From: Jim Jagielski Date: Fri, 23 Sep 2011 13:36:39 +0000 (+0000) Subject: Cleanup effort in prep for GA push: X-Git-Tag: 2.3.15~202 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=69c1a5c854b89a80cf5ca08b7b38d9f0a88c2667;p=thirdparty%2Fapache%2Fhttpd.git Cleanup effort in prep for GA push: Trim trailing whitespace... no func change git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1174747 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/bind.xml b/docs/manual/bind.xml index d91d7440001..f64ced7d974 100644 --- a/docs/manual/bind.xml +++ b/docs/manual/bind.xml @@ -49,10 +49,10 @@

When httpd starts, it binds to some port and address on the local machine and waits for incoming requests. By default, it listens to all addresses on the machine. However, it may need to - be told to listen on specific ports, or only on selected - addresses, or a combination of both. This is often combined with the - Virtual Host feature, which determines how - httpd responds to different IP addresses, hostnames and + be told to listen on specific ports, or only on selected + addresses, or a combination of both. This is often combined with the + Virtual Host feature, which determines how + httpd responds to different IP addresses, hostnames and ports.

The Listen @@ -60,9 +60,9 @@ incoming requests only on the specified port(s) or address-and-port combinations. If only a port number is specified in the Listen - directive, the server listens to the given port on all interfaces. + directive, the server listens to the given port on all interfaces. If an IP address is given as well as a port, the server will listen - on the given port and interface. Multiple Listen directives may be used to specify a number of addresses and ports to listen on. The server will respond to requests from any of the listed @@ -91,10 +91,10 @@ Listen [2001:db8::a00:20ff:fea7:ccea]:80 -

Overlapping Listen directives will result in a +

Overlapping Listen directives will result in a fatal error which will prevent the server from starting up.

- + (48)Address already in use: make_sock: could not bind to address [::]:80 @@ -107,32 +107,32 @@

A growing number of platforms implement IPv6, and APR supports IPv6 on most of these platforms, - allowing httpd to allocate IPv6 sockets, and to handle requests sent + allowing httpd to allocate IPv6 sockets, and to handle requests sent over IPv6.

One complicating factor for httpd administrators is whether or - not an IPv6 socket can handle both IPv4 connections and IPv6 - connections. Handling IPv4 connections with an IPv6 socket uses - IPv4-mapped IPv6 addresses, which are allowed by default on most - platforms, but are disallowed by default on FreeBSD, NetBSD, and + not an IPv6 socket can handle both IPv4 connections and IPv6 + connections. Handling IPv4 connections with an IPv6 socket uses + IPv4-mapped IPv6 addresses, which are allowed by default on most + platforms, but are disallowed by default on FreeBSD, NetBSD, and OpenBSD, in order to match the system-wide policy on those - platforms. On systems where it is disallowed by default, a + platforms. On systems where it is disallowed by default, a special configure parameter can change this behavior for httpd.

-

On the other hand, on some platforms, such as Linux and Tru64, the - only way to handle both IPv6 and IPv4 is to use - mapped addresses. If you want httpd to handle IPv4 and IPv6 connections - with a minimum of sockets, which requires using IPv4-mapped IPv6 +

On the other hand, on some platforms, such as Linux and Tru64, the + only way to handle both IPv6 and IPv4 is to use + mapped addresses. If you want httpd to handle IPv4 and IPv6 connections + with a minimum of sockets, which requires using IPv4-mapped IPv6 addresses, specify the --enable-v4-mapped configure option.

-

--enable-v4-mapped is the default on all platforms except - FreeBSD, NetBSD, and OpenBSD, so this is probably how your httpd was +

--enable-v4-mapped is the default on all platforms except + FreeBSD, NetBSD, and OpenBSD, so this is probably how your httpd was built.

-

If you want httpd to handle IPv4 connections only, regardless of - what your platform and APR will support, specify an IPv4 address on all +

If you want httpd to handle IPv4 connections only, regardless of + what your platform and APR will support, specify an IPv4 address on all Listen directives, as in the following examples:

@@ -141,8 +141,8 @@ Listen 192.0.2.1:80 -

If your platform supports it and you want httpd to handle IPv4 and - IPv6 connections on separate sockets (i.e., to disable IPv4-mapped +

If your platform supports it and you want httpd to handle IPv4 and + IPv6 connections on separate sockets (i.e., to disable IPv4-mapped addresses), specify the --disable-v4-mapped configure option. --disable-v4-mapped is the default on FreeBSD, NetBSD, and OpenBSD.

@@ -152,14 +152,14 @@ Specifying the protocol with Listen

The optional second protocol argument of Listen - is not required for most - configurations. If not specified, https is the default for - port 443 and http the default for all other ports. The + is not required for most + configurations. If not specified, https is the default for + port 443 and http the default for all other ports. The protocol is used to determine which module should handle a request, and - to apply protocol specific optimizations with the + to apply protocol specific optimizations with the AcceptFilter directive.

-

You only need to set the protocol if you are running on non-standard +

You only need to set the protocol if you are running on non-standard ports. For example, running an https site on port 8443:

@@ -171,7 +171,7 @@ How This Works With Virtual Hosts

The Listen directive does not implement + module="mpm_common">Listen directive does not implement Virtual Hosts - it only tells the main server what addresses and ports to listen on. If no VirtualHost diff --git a/docs/manual/caching.xml b/docs/manual/caching.xml index 4e462448167..20d5619f2a6 100644 --- a/docs/manual/caching.xml +++ b/docs/manual/caching.xml @@ -26,9 +26,9 @@

This document supplements the mod_cache, - mod_cache_disk, mod_file_cache and mod_cache_disk, mod_file_cache and htcacheclean reference documentation. - It describes how to use the Apache HTTP Server's caching features to accelerate web and + It describes how to use the Apache HTTP Server's caching features to accelerate web and proxy serving, while avoiding common problems and misconfigurations.

 @@ -41,44 +41,44 @@ caching architectures provide a powerful means to accelerate HTTP handling, both as an origin webserver and as a proxy.

-

mod_cache and its provider modules - mod_cache_disk +

mod_cache and its provider modules + mod_cache_disk provide intelligent, HTTP-aware caching. The content itself is stored in the cache, and mod_cache aims to honor all of the various HTTP headers and options that control the cachability of content. It can handle both local and proxied content. mod_cache is aimed at both simple and complex caching configurations, where - you are dealing with proxied content, dynamic local content or - have a need to speed up access to local files which change with + you are dealing with proxied content, dynamic local content or + have a need to speed up access to local files which change with time.

mod_file_cache on the other hand presents a more basic, but sometimes useful, form of caching. Rather than maintain the complexity of actively ensuring the cachability of URLs, - mod_file_cache offers file-handle and memory-mapping - tricks to keep a cache of files as they were when httpd was last - started. As such, mod_file_cache is aimed at improving + mod_file_cache offers file-handle and memory-mapping + tricks to keep a cache of files as they were when httpd was last + started. As such, mod_file_cache is aimed at improving the access time to local static files which do not change very often.

As mod_file_cache presents a relatively simple - caching implementation, apart from the specific sections on CacheFile and CacheFile and MMapFile, the explanations - in this guide cover the mod_cache caching + in this guide cover the mod_cache caching architecture.

-

To get the most from this document, you should be familiar with - the basics of HTTP, and have read the Users' Guides to - Mapping URLs to the Filesystem and +

To get the most from this document, you should be familiar with + the basics of HTTP, and have read the Users' Guides to + Mapping URLs to the Filesystem and Content negotiation.

- +
Caching Overview - + mod_cache @@ -98,7 +98,7 @@

There are two main stages in mod_cache that can occur in the lifetime of a request. First, mod_cache is a URL mapping module, which means that if a URL has been cached, - and the cached version of that URL has not expired, the request will + and the cached version of that URL has not expired, the request will be served directly by mod_cache.

This means that any other stages that might ordinarily happen @@ -110,7 +110,7 @@

If the URL is not found within the cache, mod_cache will add a filter to the request handling. After httpd has located the content by the usual means, the filter will be run - as the content is served. If the content is determined to be cacheable, + as the content is served. If the content is determined to be cacheable, the content will be saved to the cache for future serving.

If the URL is found within the cache, but also found to have expired, @@ -125,8 +125,8 @@

Improving Cache Hits -

When caching locally generated content, ensuring that - UseCanonicalName is set to +

When caching locally generated content, ensuring that + UseCanonicalName is set to On can dramatically improve the ratio of cache hits. This is because the hostname of the virtual-host serving the content forms a part of the cache key. With the setting set to On @@ -134,10 +134,10 @@ differently cached entities, and instead content will be cached as per the canonical hostname.

-

Because caching is performed within the URL to filename translation +

Because caching is performed within the URL to filename translation phase, cached documents will only be served in response to URL requests. Ordinarily this is of little consequence, but there is one circumstance - in which it matters: If you are using Server + in which it matters: If you are using Server Side Includes;

@@ -152,19 +152,19 @@ serves from the cache, you should use virtual include types.

- +
Expiry Periods - -

The default expiry period for cached entities is one hour, however - this can be easily over-ridden by using the The default expiry period for cached entities is one hour, however + this can be easily over-ridden by using the CacheDefaultExpire directive. This default is only used when the original source of the content does not specify an expire time or time of last modification.

If a response does not include an Expires header but does include a Last-Modified header, mod_cache - can infer an expiry period based on the use of the CacheLastModifiedFactor directive.

For local content, mod_expires may be used to @@ -178,29 +178,29 @@

A Brief Guide to Conditional Requests -

When content expires from the cache and is re-requested from the +

When content expires from the cache and is re-requested from the backend or content provider, rather than pass on the original request, httpd will use a conditional request instead.

HTTP offers a number of headers which allow a client, or cache to discern between different versions of the same content. For example if a resource was served with an "Etag:" header, it is - possible to make a conditional request with an "If-None-Match:" + possible to make a conditional request with an "If-None-Match:" header. If a resource was served with a "Last-Modified:" header - it is possible to make a conditional request with an + it is possible to make a conditional request with an "If-Modified-Since:" header, and so on.

When such a conditional request is made, the response differs - depending on whether the content matches the conditions. If a request is - made with an "If-Modified-Since:" header, and the content has not been - modified since the time indicated in the request then a terse "304 Not + depending on whether the content matches the conditions. If a request is + made with an "If-Modified-Since:" header, and the content has not been + modified since the time indicated in the request then a terse "304 Not Modified" response is issued.

If the content has changed, then it is served as if the request were not conditional to begin with.

-

The benefits of conditional requests in relation to caching are - twofold. Firstly, when making such a request to the backend, if the +

The benefits of conditional requests in relation to caching are + twofold. Firstly, when making such a request to the backend, if the content from the backend matches the content in the store, this can be determined easily and without the overhead of transferring the entire resource.

@@ -213,30 +213,30 @@ from the cache if it has not changed. As long as reading from the cache store is faster than reading from the backend (e.g. mod_cache_disk with memory disk - compared to reading from disk).

+ compared to reading from disk).

What Can be Cached? -

As mentioned already, the two styles of caching in httpd work - differently, mod_file_cache caching maintains file - contents as they were when httpd was started. When a request is - made for a file that is cached by this module, it is intercepted +

As mentioned already, the two styles of caching in httpd work + differently, mod_file_cache caching maintains file + contents as they were when httpd was started. When a request is + made for a file that is cached by this module, it is intercepted and the cached file is served.

mod_cache caching on the other hand is more complex. When serving a request, if it has not been cached previously, the caching module will determine if the content - is cacheable. The conditions for determining cachability of + is cacheable. The conditions for determining cachability of a response are;

    -
  1. Caching must be enabled for this URL. See the Caching must be enabled for this URL. See the CacheEnable and CacheDisable directives.
    2. -
  2. The response must have a HTTP status code of 200, 203, 300, 301 or +
  3. The response must have a HTTP status code of 200, 203, 300, 301 or 410.
  4. The request must be a HTTP GET request.
    5. @@ -257,17 +257,17 @@
  5. If the response has a status of 200 (OK), the response must also include at least one of the "Etag", "Last-Modified" or the "Expires" headers, or the max-age or s-maxage directive of - the "Cache-Control:" header, unless the - CacheIgnoreNoLastMod + the "Cache-Control:" header, unless the + CacheIgnoreNoLastMod directive has been used to require otherwise.
  6. If the response includes the "private" option in a "Cache-Control:" - header, it will not be stored unless the + header, it will not be stored unless the CacheStorePrivate has been used to require otherwise.
    7. -
  7. Likewise, if the response includes the "no-store" option in a - "Cache-Control:" header, it will not be stored unless the +
  8. Likewise, if the response includes the "no-store" option in a + "Cache-Control:" header, it will not be stored unless the CacheStoreNoStore has been used.
    9. @@ -278,7 +278,7 @@
    What Should Not be Cached? - +

    In short, any content which is highly time-sensitive, or which varies depending on the particulars of the request that are not covered by HTTP negotiation, should not be cached.

    @@ -295,11 +295,11 @@
    Variable/Negotiated Content -

    If a response with a "Vary" header is received by +

    If a response with a "Vary" header is received by mod_cache when requesting content by the backend it - will attempt to handle it intelligently. If possible, + will attempt to handle it intelligently. If possible, mod_cache will detect the headers attributed in the - "Vary" response in future requests and serve the correct cached + "Vary" response in future requests and serve the correct cached response.

    If for example, a response is received with a vary header such as;

    @@ -348,20 +348,20 @@ Vary: negotiate,accept-language,accept-charset

    As requests to end-users can be served from the cache, the cache itself can become a target for those wishing to deface or interfere with content. It is important to bear in mind that the cache must at all - times be writable by the user which httpd is running as. This is in + times be writable by the user which httpd is running as. This is in stark contrast to the usually recommended situation of maintaining all content unwritable by the Apache user.

    If the Apache user is compromised, for example through a flaw in a CGI process, it is possible that the cache may be targeted. When - using mod_cache_disk, it is relatively easy to + using mod_cache_disk, it is relatively easy to insert or modify a cached entity.

    -

    This presents a somewhat elevated risk in comparison to the other - types of attack it is possible to make as the Apache user. If you are - using mod_cache_disk you should bear this in mind - - ensure you upgrade httpd when security upgrades are announced and - run CGI processes as a non-Apache user using This presents a somewhat elevated risk in comparison to the other + types of attack it is possible to make as the Apache user. If you are + using mod_cache_disk you should bear this in mind - + ensure you upgrade httpd when security upgrades are announced and + run CGI processes as a non-Apache user using suEXEC if possible.

    @@ -370,8 +370,8 @@ Vary: negotiate,accept-language,accept-charset Cache Poisoning

    When running httpd as a caching proxy server, there is also the - potential for so-called cache poisoning. Cache Poisoning is a broad - term for attacks in which an attacker causes the proxy server to + potential for so-called cache poisoning. Cache Poisoning is a broad + term for attacks in which an attacker causes the proxy server to retrieve incorrect (and usually undesirable) content from the backend.

    @@ -402,33 +402,33 @@ Vary: negotiate,accept-language,accept-charset -

    The act of opening a file can itself be a source of delay, particularly +

    The act of opening a file can itself be a source of delay, particularly on network filesystems. By maintaining a cache of open file descriptors for commonly served files, httpd can avoid this delay. Currently httpd - provides one implementation of File-Handle Caching.

    + provides one implementation of File-Handle Caching.

    CacheFile

    The most basic form of caching present in httpd is the file-handle - caching provided by mod_file_cache. Rather than caching - file-contents, this cache maintains a table of open file descriptors. Files + caching provided by mod_file_cache. Rather than caching + file-contents, this cache maintains a table of open file descriptors. Files to be cached in this manner are specified in the configuration file using - the CacheFile + the CacheFile directive.

    -

    The - CacheFile directive - instructs httpd to open the file when it is started and to re-use +

    The + CacheFile directive + instructs httpd to open the file when it is started and to re-use this file-handle for all subsequent access to this file.

    CacheFile /usr/local/apache2/htdocs/index.html -

    If you intend to cache a large number of files in this manner, you - must ensure that your operating system's limit for the number of open +

    If you intend to cache a large number of files in this manner, you + must ensure that your operating system's limit for the number of open files is set appropriately.

    Although using CacheFile @@ -446,7 +446,7 @@ Vary: negotiate,accept-language,accept-charset

    - +
    In-Memory Caching @@ -460,7 +460,7 @@ Vary: negotiate,accept-language,accept-charset MMapFile - +

    Serving directly from system memory is universally the fastest method of serving content. Reading files from a disk controller or, even worse, from a remote network is orders of magnitude slower. Disk controllers @@ -470,12 +470,12 @@ Vary: negotiate,accept-language,accept-charset

    System memory isn't cheap though, byte for byte it's by far the most expensive type of storage and it's important to ensure that it is used - efficiently. By caching files in memory you decrease the amount of + efficiently. By caching files in memory you decrease the amount of memory available on the system. As we'll see, in the case of operating system caching, this is not so much of an issue, but when using httpd's own in-memory caching it is important to make sure that you do not allocate too much memory to a cache. Otherwise the system - will be forced to swap out memory, which will likely degrade + will be forced to swap out memory, which will likely degrade performance.

    @@ -502,28 +502,28 @@ sys 0m0.000s of time it takes to read the file. This is because the kernel has cached the file contents in memory.

    -

    By ensuring there is "spare" memory on your system, you can ensure - that more and more file-contents will be stored in this cache. This - can be a very efficient means of in-memory caching, and involves no +

    By ensuring there is "spare" memory on your system, you can ensure + that more and more file-contents will be stored in this cache. This + can be a very efficient means of in-memory caching, and involves no extra configuration of httpd at all.

    -

    Additionally, because the operating system knows when files are - deleted or modified, it can automatically remove file contents from the - cache when necessary. This is a big advantage over httpd's in-memory +

    Additionally, because the operating system knows when files are + deleted or modified, it can automatically remove file contents from the + cache when necessary. This is a big advantage over httpd's in-memory caching which has no way of knowing when a file has changed.

    Despite the performance and advantages of automatic operating system - caching there are some circumstances in which in-memory caching may be + caching there are some circumstances in which in-memory caching may be better performed by httpd.

    MMapFile Caching -

    mod_file_cache provides the +

    mod_file_cache provides the MMapFile directive, which allows you to have httpd map a static file's contents into memory at - start time (using the mmap system call). httpd will use the in-memory + start time (using the mmap system call). httpd will use the in-memory contents for all subsequent accesses to this file.

    @@ -535,7 +535,7 @@ sys 0m0.000s changes in these files will not be picked up by httpd after it has started.

    -

    The MMapFile +

    The MMapFile directive does not keep track of how much memory it allocates, so you must ensure not to over-use the directive. Each httpd child process will replicate this memory, so it is critically important @@ -543,7 +543,7 @@ sys 0m0.000s system to swap memory.

    - +
    Disk-based Caching @@ -556,14 +556,14 @@ sys 0m0.000s CacheDisable - -

    mod_cache_disk provides a disk-based caching mechanism + +

    mod_cache_disk provides a disk-based caching mechanism for mod_cache. This cache is intelligent and content will be served from the cache only as long as it is considered valid.

    Typically the module will be configured as so;

    - + CacheRoot /var/cache/apache/
    CacheEnable disk /
    CacheDirLevels 2
    @@ -571,8 +571,8 @@ CacheDirLength 1

    Importantly, as the cached files are locally stored, operating system - in-memory caching will typically be applied to their access also. So - although the files are stored on disk, if they are frequently accessed + in-memory caching will typically be applied to their access also. So + although the files are stored on disk, if they are frequently accessed it is likely the operating system will ensure that they are actually served from memory.

    @@ -590,68 +590,68 @@ CacheDirLength 1 as a prefix for the naming of the files specific to that URL within the cache, however first it is split up into directories as per the CacheDirLevels and - CacheDirLength + CacheDirLength directives.

    -

    CacheDirLevels +

    CacheDirLevels specifies how many levels of subdirectory there should be, and CacheDirLength specifies how many characters should be in each directory. With the example settings given above, the hash would be turned into - a filename prefix as + a filename prefix as /var/cache/apache/x/y/TGxSMO2b68mBCykqkp1w.

    The overall aim of this technique is to reduce the number of subdirectories or files that may be in a particular directory, as most file-systems slow down as this number increases. With - setting of "1" for + setting of "1" for CacheDirLength - there can at most be 64 subdirectories at any particular level. + there can at most be 64 subdirectories at any particular level. With a setting of 2 there can be 64 * 64 subdirectories, and so on. Unless you have a good reason not to, using a setting of "1" for CacheDirLength is recommended.

    -

    Setting +

    Setting CacheDirLevels depends on how many files you anticipate to store in the cache. With the setting of "2" used in the above example, a grand total of 4096 subdirectories can ultimately be created. With - 1 million files cached, this works out at roughly 245 cached + 1 million files cached, this works out at roughly 245 cached URLs per directory.

    Each URL uses at least two files in the cache-store. Typically - there is a ".header" file, which includes meta-information about + there is a ".header" file, which includes meta-information about the URL, such as when it is due to expire and a ".data" file which is a verbatim copy of the content to be served.

    In the case of a content negotiated via the "Vary" header, a - ".vary" directory will be created for the URL in question. This + ".vary" directory will be created for the URL in question. This directory will have multiple ".data" files corresponding to the differently negotiated content.

    Maintaining the Disk Cache - +

    Although mod_cache_disk will remove cached content as it is expired, it does not maintain any information on the total size of the cache or how little free space may be left.

    -

    Instead, provided with httpd is the Instead, provided with httpd is the htcacheclean tool which, as the name - suggests, allows you to clean the cache periodically. Determining - how frequently to run htcacheclean and what target size to + suggests, allows you to clean the cache periodically. Determining + how frequently to run htcacheclean and what target size to use for the cache is somewhat complex and trial and error may be needed to select optimal values.

    -

    htcacheclean has two modes of - operation. It can be run as persistent daemon, or periodically from - cron. htcacheclean can take up to an hour - or more to process very large (tens of gigabytes) caches and if you are - running it from cron it is recommended that you determine how long a typical +

    htcacheclean has two modes of + operation. It can be run as persistent daemon, or periodically from + cron. htcacheclean can take up to an hour + or more to process very large (tens of gigabytes) caches and if you are + running it from cron it is recommended that you determine how long a typical run takes, to avoid running more than one instance at a time.

    @@ -661,8 +661,8 @@ CacheDirLength 1 cache growth / clean sequence.

    Because mod_cache_disk does not itself pay attention - to how much space is used you should ensure that - htcacheclean is configured to + to how much space is used you should ensure that + htcacheclean is configured to leave enough "grow room" following a clean.

    diff --git a/docs/manual/content-negotiation.xml b/docs/manual/content-negotiation.xml index f0a007cc2e2..2076152d20e 100644 --- a/docs/manual/content-negotiation.xml +++ b/docs/manual/content-negotiation.xml @@ -74,7 +74,7 @@

    httpd supports 'server driven' content negotiation, as defined in the HTTP/1.1 specification. It fully supports the Accept, Accept-Language, - Accept-Charset andAccept-Encoding + Accept-Charset andAccept-Encoding request headers. httpd also supports 'transparent' content negotiation, which is an experimental negotiation protocol defined in RFC 2295 and RFC 2296. It does not offer @@ -129,7 +129,7 @@ .var. In the examples shown below, the resource is named foo, so the type map file is named foo.var.

    - +

    This file should have an entry for each available variant; these entries consist of contiguous HTTP-format header lines. Entries for different variants are separated by blank @@ -337,7 +337,7 @@ not selected at each test are eliminated. After each test, if only one variant remains, select it as the best match and proceed to step 3. If more than one variant remains, - move on to the next test. + move on to the next test.

    1. Multiply the quality factor from the Accept @@ -519,7 +519,7 @@
Extensions to Transparent Content -Negotiation +Negotiation

httpd extends the transparent content negotiation protocol (RFC 2295) as follows. A new {encoding ..} element is used in diff --git a/docs/manual/custom-error.xml b/docs/manual/custom-error.xml index d687d7e524a..c62ab13247f 100644 --- a/docs/manual/custom-error.xml +++ b/docs/manual/custom-error.xml @@ -29,7 +29,7 @@

Although the Apache HTTP Server provides generic error responses in the event of 4xx or 5xx HTTP status codes, these responses are rather stark, uninformative, and can be intimidating to site users. - You may wish to provide custom error responses which are either + You may wish to provide custom error responses which are either friendlier, or in some language other than English, or perhaps which are styled more in line with your site layout.

@@ -52,7 +52,7 @@ module="core">ErrorDocument directive, which may be used in global, virtualhost, or directory context. It may be used in .htaccess files - if AllowOverride is set to + if AllowOverride is set to FileInfo.

@@ -157,8 +157,8 @@

Note that if the response contains Location: header (in order to issue a client-side redirect), the script - must emit an appropriate Status: header - (such as 302 Found). Otherwise the + must emit an appropriate Status: header + (such as 302 Found). Otherwise the Location: header may have no effect.

@@ -191,7 +191,7 @@ provide more useful information to users about your site, and what they can expect to find there.

-

mod_include and mod_negotiation +

mod_include and mod_negotiation must be enabled to use this feature.

diff --git a/docs/manual/developer/API.xml b/docs/manual/developer/API.xml index 3278aa52d8f..ab9c5dd7072 100644 --- a/docs/manual/developer/API.xml +++ b/docs/manual/developer/API.xml @@ -53,7 +53,7 @@
diff --git a/docs/manual/dns-caveats.xml b/docs/manual/dns-caveats.xml index f9d9841b654..c715450f10c 100644 --- a/docs/manual/dns-caveats.xml +++ b/docs/manual/dns-caveats.xml @@ -123,7 +123,7 @@ users typed in URLs of the form http://www.example2.dom/whatever) will all be served by the example1.dom virtual host. To better understand why - this happens requires a more in-depth discussion of how httpd + this happens requires a more in-depth discussion of how httpd matches up incoming requests with the virtual host that will serve it. A rough document describing this is available.

@@ -152,7 +152,7 @@ or maybe /etc/nsswitch.conf.

If your server doesn't have to perform DNS for any other - reason then you might be able to get away with running httpd + reason then you might be able to get away with running httpd with the HOSTRESORDER environment variable set to "local". This all depends on what OS and resolver libraries you are using. It also affects CGIs unless you use diff --git a/docs/manual/dso.xml b/docs/manual/dso.xml index ef73294ef83..98bb1d5345c 100644 --- a/docs/manual/dso.xml +++ b/docs/manual/dso.xml @@ -117,7 +117,7 @@ $ make install Build and install a third-party Apache httpd module, say mod_foo.c, into its own DSO mod_foo.so outside of the Apache httpd - source tree using apxs: + source tree using apxs: $ cd /path/to/3rdparty
diff --git a/docs/manual/env.xml b/docs/manual/env.xml index 63d94008fce..369eaf8993a 100644 --- a/docs/manual/env.xml +++ b/docs/manual/env.xml @@ -140,7 +140,7 @@ not be a number. Characters which do not match this restriction will be replaced by an underscore when passed to CGI scripts and SSI pages. - +

  • A special case are HTTP headers which are passed to CGI scripts and the like via environment variables (see below). They are converted to uppercase and only dashes are replaced with @@ -346,7 +346,7 @@

    When set, mod_cache will not save an otherwise cacheable response. This environment variable does not influence - whether a response already in the cache will be served for the current + whether a response already in the cache will be served for the current request.

    @@ -432,7 +432,7 @@
    Passing broken headers to CGI scripts - +

    Starting with version 2.4, Apache is more strict about how HTTP headers are converted to environment variables in mod_cgi and other modules: Previously any invalid characters @@ -440,12 +440,12 @@ for some potential cross-site-scripting attacks via header injection (see Unusual Web Bugs, slide 19/20).

    - +

    If you have to support a client which sends broken headers and which can't be fixed, a simple workaround involving mod_setenvif and mod_header allows you to still accept these headers:

    - + #
    # The following works around a client sending a broken Accept_Encoding
    @@ -454,7 +454,7 @@ SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
    RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding     - +
    diff --git a/docs/manual/filter.xml b/docs/manual/filter.xml index bfcdbc96d26..52281f77afa 100644 --- a/docs/manual/filter.xml +++ b/docs/manual/filter.xml @@ -143,9 +143,9 @@ an application server stack, where an output filter provides the transformation required on the request body. For example, the mod_deflate module might be used to provide a general compression service, or an image transformation filter might be turned into an image transformation service.

    - +
    - +
    Using Filters

    There are two ways to use filtering: Simple and Dynamic. diff --git a/docs/manual/glossary.xml b/docs/manual/glossary.xml index 91825abe7a7..3bc7dae09eb 100644 --- a/docs/manual/glossary.xml +++ b/docs/manual/glossary.xml @@ -39,13 +39,13 @@ href="howto/auth.html">Authentication, Authorization, and Access Control - +

    Algorithm
    An unambiguous formula or set of rules for solving a problem in a finite number of steps. Algorithms for encryption are usually called Ciphers.
    - +
    APache eXtension Tool (apxs)
    A perl script that aids in compiling - +
    Context
    An area in the configuration files where certain types of Certificate.
    See: SSL/TLS Encryption
    - +
    Directive
    A configuration command that controls one or more aspects of Apache's behavior. Directives are placed in the Filters
    -
    Fully-Qualified Domain-Name (FQDN)
    The unique name of a network entity, consisting of a hostname and a domain name that can resolve to an IP address. For example, www is a hostname, example.com is a domain name, and www.example.com is a fully-qualified domain name. -
    - + +
    Handler
    An internal Apache representation of the action to be performed when a file is called. Generally, files have implicit handlers, based on the file @@ -237,9 +237,9 @@
    The part of the HTTP request and response that is sent before the actual content, and that contains meta-information describing the content. -
    - -
    .htaccess
    + + +
    .htaccess
    A configuration file that is placed inside the web tree and applies configuration directives to the directory where it is @@ -269,15 +269,15 @@ communication mechanism on the World Wide Web. This is actually just HTTP over SSL.
    See: SSL/TLS Encryption -
    +
    Method
    In the context of HTTP, an action to perform on a resource, specified on the request line by the client. Some of the methods available in HTTP are GET, POST, and PUT. -
    - + +
    Message Digest
    A hash of a message, which can be used to verify that the contents of the message have not been altered in transit.
    @@ -343,7 +343,7 @@ sign outgoing ones.
    See: SSL/TLS Encryption
    - +
    Proxy
    An intermediate server that sits between the client and the origin server. It accepts requests from clients, transmits those requests @@ -398,7 +398,7 @@ as if it is an origin server. This is useful to hide the real origin server from the client for security reasons, or to load balance.
    - +
    Secure Sockets Layer (SSL)
    A protocol created by Netscape Communications Corporation for general diff --git a/docs/manual/handler.xml b/docs/manual/handler.xml index 726fb6e792e..08a59ea4ddf 100644 --- a/docs/manual/handler.xml +++ b/docs/manual/handler.xml @@ -66,7 +66,7 @@ Extensions.)

    Handlers can either be built into the server or included in - a module, or they can be added with the Action directive. The built-in handlers in the standard distribution are as follows:

    diff --git a/docs/manual/howto/access.xml b/docs/manual/howto/access.xml index 7cd538222af..fe386be2aaa 100644 --- a/docs/manual/howto/access.xml +++ b/docs/manual/howto/access.xml @@ -35,7 +35,7 @@

    Access control can be done by several different modules. The most important of these are mod_authz_core and - mod_authz_host. Also discussed in this document + mod_authz_host. Also discussed in this document is access control using mod_rewrite.

