From: (no author) <(no author)@unknown>
Date: Tue, 8 Jan 2002 23:34:58 +0000 (+0000)
Subject: This commit was manufactured by cvs2svn to create tag
X-Git-Tag: 2.0.30^0
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=895fa7331d05c91388e95aeede2b85f99aa99751;p=thirdparty%2Fapache%2Fhttpd.git
This commit was manufactured by cvs2svn to create tag
'APACHE_2_0_30'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/tags/2.0.30@92781 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/bind.html.en b/docs/manual/bind.html.en
deleted file mode 100644
index d587810315d..00000000000
--- a/docs/manual/bind.html.en
+++ /dev/null
@@ -1,75 +0,0 @@
-
-
-
-
-
-
- Setting which addresses and ports Apache uses
-
-
-
-
-
-
-
Setting which addresses and ports Apache
- uses
-
-
When Apache starts, it connects to some port and address on
- the local machine and waits for incoming requests. By default,
- it listens to all addresses on the machine. However, it needs to
- be told to listen to specific ports, or to listen to only selected
- addresses, or a combination. This is often combined with the
- Virtual Host feature which determines how Apache responds to
- different IP addresses, hostnames and ports.
-
-
The Listen directive tells the server to accept
- incoming requests only on the specified port or
- address-and-port combinations. If only a port number is
- specified in the Listen directive, the server
- listens to the given port on all interfaces. If an IP address
- is given as well as a port, the server will listen on the given
- port and interface. Multiple Listen directives may be used to
- specify a number of addresses and ports to listen to. The
- server will respond to requests from any of the listed
- addresses and ports.
-
-
For example, to make the server accept connections on both
- port 80 and port 8000, use:
-
- Listen 80
- Listen 8000
-
- To make the server accept connections on two specified
- interfaces and port numbers, use
-
Listen does not implement Virtual Hosts. It only tells the
- main server what addresses and ports to listen to. If no
- <VirtualHost> directives are used, the server will behave
- the same for all accepted requests. However,
- <VirtualHost> can be used to specify a different behavior
- for one or more of the addresses and ports. To implement a
- VirtualHost, the server must first be told to listen to the
- address and port to be used. Then a <VirtualHost> section
- should be created for a specified address and port to set the
- behavior of this virtual host. Note that if the
- <VirtualHost> is set for an address and port that the
- server is not listening to, it cannot be accessed.
-
-
See also
- See also the documentation on Listen directive, Virtual Hosts, DNS Issues and <VirtualHost>
- section.
-
-
-
diff --git a/docs/manual/cgi_path.html.en b/docs/manual/cgi_path.html.en
deleted file mode 100644
index 4ed74ade20a..00000000000
--- a/docs/manual/cgi_path.html.en
+++ /dev/null
@@ -1,98 +0,0 @@
-
-
-
-
-
-
- PATH_INFO Changes in the CGI Environment
-
-
-
-
-
-
-
As implemented in Apache 1.1.1 and earlier versions, the
- method Apache used to create PATH_INFO in the CGI environment
- was counterintuitive, and could result in crashes in certain
- cases. In Apache 1.2 and beyond, this behavior has changed.
- Although this results in some compatibility problems with
- certain legacy CGI applications, the Apache 1.2 behavior is
- still compatible with the CGI/1.1 specification, and CGI
- scripts can be easily modified (see
- below).
Apache 1.1.1 and earlier implemented the PATH_INFO and
- SCRIPT_NAME environment variables by looking at the filename,
- not the URL. While this resulted in the correct values in many
- cases, when the filesystem path was overloaded to contain path
- information, it could result in errant behavior. For example,
- if the following appeared in a config file:
-
- Alias /cgi-ralph /usr/local/httpd/cgi-bin/user.cgi/ralph
-
-
-
In this case, user.cgi is the CGI script, the
- "/ralph" is information to be passed onto the CGI. If this
- configuration was in place, and a request came for
- "/cgi-ralph/script/", the code would set PATH_INFO
- to "/ralph/script", and SCRIPT_NAME to
- "/cgi-". Obviously, the latter is incorrect. In
- certain cases, this could even cause the server to crash.
