are accurate, and others are way outdated.
- I'd like to expand the discussion of conditional logging, and add a
- few more useful exmaples.
+ few more useful examples.
That would be a good place to document logging of cache hit/miss:
https://issues.apache.org/bugzilla/show_bug.cgi?id=48241#c2
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
-# Norwegian (no) - Polish (pl) - Portugese (pt)
+# Norwegian (no) - Polish (pl) - Portuguese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Turkish (tr) - Simplified Chinese (zh-CN) - Spanish (es)
# Traditional Chinese (zh-TW)
# https://wiki.mozilla.org/Security/Server_Side_TLS
# These policies will be updated over time in new releases to keep
# settings compatible and secure with "modern" browser, or if you
-# need to support legacy installtions, "intermediate" might be your
+# need to support legacy installations, "intermediate" might be your
# choice.
# If you run the following command on your installation, the exact
# contents of the defined SSL policies will be listed:
.fi
.PP
-This creates the files /var/log/logfile\&.yyyy\&.mm where yyyy is the year and mm is the month\&. Every day at midnight, rotation will occur, including running programs specified with \fB-p\fR\&. Despite rotation ocurring, the filename will only change on the first rotation of the month\&. Rotation on other days will continue to output file and append to it\&.
+This creates the files /var/log/logfile\&.yyyy\&.mm where yyyy is the year and mm is the month\&. Every day at midnight, rotation will occur, including running programs specified with \fB-p\fR\&. Despite rotation occurring, the filename will only change on the first rotation of the month\&. Rotation on other days will continue to output file and append to it\&.
.nf
<directive
module="mod_negotiation">ForceLanguagePriority</directive>
directive can be used to override one or both of these error
- messages and substitute the servers judgement in the form of the
+ messages and substitute the servers judgment in the form of the
<directive module="mod_negotiation">LanguagePriority</directive>
directive.</p>
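Review bot: the changed line still reads "substitute the servers judgment", which is missing the possessive apostrophe. Since this line is being touched anyway, make it "the server's judgment" in the same commit.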
<note type="warning"><title>Note</title>
<p> This directive is evaluated at configuration processing time,
- not at runtime. As a result, this directive cannot be conditonally
+ not at runtime. As a result, this directive cannot be conditionally
evaluated by enclosing it in an <directive type="section" module="core"
>If</directive> section.</p>
</note>
<p>This directive allows to configure the size (in bytes) of the memory
buffer used to read data from the network or files.</p>
- <p>A larger buffer can increase peformances with larger data, but consumes
+ <p>A larger buffer can increase performances with larger data, but consumes
more memory per connection. The minimum configurable size is
<var>1024</var>.</p>
</usage>
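Review bot: "increase performances" on the corrected line is still not idiomatic English, because "performance" is uncountable in this sense. Suggest "A larger buffer can increase performance with larger data". The context line "This directive allows to configure" could become "This directive configures" while you are here.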
</li>
<li>When writing data to the client, the length of time to wait
- for an acknowledgement of a packet if the send buffer is
+ for an acknowledgment of a packet if the send buffer is
full.</li>
<li>In <module>mod_cgi</module> and <module>mod_cgid</module>,
<note type="warning"><title>Note</title>
<p> This directive is evaluated at configuration processing time,
- not at runtime. As a result, this directive cannot be conditonally
+ not at runtime. As a result, this directive cannot be conditionally
evaluated by enclosing it in an <directive type="section" module="core"
>If</directive> section.</p>
</note>
may be inadvertently derived from untrusted inputs. </p>
<p> Windows systems should be isolated at the network layer from
making outbound SMB/NTLM calls to unexpected destinations as a
- more comprehensive and pre-emptive measure.</p>
+ more comprehensive and preemptive measure.</p>
</note>
<note type="warning"><title>Directive Ordering</title>
<p>Aliases and Redirects occurring in different contexts are processed
like other directives according to standard <a
- href="../sections.html#mergin">merging rules</a>. But when multiple
+ href="../sections.html#merging">merging rules</a>. But when multiple
Aliases or Redirects occur in the same context (for example, in the
same <directive type="section" module="core">VirtualHost</directive>
section) they are processed in a particular order.</p>
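Review bot: the change from `href="../sections.html#mergin"` to `#merging` edits a link target rather than prose, so it is only correct if the section id in sections.html is `merging`. No hunk shown here touches that file. Please confirm the target id, or include the id rename in this commit, otherwise the link silently lands at the top of the page. The same fragment edit recurs in two later hunks and needs the same check.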
<p>The authentication type <code>None</code> disables authentication.
When authentication is enabled, it is normally inherited by each
- subsequent <a href="../sections.html#mergin">configuration section</a>,
+ subsequent <a href="../sections.html#merging">configuration section</a>,
unless a different authentication type is specified. If no
authentication is desired for a subsection of an authenticated
section, the authentication type <code>None</code> may be used;
<dl>
<dt>NONE</dt>
- <dd>Establish an unsecure connection on the default LDAP port. This
+ <dd>Establish an insecure connection on the default LDAP port. This
is the same as <code>ldap://</code> on port 389.</dd>
<dt>SSL</dt>
<dd>Establish a secure connection on the default secure LDAP port.
<p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
<var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
as the third parameter. The contents of the bearer token is still visible, and so
- the channel must still be protected from evesdropping through TLS.</p>
+ the channel must still be protected from eavesdropping through TLS.</p>
<p>If the signature is verified, and if present, the <var>sub</var> claim is
assigned to REMOTE_USER.</p>
<p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
<var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
as the third parameter. The contents of the bearer token is still visible, and so
- the channel must still be protected from evesdropping through TLS.</p>
+ the channel must still be protected from eavesdropping through TLS.</p>
<example><title>Verification Example</title>
<highlight language="config">
<usage>
<p>If authentication succeeds but authorization fails, Apache HTTPD will
respond with an HTTP response code of '401 UNAUTHORIZED' by default. This
- usually causes browsers to display the password dialogue to the user
+ usually causes browsers to display the password dialog to the user
again, which is not wanted in all situations.
<directive>AuthzSendForbiddenOnFailure</directive> allows to change the
response code to '403 FORBIDDEN'.</p>
<p>Order of processing is important and is affected both by the
order in the configuration file and by placement in <a
- href="../sections.html#mergin">configuration sections</a>. These
+ href="../sections.html#merging">configuration sections</a>. These
two directives have a different effect if reversed:</p>
<highlight language="config">
<p>Since 2.4.10, new measures are in place to avoid the reference time
from being inflated by cache hits or slow requests. First, the reference
- time is not updated if no backend LDAP conncetions were needed. Second,
+ time is not updated if no backend LDAP connections were needed. Second,
the reference time uses the time the HTTP request was received instead
of the time the request is completed.</p>
<usage>
<p>If set, this directive allows content-negotiated documents
to be cached by proxy servers. This could mean that clients
- behind those proxys could retrieve versions of the documents
+ behind those proxies could retrieve versions of the documents
that are not the best match for their abilities, but it will
make caching more efficient.</p>
behavior regarding reuse/keepalive of backend connections (which were
never reused before for these URLs), the parameter <var>enablereuse</var>
(or <var>disablereuse</var>) default to <code>off</code> (resp. <code>on</code>)
- in this case. Setting <code>enablereuse=on</code> explicitely allows to
+ in this case. Setting <code>enablereuse=on</code> explicitly allows to
reuse connections <strong>unless</strong> some backreference(s) belong in
the <code>authority</code> part (hostname and/or port) of the <var>url</var>
(this condition is enforced since Apache HTTP Server 2.4.55, and produces
<code>ssl_key_size</code> refer to the
corresponding pieces of HTTP and HTTPS.</p>
<p>The <code>jvm_route</code>, is used to support sticky
- sessions -- associating a user's sesson with a particular Tomcat instance
+ sessions -- associating a user's session with a particular Tomcat instance
in the presence of multiple, load-balancing servers.</p>
<p>The <code>secret</code> is sent when the <code>secret=secret_keyword</code>
parameter is used in
configure the Balancer and BalancerMembers.</p>
</section>
-<section id="stickyness">
- <title>Load balancer stickyness</title>
- <p>The balancer supports stickyness. When a request is proxied
+<section id="stickiness">
+ <title>Load balancer stickiness</title>
+ <p>The balancer supports stickiness. When a request is proxied
to some back-end, then all following requests from the same user
should be proxied to the same back-end. Many load balancers implement
this feature via a table that maps client IP addresses to back-ends.
This approach is transparent to clients and back-ends, but suffers
from some problems: unequal load distribution if clients are themselves
- hidden behind proxies, stickyness errors when a client uses a dynamic
- IP address that changes during a session and loss of stickyness, if the
+ hidden behind proxies, stickiness errors when a client uses a dynamic
+ IP address that changes during a session and loss of stickiness, if the
mapping table overflows.</p>
- <p>The module <module>mod_proxy_balancer</module> implements stickyness
+ <p>The module <module>mod_proxy_balancer</module> implements stickiness
on top of two alternative means: cookies and URL encoding. Providing the
cookie can be either done by the back-end or by the Apache web server
itself. The URL encoding is usually done on the back-end.</p>
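Review bot: renaming `<section id="stickyness">` to `id="stickiness"` changes the published anchor, so existing links and bookmarks to `#stickyness` will stop resolving. The later hunks do the same to `stickyness_implementation` and `stickyness_troubleshooting`. Either keep the old ids and correct only the titles and body text, or check the other manual pages and translations for references to the old fragments and update them in this commit.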
ProxyPassReverse "/test" "balancer://mycluster"
</highlight>
- <p>Another example of how to provide load balancing with stickyness
+ <p>Another example of how to provide load balancing with stickiness
using <module>mod_headers</module>, even if the back-end server does
not set a suitable session cookie:
</p>
containers can be dynamically controlled by the Manager.</p>
</section>
-<section id="stickyness_implementation">
- <title>Details on load balancer stickyness</title>
- <p>When using cookie based stickyness, you need to configure the
+<section id="stickiness_implementation">
+ <title>Details on load balancer stickiness</title>
+ <p>When using cookie based stickiness, you need to configure the
name of the cookie that contains the information about which back-end
to use. This is done via the <var>stickysession</var> attribute added
to either <directive module="mod_proxy">ProxyPass</directive> or
<directive module="mod_proxy">ProxySet</directive>. The cookie can either
be set by the back-end, or as shown in the above
<a href="#example">example</a> by the Apache web server itself.</p>
- <p>Some back-ends use a slightly different form of stickyness cookie,
+ <p>Some back-ends use a slightly different form of stickiness cookie,
for instance Apache Tomcat. Tomcat adds the name of the Tomcat instance
to the end of its session id cookie, separated with a dot (<code>.</code>)
from the session id. Thus if the Apache web server finds a dot in the value
- of the stickyness cookie, it only uses the part behind the dot to search
+ of the stickiness cookie, it only uses the part behind the dot to search
for the route. In order to let Tomcat know about its instance name, you
need to set the attribute <code>jvmRoute</code> inside the Tomcat
configuration file <code>conf/server.xml</code> to the value of the
The name of the session cookie used by Tomcat (and more generally by Java
web applications based on servlets) is <code>JSESSIONID</code>
(upper case) but can be configured to something else.</p>
- <p>The second way of implementing stickyness is URL encoding.
+ <p>The second way of implementing stickiness is URL encoding.
The web server searches for a query parameter in the URL of the request.
The name of the parameter is specified again using <var>stickysession</var>.
The value of the parameter is used to lookup a member worker with <var>route</var>
for the same request, the information from the request parameter is used.</p>
</section>
-<section id="stickyness_troubleshooting">
- <title>Troubleshooting load balancer stickyness</title>
- <p>If you experience stickyness errors, e.g. users lose their
+<section id="stickiness_troubleshooting">
+ <title>Troubleshooting load balancer stickiness</title>
+ <p>If you experience stickiness errors, e.g. users lose their
application sessions and need to login again, you first want to
check whether this is because the back-ends are sometimes unavailable
or whether your configuration is wrong. To find out about possible
stability problems with the back-ends, check your Apache error log
for proxy error messages.</p>
- <p>To verify your configuration, first check, whether the stickyness
+ <p>To verify your configuration, first check, whether the stickiness
is based on a cookie or on URL encoding. Next step would be logging
the appropriate data in the access log by using an enhanced
<directive module="mod_log_config">LogFormat</directive>.
<p>Common reasons for loss of session are session timeouts,
which are usually configurable on the back-end server.</p>
<p>The balancer also logs detailed information about handling
- stickyness to the error log, if the log level is set to
+ stickiness to the error log, if the log level is set to
<code>debug</code> or higher. This is an easy way to
- troubleshoot stickyness problems, but the log volume might
+ troubleshoot stickiness problems, but the log volume might
be too high for production servers under high load.</p>
</section>
<module>mod_xml2enc</module> (see <a href="#i18n">Internationalisation</a>)
and is a standard module in HTTPD 2.4 and development versions.</p>
</section>
-<section id="custom"><title>Customised HTML Parsing</title>
+<section id="custom"><title>Customized HTML Parsing</title>
<p>Internally, mod_proxy_html uses the HTMLParser module from the
third-party <a href="http://xmlsoft.org/">libxml2</a> library.
Unlike other libxml2 parsers, HTMLParser deals with HTML without
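Review bot: the title becomes "Customized HTML Parsing", but the context line just above still links to "Internationalisation" with the British spelling. If the goal is consistent American spelling, that link text and the title of the `#i18n` section it points at should be changed together. Otherwise leave both spellings alone.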
the compatibility policy is tested.</p>
<p>The <code>strict</code> policy blocks all HTTP requests which are
-identified with a different virtual host to that identifed by SNI.
+identified with a different virtual host to that identified by SNI.
The <code>insecure</code> policy allows all HTTP requests regardless
of virtual host identified; such a configuration may be vulnerable to
<a
module="mod_ssl">SSLCipherSuite</directive> and <directive
module="mod_ssl">SSLProtocol</directive>)</li>
- <li><strong>client vertification and authentication
+ <li><strong>client verification and authentication
settings</strong>: directives which affect TLS client certificate
verification or authentication, such as <directive
module="mod_ssl">SSLVerifyClient</directive>, <directive
not been tampered with.</dd>
<dt>Signed Certificate Timestamp (SCT)</dt>
- <dd>This is an acknowledgement from a log that it has accepted a valid
+ <dd>This is an acknowledgment from a log that it has accepted a valid
certificate. It is signed with the log's public key. One or more SCTs
is passed to clients during the handshake, either in the ServerHello
(TLS extension), certificate extension, or in a stapled OCSP response.</dd>
<p>During the build process, adding the keyword "install" to the makefile command line
will automatically produce a complete distribution package under the subdirectory
<code>DIST</code>. Install httpd by simply copying the distribution that was produced
- by the makfiles to the root of a NetWare volume (see: <a href="#comp">Compiling Apache httpd for
+ by the makefiles to the root of a NetWare volume (see: <a href="#comp">Compiling Apache httpd for
NetWare</a> below).</p>
</section>
or <code>-n</code>, httpd will use the file name compiled into the
server, such as <code>conf\httpd.conf</code>. This built-in path
is relative to the installation directory. You can verify the compiled
- file name from a value labelled as <code>SERVER_CONFIG_FILE</code> when
+ file name from a value labeled as <code>SERVER_CONFIG_FILE</code> when
invoking httpd with the <code>-V</code> switch, like this:</p>
<example>
<li>The server root compiled into the server. This is <code>
/apache</code> by default, you can verify it by using <code>
- httpd.exe -V</code> and looking for a value labelled as
+ httpd.exe -V</code> and looking for a value labeled as
<code>HTTPD_ROOT</code>.</li>
</ol>
same stdin, stdout, and stderr as rotatelogs itself, and also inherits
the environment.</p>
<p>When two parameters are provided, under some conditions the parameters
-will have the same value. For example, if rotation is triggerd but the
+will have the same value. For example, if rotation is triggered but the
portions of the time and date incorporated into the log filename do not change
across the rotation.</p>
</dd>
<p>This creates the files /var/log/logfile.yyyy.mm where
yyyy is the year and mm is the month. Every day at midnight, rotation
will occur, including running programs specified with <code>-p</code>.
- Despite rotation ocurring, the filename will only change on the first
+ Despite rotation occurring, the filename will only change on the first
rotation of the month. Rotation on other days will continue to output file
and append to it.
</p>
<section id="flag_unsafe_allow_3f"><title>UnsafeAllow3F</title>
<p> Setting this flag is required to allow a rewrite to continue If the
HTTP request being written has an encoded question mark, '%3f', and the
- rewritten result has a '?' in the substiution. This protects from a malicious
+ rewritten result has a '?' in the substitution. This protects from a malicious
URL taking advantage of a capture and re-substitution of the encoded
question mark.</p>
</section>
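Review bot: the context line "to allow a rewrite to continue If the" still has a capitalized "If" mid-sentence, and there is a stray space after the opening `<p>`. Both are in the same paragraph as the "substitution" fix and are worth correcting in this pass, since this paragraph documents a security-relevant flag and should read cleanly.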
<dt>Solutions:</dt>
<dd>
<p> Many of the solutions in this section will all use the same condition,
-which leaves the matched value in the %2 backreference. %1 is the beginining
+which leaves the matched value in the %2 backreference. %1 is the beginning
of the query string (up to the key of intererest), and %3 is the remainder. This
condition is a bit complex for flexibility and to avoid double '&&' in the
substitutions.</p>
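Review bot: the line directly after the corrected "beginning" still contains "intererest" in "(up to the key of intererest)". That typo is in the same sentence and should be fixed to "interest" in this commit.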
<p>The <module>mod_auth_basic</module> method is generally required when
the certificates are completely arbitrary, or when their DNs have
- no common fields (usually the organisation, etc.). In this case,
+ no common fields (usually the organization, etc.). In this case,
you should establish a password database containing <em>all</em>
clients allowed, as follows:</p>
applicable to a general-purpose web server.</p>
<p> Name-based virtual hosting builds off of the IP-based virtual host
- selection algorithm, meaning that comparisons of ther requested hostname
+ selection algorithm, meaning that comparisons of the requested hostname
to configured hostnames occurs only within the set of virtual hosts that
share the most specific IP:PORT based match at the network layer.</p>