    @@ -58,7 +58,7 @@

    The Allow, - Deny, and + Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and @@ -72,8 +72,8 @@ Require ip ip.address -

    In the first form, address is a fully qualified - domain name (or a partial domain name); you may provide multiple +

    In the first form, address is a fully qualified + domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.

    In the second form, ip.address is an IP address, a diff --git a/docs/manual/howto/cgi.xml b/docs/manual/howto/cgi.xml index 23cd9bac4c6..c917bdfc637 100644 --- a/docs/manual/howto/cgi.xml +++ b/docs/manual/howto/cgi.xml @@ -71,7 +71,7 @@

    ScriptAlias -

    The +

    The ScriptAlias directive tells Apache that a particular directory is set @@ -106,7 +106,7 @@

    For example, if the URL http://www.example.com/cgi-bin/test.pl - is requested, Apache will attempt to execute the file + is requested, Apache will attempt to execute the file /usr/local/apache2/cgi-bin/test.pl and return the output. Of course, the file will have to exist, and be executable, and return output in a particular @@ -122,7 +122,7 @@ use CGI programs. However, if the proper security precautions are taken, there is no reason why CGI programs cannot be run from arbitrary directories. For example, you may wish to let users - have web content in their home directories with the + have web content in their home directories with the UserDir directive. If they want to have their own CGI programs, but don't have access to the main cgi-bin directory, they will need to be able to @@ -134,7 +134,7 @@ module="mod_mime">AddHandler or SetHandler directive. Second, ExecCGI must be specified in the Options directive.

    + module="core">Options directive.

    @@ -235,7 +235,7 @@

    The following is an example CGI program that prints one line to your browser. Type in the following, save it to a - file called first.pl, and put it in your + file called first.pl, and put it in your cgi-bin directory.

    @@ -263,7 +263,7 @@ http://www.example.com/cgi-bin/first.pl -

    or wherever you put your file, you will see the one line +

    or wherever you put your file, you will see the one line Hello, World. appear in your browser window. It's not very exciting, but once you get that working, you'll have a good chance of getting just about anything working.

    @@ -285,7 +285,7 @@
    The source code of your CGI program or a "POST Method Not Allowed" message
    That means that you have not properly configured Apache - to process your CGI program. Reread the section on + to process your CGI program. Reread the section on configuring Apache and try to find what you missed.
    @@ -295,7 +295,7 @@ file permissions.
    A message saying "Internal Server Error"
    -
    If you check the +
    If you check the Apache error log, you will probably find that it says "Premature end of script headers", possibly along with an error message @@ -370,9 +370,9 @@ assure that those variables are passed by Apache.

    When you miss HTTP headers from the environment, make - sure they are formatted according to + sure they are formatted according to RFC 2616, - section 4.2: Header names must start with a letter, + section 4.2: Header names must start with a letter, followed only by letters, numbers or hyphen. Any header violating this rule will be dropped silently.

    @@ -462,7 +462,7 @@ (where the computer searches for the actual file implementing a command when you type it), your username, your terminal type, and so on. For a full list of your normal, - every day environment variables, type + every day environment variables, type env at a command prompt.

    During the CGI transaction, the server and the browser @@ -473,19 +473,19 @@

    These variables are available to the CGI programmer, and are half of the story of the client-server communication. The - complete list of required variables is at + complete list of required variables is at Common Gateway Interface RFC.

    This simple Perl CGI program will display all of the environment variables that are being passed around. Two - similar programs are included in the + similar programs are included in the cgi-bin directory of the Apache distribution. Note that some variables are required, while others are optional, so you may see some variables listed that were not in the official list. - In addition, Apache provides many different ways for you to + In addition, Apache provides many different ways for you to add your own environment variables to the basic ones provided by default.

    @@ -505,10 +505,10 @@

    Other communication between the server and the client happens over standard input (STDIN) and standard - output (STDOUT). In normal everyday context, - STDIN means the keyboard, or a file that a + output (STDOUT). In normal everyday context, + STDIN means the keyboard, or a file that a program is given to act on, and STDOUT - usually means the console or screen.

    + usually means the console or screen.

    When you POST a web form to a CGI program, the data in that form is bundled up into a special format @@ -530,10 +530,10 @@

    You'll sometimes also see this type of string appended to a URL. When that is done, the server puts that string - into the environment variable called + into the environment variable called QUERY_STRING. That's called a GET request. Your HTML form specifies whether a GET - or a POST is used to deliver the data, by setting the + or a POST is used to deliver the data, by setting the METHOD attribute in the FORM tag.

    Your program is then responsible for splitting that string @@ -557,7 +557,7 @@ set of functionality, which is all you need in most programs.

    If you're writing CGI programs in C, there are a variety of - options. One of these is the CGIC library, from + options. One of these is the CGIC library, from http://www.boutell.com/cgic/.

    @@ -565,7 +565,7 @@
    For more information -

    The current CGI specification is available in the +

    The current CGI specification is available in the Common Gateway Interface RFC.

    diff --git a/docs/manual/howto/public_html.xml b/docs/manual/howto/public_html.xml index 224c9911898..d2da191548e 100644 --- a/docs/manual/howto/public_html.xml +++ b/docs/manual/howto/public_html.xml @@ -27,7 +27,7 @@

    On systems with multiple users, each user can be permitted to have a - web site in their home directory using the UserDir directive. Visitors to a URL http://example.com/~username/ will get content out of the home directory of the user "username", out of @@ -109,30 +109,30 @@ UserDir public_html /var/html -

    For the URL http://example.com/~rbowen/file.html, - Apache will search for ~rbowen. If it isn't found, +

    For the URL http://example.com/~rbowen/file.html, + Apache will search for ~rbowen. If it isn't found, Apache will search for rbowen in /var/html. If - found, the above URL will then be translated to the file path + found, the above URL will then be translated to the file path /var/html/rbowen/file.html

    - +
    Redirecting to external URLs

    The UserDir directive can be used to redirect user directory requests to external URLs.

    - + UserDir http://example.org/users/*/ - +

    The above example will redirect a request for http://example.com/~bob/abc.html to http://example.org/users/bob/abc.html.

    - Restricting what users are permitted to use this + <title>Restricting what users are permitted to use this feature

    Using the syntax shown in the UserDir documentation, you can restrict diff --git a/docs/manual/howto/ssi.xml b/docs/manual/howto/ssi.xml index 577c5155a41..c9ef9234625 100644 --- a/docs/manual/howto/ssi.xml +++ b/docs/manual/howto/ssi.xml @@ -109,7 +109,7 @@ existing HTML documents.

    order to give it a .shtml extension, so that those directives would be executed.

    -

    The other method is to use the The other method is to use the XBitHack directive:

    XBitHack on @@ -129,7 +129,7 @@ existing HTML documents.

    see people recommending that you just tell Apache to parse all .html files for SSI, so that you don't have to mess with .shtml file names. These folks have - perhaps not heard about XBitHack. The thing to keep in mind is that, by doing this, you're requiring that Apache read through every single file that it sends out to @@ -152,7 +152,7 @@ existing HTML documents.

    only at the date of the originally requested file, ignoring the modification date of any included files.
    • -
  • Use the directives provided by +
  • Use the directives provided by mod_expires to set an explicit expiration time on your files, thereby letting browsers and proxies know that it is acceptable to cache them.
    • @@ -382,7 +382,7 @@ modified? discussed above (like LAST_MODIFIED, for example) to give values to your variables. You will specify that something is a variable, rather than a literal string, by using the dollar sign - ($) before the name of the variable.

    + ($) before the name of the variable.

    <!--#set var="modified" value="$LAST_MODIFIED" --> diff --git a/docs/manual/index.xml b/docs/manual/index.xml index 057939016bc..9df43e9e74a 100644 --- a/docs/manual/index.xml +++ b/docs/manual/index.xml @@ -47,7 +47,7 @@ Documentation Expression parser Server and Supporting Programs Glossary - + Users' Guide Binding to Addresses and Ports diff --git a/docs/manual/install.xml b/docs/manual/install.xml index 3ef876d60d6..53d51cb5e83 100644 --- a/docs/manual/install.xml +++ b/docs/manual/install.xml @@ -149,14 +149,14 @@
    For some of the support scripts like apxs or dbmmanage (which are written in Perl) the Perl 5 interpreter is required (versions - 5.003 or newer are sufficient). If you have multiple Perl - interpreters (for example, a systemwide install of Perl 4, and - your own install of Perl 5), you are advised to use the - --with-perl option (see below) to make sure the + 5.003 or newer are sufficient). If you have multiple Perl + interpreters (for example, a systemwide install of Perl 4, and + your own install of Perl 5), you are advised to use the + --with-perl option (see below) to make sure the correct one is used by configure. - If no Perl 5 interpreter is found by the - configure script, you will not be able to use - the affected support scripts. Of course, you will still be able to + If no Perl 5 interpreter is found by the + configure script, you will not be able to use + the affected support scripts. Of course, you will still be able to build and use Apache httpd.
    @@ -282,7 +282,7 @@ $ tar xvf httpd-NN.tar

    Please be patient here, since a base configuration takes several minutes to compile and the time will vary widely depending on your hardware and the number of modules that you - have enabled.

    + have enabled.

    Install @@ -309,7 +309,7 @@ $ tar xvf httpd-NN.tar $ vi PREFIX/conf/httpd.conf -

    Have a look at the Apache manual under +

    Have a look at the Apache manual under PREFIX/docs/manual/ or consult http://httpd.apache.org/docs/&httpd.docs;/ for the most recent diff --git a/docs/manual/logs.xml b/docs/manual/logs.xml index 6adad74c3e9..be260b311cf 100644 --- a/docs/manual/logs.xml +++ b/docs/manual/logs.xml @@ -27,7 +27,7 @@

    In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the - server as well as any problems that may be occurring. The Apache HTTP Server + server as well as any problems that may be occurring. The Apache HTTP Server provides very comprehensive and flexible logging capabilities. This document describes how to configure its logging capabilities, and how to understand what the logs @@ -114,11 +114,11 @@

    The format of the error log is defined by the ErrorLogFormat directive, with which you - can customize what values are logged. A default is format defined + can customize what values are logged. A default is format defined if you don't specify one. A typical log message follows:

    - [Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] + [Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 72.15.99.187] File does not exist: /usr/local/apache2/htdocs/favicon.ico @@ -199,7 +199,7 @@ server. The location and content of the access log are controlled by the CustomLog directive. The LogFormat - directive can be used to simplify the selection of + directive can be used to simplify the selection of the contents of the logs. This section describes how to configure the server to record information in the access log.

    @@ -318,7 +318,7 @@
    The time that the request was received. - The format is: + The format is:

    [day/month/year:hour:minute:second zone]
    @@ -425,7 +425,7 @@ Multiple Access Logs

    Multiple access logs can be created simply by specifying - multiple CustomLog + multiple CustomLog directives in the configuration file. For example, the following directives will create three access logs. The first contains the basic CLF information, @@ -457,7 +457,7 @@ client request. This is easily accomplished with the help of environment variables. First, an environment variable must be set to indicate that the request - meets certain conditions. This is usually accomplished with + meets certain conditions. This is usually accomplished with SetEnvIf. Then the env= clause of the CustomLog directive is used to @@ -630,14 +630,14 @@ hosts, there are several options for dealing with log files. First, it is possible to use logs exactly as in a single-host server. Simply by placing the logging directives - outside the VirtualHost sections in the main server context, it is possible to log all requests in the same access log and error log. This technique does not allow for easy collection of statistics on individual virtual hosts.

    -

    If CustomLog +

    If CustomLog or ErrorLog directives are placed inside a VirtualHost @@ -722,7 +722,7 @@ terminating the daemon by sending signals to the parent process; on Windows, use the -k command line option instead. For more information see the Stopping - and Restarting page.

    + and Restarting page.

    diff --git a/docs/manual/misc/password_encryptions.xml b/docs/manual/misc/password_encryptions.xml index 912de895a8f..fa6fc4e4eab 100644 --- a/docs/manual/misc/password_encryptions.xml +++ b/docs/manual/misc/password_encryptions.xml @@ -22,31 +22,31 @@ Miscellaneous Documentation - + Password Formats - +

    Notes about the password encryption formats generated and understood by Apache.

     - +
    Basic Authentication

    There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:

    - +
    PLAIN TEXT (i.e. unencrypted)
    Windows & Netware only.
    - +
    CRYPT
    Unix only. Uses the traditional Unix crypt(3) function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password.
    - +
    SHA1
    "{SHA}" + Base64-encoded SHA-1 digest of the password.
    - +
    MD5
    "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a @@ -54,32 +54,32 @@ apr_md5.c for the details of the algorithm.
    - +
    Generating values with htpasswd - + MD5 $ htpasswd -nbm myName myPassword
    myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/     - + SHA1 $ htpasswd -nbs myName myPassword
    myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=     - + CRYPT $ htpasswd -nbd myName myPassword
    myName:rqXexS6ZhobKA     - +
    - +
    Generating CRYPT and MD5 values with the OpenSSL command-line program - +

    OpenSSL knows the Apache-specific MD5 algorithm.

    - + MD5 $ openssl passwd -apr1 myPassword
    $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 @@ -90,75 +90,75 @@ qQ5vTYO3c8dsU
    - +
    Validating CRYPT or MD5 passwords with the OpenSSL command line program

    The salt for a CRYPT password is the first two characters (converted to a binary value). To validate myPassword against rqXexS6ZhobKA

    - + CRYPT $ openssl passwd -crypt -salt rq myPassword
    Warning: truncating password to 8 characters
    rqXexS6ZhobKA     - +

    Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.

    - +

    The salt for an MD5 password is between $apr1$ and the following $ (as a Base64-encoded binary value - max 8 chars). To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

    - + MD5 $ openssl passwd -apr1 -salt r31..... myPassword
    $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
    - +
    Database password fields for mod_dbd

    The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords that are usable by Apache basic authentication.

    - +

    To create Apache SHA1-variant basic-authentication passwords in various languages:

    - + PHP '{SHA}' . base64_encode(sha1($password, TRUE)) - + Java "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes())) - + ColdFusion "{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex")) - + Ruby require 'digest/sha1'
    require 'base64'
    '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))     - + C or C++ Use the APR function: apr_sha1_base64 - + PostgreSQL (with the contrib/pgcrypto functions installed) '{SHA}'||encode(digest(password,'sha1'),'base64')
    - +
    - +
    Digest Authentication

    Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string @@ -166,20 +166,20 @@ digits. realm is the Authorization Realm argument to the AuthName directive in httpd.conf.

    - +
    Database password fields for mod_dbd - +

    Since the MD5 function is commonly available, other software can populate a database with encrypted passwords that are usable by Apache digest authentication.

    - +

    To create Apache digest-authentication passwords in various languages:

    - + PHP md5($user . ':' . $realm . ':' .$password) - + Java byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
    java.math.BigInteger bi = new java.math.BigInteger(1, b);
    @@ -190,22 +190,22 @@ // String s is the encrypted password     - + ColdFusion LCase(Hash( (user & ":" & realm & ":" & password) , "MD5")) - + Ruby require 'digest/md5'
    Digest::MD5.hexdigest(user + ':' + realm + ':' + password)     - + PostgreSQL (with the contrib/pgcrypto functions installed) encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex') - +
    - +     diff --git a/docs/manual/misc/perf-tuning.xml b/docs/manual/misc/perf-tuning.xml index 32aebeeec81..c9630446cfd 100644 --- a/docs/manual/misc/perf-tuning.xml +++ b/docs/manual/misc/perf-tuning.xml @@ -706,9 +706,9 @@ directives.

    The Mutex directive can - be used to change the mutex implementation of the + be used to change the mutex implementation of the mpm-accept mutex at run-time. Special considerations - for different mutex implementations are documented with that + for different mutex implementations are documented with that directive.

    Another solution that has been considered but never diff --git a/docs/manual/misc/relevant_standards.xml b/docs/manual/misc/relevant_standards.xml index 17903e06732..21dfae17302 100644 --- a/docs/manual/misc/relevant_standards.xml +++ b/docs/manual/misc/relevant_standards.xml @@ -24,7 +24,7 @@ Miscellaneous Documentation Relevant Standards - +

    This page documents all the relevant standards that the Apache HTTP Server follows, along with brief descriptions.

    @@ -53,7 +53,7 @@     - +
    HTTP Recommendations

    Regardless of what modules are compiled and used, Apache as a diff --git a/docs/manual/mod/event.xml b/docs/manual/mod/event.xml index e4f191c1a21..fc6154bd28b 100644 --- a/docs/manual/mod/event.xml +++ b/docs/manual/mod/event.xml @@ -88,7 +88,7 @@ of consuming threads only for connections with active processing moot.

      - +
    • To use this MPM on FreeBSD, FreeBSD 5.3 or higher is recommended. However, it is possible to run this MPM on FreeBSD 5.2.1, if you use libkse (see man libmap.conf).
      • diff --git a/docs/manual/mod/mod_access_compat.xml b/docs/manual/mod/mod_access_compat.xml index 58fefc99b76..a4b747a01fd 100644 --- a/docs/manual/mod/mod_access_compat.xml +++ b/docs/manual/mod/mod_access_compat.xml @@ -22,15 +22,15 @@ -mod_access_compat +mod_access_compat Group authorizations based on host (name or IP address) Extension mod_access_compat.c access_compat_module -Available in Apache HTTP Server 2.3 as a compatibility module with +Available in Apache HTTP Server 2.3 as a compatibility module with previous versions of Apache httpd 2.x. The directives provided by this module -have been deprecated by the new authz refactoring. Please see +have been deprecated by the new authz refactoring. Please see mod_authz_host @@ -59,7 +59,7 @@ have been deprecated by the new authz refactoring. Please see Note

      The directives provided by mod_access_compat have - been deprecated by the new authz refactoring. Please see + been deprecated by the new authz refactoring. Please see mod_authz_host.

       @@ -178,8 +178,8 @@ server href="../env.html">environment variable. When Allow from env=env-variable is specified, then the request is allowed access if the environment variable env-variable - exists. When Allow from env=!env-variable is - specified, then the request is allowed access if the environment + exists. When Allow from env=!env-variable is + specified, then the request is allowed access if the environment variable env-variable doesn't exist. The server provides the ability to set environment variables in a flexible way based on characteristics of the client @@ -440,7 +440,7 @@ later <Directory /var/www/private>
      - Require valid-user
      + Require valid-user
      </Directory>

      <Directory /var/www/private/public>
      diff --git a/docs/manual/mod/mod_actions.xml b/docs/manual/mod/mod_actions.xml index a5fa94ae578..110ded65543 100644 --- a/docs/manual/mod/mod_actions.xml +++ b/docs/manual/mod/mod_actions.xml @@ -22,7 +22,7 @@ -mod_actions +mod_actions This module provides for executing CGI scripts based on media type or request method. @@ -90,7 +90,7 @@ introduced in Apache 2.1

      In this example, requests for files with a file extension of - .xyz are handled by the specified cgi script + .xyz are handled by the specified cgi script /cgi-bin/program.cgi.

      The optional virtual modifier turns off the check @@ -127,7 +127,7 @@ method. module="mod_alias">ScriptAlias or AddHandler. The URL and file path of the requested document is sent using the standard CGI - PATH_INFO and PATH_TRANSLATED environment + PATH_INFO and PATH_TRANSLATED environment variables.

      @@ -137,10 +137,10 @@ method. effects. -

      Note that the Script command defines default +

      Note that the Script command defines default actions only. If a CGI script is called, or some other resource that is capable of handling the requested method internally, it will do - so. Also note that Script with a method of + so. Also note that Script with a method of GET will only be called if there are query arguments present (e.g., foo.html?hi). Otherwise, the request will proceed normally.

      diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml index ed807959eef..fa45b751a63 100644 --- a/docs/manual/mod/mod_alias.xml +++ b/docs/manual/mod/mod_alias.xml @@ -202,7 +202,7 @@ expressions regular expression to match the entire request URI from beginning to end, and to use substitution on the right side.

      -

      In other words, just changing +

      In other words, just changing Alias to AliasMatch will not have the same effect. At a minimum, you need to @@ -260,8 +260,8 @@ a different URL

      The old URL-path is a case-sensitive (%-decoded) path beginning with a slash. A relative path is not allowed.

      - -

      The new URL may be either an absolute URL beginning + +

      The new URL may be either an absolute URL beginning with a scheme and hostname, or a URL-path beginning with a slash. In this latter case the scheme and hostname of the current server will be added.

      @@ -284,7 +284,7 @@ a different URL http://foo2.example.com/service/foo.txt instead. This includes requests with GET parameters, such as http://example.com/service/foo.pl?q=23&a=42, - it will be redirected to + it will be redirected to http://foo2.example.com/service/foo.pl?q=23&a=42. Note that POSTs will be discarded.
      Only complete path segments are matched, so the above @@ -451,14 +451,14 @@ target as a CGI script

      ScriptAlias can also be used in conjunction with a script or handler you have. For example:

      - + ScriptAlias /cgi-bin/ /web/cgi-handler.pl - +

      In this scenario all files requested in /cgi-bin/ will be - handled by the file you have configured, this allows you to use your own custom - handler. You may want to use this as a wrapper for CGI so that you can add + handled by the file you have configured, this allows you to use your own custom + handler. You may want to use this as a wrapper for CGI so that you can add content, or some other bespoke action.

      It is safer to avoid placing CGI scripts under the diff --git a/docs/manual/mod/mod_allowmethods.xml b/docs/manual/mod/mod_allowmethods.xml index 5a2cf8fa550..e9fcca004d1 100644 --- a/docs/manual/mod/mod_allowmethods.xml +++ b/docs/manual/mod/mod_allowmethods.xml @@ -1,6 +1,6 @@ - + - + - - - + mod_allowmethods Easily restrict what HTTP methods can be used on the server Experimental @@ -55,7 +55,7 @@ used on an server. The most common configuration would be:

      AllowMethods Restrict access to the listed HTTP methods -AllowMethods reset|HTTP-method +AllowMethods reset|HTTP-method [HTTP-method]... AllowMethods reset directory diff --git a/docs/manual/mod/mod_auth_basic.xml b/docs/manual/mod/mod_auth_basic.xml index 4c889e89178..d02bbc6d5a0 100644 --- a/docs/manual/mod/mod_auth_basic.xml +++ b/docs/manual/mod/mod_auth_basic.xml @@ -55,7 +55,7 @@ AuthConfig -

      The AuthBasicProvider directive sets +

      The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module. Make sure @@ -75,7 +75,7 @@

      Providers are queried in order until a provider finds a match - for the requested username, at which point this sole provider will + for the requested username, at which point this sole provider will attempt to check the password. A failure to verify the password does not result in control being passed on to subsequent providers.

      diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml index 85b233f2553..8e06f6b9d7b 100644 --- a/docs/manual/mod/mod_auth_digest.xml +++ b/docs/manual/mod/mod_auth_digest.xml @@ -43,12 +43,12 @@
      Using Digest Authentication -

      To use MD5 Digest authentication, simply +

      To use MD5 Digest authentication, simply change the normal AuthType Basic and AuthBasicProvider to AuthType Digest and AuthDigestProvider, - when setting up authentication, then add a + when setting up authentication, then add a AuthDigestDomain directive containing at least the root URI(s) for this protection space.

      @@ -70,7 +70,7 @@ </Location> - Note + Note

      Digest authentication is more secure than Basic authentication, but only works with supporting browsers. As of September 2004, major browsers that support digest authentication include AuthConfig -

      The AuthDigestProvider directive sets +

      The AuthDigestProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module. Make sure that the chosen provider module is present in the server.

      -

      See mod_authn_dbm, mod_authn_file, +

      See mod_authn_dbm, mod_authn_file, mod_authn_dbd and mod_authn_socache for providers.

      diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml index 0048c1e218a..fedb6566315 100644 --- a/docs/manual/mod/mod_auth_form.xml +++ b/docs/manual/mod/mod_auth_form.xml @@ -55,7 +55,7 @@

      Once the user has been successfully authenticated, the user's login details will be stored in a session provided by mod_session.

      - +
      mod_session AuthName @@ -65,7 +65,7 @@ Authentication howto
      Basic Configuration - +

      To protect a particular URL with mod_auth_form, you need to decide where you will store your session, and you will need to decide what method you will use to authenticate. In this simple example, the @@ -73,7 +73,7 @@ mod_session_cookie, and authentication will be attempted against a file using mod_authn_file. If authentication is unsuccessful, the user will be redirected to the form login page.

      - + Basic example AuthFormProvider file
      AuthUserFile conf/passwd
      @@ -84,14 +84,14 @@ SessionCookieName session path=/
      SessionCryptoPassphrase secret
       - +

      The directive AuthType will enable the mod_auth_form authentication when set to the value form. The directives AuthFormProvider and AuthUserFile specify that usernames and passwords should be checked against the chosen file.

      -

      The directives Session, +

      The directives Session, SessionCookieName and SessionCryptoPassphrase create an encrypted session stored within an HTTP cookie on the browser. For more information @@ -104,18 +104,18 @@ dedicated standalone login page for this purpose, or for providing the login page inline.

      - +
      Standalone Login

      The login form can be hosted as a standalone page, or can be provided inline on the same page.

      - +

      When configuring the login as a standalone page, unsuccessful authentication attempts should be redirected to a login form created by the website for this purpose, using the AuthFormLoginRequiredLocation directive. Typically this login page will contain an HTML form, asking the user to provide their usename and password.

      - + Example login form <form method="POST" action="/dologin.html">
      Username: <input type="text" name="httpd_username" value="" />
      @@ -127,7 +127,7 @@

      The part that does the actual login is handled by the form-login-handler. The action of the form should point at this handler, which is configured within Apache httpd as follows:

      - + Form login handler example <Location /dologin.html> @@ -150,7 +150,7 @@ point to a page explaining to the user that their login attempt was unsuccessful, and they should try again. The AuthFormLoginSuccessLocation directive specifies the URL the user should be redirected to upon successful login.

      - +

      Alternatively, the URL to redirect the user to on success can be embedded within the login form, as in the example below. As a result, the same form-login-handler can be reused for different areas of a website.

      @@ -169,9 +169,9 @@
      Inline Login - + Warning -

      A risk exists that under certain circumstances, the login form configured +

      A risk exists that under certain circumstances, the login form configured using inline login may be submitted more than once, revealing login credentials to the application running underneath. The administrator must ensure that the underlying application is properly secured to prevent abuse. If in doubt, use the @@ -190,7 +190,7 @@ AuthFormLoginRequiredLocation directive, a HTTP_UNAUTHORIZED status code is returned to the browser indicating to the user that they are not authorized to view the page.

      - +

      To configure inline authentication, the administrator overrides the error document returned by the HTTP_UNAUTHORIZED status code with a custom error document containing the login form, as follows:

      @@ -206,7 +206,7 @@ SessionCookieName session path=/
      SessionCryptoPassphrase secret
      - +

      The error document page should contain a login form with an empty action property, as per the example below. This has the effect of submitting the form to the original protected URL, without the page having to know what that @@ -268,7 +268,7 @@

      One option is to use the mod_include module along with the KeptBodySize directive, along with a suitable CGI script to embed the variables in the form.

      - +

      Another option is to render the login form using a CGI script or other dynamic technology.

      @@ -339,7 +339,7 @@ AuthConfig -

      The AuthFormProvider directive sets +

      The AuthFormProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module. Make sure @@ -454,9 +454,9 @@ lower level modules

      The AuthFormMethod directive specifies the name of an HTML field which, if present, will contain the method of the request to to submit should login be successful.

      - +

      By populating the form with fields described by - AuthFormMethod, + AuthFormMethod, AuthFormMimetype and AuthFormBody, a website can retry a request that may have been interrupted by the login screen, or by a session @@ -479,7 +479,7 @@ lower level modules mimetype of the request to to submit should login be successful.

      By populating the form with fields described by - AuthFormMethod, + AuthFormMethod, AuthFormMimetype and AuthFormBody, a website can retry a request that may have been interrupted by the login screen, or by a session @@ -502,7 +502,7 @@ lower level modules to submit should login be successful.

      By populating the form with fields described by - AuthFormMethod, + AuthFormMethod, AuthFormMimetype and AuthFormBody, a website can retry a request that may have been interrupted by the login screen, or by a session @@ -522,12 +522,12 @@ lower level modules

      The AuthFormSize directive specifies the maximum size of the body of the request that will be parsed to find the login form.

      - +

      If a login request arrives that exceeds this size, the whole request will be aborted with the HTTP response code HTTP_REQUEST_TOO_LARGE.

      If you have populated the form with fields described by - AuthFormMethod, + AuthFormMethod, AuthFormMimetype and AuthFormBody, you probably want to set this field to a similar size as the KeptBodySize @@ -552,7 +552,7 @@ lower level modules will be returned with the page specified by the ErrorDocument directive. This directive overrides this default.

      - +

      Use this directive if you have a dedicated login page to redirect users to.

       @@ -572,7 +572,7 @@ lower level modules specifies the URL to redirect to should the user have logged in successfully. This directive can be overridden if a form field has been defined containing another URL using the AuthFormLocation directive.

      - +

      Use this directive if you have a dedicated login URL, and you have not embedded the destination page in the login form.

      @@ -613,7 +613,7 @@ lower level modules

      When a URI is accessed that is served by the handler form-logout-handler, the page specified by this directive will be shown to the end user. For example:

      - + Example <Location /logout>
      @@ -624,7 +624,7 @@ lower level modules </Location>       - +

      An attempt to access the URI /logout/ will result in the user being logged out, and the page /loggedout.html will be displayed. Make sure that the page loggedout.html is not password protected, otherwise the page will not be @@ -667,7 +667,7 @@ lower level modules specifies a passphrase which, if present in the user session, causes Apache httpd to bypass authentication checks for the given URL. It can be used on high traffic websites to reduce the load induced on authentication infrastructure.

      - +

      The passphrase can be inserted into a user session by adding this directive to the configuration for the form-login-handler. The form-login-handler itself will always run the authentication checks, regardless of whether a passphrase diff --git a/docs/manual/mod/mod_authn_core.xml b/docs/manual/mod/mod_authn_core.xml index fd3284cdc6b..0edbfc915bd 100644 --- a/docs/manual/mod/mod_authn_core.xml +++ b/docs/manual/mod/mod_authn_core.xml @@ -22,7 +22,7 @@ -mod_authn_core +mod_authn_core Core Authentication Base mod_authn_core.c @@ -30,22 +30,22 @@ Available in Apache 2.3 and later

      -

      This module provides core authentication capabilities to - allow or deny access to portions of the web site. - mod_authn_core provides directives that are +

      This module provides core authentication capabilities to + allow or deny access to portions of the web site. + mod_authn_core provides directives that are common to all authentication providers.
      Creating Authentication Provider Aliases -

      Extended authentication providers can be created - within the configuration file and assigned an alias name. The alias - providers can then be referenced through the directives - AuthBasicProvider or +

      Extended authentication providers can be created + within the configuration file and assigned an alias name. The alias + providers can then be referenced through the directives + AuthBasicProvider or AuthDigestProvider in the same way as a base authentication provider. Besides the ability - to create and alias an extended provider, it also allows the same - extended authentication provider to be reference by multiple + to create and alias an extended provider, it also allows the same + extended authentication provider to be reference by multiple locations.