Apache 1.2 and later now determine SCRIPT_NAME and PATH_INFO
- by looking directly at the URL, and determining how much of the
- URL is client-modifiable, and setting PATH_INFO to it. To use
- the above example, PATH_INFO would be set to
- "/script", and SCRIPT_NAME to
- "/cgi-ralph". This makes sense and results in no
- server behavior problems. It also permits the script to be
- guaranteed that
- "http://$SERVER_NAME:$SERVER_PORT$SCRIPT_NAME$PATH_INFO"
- will always be an accessible URL that points to the current
- script, something which was not necessarily true with previous
- versions of Apache.
-
-
However, the "/ralph" information from the
- Alias directive is lost. This is unfortunate, but
- we feel that using the filesystem to pass along this sort of
- information is not a recommended method, and a script making
- use of it "deserves" not to work. Apache 1.2b3 and later,
- however, do provide a workaround.
It may be necessary for a script that was designed for
- earlier versions of Apache or other servers to need the
- information that the old PATH_INFO variable provided. For this
- purpose, Apache 1.2 (1.2b3 and later) sets an additional
- variable, FILEPATH_INFO. This environment variable contains the
- value that PATH_INFO would have had with Apache 1.1.1.
-
-
A script that wishes to work with both Apache 1.2 and
- earlier versions can simply test for the existence of
- FILEPATH_INFO, and use it if available. Otherwise, it can use
- PATH_INFO. For example, in Perl, one might use:
Apache's support for content negotiation has been updated to
- meet the HTTP/1.1 specification. It can choose the best
- representation of a resource based on the browser-supplied
- preferences for media type, languages, character set and
- encoding. It is also implements a couple of features to give
- more intelligent handling of requests from browsers which send
- incomplete negotiation information.
-
-
Content negotiation is provided by the mod_negotiation module,
- which is compiled in by default.
-
-
-
About Content Negotiation
-
-
A resource may be available in several different
- representations. For example, it might be available in
- different languages or different media types, or a combination.
- One way of selecting the most appropriate choice is to give the
- user an index page, and let them select. However it is often
- possible for the server to choose automatically. This works
- because browsers can send as part of each request information
- about what representations they prefer. For example, a browser
- could indicate that it would like to see information in French,
- if possible, else English will do. Browsers indicate their
- preferences by headers in the request. To request only French
- representations, the browser would send
-
- Accept-Language: fr
-
-
-
Note that this preference will only be applied when there is
- a choice of representations and they vary by language.
-
-
As an example of a more complex request, this browser has
- been configured to accept French and English, but prefer
- French, and to accept various media types, preferring HTML over
- plain text or other text types, and preferring GIF or JPEG over
- other media types, but also allowing any other media type as a
- last resort:
- Apache 1.2 supports 'server driven' content negotiation, as
- defined in the HTTP/1.1 specification. It fully supports the
- Accept, Accept-Language, Accept-Charset and Accept-Encoding
- request headers. Apache 1.3.4 also supports 'transparent'
- content negotiation, which is an experimental negotiation
- protocol defined in RFC 2295 and RFC 2296. It does not offer
- support for 'feature negotiation' as defined in these RFCs.
-
-
A resource is a conceptual entity
- identified by a URI (RFC 2396). An HTTP server like Apache
- provides access to representations of the
- resource(s) within its namespace, with each representation in
- the form of a sequence of bytes with a defined media type,
- character set, encoding, etc. Each resource may be associated
- with zero, one, or more than one representation at any given
- time. If multiple representations are available, the resource
- is referred to as negotiable and each of its
- representations is termed a variant. The ways
- in which the variants for a negotiable resource vary are called
- the dimensions of negotiation.
