allowable time skew for OCSP stapling response validation
    SSLStaplingReturnResponderErrors on|off on svE
    Pass stapling related OCSP errors on to client
    SSLStaplingStandardCacheTimeout seconds 3600 svE
    Number of seconds before expiring responses in the OCSP stapling cache
    SSLStrictSNIVHostCheck on|off off svE
    Whether to allow non-SNI clients to access a name-based virtual +
    SSLSessionTicketKeyFile file-pathsvE
    Persistent encryption/decryption key for TLS session tickets
    SSLSessionTickets on|off on svE
    Enable or disable use of TLS session tickets
    SSLSRPUnknownUserSeed secret-stringsvE
    SRP unknown user seed
    SSLSRPVerifierFile file-pathsvE
    Path to SRP verifier file
    SSLStaplingCache typesE
    Configures the OCSP stapling cache
    SSLStaplingErrorCacheTimeout seconds 600 svE
    Number of seconds before expiring invalid responses in the OCSP stapling cache
    SSLStaplingFakeTryLater on|off on svE
    Synthesize "tryLater" responses for failed OCSP stapling queries
    SSLStaplingForceURL urisvE
    Override the OCSP responder URI specified in the certificate's AIA extension
    SSLStaplingResponderTimeout seconds 10 svE
    Timeout for OCSP stapling queries
    SSLStaplingResponseMaxAge seconds -1 svE
    Maximum allowable age for OCSP stapling responses
    SSLStaplingResponseTimeSkew seconds 300 svE
    Maximum allowable time skew for OCSP stapling response validation
    SSLStaplingReturnResponderErrors on|off on svE
    Pass stapling related OCSP errors on to client
    SSLStaplingStandardCacheTimeout seconds 3600 svE
    Number of seconds before expiring responses in the OCSP stapling cache
    SSLStrictSNIVHostCheck on|off off svE
    Whether to allow non-SNI clients to access a name-based virtual host.
    SSLUserName varnamesdhE
    Variable name to determine user name
    SSLUseStapling on|off off svE
    Enable stapling of OCSP responses in the TLS handshake
    SSLVerifyClient level none svdhE
    Type of Client Certificate verification
    SSLVerifyDepth number 1 svdhE
    Maximum depth of CA Certificates in Client +
    SSLUserName varnamesdhE
    Variable name to determine user name
    SSLUseStapling on|off off svE
    Enable stapling of OCSP responses in the TLS handshake
    SSLVerifyClient level none svdhE
    Type of Client Certificate verification
    SSLVerifyDepth number 1 svdhE
    Maximum depth of CA Certificates in Client Certificate verification
    StartServers numbersM
    Number of child server processes created at startup
    StartThreads numbersM
    Number of threads created on startup
    StrictHostCheck ON|OFF OFF svC
    Controls whether the server requires the requested hostname be +
    StartServers numbersM
    Number of child server processes created at startup
    StartThreads numbersM
    Number of threads created on startup
    StrictHostCheck ON|OFF OFF svC
    Controls whether the server requires the requested hostname be listed enumerated in the virtual host handling the request
    Substitute s/pattern/substitution/[infq]dhE
    Pattern to filter the response content
    SubstituteInheritBefore on|off on dhE
    Change the merge order of inherited patterns
    SubstituteMaxLineLength bytes(b|B|k|K|m|M|g|G) 1m dhE
    Set the maximum line size
    Suexec On|OffsB
    Enable or disable the suEXEC feature
    SuexecUserGroup User GroupsvE
    User and group for CGI programs to run as
    ThreadLimit numbersM
    Sets the upper limit on the configurable number of threads +
    Substitute s/pattern/substitution/[infq]dhE
    Pattern to filter the response content
    SubstituteInheritBefore on|off on dhE
    Change the merge order of inherited patterns
    SubstituteMaxLineLength bytes(b|B|k|K|m|M|g|G) 1m dhE
    Set the maximum line size
    Suexec On|OffsB
    Enable or disable the suEXEC feature
    SuexecUserGroup User GroupsvE
    User and group for CGI programs to run as
    ThreadLimit numbersM
    Sets the upper limit on the configurable number of threads per child process
    ThreadsPerChild numbersM
    Number of threads created by each child process
    ThreadStackSize sizesM
    The size in bytes of the stack used by threads handling +
    ThreadsPerChild numbersM
    Number of threads created by each child process
    ThreadStackSize sizesM
    The size in bytes of the stack used by threads handling client connections
    TimeOut time-interval[s] 60 svC
    Amount of time the server will wait for +
    TimeOut time-interval[s] 60 svC
    Amount of time the server will wait for certain events before failing a request
    TraceEnable [on|off|extended] on svC
    Determines the behavior on TRACE requests
    TransferLog file|pipesvB
    Specify location of a log file
    TypesConfig file-path conf/mime.types sB
    The location of the mime.types file
    UnDefine parameter-namesvC
    Undefine the existence of a variable
    UndefMacro namesvdB
    Undefine a macro
    UnsetEnv env-variable [env-variable] -...svdhB
    Removes variables from the environment
    Use name [value1 ... valueN] -svdB
    Use a macro
    UseCanonicalName On|Off|DNS Off svdC
    Configures how the server determines its own name and +
    TraceEnable [on|off|extended] on svC
    Determines the behavior on TRACE requests
    TransferLog file|pipesvB
    Specify location of a log file
    TypesConfig file-path conf/mime.types sB
    The location of the mime.types file
    UnDefine parameter-namesvC
    Undefine the existence of a variable
    UndefMacro namesvdB
    Undefine a macro
    UnsetEnv env-variable [env-variable] +...svdhB
    Removes variables from the environment
    Use name [value1 ... valueN] +svdB
    Use a macro
    UseCanonicalName On|Off|DNS Off svdC
    Configures how the server determines its own name and port
    UseCanonicalPhysicalPort On|Off Off svdC
    Configures how the server determines its own port
    User unix-userid #-1 sB
    The userid under which the server will answer +
    UseCanonicalPhysicalPort On|Off Off svdC
    Configures how the server determines its own port
    User unix-userid #-1 sB
    The userid under which the server will answer requests
    UserDir directory-filename [directory-filename] ... -svB
    Location of the user-specific directories
    VHostCGIMode On|Off|Secure On vX
    Determines whether the virtualhost can run +
    UserDir directory-filename [directory-filename] ... +svB
    Location of the user-specific directories
    VHostCGIMode On|Off|Secure On vX
    Determines whether the virtualhost can run subprocesses, and the privileges available to subprocesses.
    VHostCGIPrivs [+-]?privilege-name [[+-]?privilege-name] ...vX
    Assign arbitrary privileges to subprocesses created +
    VHostCGIPrivs [+-]?privilege-name [[+-]?privilege-name] ...vX
    Assign arbitrary privileges to subprocesses created by a virtual host.
    VHostGroup unix-groupidvX
    Sets the Group ID under which a virtual host runs.
    VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vX
    Assign arbitrary privileges to a virtual host.
    VHostSecure On|Off On vX
    Determines whether the server runs with enhanced security +
    VHostGroup unix-groupidvX
    Sets the Group ID under which a virtual host runs.
    VHostPrivs [+-]?privilege-name [[+-]?privilege-name] ...vX
    Assign arbitrary privileges to a virtual host.
    VHostSecure On|Off On vX
    Determines whether the server runs with enhanced security for the virtualhost.
    VHostUser unix-useridvX
    Sets the User ID under which a virtual host runs.
    VirtualDocumentRoot interpolated-directory|none none svE
    Dynamically configure the location of the document root +
    VHostUser unix-useridvX
    Sets the User ID under which a virtual host runs.
    VirtualDocumentRoot interpolated-directory|none none svE
    Dynamically configure the location of the document root for a given virtual host
    VirtualDocumentRootIP interpolated-directory|none none svE
    Dynamically configure the location of the document root +
    VirtualDocumentRootIP interpolated-directory|none none svE
    Dynamically configure the location of the document root for a given virtual host
    <VirtualHost +
    <VirtualHost addr[:port] [addr[:port]] - ...> ... </VirtualHost>sC
    Contains directives that apply only to a specific + ...> ... </VirtualHost>sC
    Contains directives that apply only to a specific hostname or IP address
    VirtualScriptAlias interpolated-directory|none none svE
    Dynamically configure the location of the CGI directory for +
    VirtualScriptAlias interpolated-directory|none none svE
    Dynamically configure the location of the CGI directory for a given virtual host
    VirtualScriptAliasIP interpolated-directory|none none svE
    Dynamically configure the location of the CGI directory for +
    VirtualScriptAliasIP interpolated-directory|none none svE
    Dynamically configure the location of the CGI directory for a given virtual host
    Warning messagesvdhC
    Warn from configuration parsing with a custom message
    WatchdogInterval time-interval[s] 1 sB
    Watchdog interval in seconds
    XBitHack on|off|full off svdhB
    Parse SSI directives in files with the execute bit +
    Warning messagesvdhC
    Warn from configuration parsing with a custom message
    WatchdogInterval time-interval[s] 1 sB
    Watchdog interval in seconds
    XBitHack on|off|full off svdhB
    Parse SSI directives in files with the execute bit set
    xml2EncAlias charset alias [alias ...]sB
    Recognise Aliases for encoding values
    xml2EncDefault namesvdhB
    Sets a default encoding to assume when absolutely no information +
    xml2EncAlias charset alias [alias ...]sB
    Recognise Aliases for encoding values
    xml2EncDefault namesvdhB
    Sets a default encoding to assume when absolutely no information can be automatically detected
    xml2StartParse element [element ...]svdhB
    Advise the parser to skip leading junk.
    xml2StartParse element [element ...]svdhB
    Advise the parser to skip leading junk.

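Review bot: apart from the whitespace reflow, this hunk changes one rendered syntax line, SSLCARevocationCheck, from `chain|leaf|none flags` to `chain|leaf|none [flags ...]`; that is the better rendering, since the flags are optional and may be repeated, but the quick reference is generated from the per-module XML, so the same synopsis has to be in the mod_ssl source (and its rendered mod_ssl page) or the next regeneration will undo it, and neither appears in the part of this diff shown here. Since the table is being regenerated anyway, the StrictHostCheck summary still carries the doubled "be listed enumerated in the virtual host handling the request" from the source; dropping one of the two verbs there would fix it in both outputs.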
    Available Languages:  de  | diff --git a/docs/manual/platform/windows.html.en b/docs/manual/platform/windows.html.en index 61cee9fd9ed..6f79376bb59 100644 --- a/docs/manual/platform/windows.html.en +++ b/docs/manual/platform/windows.html.en @@ -617,7 +617,7 @@ RewriteRule "(.*)" "${lowercase:$1}" [R,L] <Directory "//imagehost/www/images/"> #... -<Directory> +</Directory>

    When running Apache httpd as a service, you must create a diff --git a/docs/manual/programs/htpasswd.html.en b/docs/manual/programs/htpasswd.html.en index 684066e1c25..61ec4cb627d 100644 --- a/docs/manual/programs/htpasswd.html.en +++ b/docs/manual/programs/htpasswd.html.en @@ -42,13 +42,14 @@ stores, though. To use a DBM database see dbmmanage or htdbm.

    -

    htpasswd encrypts passwords using either bcrypt, - a version of MD5 modified for Apache, SHA1, or the system's - crypt() routine. Files - managed by htpasswd may contain a mixture of different encoding - types of passwords; some - user records may have bcrypt or MD5-encrypted passwords while others in the - same file may have passwords encrypted with crypt().

    +

    htpasswd encrypts passwords using either bcrypt, a + version of MD5 modified for Apache, SHA-1, or the system's + crypt() routine. SHA-2-based hashes (SHA-256 and + SHA-512) are supported for crypt(). Files managed by + htpasswd may contain a mixture of different encoding + types of passwords; some user records may have bcrypt or + MD5-encrypted passwords while others in the same file may have + passwords encrypted with crypt().

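Review bot: the added sentence "SHA-2-based hashes (SHA-256 and SHA-512) are supported for crypt()" reads as unconditional, while the -2 and -5 entries added further down qualify them with "supported on most Unix platforms" and the -d entry already says crypt() is not supported on Windows; qualify it here too, for example "SHA-2-based hashes (SHA-256 and SHA-512) are supported where the system's crypt() provides them". The rewrite also keeps "encrypts passwords" for what are one-way hashes; since this paragraph was touched anyway, "hashes passwords using" would be accurate for every format in the list and stop readers assuming the stored values can be decrypted.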
    This manual page only lists the command line arguments. For details of the directives necessary to configure user authentication in @@ -71,9 +72,12 @@ distribution.

  • Comments
  • [ -i ] [ -m | -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] [ -D ] [ -v ] passwdfile username

    @@ -82,9 +86,12 @@ distribution.
  • Comments
  • [ -c ] [ -m | -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] [ -D ] [ -v ] passwdfile username @@ -94,17 +101,23 @@ distribution.
  • Comments
  • [ -i ] [ -m | -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] username

    htpasswd -nb [ -m | - -B | + -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] username password

    top
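Review bot: the four synopsis hunks put `[ -r rounds ]` before `[ -C cost ]`, while the option list later in this patch documents -C before -r; using one order in both places makes it easier to see that -r belongs to -2/-5 in the same way -C belongs to -B. Listing -r as freely optional although it is only valid with -2 or -5 matches how -C was already presented, so that is fine as long as the -r entry states the restriction, which it does.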
    @@ -137,6 +150,14 @@ distribution.
  • Comments
  • Use MD5 encryption for passwords. This is the default (since version 2.2.18).
    +
    -2
    +
    Use SHA-256 crypt() based hashes for passwords. This is + supported on most Unix platforms.
    + +
    -5
    +
    Use SHA-512 crypt() based hashes for passwords. This is + supported on most Unix platforms.
    +
    -B
    Use bcrypt encryption for passwords. This is currently considered to be very secure.
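Review bot: the -2 and -5 entries name the SHA-2 variant but not the crypt identifier the resulting hash carries, and the digit in the flag does not match that identifier: under the SHA-crypt specification linked later in this patch, SHA-256 hashes begin with `$5$` and SHA-512 hashes with `$6$`, so `-5` yields `$6$` entries. Adding the prefix to each entry ("... producing `$5$` hashes") lets an administrator check an existing password file against the flag that was used and removes the easy misreading of -5 as SHA-256.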
    @@ -146,6 +167,12 @@ distribution.
  • Comments
  • encryption). It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17). +
    -r
    +
    This flag is only allowed in combination with -2 + or -5. It sets the number of hash rounds used for the + SHA-2 algorithms (higher is more secure but slower; the default is + 5,000).
    +
    -d
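Review bot: the -r entry gives the default of 5,000 but not the accepted range; the SHA-crypt specification linked later in this patch limits rounds to between 1,000 and 999,999,999 and clamps values outside that range rather than rejecting them, so the entry should state the range and what htpasswd does with an out-of-range value. It is also worth saying that the count is stored in the hash itself (as `rounds=N$` before the salt), so raising -r for new entries has no effect on verifying existing ones.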
    Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and @@ -154,9 +181,10 @@ distribution.
  • Comments
  • It used to be the default algorithm until version 2.2.17.
    -s
    -
    Use SHA encryption for passwords. Facilitates migration from/to Netscape - servers using the LDAP Directory Interchange Format (ldif). - This algorithm is insecure by today's standards.
    +
    Use SHA-1 (160-bit) encryption for passwords. Facilitates migration + from/to Netscape servers using the LDAP Directory Interchange + Format (ldif). This algorithm is insecure by + today's standards.
    -p
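Review bot: the rewritten -s entry now says SHA-1 (160-bit) and "insecure by today's standards", but the reason is given only at the end of the page in the security notes, which point out that this format is unsalted; say it here as well ("unsalted SHA-1, for ldif compatibility only"), since the -s entry is what someone choosing a flag will actually read.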
    Use plaintext passwords. Though htpasswd will support @@ -245,13 +273,19 @@ distribution.
  • Comments
  • 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

    -

    The SHA encryption format does not use salting: for a given password, - there is only one encrypted representation. The crypt() and - MD5 formats permute the representation by prepending a random salt string, - to make dictionary attacks against the passwords more difficult.

    +

    The SHA-1 encryption format does not use salting: for a given + password, there is only one encrypted representation. The + crypt() and MD5 formats permute the representation by + prepending a random salt string, to make dictionary attacks + against the passwords more difficult.

    + +

    The SHA-1 and crypt() formats are insecure by + today's standards.

    -

    The SHA and crypt() formats are insecure by today's - standards.

    +

    The SHA-2-based crypt() formats (SHA-256 and + SHA-512) are supported on most modern Unix systems, and follow the + specification at https://www.akkadia.org/drepper/SHA-crypt.txt.

    +
    top

    Restrictions
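Review bot: placing the new SHA-2 paragraph right after "The SHA-1 and crypt() formats are insecure by today's standards" makes crypt() ambiguous: it now names both the traditional DES-based format selected by -d, which is insecure, and the SHA-256/SHA-512 crypt() formats, which are not. Qualify the sentence ("the SHA-1 and traditional crypt() formats") and, in the new paragraph, say that the SHA-2 crypt() formats are salted and iterated with the -r round count, because two paragraphs earlier the page contrasts salted with unsalted formats and names only crypt() and MD5 as salted; bcrypt is salted too and is missing from that list.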

    diff --git a/docs/manual/programs/htpasswd.xml.fr b/docs/manual/programs/htpasswd.xml.fr index 242f3339157..654f0de750d 100644 --- a/docs/manual/programs/htpasswd.xml.fr +++ b/docs/manual/programs/htpasswd.xml.fr @@ -1,7 +1,7 @@ - + diff --git a/docs/manual/programs/htpasswd.xml.ko b/docs/manual/programs/htpasswd.xml.ko index b128d69df7b..a94efbf4e61 100644 --- a/docs/manual/programs/htpasswd.xml.ko +++ b/docs/manual/programs/htpasswd.xml.ko @@ -1,7 +1,7 @@ - + +