      Examples @@ -80,11 +80,11 @@ </Directory>
      -

      The example below creates two different ldap authentication +

      The example below creates two different ldap authentication provider aliases based on the ldap provider. This allows a single authenticated location to be serviced by multiple ldap hosts:

      - + Checking multiple LDAP servers <AuthnProviderAlias ldap ldap-alias1>
      @@ -100,15 +100,15 @@ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
       </AuthnProviderAlias>

      - + Alias /secure /webpages/secure
      <Directory /webpages/secure>
      Order deny,allow
      Allow from all

      - + AuthBasicProvider ldap-other-alias ldap-alias1

      - + AuthType Basic
      AuthName LDAP_Protected_Place
      Require valid-user
      @@ -213,10 +213,10 @@ authentication tree will typically continue to send authentication HTTP headers or cookies with each request, regardless of whether the server actually requires authentication for every resource. - + Authentication, Authorization, - and Access Control + and Access Control @@ -232,7 +232,7 @@ the specified alias

      <AuthnProviderAlias> and </AuthnProviderAlias> are used to enclose a group of - authentication directives that can be referenced by the alias name + authentication directives that can be referenced by the alias name using one of the directives AuthBasicProvider or AuthDigestProvider.

      diff --git a/docs/manual/mod/mod_authn_file.xml b/docs/manual/mod/mod_authn_file.xml index f6e228b9f13..dd530946ff0 100644 --- a/docs/manual/mod/mod_authn_file.xml +++ b/docs/manual/mod/mod_authn_file.xml @@ -50,7 +50,7 @@ htpasswd htdigest Password Formats - + AuthUserFile Sets the name of a text file containing the list of users and diff --git a/docs/manual/mod/mod_authn_socache.xml b/docs/manual/mod/mod_authn_socache.xml index e1942d78c8e..7a1816ab267 100644 --- a/docs/manual/mod/mod_authn_socache.xml +++ b/docs/manual/mod/mod_authn_socache.xml @@ -1,4 +1,4 @@ - + @@ -183,6 +183,6 @@ the load on backends is not permitted in .htaccess contexts.

             - + diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index d646625e3bd..a07ad318305 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -32,9 +32,9 @@ for HTTP Basic authentication.

      This module provides authentication front-ends such as - mod_auth_basic to authenticate users through + mod_auth_basic to authenticate users through an ldap directory.

      - +

      mod_authnz_ldap supports the following features:

        @@ -69,7 +69,7 @@ for HTTP Basic authentication.
        • - Operation + Operation
          • The Authentication @@ -81,7 +81,7 @@ for HTTP Basic authentication.
          • - The Require Directives + The Require Directives
            • Require ldap-user
              • @@ -99,7 +99,7 @@ for HTTP Basic authentication.
            • Using Active Directory
            • Using Microsoft FrontPage with - mod_authnz_ldap + mod_authnz_ldap
              • How It Works
                • @@ -113,7 +113,7 @@ for HTTP Basic authentication.

                There are two phases in granting access to a user. The first phase is authentication, in which the mod_authnz_ldap - authentication provider verifies that the user's credentials are valid. + authentication provider verifies that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which mod_authnz_ldap determines if the authenticated user is allowed access to the resource in @@ -122,11 +122,11 @@ for HTTP Basic authentication.

                mod_authnz_ldap registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap - authentication provider can be enabled through the - AuthBasicProvider directive - using the ldap value. The authz_ldap handler extends the + authentication provider can be enabled through the + AuthBasicProvider directive + using the ldap value. The authz_ldap handler extends the Require directive's authorization types - by adding ldap-user, ldap-dn and ldap-group + by adding ldap-user, ldap-dn and ldap-group values.

                The Authentication @@ -215,14 +215,14 @@ for HTTP Basic authentication.</description> one of its sub-groups.</li> <li>Grant access if there is a <a href="#reqattribute"> - <code>Require ldap-attribute</code></a> + <code>Require ldap-attribute</code></a> directive, and the attribute fetched from the LDAP directory - matches the given value.</li> + matches the given value.</li> <li>Grant access if there is a <a href="#reqfilter"> - <code>Require ldap-filter</code></a> + <code>Require ldap-filter</code></a> directive, and the search filter successfully finds a single user - object that matches the dn of the authenticated user.</li> + object that matches the dn of the authenticated user.</li> <li>otherwise, deny or decline access</li> </ul> @@ -231,16 +231,16 @@ for HTTP Basic authentication.</description> be used which may require loading additional authorization modules.</p> <ul> - <li>Grant access to all successfully authenticated users if - there is a <a href="#requser"><code>Require valid-user</code></a> + <li>Grant access to all successfully authenticated users if + there is a <a href="#requser"><code>Require valid-user</code></a> directive. (requires <module>mod_authz_user</module>)</li> <li>Grant access if there is a <a href="#reqgroup"><code>Require group</code></a> directive, and - <module>mod_authz_groupfile</module> has been loaded with the - <directive module="mod_authz_groupfile">AuthGroupFile</directive> + <module>mod_authz_groupfile</module> has been loaded with the + <directive module="mod_authz_groupfile">AuthGroupFile</directive> directive set.</li> - + <li>others...</li> </ul> @@ -317,10 +317,10 @@ for HTTP Basic authentication.</description> <p>Apache's <directive module="mod_authz_core">Require</directive> directives are used during the authorization phase to ensure that - a user is allowed to access a resource. mod_authnz_ldap extends the - authorization types with <code>ldap-user</code>, <code>ldap-dn</code>, - <code>ldap-group</code>, <code>ldap-attribute</code> and - <code>ldap-filter</code>. Other authorization types may also be + a user is allowed to access a resource. mod_authnz_ldap extends the + authorization types with <code>ldap-user</code>, <code>ldap-dn</code>, + <code>ldap-group</code>, <code>ldap-attribute</code> and + <code>ldap-filter</code>. Other authorization types may also be used but may require that additional authorization modules be loaded.</p> <section id="requser"><title>Require ldap-user @@ -412,7 +412,7 @@ uniqueMember: cn=Elliot Rhodes, o=Example

                The following directives would allow access for Bob Ellis, Tom Jackson, Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not - allow access for Jim Swenson, or Elliot Rhodes (since they are at a + allow access for Jim Swenson, or Elliot Rhodes (since they are at a sub-group depth of 2):

                Require ldap-group cn=Employees, o-Example
                @@ -453,18 +453,18 @@ AuthLDAPSubGroupDepth 1
                administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

                - +

                The following directive would grant access to anyone with the attribute employeeType = active

                Require ldap-attribute employeeType=active

                Multiple attribute/value pairs can be specified on the same line - separated by spaces or they can be specified in multiple - Require ldap-attribute directives. The effect of listing - multiple attribute/values pairs is an OR operation. Access will be - granted if any of the listed attribute values match the value of the - corresponding attribute in the user object. If the value of the + separated by spaces or they can be specified in multiple + Require ldap-attribute directives. The effect of listing + multiple attribute/values pairs is an OR operation. Access will be + granted if any of the listed attribute values match the value of the + corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

                The following directive would grant access to anyone with @@ -480,18 +480,18 @@ AuthLDAPSubGroupDepth 1
                administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

                - +

                The following directive would grant access to anyone having a cell phone and is in the marketing department

                Require ldap-filter &(cell=*)(department=marketing) -

                The difference between the Require ldap-filter directive and the - Require ldap-attribute directive is that ldap-filter - performs a search operation on the LDAP directory using the specified search - filter rather than a simple attribute comparison. If a simple attribute - comparison is all that is required, the comparison operation performed by - ldap-attribute will be faster than the search operation +

                The difference between the Require ldap-filter directive and the + Require ldap-attribute directive is that ldap-filter + performs a search operation on the LDAP directory using the specified search + filter rather than a simple attribute comparison. If a simple attribute + comparison is all that is required, the comparison operation performed by + ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

                @@ -503,7 +503,7 @@ AuthLDAPSubGroupDepth 1
                • Grant access to anyone who exists in the LDAP directory, - using their UID for searches. + using their UID for searches. AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
                  Require valid-user @@ -513,7 +513,7 @@ Require valid-user
                • The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a - redundant LDAP server. + redundant LDAP server. AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
                  Require valid-user                   @@ -527,7 +527,7 @@ Require valid-user must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your - directory, such as uid. + directory, such as uid. AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
                  Require valid-user @@ -536,7 +536,7 @@ Require valid-user
                • Grant access to anybody in the Administrators group. The - users must authenticate using their UID. + users must authenticate using their UID. AuthLDAPURL ldap://ldap.example.com/o=Example?uid
                  Require ldap-group cn=Administrators, o=Example @@ -548,7 +548,7 @@ Require ldap-group cn=Administrators, o=Example carries an alphanumeric pager will have an LDAP attribute of qpagePagerID. The example will grant access only to people (authenticated via their UID) who have - alphanumeric pagers: + alphanumeric pagers: AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
                  Require valid-user @@ -597,10 +597,10 @@ Require valid-user module="mod_ldap">LDAPTrustedGlobalCert and LDAPTrustedMode.

                  -

                  An optional second parameter can be added to the +

                  An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. - This will allow the connection established by an ldap:// Url + This will allow the connection established by an ldap:// Url to be upgraded to a secure connection on the same port.

      @@ -619,11 +619,11 @@ Require valid-user
      Exposing Login Information

      when this module performs authentication, ldap attributes specified - in the authldapurl + in the authldapurl directive are placed in environment variables with the prefix "AUTHENTICATE_".

      when this module performs authorization, ldap attributes specified - in the authldapurl + in the authldapurl directive are placed in environment variables with the prefix "AUTHORIZE_".

      If the attribute field contains the username, common name @@ -706,7 +706,7 @@ Require group mygroupfile the LDAP directory is considered a valid user, whereas FrontPage considers only those people in the local user file to be valid. By substituting the ldap-group with group file authorization, - Apache is allowed to consult the local user file (which is managed by + Apache is allowed to consult the local user file (which is managed by FrontPage) - instead of LDAP - when handling authorizing the user.

      Once directives have been added as specified above, @@ -735,7 +735,7 @@ Require group mygroupfile mod_authn_file and mod_authz_groupfile in order to use FrontPage support. This is because Apache will still use - the mod_authz_groupfile group file for determine + the mod_authz_groupfile group file for determine the extent of a user's access to the FrontPage web.

    • The directives must be put in the .htaccess @@ -772,7 +772,7 @@ authorization whether LDAP has performed authentication, authorization, or both.

      Note - No authorization variables are set when a user is authorized on the basis of + No authorization variables are set when a user is authorized on the basis of Require valid-user. @@ -788,14 +788,14 @@ authorization AuthConfig -

      By default, subsequent authentication providers are only queried if a +

      By default, subsequent authentication providers are only queried if a user cannot be mapped to a DN, but not if the user can be mapped to a DN and their - password cannot be verified with an LDAP bind. - If AuthLDAPBindAuthoritative - is set to off, other configured authentication modules will have - a chance to validate the user if the LDAP bind (with the current user's credentials) + password cannot be verified with an LDAP bind. + If AuthLDAPBindAuthoritative + is set to off, other configured authentication modules will have + a chance to validate the user if the LDAP bind (with the current user's credentials) fails for any reason.

      -

      This allows users present in both LDAP and +

      This allows users present in both LDAP and AuthUserFile to authenticate when the LDAP server is available but the user's account is locked or password is otherwise unusable.

      @@ -820,13 +820,13 @@ own username, instead of anonymously or with hard-coded credentials for the serv distinguished name (DN). This directive forces the server to use the verbatim username and password provided by the incoming user to perform the initial DN search.

      - +

      If the verbatim username can't directly bind, but needs some cosmetic transformation, see AuthLDAPInitialBindPattern.

      - -

      This directive should only be used when your LDAP server doesn't - accept anonymous searches and you cannot use a dedicated + +

      This directive should only be used when your LDAP server doesn't + accept anonymous searches and you cannot use a dedicated AuthLDAPBindDN.

      @@ -858,9 +858,9 @@ to perform a DN lookup

      The regular expression argument is compared against the current basic authentication username. The substitution argument may contain backreferences, but has no other variable interpolation.

      - -

      This directive should only be used when your LDAP server doesn't - accept anonymous searches and you cannot use a dedicated + +

      This directive should only be used when your LDAP server doesn't + accept anonymous searches and you cannot use a dedicated AuthLDAPBindDN.

      @@ -872,8 +872,8 @@ to perform a DN lookup has no effect when this module is used exclusively for authorization. debugging - The substituted DN is recorded in the environment variable - LDAP_BINDASUSER. If the regular expression does not match the input, + The substituted DN is recorded in the environment variable + LDAP_BINDASUSER. If the regular expression does not match the input, the verbatim username is used.       @@ -910,7 +910,7 @@ to perform a DN lookup properly protected. You should only use the AuthLDAPBindDN and AuthLDAPBindPassword if you - absolutely need them to search the directory.

      + absolutely need them to search the directory.

      @@ -953,16 +953,16 @@ to perform a DN lookup

      When set, and mod_authnz_ldap has authenticated the user, LDAP comparisons for authorization use the queried distinguished name (DN) - and HTTP basic authentication password of the authenticated user instead of + and HTTP basic authentication password of the authenticated user instead of the servers configured credentials.

      -

      The ldap-attribute, ldap-user, and ldap-group (single-level only) +

      The ldap-attribute, ldap-user, and ldap-group (single-level only) authorization checks use comparisons.

      This directive only has effect on the comparisons performed during nested group processing when AuthLDAPSearchAsUser is also enabled.

      - +

      This directive should only be used when your LDAP server doesn't accept anonymous comparisons and you cannot use a dedicated AuthLDAPBindDN. @@ -1085,10 +1085,10 @@ query to set the REMOTE_USER environment variable none directory.htaccess -AuthConfig - +AuthConfig + -

      If this directive is set, the value of the +

      If this directive is set, the value of the REMOTE_USER environment variable will be set to the value of the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition, @@ -1132,10 +1132,10 @@ environment variable

      When set, and mod_authnz_ldap has authenticated the user, LDAP searches for authorization use the queried distinguished name (DN) - and HTTP basic authentication password of the authenticated user instead of + and HTTP basic authentication password of the authenticated user instead of the servers configured credentials.

      -

      The ldap-filter and ldap-dn authorization +

      The ldap-filter and ldap-dn authorization checks use searches.

      This directive only has effect on the comparisons performed during @@ -1213,8 +1213,8 @@ objects that are groups during sub-group processing. ldap://host:port/basedn?attribute?scope?filter

      If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:

      AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..." -

      Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; -otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." +

      Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; +otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." You can of course use search parameters on each of these.

      @@ -1234,7 +1234,7 @@ You can of course use search parameters on each of these.

      specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a - successful connection. If multiple ldap servers are specified, + successful connection. If multiple ldap servers are specified, then entire LDAP URL must be encapsulated in double quotes.

      Once a connection has been made to a server, that @@ -1298,7 +1298,7 @@ You can of course use search parameters on each of these.

      Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).

      -

      An optional parameter can be added to allow the LDAP Url to override +

      An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:

      @@ -1310,7 +1310,7 @@ You can of course use search parameters on each of these.

      This is the same as ldaps://
      TLS | STARTTLS
      Establish an upgraded secure connection on the default LDAP port. - This connection will be initiated on port 389 by default and then + This connection will be initiated on port 389 by default and then upgraded to a secure connection on the same port.
      diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml index 79c5a9d240d..192444f8965 100644 --- a/docs/manual/mod/mod_authz_core.xml +++ b/docs/manual/mod/mod_authz_core.xml @@ -22,7 +22,7 @@ -mod_authz_core +mod_authz_core Core Authorization Base mod_authz_core.c @@ -32,12 +32,12 @@

      This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions - of the web site. mod_authz_core provides the + of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication - provider module such as mod_authn_file and an + provider module such as mod_authn_file and an authorization module such as mod_authz_user. It - also allows for advanced logic to be applied to the + also allows for advanced logic to be applied to the authorization processing.

       @@ -57,36 +57,36 @@ allows a single authorization location to check group membership within multiple ldap hosts:

      - + Example <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
      AuthLDAPBindDN cn=youruser,o=ctx
      AuthLDAPBindPassword yourpassword
      AuthLDAPURL ldap://ldap.host/o=ctx
      -       - </AuthzProviderAlias>

      + + </AuthzProviderAlias>

      <AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
      AuthLDAPBindDN cn=yourotheruser,o=dev
      AuthLDAPBindPassword yourotherpassword
      AuthLDAPURL ldap://other.ldap.host/o=dev?cn
      -       + </AuthzProviderAlias>

      - + Alias /secure /webpages/secure
      <Directory /webpages/secure>
      Require all granted

      - + AuthBasicProvider file

      - + AuthType Basic
      AuthName LDAP_Protected_Place

      - #implied OR operation
      - Require ldap-group-alias1
      + #implied OR operation
      + Require ldap-group-alias1
      Require ldap-group-alias2
       </Directory>
       @@ -145,7 +145,7 @@ </RequireNone> </RequireAll> - + </Directory>
      • @@ -160,7 +160,7 @@

      The env provider allows access to the server to be controlled based on the existence of an environment variable. When Require + href="../env.html">environment variable. When Require env env-variable is specified, then the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment @@ -170,7 +170,7 @@ used to allow access based on such factors as the clients User-Agent (browser type), Referer, or other HTTP request header fields.

      - + Example: SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
      <Directory /docroot>
      @@ -179,7 +179,7 @@ </Directory>       - +

      In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.

      @@ -190,8 +190,8 @@

      The all provider mimics the functionality the was previously provided by the 'Allow from all' and 'Deny from all' - directives. This provider can take one of two arguments which are - 'granted' or 'denied'. The following examples will grant or deny + directives. This provider can take one of two arguments which are + 'granted' or 'denied'. The following examples will grant or deny access to all requests.

      @@ -302,17 +302,17 @@ an authorization provider.

      Other authorization modules that implement require options include mod_authnz_ldap, - mod_authz_dbm, mod_authz_dbd, - mod_authz_host, + mod_authz_dbm, mod_authz_dbd, + mod_authz_host, mod_authz_owner and mod_ssl.

      In most cases, for a complete authentication and authorization configuration, Require must be accompanied by AuthName, AuthType and + module="mod_authn_core">AuthType and AuthBasicProvider or - AuthDigestProvider - directives, and directives such as + AuthDigestProvider + directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:

      @@ -372,7 +372,7 @@ an authorization provider. Authentication, Authorization, - and Access Control + and Access Control Authorization Containers mod_authn_core mod_authz_host @@ -406,7 +406,7 @@ succeed. Authorization Containers Authentication, Authorization, - and Access Control + and Access Control @@ -444,7 +444,7 @@ must succeed for the enclosing directive to succeed. Authorization Containers Authentication, Authorization, - and Access Control + and Access Control @@ -485,7 +485,7 @@ must succeed for the enclosing directive to not fail. Authorization Containers Authentication, Authorization, - and Access Control + and Access Control @@ -569,7 +569,7 @@ sections. Enclose a group of directives that represent an extension of a base authorization provider and referenced by the specified alias -<AuthzProviderAlias baseProvider Alias Require-Parameters> +<AuthzProviderAlias baseProvider Alias Require-Parameters> ... </AuthzProviderAlias> server config diff --git a/docs/manual/mod/mod_authz_groupfile.xml b/docs/manual/mod/mod_authz_groupfile.xml index 1d5ed014381..5ebe885aad0 100644 --- a/docs/manual/mod/mod_authz_groupfile.xml +++ b/docs/manual/mod/mod_authz_groupfile.xml @@ -59,7 +59,7 @@ of user groups for authorization Example: mygroup: bob joe anne - +

      Note that searching large text files is very inefficient; -mod_authz_host +mod_authz_host Group authorizations based on host (name or IP address) Base @@ -33,9 +33,9 @@ address)

      The authorization providers implemented by mod_authz_host are registered using the Require - directive. The directive can be referenced within a + directive. The directive can be referenced within a Directory, - Files, + Files, or Location section as well as .htaccess files to control access to particular parts of the server. @@ -50,16 +50,16 @@ address)

      Authentication, Authorization, - and Access Control + and Access Control Require
      The Require Directives -

      Apache's Require +

      Apache's Require directive is used during the authorization phase to ensure that a user is allowed or - denied access to a resource. mod_authz_host extends the + denied access to a resource. mod_authz_host extends the authorization types with ip and host. - Other authorization types may also be + Other authorization types may also be used but may require that additional authorization modules be loaded.

      These authorization providers affect which hosts can @@ -69,50 +69,50 @@ address)

      Require ip

      The ip provider allows access to the server - to be controlled based on the IP address of the remote client. - When Require ip ip-address is specified, + to be controlled based on the IP address of the remote client. + When Require ip ip-address is specified, then the request is allowed access if the IP address matches.

      A full IP address:

      - + Require ip 10.1.2.3
      Require ip 192.168.1.104 192.168.1.205

      An IP address of a host allowed access

      - +

      A partial IP address:

      - + Require ip 10.1
      Require ip 10 172.20 192.168.2

      The first 1 to 3 bytes of an IP address, for subnet restriction.

      - +

      A network/netmask pair:

      - + Require ip 10.1.0.0/255.255.0.0

      A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

      - +

      A network/nnn CIDR specification:

      - + Require ip 10.1.0.0/16

      Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

      - +

      Note that the last three examples above match exactly the same set of hosts.

      - +

      IPv6 addresses and IPv6 subnets can be specified as shown below:

      - + Require ip 2001:db8::a00:20ff:fea7:ccea
      Require ip 2001:db8::a00:20ff:fea7:ccea/10 @@ -124,17 +124,17 @@ address)
      Require host

      The host provider allows access to the server - to be controlled based on the host name of the remote client. - When Require host host-name is specified, + to be controlled based on the host name of the remote client. + When Require host host-name is specified, then the request is allowed access if the host name matches.

      A (partial) domain-name

      - + Require host example.org
      Require host .net example.edu       - +

      Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.example.org but it will not diff --git a/docs/manual/mod/mod_authz_owner.xml b/docs/manual/mod/mod_authz_owner.xml index 5b7abda039c..2e91eb071f2 100644 --- a/docs/manual/mod/mod_authz_owner.xml +++ b/docs/manual/mod/mod_authz_owner.xml @@ -22,7 +22,7 @@ -mod_authz_owner +mod_authz_owner Authorization based on file ownership Extension mod_authz_owner.c diff --git a/docs/manual/mod/mod_authz_user.xml b/docs/manual/mod/mod_authz_user.xml index cad7e9bb5d3..fea8c72d9b1 100644 --- a/docs/manual/mod/mod_authz_user.xml +++ b/docs/manual/mod/mod_authz_user.xml @@ -22,7 +22,7 @@ -mod_authz_user +mod_authz_user User Authorization Base mod_authz_user.c diff --git a/docs/manual/mod/mod_autoindex.xml b/docs/manual/mod/mod_autoindex.xml index a4264f476f9..806a959c23a 100644 --- a/docs/manual/mod/mod_autoindex.xml +++ b/docs/manual/mod/mod_autoindex.xml @@ -552,7 +552,7 @@ a directory

      Review the default configuration for a list of - patterns that you might want to explicitly ignore after using this + patterns that you might want to explicitly ignore after using this directive.

      @@ -578,7 +578,7 @@ indexing
      AddAltClass
      Adds an additional CSS class declaration to each row of the - directory listing table when IndexOptions HTMLTable + directory listing table when IndexOptions HTMLTable is in effect and an IndexStyleSheet is defined. Rather than the standard even and odd classes that would otherwise be applied to each row of the table, @@ -656,7 +656,7 @@ indexing HTTP Server 2.0.23 and later)
      This option with FancyIndexing constructs - a simple table for the fancy directory listing. + a simple table for the fancy directory listing. It is necessary for utf-8 enabled platforms or if file names or description text will alternate between left-to-right and right-to-left reading order.
      @@ -979,7 +979,7 @@ Name|Date|Size|Description

      You can, if desired, prevent the client from reordering the list by also adding the SuppressColumnSorting + href="#indexoptions.suppresscolumnsorting">SuppressColumnSorting index option to remove the sort link from the top of the column, along with the IgnoreClient index diff --git a/docs/manual/mod/mod_buffer.xml b/docs/manual/mod/mod_buffer.xml index 4879033448c..7bef039f7aa 100644 --- a/docs/manual/mod/mod_buffer.xml +++ b/docs/manual/mod/mod_buffer.xml @@ -65,7 +65,7 @@ cause the request/response to be slower than not using a buffer at all. These filters should be used with care, and only where necessary. - + Filters diff --git a/docs/manual/mod/mod_cache.xml b/docs/manual/mod/mod_cache.xml index 943ef2f66e3..afc2c2e6d2f 100644 --- a/docs/manual/mod/mod_cache.xml +++ b/docs/manual/mod/mod_cache.xml @@ -31,12 +31,12 @@

      This module should be used with care, as when the CacheQuickHandler directive is - in its default value of on, the Allow and on, the Allow and Deny directives will be circumvented. You should not enable quick handler caching for any content to which you wish to limit access by client host name, address or environment - variable. + variable.

      mod_cache implements an RFC 2616 compliant @@ -228,11 +228,11 @@

      Under the default mode of cache operation, the cache runs as a quick handler, short circuiting the majority of server processing and offering the highest cache performance available.

      - +

      In this mode, the cache bolts onto the front of the server, acting as if a free standing RFC 2616 caching proxy had been placed in front of the server.

      - +

      While this mode offers the best performance, the administrator may find that under certain circumstances they may want to perform further processing on the request after the request is cached, such as to inject personalisation into the @@ -360,7 +360,7 @@ manager before globally defined CacheEnable directives.

      When acting as a forward proxy server, url-string can - also be used to specify remote sites and proxy protocols which + also be used to specify remote sites and proxy protocols which caching should be enabled for.

      @@ -395,7 +395,7 @@ manager CacheEnable disk http://.example.org/
       -

      The no-cache environment variable can be set to +

      The no-cache environment variable can be set to disable caching on a finer grained set of resources in versions 2.2.12 and later.

      @@ -432,7 +432,7 @@ manager </Location>
      -

      The no-cache environment variable can be set to +

      The no-cache environment variable can be set to disable caching on a finer grained set of resources in versions 2.2.12 and later.

      @@ -519,7 +519,7 @@ header. directory .htaccess - +

      Ordinarily, documents without a last-modified date are not cached. Under some circumstances the last-modified date is removed (during @@ -580,11 +580,11 @@ header.

      Ordinarily, requests with query string parameters are cached separately for each unique query string. This is according to RFC 2616/13.9 done only - if an expiration time is specified. The + if an expiration time is specified. The CacheIgnoreQueryString directive tells the cache to - cache requests even if no expiration time is specified, and to reply with + cache requests even if no expiration time is specified, and to reply with a cached reply even if the query string differs. From a caching point of - view the request is treated as if having no query string when this + view the request is treated as if having no query string when this directive is enabled.

      @@ -605,7 +605,7 @@ LastModified date. directory .htaccess - +

      In the event that a document does not provide an expiry date but does provide a last-modified date, an expiry date can be calculated based on @@ -830,7 +830,7 @@ LastModified date.

      The CacheLock directive enables the thundering herd lock for the given URL space.

      - +

      In a minimal configuration the following directive is all that is needed to enable the thundering herd lock in the default system temp directory.

      @@ -849,7 +849,7 @@ LastModified date. CacheLockPath /tmp/mod_cache-lock server configvirtual host - +

      The CacheLockPath directive allows you to specify the directory in which the locks are created. By default, the system's temporary @@ -867,16 +867,16 @@ LastModified date. CacheLockMaxAge 5 server configvirtual host - +

      The CacheLockMaxAge directive specifies the maximum age of any cache lock.

      - +

      A lock older than this value in seconds will be ignored, and the next incoming request will be given the opportunity to re-establish the lock. This mechanism prevents a slow client taking an excessively long time to refresh an entity.

      - +       @@ -936,7 +936,7 @@ LastModified date. .htaccess Available in Apache 2.3.9 and later - +

      When the CacheHeader directive is switched on, an X-Cache header will be added to the response @@ -978,17 +978,17 @@ LastModified date. .htaccess Available in Apache 2.3.9 and later - +

      When the CacheDetailHeader directive is switched on, an X-Cache-Detail header will be added to the response containing the detailed reason for a particular caching decision.

      - +

      It can be useful during development of cached RESTful services to have additional information about the caching decision written to the response headers, so as to confirm whether Cache-Control and other headers have been correctly used by the service and client.

      - +

      If the normal handler is used, this directive may appear within a <Directory> or <Location> directive. If the quick handler diff --git a/docs/manual/mod/mod_cache_disk.xml b/docs/manual/mod/mod_cache_disk.xml index 03335a549ad..b159c6ad1d0 100644 --- a/docs/manual/mod/mod_cache_disk.xml +++ b/docs/manual/mod/mod_cache_disk.xml @@ -181,7 +181,7 @@ cache directory .htaccess - +

      The CacheMaxFileSize directive sets the maximum size, in bytes, for a document to be considered for storage in @@ -204,7 +204,7 @@ cache directory .htaccess - +

      The CacheReadSize directive sets the minimum amount of data, in bytes, to be read from the backend before the @@ -216,7 +216,7 @@ cache

      This directive only takes effect when the data is being saved to the cache, as opposed to data being served from the cache.

      - + CacheReadSize 102400 @@ -256,5 +256,5 @@ cache       - + diff --git a/docs/manual/mod/mod_cgi.xml b/docs/manual/mod/mod_cgi.xml index aa100270722..ac1f2f59485 100644 --- a/docs/manual/mod/mod_cgi.xml +++ b/docs/manual/mod/mod_cgi.xml @@ -46,7 +46,7 @@ mod_cgid should be used in place of this module. At the user level, the two modules are essentially identical.

      - +

      For backward-compatibility, the cgi-script handler will also be activated for any file with the mime-type application/x-httpd-cgi. The use of the magic mime-type is deprecated.

      diff --git a/docs/manual/mod/mod_charset_lite.xml b/docs/manual/mod/mod_charset_lite.xml index 69d8a15cb7b..0fdcf1bc0c1 100644 --- a/docs/manual/mod/mod_charset_lite.xml +++ b/docs/manual/mod/mod_charset_lite.xml @@ -36,7 +36,7 @@ process locale to ISO-8859-1, but not the body of responses. In any environment, mod_charset_lite can be used to specify that response bodies should be translated. For example, - if files are stored in EBCDIC, then + if files are stored in EBCDIC, then mod_charset_lite can translate them to ISO-8859-1 before sending them to the client.

      @@ -100,7 +100,7 @@ as a valid character set name by the character set support in APR. Generally, this means that it must be supported by iconv.

      - + Example <Directory /export/home/trawick/apacheinst/htdocs/convert>
      @@ -112,7 +112,7 @@

      The character set names in this example work with the iconv translation support in Solaris 8.

      - + Specifying the same charset for both CharsetSourceEnc and CharsetDefault disables translation. The charset diff --git a/docs/manual/mod/mod_data.xml b/docs/manual/mod/mod_data.xml index 0c2c490d366..6de297478ec 100644 --- a/docs/manual/mod/mod_data.xml +++ b/docs/manual/mod/mod_data.xml @@ -62,7 +62,7 @@       </Location>
       - +       Filters diff --git a/docs/manual/mod/mod_dav.xml b/docs/manual/mod/mod_dav.xml index b598ba30567..ee56ec6b183 100644 --- a/docs/manual/mod/mod_dav.xml +++ b/docs/manual/mod/mod_dav.xml @@ -22,7 +22,7 @@ -mod_dav +mod_dav Distributed Authoring and Versioning (WebDAV) functionality Extension @@ -51,7 +51,7 @@ by the mod_dav_fs module. Therefore, that module must be compiled into the server or loaded at runtime using the LoadModule directive.