-
-
Negotiation in Apache
-
-
In order to negotiate a resource, the server needs to be
- given information about each of the variants. This is done in
- one of two ways:
-
-
-
Using a type map (i.e., a *.var
- file) which names the files containing the variants
- explicitly, or
-
-
Using a 'MultiViews' search, where the server does an
- implicit filename pattern match and chooses from among the
- results.
-
-
-
Using a type-map file
-
-
A type map is a document which is associated with the
- handler named type-map (or, for
- backwards-compatibility with older Apache configurations, the
- mime type application/x-type-map). Note that to
- use this feature, you must have a handler set in the
- configuration that defines a file suffix as
- type-map; this is best done with a
-
- AddHandler type-map .var
-
- in the server configuration file.
-
-
Type map files should have the same name as the resource
- which they are describing, and have an entry for each available
- variant; these entries consist of contiguous HTTP-format header
- lines. Entries for different variants are separated by blank
- lines. Blank lines are illegal within an entry. It is
- conventional to begin a map file with an entry for the combined
- entity as a whole (although this is not required, and if
- present will be ignored). An example map file is shown below.
- This file would be named foo.html, as it describes
- a resource named foo.
- Note also that a typemap file will take precedence over the
- filename's extension, even when Multiviews is on. If the
- variants have different source qualities, that may be indicated
- by the "qs" parameter to the media type, as in this picture
- (available as jpeg, gif, or ASCII-art):
-
qs values can vary in the range 0.000 to 1.000. Note that
- any variant with a qs value of 0.000 will never be chosen.
- Variants with no 'qs' parameter value are given a qs factor of
- 1.0. The qs parameter indicates the relative 'quality' of this
- variant compared to the other available variants, independent
- of the client's capabilities. For example, a jpeg file is
- usually of higher source quality than an ascii file if it is
- attempting to represent a photograph. However, if the resource
- being represented is an original ascii art, then an ascii
- representation would have a higher source quality than a jpeg
- representation. A qs value is therefore specific to a given
- variant depending on the nature of the resource it
- represents.
-
-
The full list of headers recognized is:
-
-
-
URI:
-
-
uri of the file containing the variant (of the given
- media type, encoded with the given content encoding). These
- are interpreted as URLs relative to the map file; they must
- be on the same server (!), and they must refer to files to
- which the client would be granted access if they were to be
- requested directly.
-
-
Content-Type:
-
-
media type --- charset, level and "qs" parameters may be
- given. These are often referred to as MIME types; typical
- media types are image/gif,
- text/plain, or
- text/html; level=3.
-
-
Content-Language:
-
-
The languages of the variant, specified as an Internet
- standard language tag from RFC 1766 (e.g.,
- en for English, kr for Korean,
- etc.).
-
-
Content-Encoding:
-
-
If the file is compressed, or otherwise encoded, rather
- than containing the actual raw data, this says how that was
- done. Apache only recognizes encodings that are defined by an
- AddEncoding
- directive. This normally includes the encodings
- x-compress for compress'd files, and
- x-gzip for gzip'd files. The x-
- prefix is ignored for encoding comparisons.
-
-
Content-Length:
-
-
The size of the file in bytes. Specifying content lengths
- in the type-map allows the server to compare file sizes
- without checking the actual files.
-
-
Description:
-
-
A human-readable textual description of the variant. If
- Apache cannot find any appropriate variant to return, it will
- return an error response which lists all available variants
- instead. Such a variant list will include the human-readable
- variant descriptions.
-
- Using a type map file is preferred over MultiViews
- because it requires less CPU time, and less file access, to
- parse a file explicitly listing the various resource variants,
- than to have to look at every matching file, and parse its file
- extensions.
-
-
Multiviews
-
-
MultiViews is a per-directory option, meaning
- it can be set with an Options directive within a
- <Directory>, <Location>
- or <Files> section in
- access.conf, or (if AllowOverride is
- properly set) in .htaccess files. Note that
- Options All does not set MultiViews;
- you have to ask for it by name.
-
-
The effect of MultiViews is as follows: if the
- server receives a request for /some/dir/foo, if
- /some/dir has MultiViews enabled, and
- /some/dir/foo does not exist, then the
- server reads the directory looking for files named foo.*, and
- effectively fakes up a type map which names all those files,
- assigning them the same media types and content-encodings it
- would have if the client had asked for one of them by name. It
- then chooses the best match to the client's requirements.
-
-
MultiViews may also apply to searches for the
- file named by the DirectoryIndex directive, if the
- server is trying to index a directory. If the configuration
- files specify
-
- DirectoryIndex index
-
- then the server will arbitrate between index.html
- and index.html3 if both are present. If neither
- are present, and index.cgi is there, the server
- will run it.
-
-
If one of the files found when reading the directive is a
- CGI script, it's not obvious what should happen. The code gives
- that case special treatment --- if the request was a POST, or a
- GET with QUERY_ARGS or PATH_INFO, the script is given an
- extremely high quality rating, and generally invoked; otherwise
- it is given an extremely low quality rating, which generally
- causes one of the other views (if any) to be retrieved.
-
-
The Negotiation Methods
- After Apache has obtained a list of the variants for a given
- resource, either from a type-map file or from the filenames in
- the directory, it invokes one of two methods to decide on the
- 'best' variant to return, if any. It is not necessary to know
- any of the details of how negotiation actually takes place in
- order to use Apache's content negotiation features. However the
- rest of this document explains the methods used for those
- interested.
-
-
There are two negotiation methods:
-
-
-
Server driven negotiation with the Apache
- algorithm is used in the normal case. The Apache
- algorithm is explained in more detail below. When this
- algorithm is used, Apache can sometimes 'fiddle' the quality
- factor of a particular dimension to achieve a better result.
- The ways Apache can fiddle quality factors is explained in
- more detail below.
-
-
Transparent content negotiation is used
- when the browser specifically requests this through the
- mechanism defined in RFC 2295. This negotiation method gives
- the browser full control over deciding on the 'best' variant,
- the result is therefore dependent on the specific algorithms
- used by the browser. As part of the transparent negotiation
- process, the browser can ask Apache to run the 'remote
- variant selection algorithm' defined in RFC 2296.
-
-
-
Dimensions of Negotiation
-
-
-
-
Dimension
-
-
Notes
-
-
-
-
Media Type
-
-
Browser indicates preferences with the Accept header
- field. Each item can have an associated quality factor.
- Variant description can also have a quality factor (the
- "qs" parameter).
-
-
-
-
Language
-
-
Browser indicates preferences with the Accept-Language
- header field. Each item can have a quality factor. Variants
- can be associated with none, one or more than one
- language.
-
-
-
-
Encoding
-
-
Browser indicates preference with the Accept-Encoding
- header field. Each item can have a quality factor.
-
-
-
-
Charset
-
-
Browser indicates preference with the Accept-Charset
- header field. Each item can have a quality factor. Variants
- can indicate a charset as a parameter of the media
- type.
-
-
-
-
Apache Negotiation Algorithm
-
-
Apache can use the following algorithm to select the 'best'
- variant (if any) to return to the browser. This algorithm is
- not further configurable. It operates as follows:
-
-
-
First, for each dimension of the negotiation, check the
- appropriate Accept* header field and assign a
- quality to each variant. If the Accept* header for
- any dimension implies that this variant is not acceptable,
- eliminate it. If no variants remain, go to step 4.
-
-
- Select the 'best' variant by a process of elimination. Each
- of the following tests is applied in order. Any variants
- not selected at each test are eliminated. After each test,
- if only one variant remains, select it as the best match
- and proceed to step 3. If more than one variant remains,
- move on to the next test.
-
-
-
Multiply the quality factor from the Accept header
- with the quality-of-source factor for this variant's
- media type, and select the variants with the highest
- value.
-
-
Select the variants with the highest language quality
- factor.