      - +

      In addition, a location for the DAV lock database must be specified in the global section of your httpd.conf file using the DavLockDB @@ -232,7 +232,7 @@ a DAV resource </Location> - + diff --git a/docs/manual/mod/mod_dav_fs.xml b/docs/manual/mod/mod_dav_fs.xml index 6fdfe1be390..84d10184d20 100644 --- a/docs/manual/mod/mod_dav_fs.xml +++ b/docs/manual/mod/mod_dav_fs.xml @@ -22,7 +22,7 @@ -mod_dav_fs +mod_dav_fs filesystem provider for mod_dav Extension mod_dav_fs.c diff --git a/docs/manual/mod/mod_dav_lock.xml b/docs/manual/mod/mod_dav_lock.xml index d1f0a9e86e1..5caaaf76ae8 100644 --- a/docs/manual/mod/mod_dav_lock.xml +++ b/docs/manual/mod/mod_dav_lock.xml @@ -22,7 +22,7 @@ -mod_dav_lock +mod_dav_lock generic locking module for mod_dav Extension mod_dav_lock.c diff --git a/docs/manual/mod/mod_dbd.xml b/docs/manual/mod/mod_dbd.xml index 7144a1fcef7..3021e298833 100644 --- a/docs/manual/mod/mod_dbd.xml +++ b/docs/manual/mod/mod_dbd.xml @@ -183,9 +183,9 @@ APR_DECLARE_OPTIONAL_FN(void, ap_dbd_prepare, (server_rec*, const char*, const c

      FreeTDS (for MSSQL and SyBase)
      username, password, appname, dbname, host, charset, lang, server
      MySQL
      -
      host, port, user, pass, dbname, sock, flags, fldsz, group, reconnect
      +
      host, port, user, pass, dbname, sock, flags, fldsz, group, reconnect
      Oracle
      -
      user, pass, dbname, server
      +
      user, pass, dbname, server
      PostgreSQL
      The connection string is passed straight through to PQconnectdb
      SQLite2
      diff --git a/docs/manual/mod/mod_deflate.xml b/docs/manual/mod/mod_deflate.xml index 2473be0d8b5..0eb3637c598 100644 --- a/docs/manual/mod/mod_deflate.xml +++ b/docs/manual/mod/mod_deflate.xml @@ -93,7 +93,7 @@ client 1 to only allow html files to be compressed (see below). If you set this to anything but 1 it will be ignored.

      - +

      If you want to restrict the compression to particular MIME types in general, you may use the AddOutputFilterByType directive. Here is an example of @@ -171,7 +171,7 @@ client

      This Example will uncompress gzip'ed output from example.com, so other filters can do further processing with it.

      - +
      Input Decompression

      The mod_deflate module also provides a filter for @@ -188,7 +188,7 @@ client </Location> - +

      Now if a request contains a Content-Encoding: gzip header, the body will be automatically decompressed. Few browsers have the ability to gzip request bodies. However, @@ -216,7 +216,7 @@ client not understand it.

      If you use some special exclusions dependent - on, for example, the User-Agent header, you must + on, for example, the User-Agent header, you must manually configure an addition to the Vary header to alert proxies of the additional restrictions. For example, in a typical configuration where the addition of the DEFLATE @@ -225,7 +225,7 @@ client Header append Vary User-Agent - +

      If your decision about compression depends on other information than request headers (e.g. HTTP version), you have to set the Vary header to the value *. This prevents @@ -347,7 +347,7 @@ client

      The DeflateCompressionLevel directive specifies - what level of compression should be used, the higher the value, + what level of compression should be used, the higher the value, the better the compression, but the more CPU time is required to achieve this.

      The value must between 1 (less compression) and 9 (more compression).

      diff --git a/docs/manual/mod/mod_dialup.xml b/docs/manual/mod/mod_dialup.xml index b5e9600df3b..5b5b5743c5e 100644 --- a/docs/manual/mod/mod_dialup.xml +++ b/docs/manual/mod/mod_dialup.xml @@ -1,13 +1,13 @@ - + - + - - + mod_dialup Send static content at a bandwidth rate limit, defined by the various old modem standards Experimental @@ -33,7 +33,7 @@ the document to validate. -->

      It is a module that sends static content at a bandwidth rate limit, defined -by the various old modem standards. So, you can browse your site with a 56k +by the various old modem standards. So, you can browse your site with a 56k V.92 modem, by adding something like this:

      @@ -43,9 +43,9 @@ ModemStandard V.92

      Previously to do bandwidth rate limiting modules would have to block an entire -thread, for each client, and insert sleeps to slow the bandwidth down. -Using the new suspend feature, a handler can get callback N milliseconds in -the future, and it will be invoked by the Event MPM on a different thread, +thread, for each client, and insert sleeps to slow the bandwidth down. +Using the new suspend feature, a handler can get callback N milliseconds in +the future, and it will be invoked by the Event MPM on a different thread, once the timer hits. From there the handler can continue to send data to the client.

       diff --git a/docs/manual/mod/mod_dir.xml b/docs/manual/mod/mod_dir.xml index c7c9da74673..c9d7c3a1dd8 100644 --- a/docs/manual/mod/mod_dir.xml +++ b/docs/manual/mod/mod_dir.xml @@ -43,7 +43,7 @@

    The two functions are separated so that you can completely remove (or replace) automatic index generation should you want - to.

    + to.

    A "trailing slash" redirect is issued when the server receives a request for a URL @@ -95,7 +95,7 @@ a directory executed if neither index.html or index.txt existed in a directory.

    -

    A single argument of "disabled" prevents mod_dir from +

    A single argument of "disabled" prevents mod_dir from searching for an index. An argument of "disabled" will be interpeted literally if it has any arguments before or after it, even if they are "disabled" as well.

    @@ -107,7 +107,7 @@ a directory DirectoryIndexRedirect Configures an external redirect for directory indexes. -DirectoryIndexRedirect on | off | permanent | temp | seeother | +DirectoryIndexRedirect on | off | permanent | temp | seeother | 3xx-code DirectoryIndexRedirect off @@ -128,7 +128,7 @@ a directory

    A request for http://example.com/docs/ would return a temporary redirect to http://example.com/docs/index.html + >http://example.com/docs/index.html if it exists.

    diff --git a/docs/manual/mod/mod_dumpio.xml b/docs/manual/mod/mod_dumpio.xml index 9d14c8eca31..362fe7a23f5 100644 --- a/docs/manual/mod/mod_dumpio.xml +++ b/docs/manual/mod/mod_dumpio.xml @@ -62,7 +62,7 @@ DumpIOInput On|Off DumpIOInput Off server config -DumpIOInput is only available in Apache 2.1.3 and +DumpIOInput is only available in Apache 2.1.3 and later. @@ -82,7 +82,7 @@ later. DumpIOOutput On|Off DumpIOOutput Off server config -DumpIOOutput is only available in Apache 2.1.3 and +DumpIOOutput is only available in Apache 2.1.3 and later. diff --git a/docs/manual/mod/mod_echo.xml b/docs/manual/mod/mod_echo.xml index ef15bfc0d4c..46c6975772e 100644 --- a/docs/manual/mod/mod_echo.xml +++ b/docs/manual/mod/mod_echo.xml @@ -23,7 +23,7 @@ mod_echo -A simple echo server to illustrate protocol +A simple echo server to illustrate protocol modules Experimental mod_echo.c diff --git a/docs/manual/mod/mod_env.xml b/docs/manual/mod/mod_env.xml index 97bac32d8e8..7a48c9061fb 100644 --- a/docs/manual/mod/mod_env.xml +++ b/docs/manual/mod/mod_env.xml @@ -32,8 +32,8 @@ SSI pages

    This module allows for control of internal environment variables that are used by various Apache HTTP Server modules. These variables are also provided to CGI scripts as native system environment variables, and available - for use in SSI pages. Environment variables may be passed from the shell - which invoked the httpd process. Alternatively, + for use in SSI pages. Environment variables may be passed from the shell + which invoked the httpd process. Alternatively, environment variables may be set or unset within the configuration process.

    Environment Variables @@ -51,8 +51,8 @@ SSI pages

    Specifies one or more native system environment variables to make available as internal environment variables, which are available to Apache HTTP Server modules - as well as propogated to CGI scripts and SSI pages. Values come from the - native OS environment of the shell which invoked the + as well as propogated to CGI scripts and SSI pages. Values come from the + native OS environment of the shell which invoked the httpd process.

    Example @@ -70,7 +70,7 @@ SSI pages FileInfo -

    Sets an internal environment variable, which is then available to Apache +

    Sets an internal environment variable, which is then available to Apache HTTP Server modules, and passed on to CGI scripts and SSI pages.

    Example @@ -81,11 +81,11 @@ SSI pages after most early request processing directives are run, such as access control and URI-to-filename mapping. If the environment variable you're setting is meant as input into this early phase of processing such as the - RewriteRule directive, you should + RewriteRule directive, you should instead set the environment variable with SetEnvIf.

    - +     Environment Variables diff --git a/docs/manual/mod/mod_expires.xml b/docs/manual/mod/mod_expires.xml index cb63bfd4a58..514f76781d1 100644 --- a/docs/manual/mod/mod_expires.xml +++ b/docs/manual/mod/mod_expires.xml @@ -43,7 +43,7 @@ criteria be fetched from the cache rather than from the source until this time has passed. After that, the cache copy is considered "expired" and invalid, and a new copy must be obtained from the - source.

    + source.

    To modify Cache-Control directives other than max-age (see module="mod_headers">Header directive.

    When the Expires header is already part of the response - generated by the server, for example when generated by a CGI script or + generated by the server, for example when generated by a CGI script or proxied from an origin server, this module does not change or add an Expires or Cache-Control header.

    @@ -151,7 +151,7 @@ headers generated. If the criteria aren't met, no header will be sent, and the effect will be as though this directive wasn't even specified.

    -     +     diff --git a/docs/manual/mod/mod_ext_filter.xml b/docs/manual/mod/mod_ext_filter.xml index 1d0e206593f..8a1ea123778 100644 --- a/docs/manual/mod/mod_ext_filter.xml +++ b/docs/manual/mod/mod_ext_filter.xml @@ -242,7 +242,7 @@ delivery to the client escape blanks which should be part of a program argument. Any backslashes which are part of the argument must be escaped with backslash themselves. In addition to the standard CGI environment - variables, DOCUMENT_URI, DOCUMENT_PATH_INFO, and + variables, DOCUMENT_URI, DOCUMENT_PATH_INFO, and QUERY_STRING_UNESCAPED will also be set for the program.
    mode=mode
    diff --git a/docs/manual/mod/mod_file_cache.xml b/docs/manual/mod/mod_file_cache.xml index b279cb53722..d5d10c899b4 100644 --- a/docs/manual/mod/mod_file_cache.xml +++ b/docs/manual/mod/mod_file_cache.xml @@ -124,7 +124,7 @@ Note

    Don't bother asking for a directive which recursively - caches all the files in a directory. Try this instead... See the + caches all the files in a directory. Try this instead... See the Include directive, and consider this command:

    diff --git a/docs/manual/mod/mod_headers.xml b/docs/manual/mod/mod_headers.xml index 2f6b9e18d6b..837573939bb 100644 --- a/docs/manual/mod/mod_headers.xml +++ b/docs/manual/mod/mod_headers.xml @@ -313,25 +313,25 @@ headers components of the server may have stored their response headers in either the table that corresponds to onsuccess or the table that corresponds to always. "Always" in this context refers to - whether headers you add will be sent during both a successful and unsucessful + whether headers you add will be sent during both a successful and unsucessful response, but if your action is a function of an existing header, you will have to read on for further complications.

    -

    The default value of onsuccess may need to be changed to +

    The default value of onsuccess may need to be changed to always under the circumstances similar to those listed below. Note also that repeating this directive with both conditions makes sense in - some scenarios because always is not a superset of + some scenarios because always is not a superset of onsuccess with respect to existing headers:

      -
    • You're adding a header to a non-success (non-2xx) response, such - as a redirect, in which case only the table corresponding to +
    • You're adding a header to a non-success (non-2xx) response, such + as a redirect, in which case only the table corresponding to always is used in the ultimate response.
    • You're modifying or removing a header generated by a CGI script, - in which case the CGI scripts are in the table corresponding to + in which case the CGI scripts are in the table corresponding to always and not in the default table.
      • -
    • You're modifying or removing a header generated by some piece of - the server but that header is not being found by the default +
    • You're modifying or removing a header generated by some piece of + the server but that header is not being found by the default onsuccess condition.
    diff --git a/docs/manual/mod/mod_heartbeat.xml b/docs/manual/mod/mod_heartbeat.xml index 3a488d0879d..d1485fc90bd 100644 --- a/docs/manual/mod/mod_heartbeat.xml +++ b/docs/manual/mod/mod_heartbeat.xml @@ -41,7 +41,7 @@ This document is still under development. - +     diff --git a/docs/manual/mod/mod_heartmonitor.xml b/docs/manual/mod/mod_heartmonitor.xml index a0c81ded661..6ba3380a645 100644 --- a/docs/manual/mod/mod_heartmonitor.xml +++ b/docs/manual/mod/mod_heartmonitor.xml @@ -41,7 +41,7 @@ This document is still under development. - + @@ -53,7 +53,7 @@ This document is still under development. - + diff --git a/docs/manual/mod/mod_imagemap.xml b/docs/manual/mod/mod_imagemap.xml index bedc73f2043..fab7a715d4e 100644 --- a/docs/manual/mod/mod_imagemap.xml +++ b/docs/manual/mod/mod_imagemap.xml @@ -32,7 +32,7 @@

    This module processes .map files, thereby replacing the functionality of the imagemap CGI program. Any directory or document type configured to use the - handler imap-file (using either + handler imap-file (using either AddHandler or SetHandler) will be processed by this module.

    diff --git a/docs/manual/mod/mod_include.xml b/docs/manual/mod/mod_include.xml index 4dd0ac70b90..7bf6c63bdda 100644 --- a/docs/manual/mod/mod_include.xml +++ b/docs/manual/mod/mod_include.xml @@ -174,7 +174,7 @@ >SSIUndefinedEcho directive. Any dates printed are subject to the currently configured timefmt.

    -

    Attributes:

    +

    Attributes:

    var
    @@ -197,7 +197,7 @@

    The decoding attribute must precede the corresponding var attribute to be effective.

    - +
    encoding

    Specifies how Apache should encode special characters contained in the variable before outputting them. If set @@ -434,7 +434,7 @@ precede the corresponding var attribute to be effective.

    - +
    encoding

    Specifies how Apache should encode special characters contained in the variable before setting them. The default is @@ -631,7 +631,7 @@

    string1 = string2
    string1 == string2
    string1 != string2
    - +

    Compare string1 with string2. If string2 has the form /string2/ then it is treated as a regular expression. Regular expressions are @@ -737,7 +737,7 @@ parsed expression tokenizer information, the parse tree and how it is evaluated into the output sent to the client.

    - + Escaping slashes in regex strings

    All slashes which are not intended to act as delimiters in your regex must be escaped. This is regardless of their meaning to the regex engine.

    @@ -829,7 +829,7 @@ directive]"

    You may want to use this option if you have 2 servers parsing the output of a file each processing different commands (possibly at - different times).

    + different times).

    Example SSIStartTag "<%"
    @@ -837,8 +837,8 @@ directive]"

    The example given above, which also specifies a matching - SSIEndTag, will - allow you to use SSI directives as shown in the example + SSIEndTag, will + allow you to use SSI directives as shown in the example below:

    SSI directives with alternate start and end tags @@ -861,7 +861,7 @@ displayed Available in version 2.0.30 and later. -

    This directive changes the format in which date strings are displayed +

    This directive changes the format in which date strings are displayed when echoing DATE environment variables. The formatstring is as in strftime(3) from the C standard library.

    @@ -972,23 +972,23 @@ server. if already present, or set if the header is not already present. This can be used to enable caching of the output. SSILastModified can take on the following values:

    - +
    - +
    off
    The Last-Modified header will be stripped from responses, unless the XBitHack directive is set to full as described below.
    - +
    on
    The Last-Modified header will be respected if already present in a response, and added to the response if the response is a file and the header is missing. The SSILastModified directive takes precedence over XBitHack.
    - +
    - +     @@ -1005,7 +1005,7 @@ server. new     ap_expr syntax for conditional expressions in #if flow control elements. This directive allows to switch to the old syntax which is compatible - with Apache HTTPD version 2.2.x and earlier. + with Apache HTTPD version 2.2.x and earlier.

    @@ -1040,14 +1040,14 @@ set returned file to be the last modified time of the file. If it is not set, then no last-modified date is sent. Setting this bit allows clients and proxies to cache the result of - the request. + the request. Note

    You would not want to use the full option, unless you assure the group-execute bit is unset for every SSI script which might #include a CGI or otherwise produces different output on each hit (or could potentially change on subsequent requests).

    - +

    The SSILastModified directive takes precedence over the XBitHack directive when diff --git a/docs/manual/mod/mod_info.xml b/docs/manual/mod/mod_info.xml index 4bd6037bc98..0bfd6d645be 100644 --- a/docs/manual/mod/mod_info.xml +++ b/docs/manual/mod/mod_info.xml @@ -72,9 +72,9 @@ configuration this module should only be used in a controlled environment and always with caution.

    -

    You will probably want to use mod_authz_host +

    You will probably want to use mod_authz_host to limit access to your server configuration information.

    - + Access control <Location /server-info>
    @@ -95,12 +95,12 @@ configuration the directives understood by that module, the hooks implemented by that module, and the relevant directives from the current configuration.

    - +

    Other views of the configuration information are available by appending a query to the server-info request. For example, http://your.host.example.com/server-info?config will show all configuration directives.

    - +
    ?<module-name>
    Only information relevant to the named module
    diff --git a/docs/manual/mod/mod_lbmethod_byrequests.xml b/docs/manual/mod/mod_lbmethod_byrequests.xml index 10cb7f806ee..a9a718153b9 100644 --- a/docs/manual/mod/mod_lbmethod_byrequests.xml +++ b/docs/manual/mod/mod_lbmethod_byrequests.xml @@ -76,7 +76,7 @@ candidate lbstatus -= total factor

    If a balancer is configured as follows:

    - + diff --git a/docs/manual/mod/mod_lbmethod_bytraffic.xml b/docs/manual/mod/mod_lbmethod_bytraffic.xml index 989328b9c23..ddf982dbba5 100644 --- a/docs/manual/mod/mod_lbmethod_bytraffic.xml +++ b/docs/manual/mod/mod_lbmethod_bytraffic.xml @@ -52,7 +52,7 @@ provides the bytraffic load balancing method..

    or produced.

    If a balancer is configured as follows:

    - +
    worker a
    diff --git a/docs/manual/mod/mod_lbmethod_heartbeat.xml b/docs/manual/mod/mod_lbmethod_heartbeat.xml index 71eaf16624a..7e831c55e54 100644 --- a/docs/manual/mod/mod_lbmethod_heartbeat.xml +++ b/docs/manual/mod/mod_lbmethod_heartbeat.xml @@ -46,7 +46,7 @@ This document is still under development. - + diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml index 323e17eea27..7d850fb4c3c 100644 --- a/docs/manual/mod/mod_ldap.xml +++ b/docs/manual/mod/mod_ldap.xml @@ -203,7 +203,7 @@ by other LDAP modules
    Using SSL/TLS -

    The ability to create an SSL and TLS connections to an LDAP server +

    The ability to create an SSL and TLS connections to an LDAP server is defined by the directives LDAPTrustedGlobalCert, LDAPTrustedClientCert and @@ -350,8 +350,8 @@ by other LDAP modules binary DER or Base64 (PEM) encoded files.

    Both CA and client certificates may be specified globally - (LDAPTrustedGlobalCert) or per-connection (LDAPTrustedClientCert). - When any settings are specified per-connection, the global + (LDAPTrustedGlobalCert) or per-connection (LDAPTrustedClientCert). + When any settings are specified per-connection, the global settings are superceded.

    The documentation for the SDK claims to support both SSL and @@ -472,7 +472,7 @@ by other LDAP modules LDAPOpCacheEntries -Number of entries used to cache LDAP compare +Number of entries used to cache LDAP compare operations LDAPOpCacheEntries number LDAPOpCacheEntries 1024 @@ -533,7 +533,7 @@ valid LDAPReferralHopLimit works in conjunction with this directive to limit the number of referral hops to follow before terminating the LDAP query. When referral processing is enabled client credentials will be provided, via a rebind callback, for any LDAP server - requiring them.

    + requiring them.

    @@ -643,17 +643,17 @@ connection client certificates. typically controls how long the LDAP client library will wait for the TCP connection to the LDAP server to complete.

    -

    If a connection is not successful with the timeout period, either an error will be - returned or the LDAP client library will attempt to connect to a secondary LDAP - server if one is specified (via a space-separated list of hostnames in the +

    If a connection is not successful with the timeout period, either an error will be + returned or the LDAP client library will attempt to connect to a secondary LDAP + server if one is specified (via a space-separated list of hostnames in the AuthLDAPURL).

    -

    The default is 10 seconds, if the LDAP client library linked with the +

    The default is 10 seconds, if the LDAP client library linked with the server supports the LDAP_OPT_NETWORK_TIMEOUT option.

    LDAPConnectionTimeout is only available when the LDAP client library linked - with the server supports the LDAP_OPT_NETWORK_TIMEOUT - (or LDAP_OPT_CONNECT_TIMEOUT) option, and the ultimate behavior is + with the server supports the LDAP_OPT_NETWORK_TIMEOUT + (or LDAP_OPT_CONNECT_TIMEOUT) option, and the ultimate behavior is dictated entirely by the LDAP client library. @@ -691,8 +691,8 @@ connection client certificates. server config -

    Specifies whether to force the verification of a - server certificate when establishing an SSL connection to the +

    Specifies whether to force the verification of a + server certificate when establishing an SSL connection to the LDAP server.

     @@ -708,11 +708,11 @@ connection client certificates.

    Specifies the maximum age, in seconds, that a pooled LDAP connection can remain idle - and still be available for use. Connections are cleaned up when they are next needed, + and still be available for use. Connections are cleaned up when they are next needed, not asynchronously.

    -

    A setting of 0 causes connections to never be saved in the backend - connection pool. The default value of -1, and any other negative value, +

    A setting of 0 causes connections to never be saved in the backend + connection pool. The default value of -1, and any other negative value, allows connections of any age to be reused.

    This timeout defaults to units of seconds, but accepts @@ -730,22 +730,22 @@ connection client certificates. server config -

    Turns on SDK-specific LDAP debug options that generally cause the LDAP - SDK to log verbose trace information to the main Apache error log. +

    Turns on SDK-specific LDAP debug options that generally cause the LDAP + SDK to log verbose trace information to the main Apache error log. The trace messages from the LDAP SDK provide gory details that can be useful during debugging of connectivity problems with backend LDAP servers

    -

    This option is only configurable when Apache HTTP Server is linked with - an LDAP SDK that implements LDAP_OPT_DEBUG or - LDAP_OPT_DEBUG_LEVEL, such as OpenLDAP (a value of 7 is verbose) +

    This option is only configurable when Apache HTTP Server is linked with + an LDAP SDK that implements LDAP_OPT_DEBUG or + LDAP_OPT_DEBUG_LEVEL, such as OpenLDAP (a value of 7 is verbose) or Tivoli Directory Server (a value of 65535 is verbose).

    -

    The logged information will likely contain plaintext credentials being used or +

    The logged information will likely contain plaintext credentials being used or validated by LDAP authentication, so care should be taken in protecting and purging the error log when this directive is used.

     - +     diff --git a/docs/manual/mod/mod_log_config.xml b/docs/manual/mod/mod_log_config.xml index ed7d15aa008..136f9dcd42b 100644 --- a/docs/manual/mod/mod_log_config.xml +++ b/docs/manual/mod/mod_log_config.xml @@ -151,9 +151,9 @@
    - @@ -173,7 +173,7 @@ for the final status. - @@ -248,7 +248,7 @@ comma-separated list of status codes immediately following the "%". The status code list may be peceded by a "!" to indicate negation.

    - +
    worker a The process ID of the child that serviced the request.
    %{format}PThe process ID or thread ID of the child that serviced the + The process ID or thread ID of the child that serviced the request. Valid formats are pid, tid, - and hextid. hextid requires APR 1.2.0 or + and hextid. hextid requires APR 1.2.0 or higher.
    %tTime the request was received, in the format [18/Sep/2011:19:18:28 -0400]. + Time the request was received, in the format [18/Sep/2011:19:18:28 -0400]. The last number indicates the timezone offset from GMT
    %{format}t
    @@ -260,9 +260,9 @@ - + - @@ -415,7 +415,7 @@ Note

    When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashed are used even though the platform - may allow the use of back slashes. In general it is a good idea to always + may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.

     @@ -452,7 +452,7 @@ example, if you want to record requests for all GIF images on your server in a separate logfile but not in your main log, you can use:

    - + SetEnvIf Request_URI \.gif$ gif-image
    CustomLog gif-requests.log common env=gif-image
    @@ -493,7 +493,7 @@ previous LogFormat directive as described below.

    -

    The second form of the LogFormat +

    The second form of the LogFormat directive associates an explicit format with a nickname. This nickname can then be used in subsequent LogFormat or diff --git a/docs/manual/mod/mod_log_forensic.xml b/docs/manual/mod/mod_log_forensic.xml index ad5831c7a96..ab9ac6d69a6 100644 --- a/docs/manual/mod/mod_log_forensic.xml +++ b/docs/manual/mod/mod_log_forensic.xml @@ -136,7 +136,7 @@ version 2.1 Note

    When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashes are used even though the platform - may allow the use of back slashes. In general it is a good idea to always + may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.

    diff --git a/docs/manual/mod/mod_lua.xml b/docs/manual/mod/mod_lua.xml index d8682111bf0..ef02cc20699 100644 --- a/docs/manual/mod/mod_lua.xml +++ b/docs/manual/mod/mod_lua.xml @@ -32,14 +32,14 @@ request processing 2.3 and later -

    This module allows the server to be extended with scripts written in the +

    This module allows the server to be extended with scripts written in the Lua programming language. The extension points (hooks) available with mod_lua include many of the hooks available to natively compiled Apache HTTP Server modules, such as mapping requests to -files, generating dynamic responses, access control, authentication, and +files, generating dynamic responses, access control, authentication, and authorization

    -

    More information on the Lua programming language can be found at the +

    More information on the Lua programming language can be found at the the Lua website.

    mod_lua is still in experimental state. @@ -77,8 +77,8 @@ ending in .lua by invoking that file's
    Writing Handlers

    In the Apache HTTP Server API, the handler is a specific kind of hook -responsible for generating the response. Examples of modules that include a -handler are mod_proxy, mod_cgi, +responsible for generating the response. Examples of modules that include a +handler are mod_proxy, mod_cgi, and mod_status.

    mod_lua always looks to invoke a Lua function for the handler, rather than @@ -90,9 +90,9 @@ something like this:

    require "string" ---[[ - This is the default method name for Lua handlers, see the optional - function-name in the LuaMapHandler directive to choose a different +--[[ + This is the default method name for Lua handlers, see the optional + function-name in the LuaMapHandler directive to choose a different entry point. --]] function handle(r) @@ -109,7 +109,7 @@ function handle(r) end else r:puts("unknown HTTP method " .. r.method) - end + end end @@ -128,8 +128,8 @@ handlers (or hooks, or filters) in the same script.
    Writing Hooks

    Hook functions are how modules (and Lua scripts) participate in the -processing of requests. Each type of hook exposed by the server exists for -a specific purposes such as mapping requests to the filesystem, +processing of requests. Each type of hook exposed by the server exists for +a specific purposes such as mapping requests to the filesystem, performing access control, or setting mimetypes. General purpose hooks that simply run at handy times in the request lifecycle exist as well.

    @@ -158,7 +158,7 @@ end --[[ example hook that rewrites one URI to another URI. It returns a apache2.DECLINED to give other URL mappers a chance to work on the substitution, including the core translate_name hook which maps based - on the DocumentRoot. + on the DocumentRoot. Note: It is currently undefined as to whether this runs before or after mod_alias. @@ -183,7 +183,7 @@ end

    The request_rec is mapped in as a userdata. It has a metatable which lets you do useful things with it. For the most part it - has the same fields as the request_rec struct (see httpd.h + has the same fields as the request_rec struct (see httpd.h until we get better docs here) many of which are writeable as well as readable. (The table fields' content can be changed, but the fields themselves cannot be set to different tables.)

    @@ -314,7 +314,7 @@ end r:addoutputfilter(name|function) -- add an output filter - + r:parseargs() -- returns a lua table containing the request's query string arguments @@ -334,7 +334,7 @@ end
    - +
    Logging Functions @@ -403,16 +403,16 @@ end

    Specify the lifecycle scope of the Lua interpreter which will be used by handlers in this "Directory." The default is "once"

    - +
    once:
    use the interpreter once and throw it away.
    - -
    request:
    use the interpreter to handle anything based on - the same file within this request, which is also + +
    request:
    use the interpreter to handle anything based on + the same file within this request, which is also request scoped.
    - +
    conn:
    Same as request but attached to the connection_rec
    - +
    server:
    This one is different than others because the server scope is quite long lived, and multiple threads will have the same server_rec. To accommodate this @@ -445,7 +445,7 @@ end to the file /scripts/photos.lua and invoke the handler function handle_show on the lua vm after loading that file.

    - + LuaMapHandler /bingo /scripts/wombat.lua @@ -464,9 +464,9 @@ end All

    Add a path to lua's module search path. Follows the same - conventions as lua. This just munges the package.path in the + conventions as lua. This just munges the package.path in the lua vms.

    - + Examples: LuaPackagePath /scripts/lib/?.lua
    LuaPackagePath /scripts/lib/?/init.lua @@ -485,9 +485,9 @@ end

    Add a path to lua's shared library search path. Follows the same - conventions as lua. This just munges the package.cpath in the + conventions as lua. This just munges the package.cpath in the lua vms.

    - +     @@ -507,12 +507,12 @@ end ones) each time that file is needed, and reloads it if the modified time indicates it is newer than the one it has already loaded. The other values cause it to keep the file - cached forever (don't stat and replace) or to never cache the + cached forever (don't stat and replace) or to never cache the file.

    - +

    In general stat or forever is good for production, and stat or never for development.

    - + Examples: LuaCodeCache stat
    LuaCodeCache forever
    @@ -534,7 +534,7 @@ end

    Add a hook (at APR_HOOK_MIDDLE) to the translate name phase of request processing. The hook function receives a single - argument, the request_rec, and should return a status code, + argument, the request_rec, and should return a status code, which is either an HTTP error code, or the constants defined in the apache2 module: apache2.OK, apache2.DECLINED, or apache2.DONE.

    diff --git a/docs/manual/mod/mod_mime.xml b/docs/manual/mod/mod_mime.xml index 4f138101691..7edfe134fe4 100644 --- a/docs/manual/mod/mod_mime.xml +++ b/docs/manual/mod/mod_mime.xml @@ -204,11 +204,11 @@ module="mod_mime_magic">MimeMagicFile displayed as such. This information, also, is transmitted in HTTP headers.

    -

    The character set, language, encoding and mime type are all - used in the process of content negotiation (See +

    The character set, language, encoding and mime type are all + used in the process of content negotiation (See mod_negotiation) to determine which document to give to the client, when there are - alternative documents in more than one character set, language, + alternative documents in more than one character set, language, encoding or mime type. All filename extensions associations created with AddCharset, AddEncoding, It is recommended that new media types be added using the - AddType directive rather than changing the + AddType directive rather than changing the TypesConfig file. - + Example AddType image/gif .gif @@ -567,8 +567,8 @@ type the content returned by the server.

    This directive primarily configures the content types generated for - static files served out of the filesystem. For resources other than - static files, where the generator of the response typically specifies + static files served out of the filesystem. For resources other than + static files, where the generator of the response typically specifies a Content-Type, this directive has no effect.

     @@ -824,7 +824,7 @@ extensions RemoveInputFilter is only available in Apache 2.0.26 and later. - +

    The RemoveInputFilter directive removes any input filter associations for files with the given extensions. @@ -875,7 +875,7 @@ extensions RemoveOutputFilter is only available in Apache 2.0.26 and later. - +

    The RemoveOutputFilter directive removes any output filter associations for files with the given extensions. diff --git a/docs/manual/mod/mod_negotiation.xml b/docs/manual/mod/mod_negotiation.xml index 73fa3664a92..ef9593b1f52 100644 --- a/docs/manual/mod/mod_negotiation.xml +++ b/docs/manual/mod/mod_negotiation.xml @@ -153,7 +153,7 @@ Negotiation document.html.de, respectively. The type map file will be called document.html.var, and will contain the following:

    - + URI: document.html

    @@ -208,7 +208,7 @@ Negotiation CacheNegotiatedDocs -Allows content-negotiated documents to be +Allows content-negotiated documents to be cached by proxy servers CacheNegotiatedDocs On|Off CacheNegotiatedDocs Off @@ -232,7 +232,7 @@ cached by proxy servers ForceLanguagePriority -Action to take if a single acceptable document is not +Action to take if a single acceptable document is not found ForceLanguagePriority None|Prefer|Fallback [Prefer|Fallback] ForceLanguagePriority Prefer diff --git a/docs/manual/mod/mod_nw_ssl.xml b/docs/manual/mod/mod_nw_ssl.xml index cfe3d1f7917..9a152dcec43 100644 --- a/docs/manual/mod/mod_nw_ssl.xml +++ b/docs/manual/mod/mod_nw_ssl.xml @@ -31,7 +31,7 @@

    This module enables SSL encryption for a specified port. It - takes advantage of the SSL encryption functionality that is + takes advantage of the SSL encryption functionality that is built into the NetWare operating system.

     @@ -58,7 +58,7 @@

    Specifies a list of client certificate files (DER format) that are used when creating a proxied SSL connection. Each - client certificate used by a server must be listed separately + client certificate used by a server must be listed separately in its own .der file.

         @@ -70,10 +70,10 @@ server config -

    Allow a connection that was created on the specified address +

    Allow a connection that was created on the specified address and/or port to be upgraded to an SSL connection upon request from - the client. The address and/or port must have already be defined - previously with a Listen + the client. The address and/or port must have already be defined + previously with a Listen directive.

         diff --git a/docs/manual/mod/mod_proxy_ajp.xml b/docs/manual/mod/mod_proxy_ajp.xml index bfe59602a66..8a9db925bcd 100644 --- a/docs/manual/mod/mod_proxy_ajp.xml +++ b/docs/manual/mod/mod_proxy_ajp.xml @@ -32,7 +32,7 @@

    This module requires the service of mod_proxy. It provides support for the + >mod_proxy. It provides support for the Apache JServ Protocol version 1.3 (hereafter AJP13).

    @@ -52,8 +52,8 @@ Environment Variable documentation
    Environment Variables -

    Environment variables whose names have the prefix AJP_ - are forwarded to the origin server as AJP request attributes +

    Environment variables whose names have the prefix AJP_ + are forwarded to the origin server as AJP request attributes (with the AJP_ prefix removed from the name of the key).

    @@ -296,7 +296,7 @@ AJP13_FORWARD_REQUEST :=

    The request_headers have the following structure: 

    -req_header_name := 
+req_header_name :=
     sc_req_header_name | (string)  [see below for how this is parsed]
 
 sc_req_header_name := 0xA0xx (integer)
@@ -352,7 +352,7 @@ attribute_value := (string)
    Logs User-agent on 400 errors and 501 errors only. For other status codes, the literal string "-" will be logged.
    %!200,304,302{Referer}iLogs Referer on all requests that do + Logs Referer on all requests that do not return one of the three specified codes, "-" otherwise.
    BASELINE_CONTROL26
    MKACTIVITY27
    -

    Later version of ajp13, will transport +

    Later version of ajp13, will transport additional methods, even if they are not in this list.

    protocol, req_uri, remote_addr, remote_host, server_name, diff --git a/docs/manual/mod/mod_proxy_balancer.xml b/docs/manual/mod/mod_proxy_balancer.xml index 90eef4500fc..97fed366675 100644 --- a/docs/manual/mod/mod_proxy_balancer.xml +++ b/docs/manual/mod/mod_proxy_balancer.xml @@ -61,7 +61,7 @@ <p>At present, there are 3 load balancer scheduler algorithms available for use: Request Counting, Weighted Traffic Counting and Pending Request Counting. These are controlled via the <code>lbmethod</code> value of - the Balancer definition. See the <directive module="mod_proxy">ProxyPass</directive> + the Balancer definition. See the <directive module="mod_proxy">ProxyPass</directive> directive for more information, especially regarding how to configure the Balancer and BalancerMembers.</p> </section> @@ -132,14 +132,14 @@ <!-- ============= BALANCER_SESSION_ROUTE ================ --> <dt><var><a name="balancer_session_route" id="balancer_session_route">BALANCER_SESSION_ROUTE</a></var></dt> <dd> - <p>This is assigned the <var>route</var> parsed from the current + <p>This is assigned the <var>route</var> parsed from the current request.</p> </dd> <!-- ============= BALANCER_NAME ========================= --> <dt><var><a name="balancer_name" id="balancer_name">BALANCER_NAME</a></var></dt> <dd> - <p>This is assigned the name of the balancer used for the current + <p>This is assigned the name of the balancer used for the current request. The value is something like <code>balancer://foo</code>.</p> </dd> @@ -153,7 +153,7 @@ <!-- ============= BALANCER_WORKER_ROUTE ================= --> <dt><var><a name="balancer_worker_route" id="balancer_worker_route">BALANCER_WORKER_ROUTE</a></var></dt> <dd> - <p>This is assigned the <var>route</var> of the worker that will be + <p>This is assigned the <var>route</var> of the worker that will be used for the current request.</p> </dd> @@ -172,7 +172,7 @@ <section id="balancer_manager"> <title>Enabling Balancer Manager Support -

    This module requires the service of +

    This module requires the service of mod_status. Balancer manager enables dynamic update of balancer members. You can use balancer manager to change the balance diff --git a/docs/manual/mod/mod_proxy_express.xml b/docs/manual/mod/mod_proxy_express.xml index 1ca43e184f9..50c991024bf 100644 --- a/docs/manual/mod/mod_proxy_express.xml +++ b/docs/manual/mod/mod_proxy_express.xml @@ -39,7 +39,7 @@ dynamic growth, but is intended to handle much, much larger numbers of backends. It is ideally suited as a front-end HTTP switch.

    - +

    This module requires the service of mod_proxy.

    @@ -74,7 +74,7 @@ mod_proxy - + ProxyExpressEnable Enable the module functionality. @@ -107,7 +107,7 @@ Note

    The file is constructed from a plain text file format using - the httxt2dbm + the httxt2dbm utility.

    ProxyExpress map file diff --git a/docs/manual/mod/mod_proxy_fcgi.xml b/docs/manual/mod/mod_proxy_fcgi.xml index 150c44f32b2..5de04b121ef 100644 --- a/docs/manual/mod/mod_proxy_fcgi.xml +++ b/docs/manual/mod/mod_proxy_fcgi.xml @@ -32,7 +32,7 @@

    This module requires the service of mod_proxy. It provides support for the + >mod_proxy. It provides support for the FastCGI protocol.

    Thus, in order to get the ability of handling the FastCGI @@ -40,7 +40,7 @@ mod_proxy_fcgi have to be present in the server.

    Unlike mod_fcgid - and mod_fastcgi, + and mod_fastcgi, mod_proxy_fcgi has no provision for starting the application process; fcgistarter is provided for that purpose.

    @@ -65,10 +65,10 @@

    This application should be able to handle multiple concurrent - connections. mod_proxy enables connection reuse by + connections. mod_proxy enables connection reuse by default, so after a request has been completed the connection will be held open by that httpd child process and won't be reused until that - httpd process routes another request to the application. If the + httpd process routes another request to the application. If the FastCGI application is unable to handle enough concurrent connections from httpd, requests can block waiting for the application to close an existing connection. One way to resolve this is to disable connection @@ -80,7 +80,7 @@

    The balanced gateway needs mod_proxy_balancer and - at least one load balancer algorithm module, such as + at least one load balancer algorithm module, such as mod_lbmethod_byrequests, in addition to the proxy modules listed above. mod_lbmethod_byrequests is the default, and will be used for this example configuration.

    diff --git a/docs/manual/mod/mod_proxy_fdpass.xml b/docs/manual/mod/mod_proxy_fdpass.xml index cad8cfc7694..5d61836d79b 100644 --- a/docs/manual/mod/mod_proxy_fdpass.xml +++ b/docs/manual/mod/mod_proxy_fdpass.xml @@ -35,19 +35,19 @@ >mod_proxy. It provides support for the passing the socket of the client to another process.

    -

    mod_proxy_fdpass uses the ability of AF_UNIX domain - sockets to pass an +

    mod_proxy_fdpass uses the ability of AF_UNIX domain + sockets to pass an open file descriptor to allow another process to finish handling a request.

    -

    The module has a proxy_fdpass_flusher provider interface, +

    The module has a proxy_fdpass_flusher provider interface, which allows another module to optionally send the response headers, or even the start of the response body. The default flush provider disables keep-alive, and sends the response headers, letting the external process just send a response body.

    -

    At this time the only data passed to the external process is the client - socket. To receive a client socket, call recvfrom with an allocated +

    At this time the only data passed to the external process is the client + socket. To receive a client socket, call recvfrom with an allocated struct cmsghdr. Future versions of this module may include more data after the client socket, but this is not implemented at this time. diff --git a/docs/manual/mod/mod_proxy_ftp.xml b/docs/manual/mod/mod_proxy_ftp.xml index 9c2e012f52a..77582e711b5 100644 --- a/docs/manual/mod/mod_proxy_ftp.xml +++ b/docs/manual/mod/mod_proxy_ftp.xml @@ -154,7 +154,7 @@ See the ProxyFtpListOnWildcard directive.

    - + ProxyFtpListOnWildcard Whether wildcards in requested filenames trigger a file listing diff --git a/docs/manual/mod/mod_proxy_scgi.xml b/docs/manual/mod/mod_proxy_scgi.xml index 1010f336a63..4fd0b532505 100644 --- a/docs/manual/mod/mod_proxy_scgi.xml +++ b/docs/manual/mod/mod_proxy_scgi.xml @@ -59,7 +59,7 @@

    The balanced gateway needs mod_proxy_balancer and - at least one load balancer algorithm module, such as + at least one load balancer algorithm module, such as mod_lbmethod_byrequests, in addition to the proxy modules listed above. mod_lbmethod_byrequests is the default, and will be used for this example configuration.

    diff --git a/docs/manual/mod/mod_ratelimit.xml b/docs/manual/mod/mod_ratelimit.xml index 614e5369a28..079c4464b53 100644 --- a/docs/manual/mod/mod_ratelimit.xml +++ b/docs/manual/mod/mod_ratelimit.xml @@ -1,13 +1,13 @@ - + - + - - + mod_ratelimit Bandwidth Rate Limiting for Clients Extension @@ -33,8 +33,8 @@ the document to validate. --> -

    Provides a rate_limit filter to limit client bandwidth. -The connection speed to be simulated is specified, in kb/s, using the environment +

    Provides a rate_limit filter to limit client bandwidth. +The connection speed to be simulated is specified, in kb/s, using the environment variable rate-limit.

    Example Configuration diff --git a/docs/manual/mod/mod_remoteip.xml b/docs/manual/mod/mod_remoteip.xml index 40104b743be..695f4b22054 100644 --- a/docs/manual/mod/mod_remoteip.xml +++ b/docs/manual/mod/mod_remoteip.xml @@ -23,8 +23,8 @@ mod_remoteip -Replaces the apparent client remote IP address and hostname -for the request with the IP address list presented by a proxies or a load +Replaces the apparent client remote IP address and hostname +for the request with the IP address list presented by a proxies or a load balancer via the request headers. @@ -33,12 +33,12 @@ balancer via the request headers. remoteip_module -

    This module is used to treat the remote host which initiated the +

    This module is used to treat the remote host which initiated the request as the originating remote host as identified by httpd for the purposes of authorization and logging, even where that remote host is behind a load balancer, front end server, or proxy server.

    -

    The module replaces the apparent remote (client) IP/hostname for +

    The module replaces the apparent remote (client) IP/hostname for the request with the IP address reported in the request header configured with the RemoteIPHeader directive.

    @@ -48,8 +48,8 @@ balancer via the request headers. and Require ip, is reported by mod_status, and is recorded by mod_log_config %a and %h - directives. It also determines the machine probed for an inetd - identity by mod_ident based on the + directives. It also determines the machine probed for an inetd + identity by mod_ident based on the IdentityCheck configuration.

    It is critical to only enable this behavior from @@ -66,19 +66,19 @@ balancer via the request headers.
    Remote IP Processing

    Apache identifies the client with the connection's remote_ip value, - and the connection remote_host and remote_logname are derived from this - value. These fields play a role in authentication, authorization and + and the connection remote_host and remote_logname are derived from this + value. These fields play a role in authentication, authorization and logging and other purposes by other loadable modules.

    mod_remoteip replaces the true remote_ip with the advertised remote_ip as provided by a proxy, for every evaluation of the client that occurs in the - server, and resets the remote_host and remote_logname values to trigger a + server, and resets the remote_host and remote_logname values to trigger a fresh dns or ident query of the remote IP address.

    -

    When multiple, comma delimited remote IP addresses are listed in the +

    When multiple, comma delimited remote IP addresses are listed in the header value, they are processed in Right-to-Left order. Processing halts when a given remote IP address is not trusted to present the - preceeding IP address. The header field is updated to this remaining + preceeding IP address. The header field is updated to this remaining list of unconfirmed IP addresses, or if all IP addresses were trusted, this header is removed from the request altogether.

    @@ -97,7 +97,7 @@ balancer via the request headers. All internal addresses 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 blocks (and IPv6 addresses outside of the public 2000::/3 block) are only evaluated by mod_remoteip when RemoteIPInternalProxy - internal (intranet) proxies are registered. + internal (intranet) proxies are registered.
    @@ -108,10 +108,10 @@ balancer via the request headers. server configvirtual host -

    The RemoteIPHeader directive triggers +

    The RemoteIPHeader directive triggers mod_remoteip to treat the value of the specified header-field header as the client IP address, or list - of intermediate client IP addresses, subject to further configuration + of intermediate client IP addresses, subject to further configuration of the RemoteIPInternalProxy and RemoteIPTrustedProxy directives. Unless these other directives are used, mod_remoteip will trust all @@ -138,7 +138,7 @@ balancer via the request headers. or more addresses (or address blocks) to trust as presenting a valid RemoteIPHeader value of the client IP. Unlike the RemoteIPTrustedProxy directive, any IP address - presented in this header, including private intranet addresses, are + presented in this header, including private intranet addresses, are trusted when passed from these proxies.

    Internal (Load Balancer) Example @@ -188,7 +188,7 @@ balancer via the request headers. a header into which mod_remoteip will collect a list of all of the intermediate client IP addresses trusted to resolve the actual remote IP. Note that intermediate RemoteIPTrustedProxy - addresses are recorded in this header, while any intermediate + addresses are recorded in this header, while any intermediate RemoteIPInternalProxy addresses are discarded.

    Example @@ -208,10 +208,10 @@ balancer via the request headers.

    The RemoteIPTrustedProxy directive adds one or more addresses (or address blocks) to trust as presenting a valid RemoteIPHeader value of the client IP. Unlike the - RemoteIPInternalProxy directive, any intranet + RemoteIPInternalProxy directive, any intranet or private IP address reported by such proxies, including the 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public - 2000::/3 block) are not trusted as the remote IP, and are left in the + 2000::/3 block) are not trusted as the remote IP, and are left in the RemoteIPHeader header's value.

    Trusted (Load Balancer) Example diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index 80d35938890..a77091a5423 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -32,21 +32,21 @@ URLs on the fly rewrite_module -

    The mod_rewrite module uses a rule-based rewriting +

    The mod_rewrite module uses a rule-based rewriting engine, based on a regular-expression parser, to rewrite requested URLs on - the fly. By default, mod_rewrite maps a URL to a filesystem + the fly. By default, mod_rewrite maps a URL to a filesystem path. However, it can also be used to redirect one URL to another URL, or to invoke an internal proxy fetch.

    -

    mod_rewrite provides a flexible and powerful way to - manipulate URLs using an unlimited number of rules. Each rule can have an +

    mod_rewrite provides a flexible and powerful way to + manipulate URLs using an unlimited number of rules. Each rule can have an unlimited number of attached rule conditions, to allow you to rewrite URL - based on server variables, environment variables, HTTP headers, or time + based on server variables, environment variables, HTTP headers, or time stamps.

    mod_rewrite operates on the full URL path, including the - path-info section. A rewrite rule can be invoked in - httpd.conf or in .htaccess. The path generated - by a rewrite rule can include a query string, or can lead to internal - sub-processing, external request redirection, or internal proxy + path-info section. A rewrite rule can be invoked in + httpd.conf or in .htaccess. The path generated + by a rewrite rule can include a query string, or can lead to internal + sub-processing, external request redirection, or internal proxy throughput.

    Further details, discussion, and examples, are provided in the @@ -142,7 +142,7 @@ later

    Inherit
    - +

    This forces the current configuration to inherit the configuration of the parent. In per-virtual-server context, this means that the maps, conditions and rules of the main @@ -157,7 +157,7 @@ later of local rules - has no influence on this behavior. If local rules forced the rewriting to stop, the inherited rules won't be processed.

    - + Rules inherited from the parent scope are applied after rules specified in the child scope. @@ -167,10 +167,10 @@ later
    InheritBefore

    Like Inherit above, but the rules from the parent scope - are applied before rules specified in the child scope. + are applied before rules specified in the child scope. Available in Apache HTTP Server 2.3.10 and later.

    - +
    @@ -245,7 +245,7 @@ Apache HTTP Server 2.0.41 and later
    dbm
    Looks up an entry in a dbm file containing name, value pairs. Hash is constructed from a plain text file format using - the httxt2dbm + the httxt2dbm utility. (Details ...)
    int
    @@ -283,13 +283,13 @@ Apache HTTP Server 2.0.41 and later that result in the substitution of a relative path. When you use a RewriteRule in a .htaccess file, mod_rewrite strips off - the local directory prefix before processing, then rewrites the rest of + the local directory prefix before processing, then rewrites the rest of the URL. When the rewrite is completed, mod_rewrite automatically adds the local directory prefix (or the - RewriteBase when set) back on to the substitution + RewriteBase when set) back on to the substitution before handing it back to the core of the server as if it were the original URL.

    - +

    This directive is required for per-directory rewrites whose context is a directory made available via the Alias directive, when the substitution uses a relative path.

    @@ -300,9 +300,9 @@ Apache HTTP Server 2.0.41 and later .htaccess file where you want to use RewriteRule directives.

    -

    The example below demonstrates how to map - http://example.com/myapp/index.html to - /home/www/example/newsite.html, in a .htaccess file. This +

    The example below demonstrates how to map + http://example.com/myapp/index.html to + /home/www/example/newsite.html, in a .htaccess file. This assumes that the content available at http://example.com/ is on disk at /home/www/example/

    @@ -452,7 +452,7 @@ RewriteRule ^index\.html$ newsite.html Most are documented elsewhere in the Manual or in the CGI specification.

    -

    SERVER_NAME and SERVER_PORT depend on the values of +

    SERVER_NAME and SERVER_PORT depend on the values of UseCanonicalName and UseCanonicalPhysicalPort respectively.

    @@ -485,7 +485,7 @@ RewriteRule ^index\.html$ newsite.html browser to the server (e.g., "GET /index.html HTTP/1.1"). This does not include any additional headers sent by the - browser. This value has not been unescaped + browser. This value has not been unescaped (decoded), unlike most other variables below.
    REQUEST_URI
    @@ -499,9 +499,9 @@ RewriteRule ^index\.html$ newsite.html
    The full local filesystem path to the file or script matching the request, if this has already - been determined by the server at the time - REQUEST_FILENAME is referenced. Otherwise, - such as when used in virtual host context, the same + been determined by the server at the time + REQUEST_FILENAME is referenced. Otherwise, + such as when used in virtual host context, the same value as REQUEST_URI.
    HTTPS
    @@ -685,7 +685,7 @@ RewriteRule ^index\.html$ newsite.html numerically compared to the CondPattern. True if the TestString is numerically greater than or equal to the CondPattern. - +
  • '-gt' (is numerically greater than)
    The TestString is treated as an integer, and is @@ -701,7 +701,7 @@ RewriteRule ^index\.html$ newsite.html to the CondPattern. Avoid confusion with the -l by using the -L or -h variant.
    • - +
  • '-lt' (is numerically less than)
    The TestString is treated as an integer, and is @@ -902,16 +902,16 @@ RewriteRule ^/$ /homepage.std.html [L] RewriteRule.

    What is matched? -

    In VirtualHost context, +

    In VirtualHost context, The Pattern will initially be matched against the part of the URL after the hostname and port, and before the query string (e.g. "/app1/index.html").

    In Directory and htaccess context, - the Pattern will initially be matched against the + the Pattern will initially be matched against the filesystem path, after removing the prefix that lead the server - to the current RewriteRule (e.g. "app1/index.html" + to the current RewriteRule (e.g. "app1/index.html" or "index.html" depending on where the directives are defined).

    - +

    If you wish to match against the hostname, port, or query string, use a RewriteCond with the %{HTTP_HOST}, %{SERVER_PORT}, or @@ -937,12 +937,12 @@ restriction is required for security reasons.

    • per-directory prefix (which always is the same for a specific directory) is automatically removed for the RewriteRule pattern matching and automatically added after any relative (not starting with a -slash or protocol name) substitution encounters the end of a rule set. -See the RewriteBase -directive for more information regarding what prefix will be added back to +slash or protocol name) substitution encounters the end of a rule set. +See the RewriteBase +directive for more information regarding what prefix will be added back to relative substutions. -
  • If you wish to match against the full URL-path in a per-directory +
  • If you wish to match against the full URL-path in a per-directory (htaccess) RewriteRule, use the %{REQUEST_URI} variable in a RewriteCond.
    • @@ -1100,14 +1100,14 @@ cannot use $N in the substitution string! cookie|CO=NAME:VAL - Sets a cookie in the client browser. Full syntax is: + Sets a cookie in the client browser. Full syntax is: CO=NAME:VAL:domain[:lifetime[:path[:secure[:httponly]]]] details ... discardpath|DPI Causes the PATH_INFO portion of the rewritten URI to be - discarded. details + discarded. details ... diff --git a/docs/manual/mod/mod_session.xml b/docs/manual/mod/mod_session.xml index c65870cc295..e81286b5f3f 100644 --- a/docs/manual/mod/mod_session.xml +++ b/docs/manual/mod/mod_session.xml @@ -42,7 +42,7 @@ interface. Sessions can be used for keeping track of whether a user has been logged in, or for other per user information that should be kept available across requests.

    - +

    Sessions may be stored on the server, or may be stored on the browser. Sessions may also be optionally encrypted for added security. These features are divided into several modules in addition to @@ -55,7 +55,7 @@

    Sessions may be manipulated from other modules that depend on the session, or the session may be read from and written to using environment variables and HTTP headers, as appropriate.

    - +     mod_session_cookie mod_session_crypto @@ -64,10 +64,10 @@
    What is a session?

    At the core of the session interface is a table of key and value pairs that are made accessible across browser requests.

    - +

    These pairs can be set to any valid string, as needed by the application making use of the session.

    - +
    Who can use a session?

    The session interface is primarily developed for the use by other @@ -82,31 +82,31 @@

    Apache can be configured to keep track of per user sessions stored on a particular server or group of servers. This functionality is similar to the sessions available in typical application servers.

    - +

    If configured, sessions are tracked through the use of a session ID that is stored inside a cookie, or extracted from the parameters embedded within the URL query string, as found in a typical GET request.

    - +

    As the contents of the session are stored exclusively on the server, there is an expectation of privacy of the contents of the session. This does have performance and resource implications should a large number of sessions be present, or where a large number of webservers have to share sessions with one another.

    - +

    The mod_session_dbd module allows the storage of user sessions within a SQL database via mod_dbd.

    - +
    Keeping sessions on the browser

    Where keeping track of a session on a server is too resource intensive or inconvenient, the option exists to store the contents of the session within a cookie on the client browser instead.

    - +

    This has the advantage that minimal resources are required on the server to keep track of sessions, and multiple servers within a server farm have no need to share session information.

    - +

    The contents of the session however are exposed to the client, with a corresponding risk of a loss of privacy. The mod_session_crypto module can be configured to encrypt the @@ -118,11 +118,11 @@

    Basic Examples - +

    Creating a session is as simple as turning the session on, and deciding where the session will be stored. In this example, the session will be stored on the browser, in a cookie called session.

    - + Browser based session Session On
    SessionCookieName session path=/
    @@ -132,7 +132,7 @@ following example shows how values can be injected into the session through the use of a predetermined HTTP response header called X-Replace-Session.

    - + Writing to a session Session On
    SessionCookieName session path=/
    @@ -142,7 +142,7 @@

    The header should contain name value pairs expressed in the same format as a query string in a URL, as in the example below. Setting a key to the empty string has the effect of removing that key from the session.

    - + CGI to write to a session #!/bin/bash
    echo "Content-Type: text/plain"
    @@ -155,7 +155,7 @@ environment variable. By default, the session is kept private, so this has to be explicitly turned on with the SessionEnv directive.

    - + Read from a session Session On
    SessionEnv On
    @@ -168,32 +168,32 @@
    Session Privacy - +

    Using the "show cookies" feature of your browser, you would have seen a clear text representation of the session. This could potentially be a problem should the end user need to be kept unaware of the contents of the session, or where a third party could gain unauthorised access to the data within the session.

    - +

    The contents of the session can be optionally encrypted before being placed on the browser using the mod_session_crypto module.

    - + Browser based encrypted session Session On
    SessionCryptoPassphrase secret
    SessionCookieName session path=/
     - +

    The session will be automatically decrypted on load, and encrypted on save by Apache, the underlying application using the session need have no knowledge that encryption is taking place.

    - +

    Sessions stored on the server rather than on the browser can also be encrypted as needed, offering privacy where potentially sensitive information is being shared between webservers in a server farm using the mod_session_dbd module.

    - +
    Cookie Privacy @@ -201,7 +201,7 @@ ability to restrict cookie transport to SSL protected pages only, or to prevent browser based javascript from gaining access to the contents of the cookie.

    - + Warning

    Some of the HTTP cookie privacy features are either non-standard, or are not implemented consistently across browsers. The session modules @@ -214,13 +214,13 @@

    Standard cookie parameters can be specified after the name of the cookie, as in the example below.

    - + Setting cookie parameters Session On
    SessionCryptoPassphrase secret
    SessionCookieName session path=/private;domain=example.com;httponly;secure;
     - +

    In cases where the Apache server forms the frontend for backend origin servers, it is possible to have the session cookies removed from the incoming HTTP headers using the SessionCookieRemove directive. @@ -246,7 +246,7 @@ AuthName realm
    ...
    - +

    See the mod_auth_form module for documentation and complete examples.

    @@ -289,7 +289,7 @@ the session, the session will time out and be removed. Where a session is used to stored user login details, this has the effect of logging the user out automatically after the given time.

    - +

    Setting the maxage to zero disables session expiry.

    @@ -310,7 +310,7 @@

    If set to On, the SessionEnv directive causes the contents of the session to be written to a CGI environment variable called HTTP_SESSION.

    - +

    The string is written in the URL query format, for example:

    @@ -335,13 +335,13 @@

    The SessionHeader directive defines the name of an HTTP response header which, if present, will be parsed and written to the current session.

    - +

    The header value is expected to be in the URL query format, for example:

    key1=foo&key2=&key3=bar - +

    Where a key is set to the empty string, that key will be removed from the session.

    @@ -365,7 +365,7 @@ website more efficient, by targeting a more precise URL space for which a session should be maintained. By default, all URLs within the directory or location are included in the session.

    - + Warning

    This directive has a similar purpose to the path attribute in HTTP cookies, but should not be confused with this attribute. This diff --git a/docs/manual/mod/mod_session_cookie.xml b/docs/manual/mod/mod_session_cookie.xml index a048c33ac51..5eadd4ffdb2 100644 --- a/docs/manual/mod/mod_session_cookie.xml +++ b/docs/manual/mod/mod_session_cookie.xml @@ -40,38 +40,38 @@

    This submodule of mod_session provides support for the storage of user sessions on the remote browser within HTTP cookies.

    - +

    Using cookies to store a session removes the need for the server or a group of servers to store the session locally, or collaborate to share a session, and can be useful for high traffic environments where a server based session might be too resource intensive.

    - +

    If session privacy is required, the mod_session_crypto module can be used to encrypt the contents of the session before writing the session to the client.

    - +

    For more details on the session interface, see the documentation for the mod_session module.

    - +
    mod_session mod_session_crypto mod_session_dbd
    Basic Examples - +

    To create a simple session and store it in a cookie called session, configure the session as follows:

    - + Browser based session Session On
    SessionCookieName session path=/
     - +

    For more examples on how the session can be configured to be read from and written to by a CGI application, see the mod_session examples section.

    - +

    For documentation on how the session can be used to store username and password details, see the mod_auth_form module.

    @@ -93,12 +93,12 @@ optional attributes of an RFC2109 compliant cookie inside which the session will be stored. RFC2109 cookies are set using the Set-Cookie HTTP header.

    - +

    An optional list of cookie attributes can be specified, as per the example below. These attributes are inserted into the cookie as is, and are not interpreted by Apache. Ensure that your attributes are defined correctly as per the cookie specification.

    - + Cookie with attributes Session On
    SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;
    @@ -123,12 +123,12 @@ optional attributes of an RFC2965 compliant cookie inside which the session will be stored. RFC2965 cookies are set using the Set-Cookie2 HTTP header.

    - +

    An optional list of cookie attributes can be specified, as per the example below. These attributes are inserted into the cookie as is, and are not interpreted by Apache. Ensure that your attributes are defined correctly as per the cookie specification.

    - + Cookie2 with attributes Session On
    SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
    @@ -151,7 +151,7 @@

    The SessionCookieRemove flag controls whether the cookies containing the session will be removed from the headers during request processing.

    - +

    In a reverse proxy situation where the Apache server acts as a server frontend for a backend origin server, revealing the contents of the session cookie to the backend could be a potential privacy violation. When set to on, the session cookie will be diff --git a/docs/manual/mod/mod_session_crypto.xml b/docs/manual/mod/mod_session_crypto.xml index 2ef8c333a68..b1e5cbfaefb 100644 --- a/docs/manual/mod/mod_session_crypto.xml +++ b/docs/manual/mod/mod_session_crypto.xml @@ -41,37 +41,37 @@

    This submodule of mod_session provides support for the encryption of user sessions before being written to a local database, or written to a remote browser via an HTTP cookie.

    - +

    This can help provide privacy to user sessions where the contents of the session should be kept private from the user, or where protection is needed against the effects of cross site scripting attacks.

    - +

    For more details on the session interface, see the documentation for the mod_session module.

    - +
    mod_session mod_session_cookie mod_session_dbd
    Basic Usage - +

    To create a simple encrypted session and store it in a cookie called session, configure the session as follows:

    - + Browser based encrypted session Session On
    SessionCookieName session path=/
    SessionCryptoPassphrase secret     - +

    The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used on each server.

    - +

    If the encryption key is changed, sessions will be invalidated automatically.