-
-
Select the variants with the best language match,
- using either the order of languages in the
- Accept-Language header (if present), or else the order of
- languages in the LanguagePriority directive
- (if present).
-
-
Select the variants with the highest 'level' media
- parameter (used to give the version of text/html media
- types).
-
-
Select variants with the best charset media
- parameters, as given on the Accept-Charset header line.
- Charset ISO-8859-1 is acceptable unless explicitly
- excluded. Variants with a text/* media type
- but not explicitly associated with a particular charset
- are assumed to be in ISO-8859-1.
-
-
Select those variants which have associated charset
- media parameters that are not ISO-8859-1. If
- there are no such variants, select all variants
- instead.
-
-
Select the variants with the best encoding. If there
- are variants with an encoding that is acceptable to the
- user-agent, select only these variants. Otherwise if
- there is a mix of encoded and non-encoded variants,
- select only the unencoded variants. If either all
- variants are encoded or all variants are not encoded,
- select all variants.
-
-
Select the variants with the smallest content
- length.
-
-
Select the first variant of those remaining. This
- will be either the first listed in the type-map file, or
- when variants are read from the directory, the one whose
- file name comes first when sorted using ASCII code
- order.
-
-
-
-
The algorithm has now selected one 'best' variant, so
- return it as the response. The HTTP response header Vary is
- set to indicate the dimensions of negotiation (browsers and
- caches can use this information when caching the resource).
- End.
-
-
To get here means no variant was selected (because none
- are acceptable to the browser). Return a 406 status (meaning
- "No acceptable representation") with a response body
- consisting of an HTML document listing the available
- variants. Also set the HTTP Vary header to indicate the
- dimensions of variance.
Apache sometimes changes the quality values from what would
- be expected by a strict interpretation of the Apache
- negotiation algorithm above. This is to get a better result
- from the algorithm for browsers which do not send full or
- accurate information. Some of the most popular browsers send
- Accept header information which would otherwise result in the
- selection of the wrong variant in many cases. If a browser
- sends full and correct information these fiddles will not be
- applied.
-
-
Media Types and Wildcards
-
-
The Accept: request header indicates preferences for media
- types. It can also include 'wildcard' media types, such as
- "image/*" or "*/*" where the * matches any string. So a request
- including:
-
- Accept: image/*, */*
-
- would indicate that any type starting "image/" is acceptable,
- as is any other type (so the first "image/*" is redundant).
- Some browsers routinely send wildcards in addition to explicit
- types they can handle. For example:
-
- The intention of this is to indicate that the explicitly listed
- types are preferred, but if a different representation is
- available, that is ok too. However under the basic algorithm,
- as given above, the */* wildcard has exactly equal preference
- to all the other types, so they are not being preferred. The
- browser should really have sent a request with a lower quality
- (preference) value for *.*, such as:
-
- The explicit types have no quality factor, so they default to a
- preference of 1.0 (the highest). The wildcard */* is given a
- low preference of 0.01, so other types will only be returned if
- no variant matches an explicitly listed type.
-
-
If the Accept: header contains no q factors at all,
- Apache sets the q value of "*/*", if present, to 0.01 to
- emulate the desired behavior. It also sets the q value of
- wildcards of the format "type/*" to 0.02 (so these are
- preferred over matches against "*/*". If any media type on the
- Accept: header contains a q factor, these special values are
- not applied, so requests from browsers which send the
- correct information to start with work as expected.
-
-
Variants with no Language
-
-
If some of the variants for a particular resource have a
- language attribute, and some do not, those variants with no
- language are given a very low language quality factor of
- 0.001.
-
-
The reason for setting this language quality factor for
- variant with no language to a very low value is to allow for a
- default variant which can be supplied if none of the other
- variants match the browser's language preferences. For example,
- consider the situation with three variants:
-
-
-
foo.en.html, language en
-
-
foo.fr.html, language en
-
-
foo.html, no language
-
-
-
The meaning of a variant with no language is that it is
- always acceptable to the browser. If the request
- Accept-Language header includes either en or fr (or both) one
- of foo.en.html or foo.fr.html will be returned. If the browser
- does not list either en or fr as acceptable, foo.html will be
- returned instead.