    - +

    For documentation on how the session can be used to store username and password details, see the mod_auth_form module.

    @@ -146,7 +146,7 @@

    The cipher can be set to 3des192 or aes256 using the cipher parameter as per the example below. If not set, the cipher defaults to aes256.

    - + Cipher SessionCryptoPassphrase secret cipher=aes256 diff --git a/docs/manual/mod/mod_session_dbd.xml b/docs/manual/mod/mod_session_dbd.xml index 7d3e62bd145..b1663ed66ab 100644 --- a/docs/manual/mod/mod_session_dbd.xml +++ b/docs/manual/mod/mod_session_dbd.xml @@ -49,13 +49,13 @@

    SQL based sessions are hidden from the browser, and so offer a measure of privacy without the need for encryption.

    - +

    Different webservers within a server farm may choose to share a database, and so share sessions with one another.

    - +

    For more details on the session interface, see the documentation for the mod_session module.

    - + mod_session mod_session_crypto @@ -67,7 +67,7 @@

    Before the mod_session_dbd module can be configured to maintain a session, the mod_dbd module must be configured to make the various database queries available to the server.

    - +

    There are four queries required to keep a session maintained, to select an existing session, to update an existing session, to insert a new session, and to delete an expired or empty session. These queries are configured as per the example below.

    @@ -85,58 +85,58 @@
    Anonymous Sessions - +

    Anonymous sessions are keyed against a unique UUID, and stored on the browser within an HTTP cookie. This method is similar to that used by most application servers to store session information.

    - +

    To create a simple anonymous session and store it in a postgres database table called apachesession, and save the session ID in a cookie called session, configure the session as follows:

    - + SQL based anonymous session Session On
    SessionDBDCookieName session path=/
     - +

    For more examples on how the session can be configured to be read from and written to by a CGI application, see the mod_session examples section.

    - +

    For documentation on how the session can be used to store username and password details, see the mod_auth_form module.

    Per User Sessions - +

    Per user sessions are keyed against the username of a successfully authenticated user. It offers the most privacy, as no external handle to the session exists outside of the authenticated realm.

    - +

    Per user sessions work within a correctly configured authenticated environment, be that using basic authentication, digest authentication or SSL client certificates. Due to the limitations of who came first, the chicken or the egg, per user sessions cannot be used to store authentication credentials from a module like mod_auth_form.

    - +

    To create a simple per user session and store it in a postgres database table called apachesession, and with the session keyed to the userid, configure the session as follows:

    - + SQL based per user session Session On
    SessionDBDPerUser On
     - +
    Database Housekeeping

    Over the course of time, the database can be expected to start accumulating expired sessions. At this point, the mod_session_dbd module is not yet able to handle session expiry automatically.

    - + Warning

    The administrator will need to set up an external process via cron to clean out expired sessions.

    @@ -190,12 +190,12 @@ optional attributes of an RFC2965 compliant cookie inside which the session ID will be stored. RFC2965 cookies are set using the Set-Cookie2 HTTP header.

    - +

    An optional list of cookie attributes can be specified, as per the example below. These attributes are inserted into the cookie as is, and are not interpreted by Apache. Ensure that your attributes are defined correctly as per the cookie specification.

    - + Cookie2 with attributes Session On
    SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
    diff --git a/docs/manual/mod/mod_setenvif.xml b/docs/manual/mod/mod_setenvif.xml index 33a0fd4da6c..2e0fd11086c 100644 --- a/docs/manual/mod/mod_setenvif.xml +++ b/docs/manual/mod/mod_setenvif.xml @@ -70,8 +70,8 @@ on characteristics of the request User-Agent HTTP request header. The following two lines have the same effect:

    - BrowserMatchNoCase Robot is_a_robot
    - SetEnvIfNoCase User-Agent Robot is_a_robot
    + BrowserMatchNoCase Robot is_a_robot
    + SetEnvIfNoCase User-Agent Robot is_a_robot

    Some additional examples:

    @@ -140,7 +140,7 @@ respect to case
  • An HTTP request header field (see RFC2616 for more information about these); for example: Host, - User-Agent, Referer, and + User-Agent, Referer, and Accept-Language. A regular expression may be used to specify a set of request headers.
    • @@ -301,7 +301,7 @@ results. SetEnvIfNoCase Sets environment variables based on attributes of the request without respect to case -SetEnvIfNoCase attribute regex +SetEnvIfNoCase attribute regex [!]env-variable[=value] [[!]env-variable[=value]] ... server config diff --git a/docs/manual/mod/mod_so.xml b/docs/manual/mod/mod_so.xml index 8b4fa97faf9..cef79cb8dad 100644 --- a/docs/manual/mod/mod_so.xml +++ b/docs/manual/mod/mod_so.xml @@ -28,7 +28,7 @@ modules into the server at start-up or restart time Extension mod_so.c so_module -This is a Base module (always included) on +This is a Base module (always included) on Windows diff --git a/docs/manual/mod/mod_speling.xml b/docs/manual/mod/mod_speling.xml index 8fec10d9f7b..4219c2f66c6 100644 --- a/docs/manual/mod/mod_speling.xml +++ b/docs/manual/mod/mod_speling.xml @@ -66,7 +66,7 @@ misspellings. CheckSpelling -Enables the spelling +Enables the spelling module CheckSpelling on|off CheckSpelling Off @@ -126,7 +126,7 @@ module Options -

    When set, this directive limits the action of the spelling correction to lower/upper case changes. +

    When set, this directive limits the action of the spelling correction to lower/upper case changes. Other potential corrections are not performed.

     diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 00a7c146a7d..9a9b4a96fef 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -43,10 +43,10 @@ to provide the cryptography engine.

    Environment Variables -

    This module can be configured to provide several items of SSL information +

    This module can be configured to provide several items of SSL information as additional environment variables to the SSI and CGI namespace. This information is not provided by default for performance reasons. (See -SSLOptions StdEnvVars, below.) The generated variables +SSLOptions StdEnvVars, below.) The generated variables are listed in the table below. For backward compatibility the information can be made available under different names, too. Look in the Compatibility chapter for details on the @@ -146,7 +146,7 @@ REQUEST_URI REMOTE_USER

    ENV:variablename
    This will expand to the standard environment variable variablename.
    - +
    HTTP:headername
    This will expand to the value of the request header with name headername.
    @@ -158,7 +158,7 @@ REQUEST_URI REMOTE_USER

    When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the Custom Log Format of +href="mod_log_config.html#formats">Custom Log Format of mod_log_config. First there is an additional ``%{varname}x'' eXtension format function which can be used to expand any variables @@ -241,7 +241,7 @@ string in mod_log_config.

    SSLPassPhraseDialog -Type of pass phrase dialog for encrypted private +Type of pass phrase dialog for encrypted private keys SSLPassPhraseDialog type SSLPassPhraseDialog builtin @@ -278,7 +278,7 @@ query can be done in two ways which can be configured by dialog (i.e. when you use a single Pass Phrase for all N Private Key files this Pass Phrase is queried only once).

    -
  • |/path/to/program [args...] +
  • |/path/to/program [args...]

    This mode allows an external program to be used which acts as a pipe to a particular input device; the program is sent the standard @@ -319,9 +319,9 @@ SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter SSLRandomSeed -Pseudo Random Number Generator (PRNG) seeding +Pseudo Random Number Generator (PRNG) seeding source -SSLRandomSeed context source +SSLRandomSeed context source [bytes] server config @@ -414,7 +414,7 @@ SSLRandomSeed connect file:/dev/urandom 1024
    SSLSessionCache -Type of the global/inter-process SSL Session +Type of the global/inter-process SSL Session Cache SSLSessionCache type SSLSessionCache none @@ -527,9 +527,9 @@ SSLEngine on
    ...
    </VirtualHost> -

    In Apache 2.1 and later, SSLEngine can be set to -optional. This enables support for -RFC 2817, Upgrading to TLS +

    In Apache 2.1 and later, SSLEngine can be set to +optional. This enables support for +RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817.

    @@ -545,7 +545,7 @@ Within HTTP/1.1. At this time no web browsers support RFC 2817.

    This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and cannot be configured -with conflicting settings (SSLFIPS on followed by SSLFIPS off or +with conflicting settings (SSLFIPS on followed by SSLFIPS off or similar). The mode applies to all SSL library operations.

    @@ -571,7 +571,7 @@ by the applicable Security Policy.

    -This directive can be used to control which versions of the SSL protocol +This directive can be used to control which versions of the SSL protocol will be accepted in new connections.

    The available (case-insensitive) protocols are:

    @@ -585,21 +585,21 @@ The available (case-insensitive) protocols are:

  • SSLv3

    This is the Secure Sockets Layer (SSL) protocol, version 3.0, from - the Netscape Corporation. + the Netscape Corporation. It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by almost all popular browsers.

  • TLSv1

    This is the Transport Layer Security (TLS) protocol, version 1.0. It is the - successor to SSLv3 and is defined in RFC2246. + successor to SSLv3 and is defined in RFC2246. Which has been obsoleted by RFC4346.

  • All

    This is a shortcut for ``+SSLv2 +SSLv3 +TLSv1'' and a convenient way for enabling all protocols except one when used in - combination with the minus sign on a protocol as the example above + combination with the minus sign on a protocol as the example above shows.

    • Example @@ -611,7 +611,7 @@ SSLProtocol all -SSLv2 SSLCipherSuite -Cipher Suite available for negotiation in SSL +Cipher Suite available for negotiation in SSL handshake SSLCipherSuite cipher-spec SSLCipherSuite DEFAULT (depends on OpenSSL version) @@ -864,7 +864,7 @@ SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt SSLCACertificatePath -Directory of PEM-encoded CA Certificates for +Directory of PEM-encoded CA Certificates for Client Auth SSLCACertificatePath directory-path server config @@ -890,7 +890,7 @@ SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/ SSLCACertificateFile -File of concatenated PEM-encoded CA Certificates +File of concatenated PEM-encoded CA Certificates for Client Auth SSLCACertificateFile file-path server config @@ -902,7 +902,7 @@ This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of -preference. This can be used alternatively and/or additionally to +preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

    Example SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt @@ -912,7 +912,7 @@ SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt SSLCADNRequestFile -File of concatenated PEM-encoded CA Certificates +File of concatenated PEM-encoded CA Certificates for defining acceptable CA names SSLCADNRequestFile file-path server config @@ -957,7 +957,7 @@ SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt SSLCADNRequestPath -Directory of PEM-encoded CA Certificates for +Directory of PEM-encoded CA Certificates for defining acceptable CA names SSLCADNRequestPath directory-path server config @@ -986,7 +986,7 @@ SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/ SSLCARevocationPath -Directory of PEM-encoded CA CRLs for +Directory of PEM-encoded CA CRLs for Client Auth SSLCARevocationPath directory-path server config @@ -1012,7 +1012,7 @@ SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/ SSLCARevocationFile -File of concatenated PEM-encoded CA CRLs for +File of concatenated PEM-encoded CA CRLs for Client Auth SSLCARevocationFile file-path server config @@ -1116,7 +1116,7 @@ SSLVerifyClient require SSLVerifyDepth -Maximum depth of CA Certificates in Client +Maximum depth of CA Certificates in Client Certificate verification SSLVerifyDepth number SSLVerifyDepth 1 @@ -1260,7 +1260,7 @@ SSLOptions +FakeBasicAuth -StrictRequire
    SSLRequireSSL -Deny access when SSL is not used for the +Deny access when SSL is not used for the HTTP request SSLRequireSSL directory @@ -1282,7 +1282,7 @@ SSLRequireSSL SSLRequire -Allow access only when an arbitrarily complex +Allow access only when an arbitrarily complex boolean expression is true SSLRequire expression directory @@ -1499,8 +1499,8 @@ comes with mod_ssl to accomplish this task. Example SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/ - - +     +     @@ -1713,7 +1713,7 @@ for additional information. SSLProxyCipherSuite -Cipher Suite available for negotiation in SSL +Cipher Suite available for negotiation in SSL proxy handshake SSLProxyCipherSuite cipher-spec SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP @@ -1731,7 +1731,7 @@ for additional information.

     SSLProxyCACertificatePath -Directory of PEM-encoded CA Certificates for +Directory of PEM-encoded CA Certificates for Remote Server Auth SSLProxyCACertificatePath directory-path server config @@ -1757,7 +1757,7 @@ SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/ SSLProxyCACertificateFile -File of concatenated PEM-encoded CA Certificates +File of concatenated PEM-encoded CA Certificates for Remote Server Auth SSLProxyCACertificateFile file-path server config @@ -1769,7 +1769,7 @@ This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose remote servers you deal with. These are used for Remote Server Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of -preference. This can be used alternatively and/or additionally to +preference. This can be used alternatively and/or additionally to SSLProxyCACertificatePath.

    Example SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt @@ -1779,7 +1779,7 @@ SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-serve SSLProxyCARevocationPath -Directory of PEM-encoded CA CRLs for +Directory of PEM-encoded CA CRLs for Remote Server Auth SSLProxyCARevocationPath directory-path server config @@ -1805,7 +1805,7 @@ SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/ SSLProxyCARevocationFile -File of concatenated PEM-encoded CA CRLs for +File of concatenated PEM-encoded CA CRLs for Remote Server Auth SSLProxyCARevocationFile file-path server config diff --git a/docs/manual/mod/mod_status.xml b/docs/manual/mod/mod_status.xml index 4129db8ce89..20c7cc90499 100644 --- a/docs/manual/mod/mod_status.xml +++ b/docs/manual/mod/mod_status.xml @@ -64,8 +64,8 @@ performance
  • The current hosts and requests being processed (*)
    • -

    The lines marked "(*)" are only available if - ExtendedStatus +

    The lines marked "(*)" are only available if + ExtendedStatus is On. In version 2.3.6, loading mod_status will toggle ExtendedStatus On by default.

    @@ -109,7 +109,7 @@ performance     accessing the page http://your.server.name/server-status?auto. This is useful when automatically run, see the Perl program - log_server_status, which you will find in the + log_server_status, which you will find in the /support directory of your Apache HTTP Server installation.

    @@ -125,7 +125,7 @@ performance
    Using server-status to troubleshoot - +

    The server-status page may be used as a starting place for troubleshooting a situation where your server is consuming all available resources (CPU or memory), and you wish to identify diff --git a/docs/manual/mod/mod_substitute.xml b/docs/manual/mod/mod_substitute.xml index 5507ff80444..0e0ab41e48e 100644 --- a/docs/manual/mod/mod_substitute.xml +++ b/docs/manual/mod/mod_substitute.xml @@ -46,10 +46,10 @@

    The Substitute directive specifies a search and replace pattern to apply to the response body.

    - +

    The meaning of the pattern can be modified by using any combination of these flags:

    - +
    i
    Perform a case-insensitive match.
    @@ -69,7 +69,7 @@ that the result of one substitution will ever match a pattern or regex of a subsequent one.
    - + Example <Location /> @@ -78,10 +78,10 @@ </Location> - +

    If either the pattern or the substitution contain a slash character then an alternative delimiter should be used:

    - + Example of using an alternate delimiter <Location /> diff --git a/docs/manual/mod/mod_userdir.xml b/docs/manual/mod/mod_userdir.xml index faed9c3c35a..4937aa9733e 100644 --- a/docs/manual/mod/mod_userdir.xml +++ b/docs/manual/mod/mod_userdir.xml @@ -160,7 +160,7 @@ host directive was present.

    Merging details -

    Lists of specific enabled and disabled users are replaced, not merged, +

    Lists of specific enabled and disabled users are replaced, not merged, from global to virtual host scope

     diff --git a/docs/manual/mod/mod_usertrack.xml b/docs/manual/mod/mod_usertrack.xml index 734b866b989..173fd1ba75f 100644 --- a/docs/manual/mod/mod_usertrack.xml +++ b/docs/manual/mod/mod_usertrack.xml @@ -68,20 +68,20 @@

    The domain string must begin with a dot, and must include at least one embedded dot. That is, - .example.com is legal, but www.example.com and + .example.com is legal, but www.example.com and .com are not.

    Most browsers in use today will not allow cookies to be set - for a two-part top level domain, such as .co.uk, + for a two-part top level domain, such as .co.uk, although such a domain ostensibly fulfills the requirements - above.
    - + above.
    + These domains are equivalent to top level domains such as .com, and allowing such cookies may be a security risk. Thus, if you are under a two-part top level domain, you should still use your actual domain, as you would with any other top level domain (for example .example.co.uk). -     + CookieDomain .example.com @@ -212,7 +212,7 @@ user-tracking cookie for all new requests. This directive can be used to turn this behavior on or off on a per-server or per-directory basis. By default, enabling - mod_usertrack will not + mod_usertrack will not activate cookies.

    diff --git a/docs/manual/mod/mod_version.xml b/docs/manual/mod/mod_version.xml index 1e8ae427b2e..3b6b41a3b17 100644 --- a/docs/manual/mod/mod_version.xml +++ b/docs/manual/mod/mod_version.xml @@ -97,8 +97,8 @@ </IfVersion> -

    Besides the numerical comparison it is possible to match a - regular expression +

    Besides the numerical comparison it is possible to match a + regular expression against the httpd version. There are two ways to write it:

    diff --git a/docs/manual/mod/mod_vhost_alias.xml b/docs/manual/mod/mod_vhost_alias.xml index 878bb0a6821..35164eb6487 100644 --- a/docs/manual/mod/mod_vhost_alias.xml +++ b/docs/manual/mod/mod_vhost_alias.xml @@ -35,7 +35,7 @@ hosting the HTTP request to be used as part of the pathname to determine what files to serve. This allows for easy use of a huge number of virtual hosts with similar configurations.

    - + Note

    If mod_alias or mod_userdir are used for translating URIs to filenames, they will override the @@ -52,7 +52,7 @@ hosting UseCanonicalName -Dynamically configured mass +Dynamically configured mass virtual hosting

    @@ -77,7 +77,7 @@ hosting
    - +
    %N.M insert (part of) the name

    N and M are used to specify @@ -135,7 +135,7 @@ hosting http://www.example.com/directory/file.html will be satisfied by the file /usr/local/apache/vhosts/www.example.com/directory/file.html. -

    +

    For a very large number of virtual hosts it is a good idea to arrange the files to reduce the size of the @@ -203,7 +203,7 @@ hosting http://www.domain.example.com/directory/file.html will be satisfied by the file /usr/local/apache/vhosts/domain.example/directory/file.html.

    - +

    The LogFormat directives %V and %A are useful in conjunction with this module.

    @@ -227,9 +227,9 @@ for a given virtual host value of the server name. The result of expanding interpolated-directory is used as the root of the document tree in a similar manner to the DocumentRoot directive's argument. + module="core">DocumentRoot directive's argument. If interpolated-directory is none then - VirtualDocumentRoot is turned off. This directive + VirtualDocumentRoot is turned off. This directive cannot be used in the same context as VirtualDocumentRootIP.

    diff --git a/docs/manual/mod/mpm_common.xml b/docs/manual/mod/mpm_common.xml index 2d94317482c..3a5031628b8 100644 --- a/docs/manual/mod/mpm_common.xml +++ b/docs/manual/mod/mpm_common.xml @@ -40,16 +40,16 @@ switch before dumping core

    This controls the directory to which Apache httpd attempts to switch before dumping core. If your operating system is configured to - create core files in the working directory of the crashing process, + create core files in the working directory of the crashing process, CoreDumpDirectory is necessary to change working - directory from the default ServerRoot + directory from the default ServerRoot directory, which should not be writable by the user the server runs as.

    -

    If you want a core dump for debugging, you can use this directive to +

    If you want a core dump for debugging, you can use this directive to place it in a different location. This directive has no effect if your operating system is not configured to write core files to the working directory of the crashing processes.

    - + Core Dumps on Linux

    If Apache httpd starts as root and switches to another user, the Linux kernel disables core dumps even if the directory is @@ -66,8 +66,8 @@ switch before dumping core Specific signals -

    CoreDumpDirectory processing only occurs for - a select set of fatal signals: SIGFPE, SIGILL, SIGABORT, +

    CoreDumpDirectory processing only occurs for + a select set of fatal signals: SIGFPE, SIGILL, SIGABORT, SIGSEGV, and SIGBUS.

    On some operating systems, SIGQUIT also results in a core dump but does not go through CoreDumpDirectory or @@ -95,7 +95,7 @@ after a crash configured with the --enable-exception-hook option. It enables a hook that allows external modules to plug in and do something after a child crashed.

    - +

    There are already two modules, mod_whatkilledus and mod_backtrace that make use of this hook. Please have a look at Jeff Trawick's

    The GracefulShutdownTimeout specifies - how many seconds after receiving a "graceful-stop" signal, a + how many seconds after receiving a "graceful-stop" signal, a server should continue to run, handling the existing connections.

    Setting this value to zero means that the server will wait @@ -222,14 +222,14 @@ The protocol argument was added in 2.1.5 Listen [2001:db8::a00:20ff:fea7:ccea]:80 -

    The optional protocol argument is not required for most - configurations. If not specified, https is the default for - port 443 and http the default for all other ports. The +

    The optional protocol argument is not required for most + configurations. If not specified, https is the default for + port 443 and http the default for all other ports. The protocol is used to determine which module should handle a request, and - to apply protocol specific optimizations with the + to apply protocol specific optimizations with the AcceptFilter directive.

    -

    You only need to set the protocol if you are running on non-standard +

    You only need to set the protocol if you are running on non-standard ports. For example, running an https site on port 8443:

    @@ -381,7 +381,7 @@ will handle during its life

    Maximum number of idle threads. Different MPMs deal with this directive differently.

    -

    For worker, the default is +

    For worker, the default is MaxSpareThreads 250. This MPM deals with idle threads on a server-wide basis. If there are too many idle threads in the server then child processes are killed until the number of idle @@ -515,7 +515,7 @@ Apache HTTP Server

    Sets the server's TCP send buffer size to the number of bytes specified. It is often useful to set this past the OS's standard - default value on high speed, high latency conections + default value on high speed, high latency conections (i.e., 100ms or so, such as transcontinental fast pipes).

    If set to the value of 0, the server will use the @@ -611,7 +611,7 @@ Apache HTTP Server there is usually little reason to adjust this parameter.

    The default value differs from MPM to MPM. worker - defaults to StartServers 3; prefork + defaults to StartServers 3; prefork defaults to 5; mpmt_os2 defaults to 2.

     @@ -717,8 +717,8 @@ and later ThreadStackSize -The size in bytes of the stack used by threads handling -client connections +The size in bytes of the stack used by threads handling +client connections ThreadStackSize size 65536 on NetWare; varies on other operating systems server config @@ -729,11 +729,11 @@ client connections Available in Apache HTTP Server 2.1 and later -

    The ThreadStackSize directive sets the +

    The ThreadStackSize directive sets the size of the stack (for autodata) of threads which handle client - connections and call modules to help process those connections. - In most cases the operating system default for stack size is - reasonable, but there are some conditions where it may need to be + connections and call modules to help process those connections. + In most cases the operating system default for stack size is + reasonable, but there are some conditions where it may need to be adjusted:

      @@ -742,13 +742,13 @@ client connections which use a relatively large amount of autodata storage. Those same modules may have worked fine on other platforms where the default thread stack size is larger. This type of crash is - resolved by setting ThreadStackSize to a - value higher than the operating system default. This type of - adjustment is necessary only if the provider of the third-party + resolved by setting ThreadStackSize to a + value higher than the operating system default. This type of + adjustment is necessary only if the provider of the third-party module specifies that it is required, or if diagnosis of an Apache httpd crash indicates that the thread stack size was too small. -
    • On platforms where the default thread stack size is +
    • On platforms where the default thread stack size is significantly larger than necessary for the web server configuration, a higher number of threads per child process will be achievable if ThreadStackSize is @@ -761,9 +761,9 @@ client connections the current ThreadStackSize setting.
    • On Linux, this directive can only be used to increase the default - stack size, as the underlying system call uses the value as a - minimum stack size. The (often large) soft limit for - ulimit -s (8MB if unlimited) is used as the default stack + stack size, as the underlying system call uses the value as a + minimum stack size. The (often large) soft limit for + ulimit -s (8MB if unlimited) is used as the default stack size.
    diff --git a/docs/manual/mod/mpmt_os2.xml b/docs/manual/mod/mpmt_os2.xml index c7da33ddfe3..63a41290ef1 100644 --- a/docs/manual/mod/mpmt_os2.xml +++ b/docs/manual/mod/mpmt_os2.xml @@ -36,7 +36,7 @@ involves spawning children as required to ensure there are always StartServers processes accepting connections.

    - +

    Each child process consists of a a pool of worker threads and a main thread that accepts connections and passes them to the workers via a work queue. The worker thread pool is dynamic, managed by a diff --git a/docs/manual/mod/worker.xml b/docs/manual/mod/worker.xml index bd0baf1a694..f95f4c21f7e 100644 --- a/docs/manual/mod/worker.xml +++ b/docs/manual/mod/worker.xml @@ -46,9 +46,9 @@ Setting which addresses and ports Apache HTTP Server uses

    How it Works -

    A single control process (the parent) is responsible for launching +

    A single control process (the parent) is responsible for launching child processes. Each child process creates a fixed number of server - threads as specified in the ThreadsPerChild directive, as well as a listener thread which listens for connections and passes them to a server thread for processing when they arrive.

    @@ -76,25 +76,25 @@

    Two directives set hard limits on the number of active child processes and the number of server threads in a child process, - and can only be changed by fully stopping the server and then + and can only be changed by fully stopping the server and then starting it again. ServerLimit - is a hard limit on the number of active child - processes, and must be greater than or equal to the + is a hard limit on the number of active child + processes, and must be greater than or equal to the MaxRequestWorkers directive divided by the - ThreadsPerChild directive. + ThreadsPerChild directive. ThreadLimit is a hard limit of the number of server threads, and must be greater than - or equal to the ThreadsPerChild directive.

    -

    In addition to the set of active child processes, there may +

    In addition to the set of active child processes, there may be additional child processes which are terminating, but where at least one server thread is still handling an existing client - connection. Up to MaxRequestWorkers terminating processes - may be present, though the actual number can be expected to be - much smaller. This behavior can be avoided by disabling the + connection. Up to MaxRequestWorkers terminating processes + may be present, though the actual number can be expected to be + much smaller. This behavior can be avoided by disabling the termination of individual child processes, which is achieved using the following:

    diff --git a/docs/manual/mpm.xml b/docs/manual/mpm.xml index 8661a27b3eb..21c0a186114 100644 --- a/docs/manual/mpm.xml +++ b/docs/manual/mpm.xml @@ -62,7 +62,7 @@ how they are used by the Apache HTTP Server.

  • The server can be better customized for the needs of the particular site. For example, sites that need a great deal of - scalability can choose to use a threaded MPM like + scalability can choose to use a threaded MPM like worker or event, while sites requiring stability or compatibility with older software can use a prefork.
    • @@ -85,7 +85,7 @@ choice at compile-time.

    Netwarempm_netware OS/2mpmt_os2 -Unixprefork, worker, or +Unixprefork, worker, or event, depending on platform capabilities Windowsmpm_winnt @@ -113,7 +113,7 @@ choice at compile-time.

    On Unix and similar platforms, MPMs can be built as DSO modules and dynamically loaded into the server in the same manner as other DSO modules. Building MPMs as DSO modules allows the MPM to be changed by - updating the LoadModule directive + updating the LoadModule directive for the MPM instead of by rebuilding the server.

    This feature is enabled using the diff --git a/docs/manual/new_features_2_4.xml b/docs/manual/new_features_2_4.xml index 352273f85ac..99c0fd8d275 100644 --- a/docs/manual/new_features_2_4.xml +++ b/docs/manual/new_features_2_4.xml @@ -38,11 +38,11 @@

    It is now possible to specify KeepAliveTimeout in milliseconds.
    - +
    Loadable MPMs
    -
    Multiple MPMs can now be built as loadable modules at compile time. +
    Multiple MPMs can now be built as loadable modules at compile time. The MPM of choice can be configured at run time.
    - +
    Per-module and per-directory LogLevel configuration
    The LogLevel can now be configured per module and per directory. New levels trace1 @@ -51,13 +51,13 @@
    Event MPM
    The Event MPM is no longer experimental but is now fully supported.
    - +
    Asynchronous support
    Better support for asynchronous read/write for supporting MPMs and platforms.
    Per-request configuration sections
    -
    <If> sections can be used to +
    <If> sections can be used to set the configuration based on per-request criteria
    NameVirtualHost directive
    @@ -80,7 +80,7 @@
    Convert response body into an RFC2397 data URL
    mod_lua
    -
    Embeds the Lua language into httpd, +
    Embeds the Lua language into httpd, for configuration and small business logic functions.
    mod_proxy_express
    @@ -129,14 +129,14 @@ certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself. - -
    mod_ssl now also supports OCSP stapling, where the - server pro-actively obtains an OCSP verification of its certificate and + +
    mod_ssl now also supports OCSP stapling, where the + server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.
    - -
    mod_ssl can now be configured to share SSL Session + +
    mod_ssl can now be configured to share SSL Session data between servers through memcached
    - +
    mod_proxy
    The ProxyPass directive @@ -182,7 +182,7 @@
    mod_cgi, mod_include, mod_isapi, ...
    -
    Translation of headers to environment variables is more strict than +
    Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. Environment Variables @@ -252,7 +252,7 @@ mod_ssl.
    Authorization Logic Containers
    - +
    Authorization modules now register as a provider, via ap_register_auth_provider(), to support advanced authorization logic, such as
    Cache Status Hook Added
    - +
    The mod_cache module now includes a new cache_status hook, which is called when the caching decision becomes known. A default implementation is provided diff --git a/docs/manual/platform/netware.xml b/docs/manual/platform/netware.xml index c3d2fc313be..39e16edf889 100644 --- a/docs/manual/platform/netware.xml +++ b/docs/manual/platform/netware.xml @@ -54,9 +54,9 @@ Requirements -

    Apache 2.0 is designed to run on NetWare 6.0 service pack 3 +

    Apache 2.0 is designed to run on NetWare 6.0 service pack 3 and above. If you are running a service pack less - than SP3, you must install the latest + than SP3, you must install the latest NetWare Libraries for C (LibC).

    @@ -66,7 +66,7 @@

    Apache 2.0 for NetWare can also be run in a NetWare 5.1 environment as long as the latest service pack or the latest version of the NetWare Libraries - for C (LibC) has been installed . WARNING: Apache 2.0 + for C (LibC) has been installed . WARNING: Apache 2.0 for NetWare has not been targeted for or tested in this environment.

    @@ -81,7 +81,7 @@ will list the current release, any more recent alpha or beta-test releases, together with details of mirror web and anonymous ftp sites. Binary builds of the latest releases of - Apache 2.0 for NetWare can be downloaded from + Apache 2.0 for NetWare can be downloaded from here.

    @@ -91,7 +91,7 @@ Installing Apache for NetWare

    There is no Apache install program for NetWare currently. If you - are building Apache 2.0 for NetWare from source, you will need to + are building Apache 2.0 for NetWare from source, you will need to copy the files over to the server manually.

    Follow these steps to install Apache on NetWare from the @@ -127,7 +127,7 @@

  • Create a directory under SYS:/APACHE2 called BIN
    • -
  • Copy HTDIGEST.NLM, HTPASSWD.NLM, +
  • Copy HTDIGEST.NLM, HTPASSWD.NLM, HTDBM.NLM, LOGRES.NLM, ROTLOGS.NLM to SYS:/APACHE2/BIN
    • @@ -138,7 +138,7 @@ SYS:/APACHE2/CONF directory and rename to HTTPD.CONF -
  • Copy the MIME.TYPES, CHARSET.CONV and +
  • Copy the MIME.TYPES, CHARSET.CONV and MAGIC files to SYS:/APACHE2/CONF directory
  • Copy all files and subdirectories in \HTTPD-2.0\DOCS\ICONS @@ -174,9 +174,9 @@

    Apache may be installed to other volumes besides the default SYS volume.

    During the build process, adding the keyword "install" to the makefile command line - will automatically produce a complete distribution package under the subdirectory - DIST. Install Apache by simply copying the distribution that was produced - by the makfiles to the root of a NetWare volume (see: Compiling Apache for + will automatically produce a complete distribution package under the subdirectory + DIST. Install Apache by simply copying the distribution that was produced + by the makfiles to the root of a NetWare volume (see: Compiling Apache for NetWare below).

    • @@ -277,7 +277,7 @@

    Apache 2.0 for NetWare includes a set of command line directives that can be used to modify or display information about the running instance of the - web server. These directives are only available while Apache is running. Each + web server. These directives are only available while Apache is running. Each of these directives must be preceded by the keyword APACHE2.

    @@ -299,7 +299,7 @@
    SETTINGS
    Enables or disables the thread status display - on the console. When enabled, the state of each running threads is displayed + on the console. When enabled, the state of each running threads is displayed on the Apache console screen.
    SHUTDOWN
    @@ -322,7 +322,7 @@ Configuring Apache for NetWare

    Apache is configured by reading configuration files usually stored - in the conf directory. These are the same as files used + in the conf directory. These are the same as files used to configure the Unix version, but there are a few different directives for Apache on NetWare. See the Apache documentation for all the available directives.

    @@ -370,11 +370,11 @@
  • -

    The directives that accept filenames as arguments must use - NetWare filenames instead of Unix names. However, because Apache - uses Unix-style names internally, forward slashes must be used - rather than backslashes. It is recommended that all rooted file paths - begin with a volume name. If omitted, Apache will assume the +

    The directives that accept filenames as arguments must use + NetWare filenames instead of Unix names. However, because Apache + uses Unix-style names internally, forward slashes must be used + rather than backslashes. It is recommended that all rooted file paths + begin with a volume name. If omitted, Apache will assume the SYS: volume which may not be correct.

    • @@ -427,8 +427,8 @@ Compiling Apache for NetWare -

    Compiling Apache requires MetroWerks CodeWarrior 6.x or higher. Once - Apache has been built, it can be installed to the root of any NetWare +

    Compiling Apache requires MetroWerks CodeWarrior 6.x or higher. Once + Apache has been built, it can be installed to the root of any NetWare volume. The default is the sys:/Apache2 directory.

    Before running the server you must fill out the conf @@ -497,7 +497,7 @@ for example: Set ZLIBSDK=D:\NOVELL\zlib - +

  • Set the environment variable PCRESDK to the location where you installed the source code for the PCRE Library, for example: Set PCRESDK=D:\NOVELL\pcre @@ -529,11 +529,11 @@
  • Change directory to \httpd-2.0 and build the prebuild utilities by running "gmake -f nwgnumakefile prebuild". This target will create - the directory \httpd-2.0\nwprebuild and copy each of the utilities + the directory \httpd-2.0\nwprebuild and copy each of the utilities to this location that are necessary to complete the following build steps.
    • -
  • Copy the files \httpd-2.0\nwprebuild\GENCHARS.nlm and +
  • Copy the files \httpd-2.0\nwprebuild\GENCHARS.nlm and \httpd-2.0\nwprebuild\DFTABLES.nlm to the SYS: volume of a NetWare server and run them using the following commands: @@ -591,7 +591,7 @@ Additional environment variable options
    • - + diff --git a/docs/manual/rewrite/advanced.xml b/docs/manual/rewrite/advanced.xml index 61870104ef8..8ddf03bc971 100644 --- a/docs/manual/rewrite/advanced.xml +++ b/docs/manual/rewrite/advanced.xml @@ -27,8 +27,8 @@ -

    This document supplements the mod_rewrite -reference documentation. It provides +

    This document supplements the mod_rewrite +reference documentation. It provides a few advanced techniques using mod_rewrite.

    Note that many of these examples won't work unchanged in your @@ -55,8 +55,8 @@ configuration.
    Description:
    -

    A common technique for distributing the burden of - server load or storage space is called "sharding". +

    A common technique for distributing the burden of + server load or storage space is called "sharding". When using this method, a front-end server will use the url to consistently "shard" users or objects to separate backend servers.

    @@ -140,7 +140,7 @@ RewriteRule ^(.+)\.html$ /regenerate_page.cgi [PT,L] the CGI program /regenerate_page.cgi, which generates the requested resource and saves it into the document directory, so that the next time it is requested, a static copy can be served.

    - +

    In this way, documents that are infrequently updated can be served in static form. if documents need to be refreshed, they can be deleted from the document directory, and they will then be regenerated the @@ -413,7 +413,7 @@ RewriteRule ^/~(([a-z])[a-z0-9]+)(.*) /home/$2

    Discussion:
    -
    This technique will of course also work with other +
    This technique will of course also work with other special characters that mod_rewrite, by default, URL-encodes.
    @@ -506,4 +506,4 @@ RewriteCond %{ENV:rewritten} =1
    - + diff --git a/docs/manual/rewrite/avoid.xml b/docs/manual/rewrite/avoid.xml index da6578ec981..c16f598f745 100644 --- a/docs/manual/rewrite/avoid.xml +++ b/docs/manual/rewrite/avoid.xml @@ -27,7 +27,7 @@ -

    This document supplements the mod_rewrite +

    This document supplements the mod_rewrite reference documentation. It describes perhaps one of the most important concepts about mod_rewrite - namely, when to avoid using it.

    @@ -235,5 +235,5 @@ use in <If> sections, and in certain other directives.

    - + diff --git a/docs/manual/rewrite/flags.xml b/docs/manual/rewrite/flags.xml index b907ef348e7..d2e19e5351a 100644 --- a/docs/manual/rewrite/flags.xml +++ b/docs/manual/rewrite/flags.xml @@ -54,7 +54,7 @@ RewriteRule pattern target [Flag1,Flag2,Flag3] a longer form, such as cookie. Some flags take one or more arguments. Flags are not case sensitive.

    -

    Each flag (with a few exceptions) +

    Each flag (with a few exceptions) has a long and short form. While it is most common to use the short form, it is recommended that you familiarize yourself with the long form, so that you remember what each flag is supposed to do.

    @@ -277,7 +277,7 @@ redirects.

    F|forbidden

    Using the [F] flag causes the server to return a 403 Forbidden status code to the client. While the same behavior can be accomplished using -the Deny directive, this +the Deny directive, this allows more flexibility in assigning a Forbidden status.

    The following rule will forbid .exe files from being @@ -353,13 +353,13 @@ immediately without considering further rules.

    If you are using RewriteRule in either -.htaccess files or in +.htaccess files or in Directory sections, it is important to have some understanding of how the rules are processed. The simplified form of this is that once the rules have been processed, the rewritten request is handed back to the URL parsing engine to do what it may with it. It is possible that as the rewritten -request is handled, the .htaccess file or +request is handled, the .htaccess file or Directory section may be encountered again, and thus the ruleset may be run again from the start. Most commonly this will happen if one of the rules causes a @@ -381,7 +381,7 @@ redirects.

    The example given here will rewrite any request to index.php, giving the original request as a query string argument to index.php, however, the RewriteCond ensures that if the request +module="mod_rewrite">RewriteCond ensures that if the request is already for index.php, the RewriteRule will be skipped.

    @@ -463,7 +463,7 @@ On subrequests, it is not always useful, and can even cause errors, if the complete set of rules are applied. Use this flag to exclude problematic rules.

    -

    To decide whether or not to use this rule: if you prefix URLs with +

    To decide whether or not to use this rule: if you prefix URLs with CGI-scripts, to force them to be processed by the CGI-script, it's likely that you will run into problems (or significant overhead) on sub-requests. In these cases, use this flag.

    @@ -513,17 +513,17 @@ use of the [PT] flag causes the result of the RewriteRule to be passed back through URL mapping, so that location-based mappings, such as Alias, Redirect, or ScriptAlias, for example, might have a +module="core">Redirect, or ScriptAlias, for example, might have a chance to take effect.

    -If, for example, you have an +If, for example, you have an Alias for /icons, and have a RewriteRule pointing there, you should -use the [PT] flag to ensure that the +use the [PT] flag to ensure that the Alias is evaluated.

    @@ -605,8 +605,8 @@ will be used to generate the URL sent with the redirect.

    -Any valid HTTP response status code may be specified, -using the syntax [R=305], with a 302 status code being used by +Any valid HTTP response status code may be specified, +using the syntax [R=305], with a 302 status code being used by default if none is specified. The status code specified need not necessarily be a redirect (3xx) status code.

    @@ -616,7 +616,7 @@ substitution string is dropped entirely, and rewriting is stopped as if the L were used.

    In addition to response status codes, you may also specify redirect -status using their symbolic names: temp (default), +status using their symbolic names: temp (default), permanent, or seeother.

    @@ -652,9 +652,9 @@ module="mod_rewrite">RewriteCond only applies to the RewriteRule immediately following it. Thus, if you want to make a RewriteCond apply to several RewriteRules, one possible technique is to -negate those conditions and use a [Skip] flag. So, you can -use this to make pseudo if-then-else constructs: The last rule of -the then-clause becomes skip=N, where N is the +negate those conditions and use a [Skip] flag. So, you can +use this to make pseudo if-then-else constructs: The last rule of +the then-clause becomes skip=N, where N is the number of rules in the else-clause.

    @@ -688,10 +688,10 @@ invariably be a less efficient solution than the alternatives.

    If used in per-directory context, use only - (dash) -as the substitution for the entire round of mod_rewrite processing, -otherwise the MIME-type set with this flag is lost due to an internal +as the substitution for the entire round of mod_rewrite processing, +otherwise the MIME-type set with this flag is lost due to an internal re-processing (including subsequent rounds of mod_rewrite processing). -The L flag can be useful in this context to end the +The L flag can be useful in this context to end the current round of mod_rewrite processing.

    diff --git a/docs/manual/rewrite/htaccess.xml b/docs/manual/rewrite/htaccess.xml index 8448746bf8b..1160f31aa85 100644 --- a/docs/manual/rewrite/htaccess.xml +++ b/docs/manual/rewrite/htaccess.xml @@ -27,7 +27,7 @@     -

    This document supplements the mod_rewrite +

    This document supplements the mod_rewrite reference documentation. It describes the way that the rules change when you use mod_rewrite in .htaccess files, and how to deal with these changes.

    @@ -43,4 +43,4 @@ and how to deal with these changes.

    Advanced techniques When not to use mod_rewrite - + diff --git a/docs/manual/rewrite/index.xml b/docs/manual/rewrite/index.xml index 591dc031fd1..a5b323a37e2 100644 --- a/docs/manual/rewrite/index.xml +++ b/docs/manual/rewrite/index.xml @@ -28,7 +28,7 @@

    mod_rewrite provides a way to modify incoming - URL requests, dynamically, based on regular + URL requests, dynamically, based on regular expression rules. This allows you to map arbitrary URLs onto your internal URL structure in any way you like.

    diff --git a/docs/manual/rewrite/intro.xml b/docs/manual/rewrite/intro.xml index f8370b015dc..8c705be04c8 100644 --- a/docs/manual/rewrite/intro.xml +++ b/docs/manual/rewrite/intro.xml @@ -107,7 +107,7 @@ well as write your own.

    characterc.t will match cat, cot, cut, etc. +Repeats the previous match one or more -timesa+ matches a, aa, +timesa+ matches a, aa, aaa, etc *Repeats the previous match zero or more times.a* matches all the same things @@ -122,7 +122,7 @@ of the string^a matches a string that begins with the string.a$ matches a string that ends with a. ( )Groups several characters into a single -unit, and captures a match for use in a backreference.(ab)+ +unit, and captures a match for use in a backreference.(ab)+ matches ababab - that is, the + applies to the group. For more on backreferences see below. [ ]A character class - matches one of the @@ -151,7 +151,7 @@ the expression.

    RewriteRule, RewriteCond matching.

    - Flow of RewriteRule and RewriteCond matching
    Figure 1: The back-reference flow through a rule.

    @@ -174,7 +174,7 @@ expression matched against the URL-Path of the incoming request the beginning of a query string).

    - Syntax of the RewriteRule directive
    Figure 2: Syntax of the RewriteRule directive.

    @@ -260,7 +260,7 @@ expression that must match the variable, and a third optional argument is a list of flags that modify how the match is evaluated.

    - Syntax of the RewriteCond directive
    Figure 3: Syntax of the RewriteCond directive

    diff --git a/docs/manual/rewrite/proxy.xml b/docs/manual/rewrite/proxy.xml index d262b68ba32..c7a8663e6ac 100644 --- a/docs/manual/rewrite/proxy.xml +++ b/docs/manual/rewrite/proxy.xml @@ -27,7 +27,7 @@     -

    This document supplements the mod_rewrite +

    This document supplements the mod_rewrite reference documentation. It describes how to use the RewriteRule's [P] flag to proxy content to another server. A number of recipes are provided that describe common scenarios.

    @@ -91,7 +91,7 @@ ProxyPassReverse / http://old.example.com/ module="mod_proxy">ProxyPassReverse directive to ensure that any redirects issued by the backend are correctly passed on to the client.

    - +

    Consider using either ProxyPass or ProxyPassMatch whenever possible in @@ -101,4 +101,4 @@ ProxyPassReverse / http://old.example.com/ - + diff --git a/docs/manual/rewrite/remapping.xml b/docs/manual/rewrite/remapping.xml index 19d98128a2b..974fb1030e4 100644 --- a/docs/manual/rewrite/remapping.xml +++ b/docs/manual/rewrite/remapping.xml @@ -27,7 +27,7 @@

    -

    This document supplements the mod_rewrite +

    This document supplements the mod_rewrite reference documentation. It describes how you can use mod_rewrite to redirect and remap request. This includes many examples of common uses of mod_rewrite, @@ -296,7 +296,7 @@ hostname(s).

    </VirtualHost> -

    You can alternatively accomplish this using the +

    You can alternatively accomplish this using the If directive:

    @@ -320,7 +320,7 @@ Redirect /admin/ https://www.example.com/admin/

    If, for whatever reason, you still want to use mod_rewrite -- if, for example, you need this to work with a larger set of RewriteRules - +- if, for example, you need this to work with a larger set of RewriteRules - you might use one of the recipes below.

    For sites running on a port other than 80:

    @@ -444,8 +444,8 @@ com http://www.example.com/
    Discussion
    - This ruleset relies on - HostNameLookups + This ruleset relies on + HostNameLookups being set on, which can be a significant performance hit. @@ -564,7 +564,7 @@ using the following ruleset:

    We redirect the URL / to /about/:

    - + RewriteEngine on
    RewriteRule ^/$ /about/ [R] @@ -579,9 +579,9 @@ RedirectMatch ^/$ http://example.com/about/

    Note also that the example rewrites only the root URL. That is, it rewrites a request for http://example.com/, but not a -request for http://example.com/page.html. If you have in -fact changed your document root - that is, if all of -your content is in fact in that subdirectory, it is greatly preferable +request for http://example.com/page.html. If you have in +fact changed your document root - that is, if all of +your content is in fact in that subdirectory, it is greatly preferable to simply change your DocumentRoot directive, or move all of the content up one directory, rather than rewriting URLs.

    @@ -644,4 +644,4 @@ file, as well as in a <Directory> block.

    - + diff --git a/docs/manual/rewrite/rewritemap.xml b/docs/manual/rewrite/rewritemap.xml index 6590baca133..42ddcbf9b89 100644 --- a/docs/manual/rewrite/rewritemap.xml +++ b/docs/manual/rewrite/rewritemap.xml @@ -23,7 +23,7 @@ Using RewriteMap     -

    This document supplements the mod_rewrite +

    This document supplements the mod_rewrite reference documentation. It describes the use of the RewriteMap directive, and provides examples of each of the various RewriteMap types.

    @@ -63,7 +63,7 @@ configuration. RewriteMap MapName MapType:MapSource - +

    The MapName is an arbitray name that you assign to the map, and which you will use in directives later on. Arguments are passed to the map via the @@ -298,9 +298,9 @@ by many requests. int: Internal Function

    When a MapType of int is used, the MapSource is one - of the available internal RewriteMap functions. Module authors can provide + of the available internal RewriteMap functions. Module authors can provide additional internal functions by registering them with the - ap_register_rewrite_mapfunc API. + ap_register_rewrite_mapfunc API. The functions that are provided by default are:

    @@ -435,7 +435,7 @@ RewriteMap myquery "fastdbd:SELECT destination FROM rewrite WHERE source = %s" once. For each mapping-function use one RewriteMap directive to declare its rewriting mapfile.

    - +

    While you cannot declare a map in per-directory context (.htaccess files or <Directory> blocks) it is possible to diff --git a/docs/manual/rewrite/tech.xml b/docs/manual/rewrite/tech.xml index b664943cdfe..27c6aea5487 100644 --- a/docs/manual/rewrite/tech.xml +++ b/docs/manual/rewrite/tech.xml @@ -100,7 +100,7 @@ and URL matching.

    the RewriteBase directive below for the trick to achieve this) and then initiates a new internal sub-request with the new URL. This restarts processing of - the API phases. + the API phases.

    Again mod_rewrite tries hard to make this complicated step totally transparent to the user, but you should @@ -117,7 +117,7 @@ and URL matching.

    Ruleset Processing - +

    Now when mod_rewrite is triggered in these two API phases, it reads the configured rulesets from its configuration structure (which itself was either created on startup for diff --git a/docs/manual/rewrite/vhosts.xml b/docs/manual/rewrite/vhosts.xml index f52f55c555d..7a463dd8318 100644 --- a/docs/manual/rewrite/vhosts.xml +++ b/docs/manual/rewrite/vhosts.xml @@ -27,9 +27,9 @@

    -

    This document supplements the mod_rewrite +

    This document supplements the mod_rewrite reference documentation. It describes -how you can use mod_rewrite to create dynamically +how you can use mod_rewrite to create dynamically configured virtual hosts.

    mod_rewrite is not the best way to configure @@ -83,9 +83,9 @@ RewriteRule ^(.*) /home/%1/www$1
    Discussion
    - You will need to take care of the DNS + You will need to take care of the DNS resolution - Apache does - not handle name resolution. You'll need either to create CNAME + not handle name resolution. You'll need either to create CNAME records for each hostname, or a DNS wildcard record. Creating DNS records is beyond the scope of this document. @@ -105,7 +105,7 @@ As with many techniques discussed in this document, mod_rewrite really isn't the best way to accomplish this task. You should, instead, consider using mod_vhost_alias instead, as it will much more gracefully handle anything beyond serving static files, such as any -dynamic content, and Alias resolution. +dynamic content, and Alias resolution.

    @@ -208,4 +208,4 @@ RewriteRule ^/(.*)$ %1/cgi-bin/$1 [H=cgi-script]
    - + diff --git a/docs/manual/sections.xml b/docs/manual/sections.xml index 91e6ea9e800..33de9b9bbbe 100644 --- a/docs/manual/sections.xml +++ b/docs/manual/sections.xml @@ -156,7 +156,7 @@ counterparts, apply directives to parts of the filesystem. Directives enclosed in a Directory section apply to the named filesystem directory and all subdirectories of that -directory (as well as the files in those directories). +directory (as well as the files in those directories). The same effect can be obtained using .htaccess files. For example, in the following configuration, directory indexes will be enabled for the @@ -259,7 +259,7 @@ directives:

    ProxyPass /special-area http://special.example.com smax=5 max=10
    ProxyPass / balancer://mycluster/ stickysession=JSESSIONID|jsessionid nofailover=On - +
    Wildcards and Regular Expressions @@ -417,7 +417,7 @@ Deny from all

    To find out what directives are allowed in what types of configuration sections, check the Context of the directive. -Everything that is allowed in +Everything that is allowed in Directory sections is also syntactically allowed in DirectoryMatch, diff --git a/docs/manual/ssl/ssl_compat.xml b/docs/manual/ssl/ssl_compat.xml index 366b6c5a417..4da63284318 100644 --- a/docs/manual/ssl/ssl_compat.xml +++ b/docs/manual/ssl/ssl_compat.xml @@ -76,10 +76,10 @@ doesn't provide.

    SSLLogFile fileSSLLog filecompactified SSLRequiredCiphers specSSLCipherSuite specrenamed -SSLRequireCipher c1 ...SSLRequire %{SSL_CIPHER} in {"c1", +SSLRequireCipher c1 ...SSLRequire %{SSL_CIPHER} in {"c1", ...}generalized -SSLBanCipher c1 ...SSLRequire not (%{SSL_CIPHER} in {"c1", +SSLBanCipher c1 ...SSLRequire not (%{SSL_CIPHER} in {"c1", ...})generalized SSLFakeBasicAuthSSLOptions +FakeBasicAuthmerged SSLCacheServerPath dir-functionality removed @@ -135,7 +135,7 @@ doesn't provide.

    -
    Environment Variables +
    Environment Variables

    The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in

    Installation -
    Why do I get permission errors related to +<section id="mutex"><title>Why do I get permission errors related to SSLMutex when I start Apache?

    Errors such as ``mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) @@ -55,7 +55,7 @@ generate temporary 512 bit RSA private key" when I start Apache?

    Why does mod_ssl stop with the error - "Failed to generate temporary 512 bit RSA private key" when I start + "Failed to generate temporary 512 bit RSA private key" when I start Apache?

    Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide @@ -66,9 +66,9 @@ generate temporary 512 bit RSA private key" when I start Apache? encryption. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness.

    -

    To prevent this error, mod_ssl has to provide - enough entropy to the PRNG to allow it to work correctly. This can - be done via the SSLRandomSeed +

    To prevent this error, mod_ssl has to provide + enough entropy to the PRNG to allow it to work correctly. This can + be done via the SSLRandomSeed directive.

    @@ -76,29 +76,29 @@ generate temporary 512 bit RSA private key" when I start Apache?
    Configuration -
    Is it possible to provide HTTP and HTTPS +<section id="parallel"><title>Is it possible to provide HTTP and HTTPS from the same server? -

    Yes. HTTP and HTTPS use different server ports (HTTP binds to - port 80, HTTPS to port 443), so there is no direct conflict between - them. You can either run two separate server instances bound to - these ports, or use Apache's elegant virtual hosting facility to - create two virtual servers, both served by the same instance of Apache - - one responding over HTTP to requests on port 80, and the other +

    Yes. HTTP and HTTPS use different server ports (HTTP binds to + port 80, HTTPS to port 443), so there is no direct conflict between + them. You can either run two separate server instances bound to + these ports, or use Apache's elegant virtual hosting facility to + create two virtual servers, both served by the same instance of Apache + - one responding over HTTP to requests on port 80, and the other responding over HTTPS to requests on port 443.

    @@ -112,15 +112,15 @@ relative hyperlinks?
    How do I speak HTTPS manually for testing purposes?

    While you usually just use

    - + $ telnet localhost 80
    GET / HTTP/1.0

    for simple testing of Apache via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the - help of OpenSSL's s_client command, however, you can + help of OpenSSL's s_client command, however, you can do a similar check via HTTPS:

    - + $ openssl s_client -connect localhost:443 -state -debug
    GET / HTTP/1.0     @@ -137,7 +137,7 @@ relative hyperlinks? $ curl https://localhost/
    -
    Why does the connection hang when I connect +<section id="hang"><title>Why does the connection hang when I connect to my SSL-aware Apache server?

    This can happen when you try to connect to a HTTPS server (or virtual @@ -148,29 +148,29 @@ relative hyperlinks? or which supports it on a non-standard port). Make sure that you're connecting to a (virtual) server that supports SSL.

    -
    Why do I get ``Connection Refused'' messages, +<section id="refused"><title>Why do I get ``Connection Refused'' messages, when trying to access my newly installed Apache+mod_ssl server via HTTPS?

    This error can be caused by an incorrect configuration. Please make sure that your Listen directives match your + >Listen directives match your VirtualHost - directives. If all else fails, please start afresh, using the default + directives. If all else fails, please start afresh, using the default configuration provided by mod_ssl.

    -
    Why are the <code>SSL_XXX</code> variables +<section id="envvars"><title>Why are the <code>SSL_XXX</code> variables not available to my CGI & SSI scripts?

    Please make sure you have ``SSLOptions +StdEnvVars'' enabled for the context of your CGI/SSI requests.

    -How can I switch between HTTP and HTTPS in relative +<title>How can I switch between HTTP and HTTPS in relative hyperlinks? -

    Usually, to switch between HTTP and HTTPS, you have to use - fully-qualified hyperlinks (because you have to change the URL - scheme). Using mod_rewrite however, you can +

    Usually, to switch between HTTP and HTTPS, you have to use + fully-qualified hyperlinks (because you have to change the URL + scheme). Using mod_rewrite however, you can manipulate relative hyperlinks, to achieve the same effect.

    RewriteEngine on
    @@ -187,24 +187,24 @@ relative hyperlinks?
    Certificates
    -
    Is there a difference on startup between +<section id="startup"><title>Is there a difference on startup between a non-SSL-aware Apache and an SSL-aware Apache? -

    Yes. In general, starting Apache with - mod_ssl built-in is just like starting Apache - without it. However, if you have a passphrase on your SSL private - key file, a startup dialog will pop up which asks you to enter the +

    Yes. In general, starting Apache with + mod_ssl built-in is just like starting Apache + without it. However, if you have a passphrase on your SSL private + key file, a startup dialog will pop up which asks you to enter the pass phrase.

    - -

    Having to manually enter the passphrase when starting the server - can be problematic - for example, when starting the server from the + +

    Having to manually enter the passphrase when starting the server + can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from your private key. Bear in mind that doing so brings additional security risks - proceed with caution!

    -
    How do I create a self-signed SSL +<section id="selfcert"><title>How do I create a self-signed SSL Certificate for testing purposes?
    1. Make sure OpenSSL is installed and in your PATH.
      @@ -251,23 +251,23 @@ Certificate for testing purposes?
    2. Run the following command, to create server.key and server.crt files:
      - $ openssl req -new -x509 -nodes -out server.crt + $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
      - These can be used as follows in your httpd.conf + These can be used as follows in your httpd.conf file: 
                    SSLCertificateFile    /path/to/this/server.crt
              SSLCertificateKeyFile /path/to/this/server.key
      3. -
    3. It is important that you are aware that this +
    4. It is important that you are aware that this server.key does not have any passphrase. - To add a passphrase to the key, you should run the following + To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.
      -

      $ openssl rsa -des3 -in server.key -out +

      $ openssl rsa -des3 -in server.key -out server.key.new
      $ mv server.key.new server.key

      - Please backup the server.key file, and the passphrase + Please backup the server.key file, and the passphrase you entered, in a secure location.
    @@ -292,7 +292,7 @@ Certificate for testing purposes?
    $ openssl rsa -noout -text -in server.key

    - If necessary, you can also create a decrypted PEM version (not + If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

    $ openssl rsa -in server.key -out server.key.unsecure
    @@ -315,18 +315,18 @@ Certificate for testing purposes?
  • You now have to send this Certificate Signing Request (CSR) to - a Certifying Authority (CA) to be signed. Once the CSR has been + a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by - Apache. You can have a CSR signed by a commercial CA, or you can + Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.
    - Commercial CAs usually ask you to post the CSR into a web form, - pay for the signing, and then send a signed Certificate, which + Commercial CAs usually ask you to post the CSR into a web form, + pay for the signing, and then send a signed Certificate, which you can store in a server.crt file.
    For details on how to create your own CA, and use this to sign a CSR, see below.
    - - Once your CSR has been signed, you can see the details of the + + Once your CSR has been signed, you can see the details of the Certificate as follows:

    $ openssl x509 -noout -text -in server.crt
    @@ -347,10 +347,10 @@ Certificate for testing purposes?
    How do I create and use my own Certificate Authority (CA)?

    The short answer is to use the CA.sh or CA.pl - script provided by OpenSSL. Unless you have a good reason not to, + script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed Certificate as follows:

    - +
    1. Create a RSA private key for your server (will be Triple-DES encrypted and PEM formatted):
      @@ -359,11 +359,11 @@ Certificate for testing purposes?
      Please backup this host.key file and the pass-phrase you entered in a secure location. - You can see the details of this RSA private key by using the + You can see the details of this RSA private key by using the command:
      $ openssl rsa -noout -text -in server.key

      - If necessary, you can also create a decrypted PEM version (not + If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

      $ openssl rsa -in server.key -out server.key.unsecure
      @@ -372,7 +372,7 @@ Certificate for testing purposes?
    2. Create a self-signed Certificate (X509 structure) with the RSA key you just created (output will be PEM formatted):

      - $ openssl req -new -x509 -nodes -sha1 -days 365 + $ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt

      This signs the server CSR and results in a server.crt file.
      @@ -389,14 +389,14 @@ Certificate for testing purposes? specifying the new pass-phrase. You can accomplish this with the following commands:

      - +

      $ openssl rsa -des3 -in server.key -out server.key.new
      $ mv server.key.new server.key

      - +

      The first time you're asked for a PEM pass-phrase, you should - enter the old pass-phrase. After that, you'll be asked again to + enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you - are asked to verify the pass-phrase, you'll need to enter the new + are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.

    @@ -404,7 +404,7 @@ Certificate for testing purposes?

    The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt - this file, so it can be read and parsed. Removing the pass-phrase + this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

    1. Remove the encryption from the RSA private key (while @@ -429,7 +429,7 @@ Certificate for testing purposes? file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

      - +

      As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. Bear in mind that this is neither more nor less secure, of course.

      @@ -441,28 +441,28 @@ Certificate for testing purposes? key" bits are included when you generate a CSR, and subsequently form part of the associated Certificate.

      To check that the public key in your Certificate matches the public - portion of your private key, you simply need to compare these numbers. + portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:

      - +

      $ openssl x509 -noout -text -in server.crt
      $ openssl rsa -noout -text -in server.key

      - +

      The `modulus' and the `public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:

      - +

      $ openssl x509 -noout -modulus -in server.crt | openssl md5
      $ openssl rsa -noout -modulus -in server.key | openssl md5

      - +

      This leaves you with two rather shorter numbers to compare. It is, - in theory, possible that these numbers may be the same, without the - modulus numbers being the same, but the chances of this are + in theory, possible that these numbers may be the same, without the + modulus numbers being the same, but the chances of this are overwhelmingly remote.

      -

      Should you wish to check to which key or certificate a particular - CSR belongs you can perform the same calculation on the CSR as +

      Should you wish to check to which key or certificate a particular + CSR belongs you can perform the same calculation on the CSR as follows:

      - +

      $ openssl req -noout -modulus -in server.csr | openssl md5

    • @@ -475,15 +475,15 @@ Certificate for testing purposes? $ openssl x509 -in cert.pem -out cert.der -outform DER

    -
    Why do browsers complain that they cannot +<section id="gid"><title>Why do browsers complain that they cannot verify my Verisign Global ID server certificate? -

    Verisign uses an intermediate CA certificate between the root CA - certificate (which is installed in the browsers) and the server - certificate (which you installed on the server). You should have +

    Verisign uses an intermediate CA certificate between the root CA + certificate (which is installed in the browsers) and the server + certificate (which you installed on the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then, configure this certificate with the - SSLCertificateChainFile - directive. This ensures that the intermediate CA certificate is + SSLCertificateChainFile + directive. This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain.

    @@ -491,7 +491,7 @@ verify my Verisign Global ID server certificate?
    The SSL Protocol -
    Why do I get lots of random SSL protocol +<section id="random"><title>Why do I get lots of random SSL protocol errors under heavy server load?