-
-
Extensions to Transparent Content Negotiation
- Apache extends the transparent content negotiation protocol
- (RFC 2295) as follows. A new {encoding ..} element
- is used in variant lists to label variants which are available
- with a specific content-encoding only. The implementation of
- the RVSA/1.0 algorithm (RFC 2296) is extended to recognize
- encoded variants in the list, and to use them as candidate
- variants whenever their encodings are acceptable according to
- the Accept-Encoding request header. The RVSA/1.0 implementation
- does not round computed quality factors to 5 decimal places
- before choosing the best variant.
-
-
Note on hyperlinks and naming conventions
-
-
If you are using language negotiation you can choose between
- different naming conventions, because files can have more than
- one extension, and the order of the extensions is normally
- irrelevant (see the mod_mime documentation
- for details).
-
-
A typical file has a MIME-type extension (e.g.,
- html), maybe an encoding extension (e.g.,
- gz), and of course a language extension
- (e.g., en) when we have different
- language variants of this file.
-
-
Examples:
-
-
-
foo.en.html
-
-
foo.html.en
-
-
foo.en.html.gz
-
-
-
Here some more examples of filenames together with valid and
- invalid hyperlinks:
-
-
-
-
Filename
-
-
Valid hyperlink
-
-
Invalid hyperlink
-
-
-
-
foo.html.en
-
-
foo
- foo.html
-
-
-
-
-
-
-
foo.en.html
-
-
foo
-
-
foo.html
-
-
-
-
foo.html.en.gz
-
-
foo
- foo.html
-
-
foo.gz
- foo.html.gz
-
-
-
-
foo.en.html.gz
-
-
foo
-
-
foo.html
- foo.html.gz
- foo.gz
-
-
-
-
foo.gz.html.en
-
-
foo
- foo.gz
- foo.gz.html
-
-
foo.html
-
-
-
-
foo.html.gz.en
-
-
foo
- foo.html
- foo.html.gz
-
-
foo.gz
-
-
-
-
Looking at the table above you will notice that it is always
- possible to use the name without any extensions in an hyperlink
- (e.g., foo). The advantage is that you
- can hide the actual type of a document rsp. file and can change
- it later, e.g., from html to
- shtml or cgi without changing any
- hyperlink references.
-
-
If you want to continue to use a MIME-type in your
- hyperlinks (e.g.foo.html) the language
- extension (including an encoding extension if there is one)
- must be on the right hand side of the MIME-type extension
- (e.g., foo.html.en).
-
-
Note on Caching
-
-
When a cache stores a representation, it associates it with
- the request URL. The next time that URL is requested, the cache
- can use the stored representation. But, if the resource is
- negotiable at the server, this might result in only the first
- requested variant being cached and subsequent cache hits might
- return the wrong response. To prevent this, Apache normally
- marks all responses that are returned after content negotiation
- as non-cacheable by HTTP/1.0 clients. Apache also supports the
- HTTP/1.1 protocol features to allow caching of negotiated
- responses.
-
-
For requests which come from a HTTP/1.0 compliant client
- (either a browser or a cache), the directive
- CacheNegotiatedDocs can be used to allow caching of
- responses which were subject to negotiation. This directive can
- be given in the server config or virtual host, and takes no
- arguments. It has no effect on requests from HTTP/1.1 clients.
-
-
- Additional functionality. Allows webmasters to configure
- the response of Apache to some error or problem.
-
-
Customizable responses can be defined to be activated in
- the event of a server detected error or problem.
-
-
e.g. if a script crashes and produces a "500 Server
- Error" response, then this response can be replaced with
- either some friendlier text or by a redirection to another
- URL (local or external).
-
-
-
Old behavior
-
-
NCSA httpd 1.3 would return some boring old error/problem
- message which would often be meaningless to the user, and
- would provide no means of logging the symptoms which caused
- it.