    There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the @@ -524,7 +524,7 @@ errors under heavy server load? no cache at all) may help.

    -
    Why does my webserver have a higher load, now +<section id="load"><title>Why does my webserver have a higher load, now that it serves SSL encrypted traffic?

    SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even @@ -532,63 +532,63 @@ that it serves SSL encrypted traffic? traffic leads to load increases.

    -
    Why do HTTPS connections to my server +<section id="establishing"><title>Why do HTTPS connections to my server sometimes take up to 30 seconds to establish a connection?

    This is usually caused by a /dev/random device for - SSLRandomSeed which blocks the - read(2) call until enough entropy is available to service the + SSLRandomSeed which blocks the + read(2) call until enough entropy is available to service the request. More information is available in the reference manual for the SSLRandomSeed directive.

    What SSL Ciphers are supported by mod_ssl? -

    Usually, any SSL ciphers supported by the version of OpenSSL in use, - are also supported by mod_ssl. Which ciphers are - available can depend on the way you built OpenSSL. Typically, at +

    Usually, any SSL ciphers supported by the version of OpenSSL in use, + are also supported by mod_ssl. Which ciphers are + available can depend on the way you built OpenSSL. Typically, at least the following ciphers are supported:

    - +
    1. RC4 with SHA1
    2. AES with SHA1
    3. Triple-DES with SHA1
    - -

    To determine the actual list of ciphers available, you should run + +

    To determine the actual list of ciphers available, you should run the following:

    $ openssl ciphers -v
    -
    Why do I get ``no shared cipher'' errors, when +<section id="adh"><title>Why do I get ``no shared cipher'' errors, when trying to use Anonymous Diffie-Hellman (ADH) ciphers?

    By default, OpenSSL does not allow ADH ciphers, for security - reasons. Please be sure you are aware of the potential side-effects + reasons. Please be sure you are aware of the potential side-effects if you choose to enable these ciphers.

    -

    In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must +

    In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must build OpenSSL with ``-DSSL_ALLOW_ADH'', and then add ``ADH'' into your SSLCipherSuite.

    -
    Why do I get a 'no shared ciphers' +<section id="sharedciphers"><title>Why do I get a 'no shared ciphers' error when connecting to my newly installed server? -

    Either you have made a mistake with your +

    Either you have made a mistake with your SSLCipherSuite directive (compare it with the pre-configured example in extra/httpd-ssl.conf) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen - DSA/DH, then your server cannot communicate using RSA-based SSL + DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based - certificate/key pair). Modern browsers like NS or IE can only - communicate over SSL using RSA ciphers. The result is the - "no shared ciphers" error. To fix this, regenerate your server + certificate/key pair). Modern browsers like NS or IE can only + communicate over SSL using RSA ciphers. The result is the + "no shared ciphers" error. To fix this, regenerate your server certificate/key pair, using the RSA algorithm.

    Why can't I use SSL with name-based/non-IP-based virtual hosts? -

    The reason is very technical, and a somewhat "chicken and egg" problem. - The SSL protocol layer stays below the HTTP protocol layer and +

    The reason is very technical, and a somewhat "chicken and egg" problem. + The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual @@ -596,7 +596,7 @@ error when connecting to my newly installed server? certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL - handshake is finished, but the information is needed in order to + handshake is finished, but the information is needed in order to complete the SSL handshake phase. See the next question for how to circumvent this issue.

    @@ -615,12 +615,12 @@ Virtual Hosting to identify different SSL virtual hosts? specification added, called Server Name Indication (SNI).

    The reason is that the SSL protocol is a separate layer which - encapsulates the HTTP protocol. So the SSL session is a separate - transaction, that takes place before the HTTP session has begun. - The server receives an SSL request on IP address X and port Y - (usually 443). Since the SSL request did not contain any Host: + encapsulates the HTTP protocol. So the SSL session is a separate + transaction, that takes place before the HTTP session has begun. + The server receives an SSL request on IP address X and port Y + (usually 443). Since the SSL request did not contain any Host: field, the server had no way to decide which SSL virtual host to use. - Usually, it just used the first one it found which matched the + Usually, it just used the first one it found which matched the port and IP address specified.

    If you are using a version of the web server and OpenSSL that @@ -629,19 +629,19 @@ Virtual Hosting to identify different SSL virtual hosts? web server can select the correct SSL virtual host.

    You can, of course, use Name-Based Virtual Hosting to identify many - non-SSL virtual hosts (all on port 80, for example) and then + non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost - directive, e.g.

    + directive, e.g.

    NameVirtualHost 192.168.1.1:80 - +

    Other workaround solutions include:

    -

    Using separate IP addresses for different SSL hosts. - Using different port numbers for different SSL hosts.

    +

    Using separate IP addresses for different SSL hosts. + Using different port numbers for different SSL hosts.

    How do I get SSL compression working? @@ -655,50 +655,50 @@ it will be used. However, most clients still try to initially connect with an SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello -may be sent, depending on which SSL library is used, and compression may -be set up. You can verify whether clients make use of SSL compression by +may be sent, depending on which SSL library is used, and compression may +be set up. You can verify whether clients make use of SSL compression by logging the %{SSL_COMPRESS_METHOD}x variable.

    -
    When I use Basic Authentication over HTTPS -the lock icon in Netscape browsers stays unlocked when the dialog pops up. +<section id="lockicon"><title>When I use Basic Authentication over HTTPS +the lock icon in Netscape browsers stays unlocked when the dialog pops up. Does this mean the username/password is being sent unencrypted?

    No, the username/password is transmitted encrypted. The icon in Netscape browsers is not actually synchronized with the SSL/TLS layer. - It only toggles to the locked state when the first part of the actual - webpage data is transferred, which may confuse people. The Basic - Authentication facility is part of the HTTP layer, which is above - the SSL/TLS layer in HTTPS. Before any HTTP data communication takes - place in HTTPS, the SSL/TLS layer has already completed its handshake + It only toggles to the locked state when the first part of the actual + webpage data is transferred, which may confuse people. The Basic + Authentication facility is part of the HTTP layer, which is above + the SSL/TLS layer in HTTPS. Before any HTTP data communication takes + place in HTTPS, the SSL/TLS layer has already completed its handshake phase, and switched to encrypted communication. So don't be confused by this icon.

    -
    Why do I get I/O errors when connecting via +<section id="msie"><title>Why do I get I/O errors when connecting via HTTPS to an Apache+mod_ssl server with older versions of Microsoft Internet Explorer (MSIE)?

    The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction - between SSL and HTTP/1.1 features are problematic in some MSIE versions. - You can work around these problems by forcing Apache not to use HTTP/1.1, - keep-alive connections or send the SSL close notify messages to MSIE clients. - This can be done by using the following directive in your SSL-aware + between SSL and HTTP/1.1 features are problematic in some MSIE versions. + You can work around these problems by forcing Apache not to use HTTP/1.1, + keep-alive connections or send the SSL close notify messages to MSIE clients. + This can be done by using the following directive in your SSL-aware virtual host section:

    SetEnvIf User-Agent "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0     -

    Further, some MSIE versions have problems with particular ciphers. - Unfortunately, it is not possible to implement a MSIE-specific - workaround for this, because the ciphers are needed as early as the - SSL handshake phase. So a MSIE-specific - SetEnvIf won't solve these +

    Further, some MSIE versions have problems with particular ciphers. + Unfortunately, it is not possible to implement a MSIE-specific + workaround for this, because the ciphers are needed as early as the + SSL handshake phase. So a MSIE-specific + SetEnvIf won't solve these problems. Instead, you will have to make more drastic adjustments to the global parameters. Before you decide to do - this, make sure your clients really have problems. If not, do not + this, make sure your clients really have problems. If not, do not make these changes - they will affect all your clients, MSIE or otherwise.

    @@ -708,11 +708,11 @@ Explorer (MSIE)?
    mod_ssl Support
    -
    What support contacts are available in case +<section id="contact"><title>What support contacts are available in case of mod_ssl problems?

    The following lists all support possibilities for mod_ssl, in order of - preference. Please go through these possibilities + preference. Please go through these possibilities in this order - don't just pick the one you like the look of.

      @@ -775,22 +775,22 @@ provide when writing a bug report?
      The details on how you built and installed Apache httpd and OpenSSL
      For this you can provide a logfile of your terminal session which shows - the configuration and install steps. If this is not possible, you + the configuration and install steps. If this is not possible, you should at least provide the configure command line you used.
      In case of core dumps please include a Backtrace
      If your Apache httpd dumps its core, please attach - a stack-frame ``backtrace'' (see below + a stack-frame ``backtrace'' (see below for information on how to get this). This information is required in order to find a reason for your core dump.
      - +
      A detailed description of your problem
      -
      Don't laugh, we really mean it! Many problem reports don't +
      Don't laugh, we really mean it! Many problem reports don't include a description of what the actual problem is. Without this, - it's very difficult for anyone to help you. So, it's in your own - interest (you want the problem be solved, don't you?) to include as + it's very difficult for anyone to help you. So, it's in your own + interest (you want the problem be solved, don't you?) to include as much detail as possible, please. Of course, you should still include all the essentials above too.
      @@ -805,7 +805,7 @@ provide when writing a bug report? fixing it.

    -
    How do I get a backtrace, to help find +<section id="backtrace"><title>How do I get a backtrace, to help find the reason for my core dump?

    Following are the steps you will need to complete, to get a backtrace:

      @@ -819,7 +819,7 @@ the reason for my core dump? want to use a directive like ``CoreDumpDirectory /tmp'' to make sure that the core-dump file can be written. This should result in a /tmp/core or /tmp/httpd.core file. If you - don't get one of these, try running your server under a non-root UID. + don't get one of these, try running your server under a non-root UID. Many modern kernels do not allow a process to dump core after it has done a setuid() (unless it does an exec()) for security reasons (there can be privileged information left over in @@ -828,9 +828,9 @@ the reason for my core dump?
    1. Analyze the core-dump. For this, run gdb /path/to/httpd - /tmp/httpd.core or a similar command. In GDB, all you + /tmp/httpd.core or a similar command. In GDB, all you have to do then is to enter bt, and voila, you get the - backtrace. For other debuggers consult your local debugger manual. + backtrace. For other debuggers consult your local debugger manual.
    diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index 9c787f87a01..6ac014641c5 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -57,7 +57,7 @@ following directives.

    Cipher Suites and Enforcing Strong Security @@ -88,8 +88,8 @@ only? in general, but requires a strong ciphers for access to a particular URL?

    Obviously, a server-wide SSLCipherSuite which restricts - ciphers to the strong variants, isn't the answer here. However, + module="mod_ssl">SSLCipherSuite which restricts + ciphers to the strong variants, isn't the answer here. However, mod_ssl can be reconfigured within Location blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. @@ -112,7 +112,7 @@ URL? Client Authentication and Access Control

    • How can I force clients to authenticate using certificates?
      • -
    • How can I force clients to authenticate using certificates for a +
    • How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?
    • How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?
      • @@ -165,14 +165,14 @@ Intranet website, for clients coming from the Internet? matches what you expect. Usually this means checking all or part of the Distinguished Name (DN), to see if it contains some known string. There are two ways to do this, using either mod_auth_basic or - SSLRequire.

      - + SSLRequire.

      +

      The mod_auth_basic method is generally required when the certificates are completely arbitrary, or when their DNs have no common fields (usually the organisation, etc.). In this case, you should establish a password database containing all clients allowed, as follows:

      - + httpd.conf
       SSLVerifyClient      none
 <Directory /usr/local/apache2/htdocs/secure/area>
@@ -190,11 +190,11 @@ AuthUserFile         /usr/local/apache2/conf/httpd.passwd
 Require              valid-user
 </Directory>
       - +

      The password used in this example is the DES encrypted string "password". - See the SSLOptions docs for more + See the SSLOptions docs for more information.

      - + httpd.passwd
       /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
 /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
@@ -227,10 +227,10 @@ SSLVerifyClient      none
 authentication or client certificates, for access to part of the
 Intranet website, for clients coming from the Internet? I still want to allow
 plain HTTP access for clients on the Intranet.
-   
-   
      These examples presume that clients on the Intranet have IPs in the range 
+
+   
      These examples presume that clients on the Intranet have IPs in the range
    192.168.1.0/24, and that the part of the Intranet website you want to allow
-   internet access to is /usr/local/apache2/htdocs/subarea. 
+   internet access to is /usr/local/apache2/htdocs/subarea.
    This configuration should remain outside of your HTTPS virtual host, so
    that it applies to both HTTPS and HTTP.
      
 
diff --git a/docs/manual/ssl/ssl_intro.xml b/docs/manual/ssl/ssl_intro.xml
index 56a034c319a..9e779cf1eb1 100644
--- a/docs/manual/ssl/ssl_intro.xml
+++ b/docs/manual/ssl/ssl_intro.xml
@@ -41,7 +41,7 @@ intended to be a definitive guide to the SSL protocol, nor does it discuss
 specific techniques for managing certificates in an organization, or the
 important legal issues of patents and import and export restrictions.
 Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, 
+>mod_ssl users by pulling together various concepts, definitions,
 and examples as a starting point for further exploration.
      
 
 
      The presented content is mainly derived, with the author's permission,
@@ -75,7 +75,7 @@ integrity, and authentication.
      
     solution is to use a cryptographic algorithm, a technique that would
     transform her message into an encrypted form, unreadable until it is
     decrypted. Once in this form, the message can only be
-    decrypted by using a secret key. Without the key the message is useless: 
+    decrypted by using a secret key. Without the key the message is useless:
     good cryptographic algorithms make it so difficult
     for intruders to decode the original text that it isn't worth their
     effort.
      
@@ -87,11 +87,11 @@ integrity, and authentication.
      
     
      Conventional cryptography
      
     
      also known as symmetric cryptography, requires the sender and
     receiver to share a key: a secret piece of information that may be
-    used to encrypt or decrypt a message. As long as this key is kept 
-    secret, nobody other than the sender or recipient can read the message. 
+    used to encrypt or decrypt a message. As long as this key is kept
+    secret, nobody other than the sender or recipient can read the message.
     If Alice and the bank know a secret key, then they can send each other
     private messages. The task of sharing a key between sender and recipient
-    before communicating, while also keeping it secret from others, can be 
+    before communicating, while also keeping it secret from others, can be
     problematic.
      
 
     
      Public key cryptography
      
@@ -116,9 +116,9 @@ integrity, and authentication.
      
     is still a concern that someone might modify her original message or
     substitute it with a different one, in order to transfer the money
     to themselves, for instance. One way of guaranteeing the integrity
-    of Alice's message is for her to create a concise summary of her 
-    message and send this to the bank as well. Upon receipt of the message, 
-    the bank creates its own summary and compares it with the one Alice 
+    of Alice's message is for her to create a concise summary of her
+    message and send this to the bank as well. Upon receipt of the message,
+    the bank creates its own summary and compares it with the one Alice
     sent. If the summaries are the same then the message has been received
     intact.
      
 
@@ -126,10 +126,10 @@ integrity, and authentication.
      
     function or hash function. Message digests are used to create
     a short, fixed-length representation of a longer, variable-length message.
     Digest algorithms are designed to produce a unique digest for each
-    message. Message digests are designed to make it impractically difficult 
-    to determine the message from the digest and (in theory) impossible to 
-    find two different messages which create the same digest -- thus 
-    eliminating the possibility of substituting one message for another while 
+    message. Message digests are designed to make it impractically difficult
+    to determine the message from the digest and (in theory) impossible to
+    find two different messages which create the same digest -- thus
+    eliminating the possibility of substituting one message for another while
     maintaining the same digest.
      
 
     
      Another challenge that Alice faces is finding a way to send the digest
@@ -137,8 +137,8 @@ integrity, and authentication.
      
     be compromised and with it the possibility for the bank to determine the
     integrity of the original message. Only if the digest is sent securely can
     the integrity of the associated message be determined.
      
-    
-    
      One way to send the digest securely is to include it in a digital 
+
+    
      One way to send the digest securely is to include it in a digital
     signature.
    @@ -168,7 +168,7 @@ the bank from a fraudulent claim from Alice that she did not send the message

    Although Alice could have sent a private message to the bank, signed it and ensured the integrity of the message, she still needs to be sure that she is really communicating with the bank. This means that she needs -to be sure that the public key she is using is part of the bank's key-pair, +to be sure that the public key she is using is part of the bank's key-pair, and not an intruder's. Similarly, the bank needs to verify that the message signature really was signed by the private key that belongs to Alice.

    @@ -257,7 +257,7 @@ certificates are used for authentication.

    distinguished field names are optional and which are required. It may also place requirements upon the field contents, as may users of certificates. For example, a Netscape browser requires that the - Common Name for a certificate representing a server matches a wildcard + Common Name for a certificate representing a server matches a wildcard pattern for the domain name of that server, such as *.snakeoil.com.

    @@ -300,9 +300,9 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== Certificate Authorities

    By verifying the information in a certificate request before granting the certificate, the Certificate Authority assures - itself of the identity of the private key owner of a key-pair. - For instance, if Alice requests a personal certificate, the - Certificate Authority must first make sure that Alice really is the + itself of the identity of the private key owner of a key-pair. + For instance, if Alice requests a personal certificate, the + Certificate Authority must first make sure that Alice really is the person the certificate request claims she is.

    @@ -356,17 +356,17 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== they also manage them -- that is, they determine for how long certificates remain valid, they renew them and keep lists of certificates that were issued in the past but are no longer valid - (Certificate Revocation Lists, or CRLs).

    + (Certificate Revocation Lists, or CRLs).

    -

    For example, if Alice is entitled to a certificate as an +

    For example, if Alice is entitled to a certificate as an employee of a company but has now left that company, her certificate may need to be revoked. Because certificates are only issued after the subject's identity has - been verified and can then be passed around to all those with whom - the subject may communicate, it is impossible to tell from the - certificate alone that it has been revoked. - Therefore when examining certificates for validity - it is necessary to contact the issuing Certificate Authority to + been verified and can then be passed around to all those with whom + the subject may communicate, it is impossible to tell from the + certificate alone that it has been revoked. + Therefore when examining certificates for validity + it is necessary to contact the issuing Certificate Authority to check CRLs -- this is usually not an automated part of the process.

    Note @@ -433,14 +433,14 @@ establishing a protocol session.

    -

    There are a number of versions of the SSL protocol, as shown in +

    There are a number of versions of the SSL protocol, as shown in Table 4. As noted there, one of the benefits in SSL 3.0 is that it adds support of certificate chain loading. This feature allows a server to pass a server certificate along with issuer certificates to the browser. Chain loading also permits the browser to validate the server certificate, even if Certificate Authority certificates are not installed for the intermediate issuers, since they are included in the -certificate chain. SSL 3.0 is the basis for the Transport Layer Security +certificate chain. SSL 3.0 is the basis for the Transport Layer Security [TLS] protocol standard, currently in development by the Internet Engineering Task Force (IETF).

    @@ -506,14 +506,14 @@ the Internet Engineering Task Force (IETF).

    One variable in the choice of key exchange methods is digital signatures -- whether or not to use them, and if so, what kind of - signatures to use. Signing with a private key provides protection + signatures to use. Signing with a private key provides protection against a man-in-the-middle-attack during the information exchange used to generating the shared key [AC96, p516].

    Cipher for Data Transfer -

    SSL uses conventional symmetric cryptography, as described earlier, +

    SSL uses conventional symmetric cryptography, as described earlier, for encrypting messages in a session. There are nine choices of how to encrypt, including the option not to encrypt:

    @@ -539,8 +539,8 @@ the Internet Engineering Task Force (IETF).

    portion of the previously encrypted cipher text is used in the encryption of the current block. "DES" refers to the Data Encryption Standard [AC96, ch12], which has a number of - variants (including DES40 and 3DES_EDE). "Idea" is currently one of - the best and cryptographically strongest algorithms available, + variants (including DES40 and 3DES_EDE). "Idea" is currently one of + the best and cryptographically strongest algorithms available, and "RC2" is a proprietary algorithm from RSA DSI [AC96, ch13].

    @@ -589,7 +589,7 @@ the Internet Engineering Task Force (IETF).

    The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols - will be transmitted securely. If there was no previous session, + will be transmitted securely. If there was no previous session, the Null cipher suite is used, which means there will be no encryption and messages will have no integrity digests, until the session has been established.

    @@ -617,8 +617,8 @@ the Internet Engineering Task Force (IETF).

    Securing HTTP Communication

    One common use of SSL is to secure Web HTTP communication between a browser and a webserver. This does not preclude the use of - non-secured HTTP - the secure version (called HTTPS) is the same as - plain HTTP over SSL, but uses the URL scheme https + non-secured HTTP - the secure version (called HTTPS) is the same as + plain HTTP over SSL, but uses the URL scheme https rather than http, and a different server port (by default, port 443). This functionality is a large part of what mod_ssl provides for the Apache webserver.

    @@ -650,7 +650,7 @@ href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&pare
    [PKCS]
    -
    Public Key Cryptography Standards (PKCS), +
    Public Key Cryptography Standards (PKCS), RSA Laboratories Technical Notes, See http://www.rsasecurity.com/rsalabs/pkcs/.
    diff --git a/docs/manual/stopping.xml b/docs/manual/stopping.xml index 87147e6bb7f..d169d2288be 100644 --- a/docs/manual/stopping.xml +++ b/docs/manual/stopping.xml @@ -116,7 +116,7 @@ been created, then create enough to pick up the slack. Hence the code tries to maintain both the number of children appropriate for the current load on the server, and respect your wishes with the - StartServers + StartServers parameter.

    Users of mod_status @@ -147,7 +147,7 @@ ensure that there are no errors in the configuration files. If your configuration file has errors in it, you will get an error message about that syntax error, and the server will refuse to - restart. This avoids the situation where the server halts and then + restart. This avoids the situation where the server halts and then cannot restart, leaving you with a non-functioning server.

    This still will not @@ -192,35 +192,35 @@ syntax error(s).

    The WINCH or graceful-stop signal causes the parent process to advise the children to exit after their current request (or to exit immediately if they're not - serving anything). The parent will then remove its PidFile and cease listening on all ports. The parent will continue to run, and monitor children which are handling requests. Once all children have finalised - and exited or the timeout specified by the GracefulShutdownTimeout has been reached, the parent will also exit. If the timeout is reached, any remaining children will be sent the TERM signal to force them to exit.

    - -

    A TERM signal will immediately terminate the + +

    A TERM signal will immediately terminate the parent process and all children when in the "graceful" state. However as the PidFile will - have been removed, you will not be able to use + have been removed, you will not be able to use apachectl or httpd to send this signal.

    The graceful-stop signal allows you to run multiple - identically configured instances of httpd at the - same time. This is a powerful feature when performing graceful - upgrades of httpd, however it can also cause deadlocks and race - conditions with some configurations.

    + identically configured instances of httpd at the + same time. This is a powerful feature when performing graceful + upgrades of httpd, however it can also cause deadlocks and race + conditions with some configurations.

    Care has been taken to ensure that on-disk files such as lock files (Mutex) and Unix socket files (ScriptSock) contain the server PID, and should coexist without problem. However, if a configuration - directive, third-party module or persistent CGI utilises any other on-disk - lock or state files, care should be taken to ensure that multiple running - instances of httpd do not clobber each other's files.

    + directive, third-party module or persistent CGI utilises any other on-disk + lock or state files, care should be taken to ensure that multiple running + instances of httpd do not clobber each other's files.

    You should also be wary of other potential race conditions, such as using rotatelogs style piped logging. Multiple running diff --git a/docs/manual/style/lang/de.xml b/docs/manual/style/lang/de.xml index 8201737bed0..dea4e44d019 100644 --- a/docs/manual/style/lang/de.xml +++ b/docs/manual/style/lang/de.xml @@ -108,7 +108,7 @@ siehe Glossar - + - Apache HTTP Server Apache HTTP Server Version diff --git a/docs/manual/style/lang/fr.xml b/docs/manual/style/lang/fr.xml index 387013d9d77..1a8ada058ae 100644 --- a/docs/manual/style/lang/fr.xml +++ b/docs/manual/style/lang/fr.xml @@ -136,7 +136,7 @@ Autorisé sous Langues Disponibles - + Cette traduction peut être périmée. Vérifiez la version anglaise pour les changements récents. diff --git a/docs/manual/style/lang/pt-br.xml b/docs/manual/style/lang/pt-br.xml index 2edcba1a7a6..ec98a1406fc 100644 --- a/docs/manual/style/lang/pt-br.xml +++ b/docs/manual/style/lang/pt-br.xml @@ -133,9 +133,9 @@ Licenciado sob a Línguas Disponíveis - + - Esta tradução pode estar desatualizada. + Esta tradução pode estar desatualizada. Confira a versão em Inglês para mudanças recentes. The documentation for this directive has diff --git a/docs/manual/upgrading.xml b/docs/manual/upgrading.xml index e44bee3abef..1c9564a196c 100644 --- a/docs/manual/upgrading.xml +++ b/docs/manual/upgrading.xml @@ -57,7 +57,7 @@ found in build/config.nice in the installed server directory) can be used in most cases. There are some changes in the default settings. Some details of changes:

    - +
    • These modules have been removed: mod_authn_default, mod_authz_default, mod_mem_cache. If you were using diff --git a/docs/manual/vhosts/details.xml b/docs/manual/vhosts/details.xml index 4036af603b0..c84f4aba313 100644 --- a/docs/manual/vhosts/details.xml +++ b/docs/manual/vhosts/details.xml @@ -69,7 +69,7 @@

      The address can be specified as *, which will match a request if no other vhost has the explicit address on which the request was - received.

      + received.

      The address appearing in the VirtualHost directive can have an optional port. If the port is unspecified, @@ -83,9 +83,9 @@ Use the Listen directive to control the addresses and ports on which the server listens.)

      - +

      Collectively the - entire set of addresses (including multiple + entire set of addresses (including multiple results from DNS lookups) are called the vhost's address set.

      @@ -94,7 +94,7 @@ whenever the most specific match for an IP address and port combination is listed in multiple virtual hosts.

      -

      The +

      The ServerName directive may appear anywhere within the definition of a server. However, each appearance overrides the previous appearance (within that @@ -195,7 +195,7 @@

      If there are multiple VirtualHost directives listing the IP address and port combination that was determined to be the - best match, the "list" in the remaining steps refers to the list of vhosts + best match, the "list" in the remaining steps refers to the list of vhosts that matched, in the order they were in the configuration file.

      If the connection is using SSL, the server supports

    • If two vhosts have an address in common, those common addresses - act as name-based virtual hosts implicitly. This is new behavior as of + act as name-based virtual hosts implicitly. This is new behavior as of 2.3.11.
    • The main server is only used to serve a request if the IP - address and port number to which the client connected + address and port number to which the client connected does not match any vhost (including a * vhost). In other words, the main server only catches a request for an unspecified address/port diff --git a/docs/manual/vhosts/fd-limits.xml b/docs/manual/vhosts/fd-limits.xml index a0f2f341b99..2c08d079563 100644 --- a/docs/manual/vhosts/fd-limits.xml +++ b/docs/manual/vhosts/fd-limits.xml @@ -48,7 +48,7 @@
    • The number of file descriptors required exceeds the hard limit.
      • - +
    • Your system imposes other limits on file descriptors, such as a limit on stdio streams only using file descriptors below 256. (Solaris 2)
      • diff --git a/docs/manual/vhosts/ip-based.xml b/docs/manual/vhosts/ip-based.xml index b57abab3f69..5a5571a8d41 100644 --- a/docs/manual/vhosts/ip-based.xml +++ b/docs/manual/vhosts/ip-based.xml @@ -52,7 +52,7 @@ Virtual Hosts to help you decide.

      most commonly used to set them up), and/or using multiple port numbers.

      -

      In the terminology of Apache HTTP Server, using a single IP address +

      In the terminology of Apache HTTP Server, using a single IP address but multiple TCP ports, is also IP-based virtual hosting.

      @@ -157,7 +157,7 @@ Virtual Hosts to help you decide.

      Specific IP addresses or ports have precedence over their wildcard equivalents, and any virtual host that matches has precedence over - the servers base configuration.

      + the servers base configuration.

      Almost any configuration directive can be put in the VirtualHost directive, with the exception of diff --git a/docs/manual/vhosts/mass.xml b/docs/manual/vhosts/mass.xml index dec084a6733..3df4e2531c3 100644 --- a/docs/manual/vhosts/mass.xml +++ b/docs/manual/vhosts/mass.xml @@ -82,7 +82,7 @@

      The main disadvantage is that you cannot have a different log file for each virtual host; however, if you have many virtual hosts, doing this can be a bad idea anyway, because of the number of file descriptors needed. + href="fd-limits.html">number of file descriptors needed. It is better to log to a pipe or a fifo, and arrange for the process at the other end to split up the log files into one per virtual host. One example of such a process can @@ -99,9 +99,9 @@ in the HTTP request. The dynamic mass virtual hosting technique used here is based on automatically inserting this information into the pathname of the file that is used to satisfy the request. This - can be most easily done by using mod_vhost_alias - with Apache httpd. Alternatively, - mod_rewrite can + can be most easily done by using mod_vhost_alias + with Apache httpd. Alternatively, + mod_rewrite can be used.

      Both of these modules are disabled by default; you must enable one of them when configuring and building Apache httpd if you want to @@ -263,7 +263,7 @@ LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
      Note

      If the first VirtualHost block does not include a ServerName directive, the reverse - DNS of the relevant IP will be used instead. + DNS of the relevant IP will be used instead. If this is not the server name you wish to use, a bogus entry (eg. ServerName none.example.com) can be added to get around this diff --git a/docs/manual/vhosts/name-based.xml b/docs/manual/vhosts/name-based.xml index 2c6fe4451f7..da8598e2481 100644 --- a/docs/manual/vhosts/name-based.xml +++ b/docs/manual/vhosts/name-based.xml @@ -39,8 +39,8 @@ determine the correct virtual host to serve. Therefore you need to have a separate IP address for each host.

      -

      With name-based virtual hosting, the server relies on the client to - report the hostname as part of the HTTP headers. Using this technique, +

      With name-based virtual hosting, the server relies on the client to + report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

      Name-based virtual hosting is usually simpler, since you need @@ -67,19 +67,19 @@ after narrowing down the candidates to the best IP-based match. Using a wildcard (*) for the IP address in all of the VirtualHost directives makes this IP-based mapping irrelevant.

      - -

      When a request arrives, the server will find the best (most specific) matching + +

      When a request arrives, the server will find the best (most specific) matching VirtualHost argument based on the IP address and port used by the request. If there is more than one virtual host containing this best-match address and port combination, Apache will further - compare the ServerName and ServerName and ServerAlias directives to the server name present in the request.

      The default name-based vhost for an IP and port combination -

      If no matching ServerName or ServerAlias is found in the set of - virtual hosts containing the most specific matching IP address and port - combination, then the first listed virtual host that +

      If no matching ServerName or ServerAlias is found in the set of + virtual hosts containing the most specific matching IP address and port + combination, then the first listed virtual host that matches that will be used.

      @@ -112,11 +112,11 @@ module="core">VirtualHost is handled by the global server configuration, regardless of the hostname or ServerName.

      -

      When you add a name-based virtual host to an existing server, and - the virtual host arguments match preexisting IP and port combinations, +

      When you add a name-based virtual host to an existing server, and + the virtual host arguments match preexisting IP and port combinations, requests will now be handled by an explicit virtual host. In this case, it's usually wise to create a default virtual host - with a ServerName matching that of + with a ServerName matching that of the base server. New domains on the same interface and port, but requiring separate configurations, can then be added as subsequent (non-default) virtual hosts.