-
-
-
New behavior
-
-
- The server can be asked to;
-
-
-
Display some other text, instead of the NCSA hard
- coded messages, or
-
-
redirect to a local URL, or
-
-
redirect to an external URL.
-
-
-
Redirecting to another URL can be useful, but only if
- some information can be passed which can then be used to
- explain and/or log the error/problem more clearly.
-
-
To achieve this, Apache will define new CGI-like
- environment variables, e.g.
At least REDIRECT_URL and
- REDIRECT_QUERY_STRING will be passed to the
- new URL (assuming it's a cgi-script or a cgi-include). The
- other variables will exist only if they existed prior to
- the error/problem. None of these will be
- set if your ErrorDocument is an external redirect
- (i.e., anything starting with a scheme name like
- http:, even if it refers to the same host as
- the server).
-
-
-
Configuration
-
-
- Use of "ErrorDocument" is enabled for .htaccess files when
- the "FileInfo"
- override is allowed.
-
-
Text to be displayed. Prefix the text with a quote
- ("). Whatever follows the quote is displayed. Note:
- the (") prefix isn't displayed.
-
-
An external URL to redirect to.
-
-
A local URL to redirect to.
-
-
-
-
-
-
Custom error responses and redirects
-
-
-
Purpose
-
-
Apache's behavior to redirected URLs has been modified so
- that additional environment variables are available to a
- script/server-include.
-
-
Old behavior
-
-
Standard CGI vars were made available to a script which
- has been redirected to. No indication of where the
- redirection came from was provided.
-
-
New behavior
-
-
A new batch of environment variables will be initialized
- for use by a script which has been redirected to. Each new
- variable will have the prefix REDIRECT_.
- REDIRECT_ environment variables are created from
- the CGI environment variables which existed prior to the
- redirect, they are renamed with a REDIRECT_
- prefix, i.e., HTTP_USER_AGENT becomes
- REDIRECT_HTTP_USER_AGENT. In addition to these
- new variables, Apache will define REDIRECT_URL
- and REDIRECT_STATUS to help the script trace its
- origin. Both the original URL and the URL being redirected to
- can be logged in the access log.
-
-
-
If the ErrorDocument specifies a local redirect to a CGI
- script, the script should include a "Status:"
- header field in its output in order to ensure the propagation
- all the way back to the client of the error condition that
- caused it to be invoked. For instance, a Perl ErrorDocument
- script might include the following:
This is a first attempt at writing the lessons I learned
- when trying to convert the mod_mmap_static module to Apache
- 2.0. It's by no means definitive and probably won't even be
- correct in some ways, but it's a start.
-
-
-
The easier changes...
-
-
Cleanup Routines
-
-
These now need to be of type apr_status_t and return a value
- of that type. Normally the return value will be APR_SUCCESS
- unless there is some need to signal an error in the cleanup. Be
- aware that even though you signal an error not all code yet
- checks and acts upon the error.
-
-
Initialisation Routines
-
-
These should now be renamed to better signify where they sit
- in the overall process. So the name gets a small change from
- mmap_init to mmap_post_config. The arguments passed have
- undergone a radical change and now look like
-
-
-
apr_pool_t *p,
-
-
apr_pool_t *plog,
-
-
apr_pool_t *ptemp,
-
-
server_rec *s
-
-
-
Data Types
-
-
A lot of the data types have been moved into the APR. This
- means that some have had a name change, such as the one shown
- above. The following is a brief list of some of the changes
- that you are likely to have to make.
-
-
-
pool becomes apr_pool_t
-
-
table becomes apr_table_t
-
-
-
-
The messier changes...
-
-
Register Hooks
-
-
The new architecture uses a series of hooks to provide for
- calling your functions. These you'll need to add to your module
- by way of a new function, static void register_hooks(void). The
- function is really reasonably straightforward once you
- understand what needs to be done. Each function that needs
- calling at some stage in the processing of a request needs to
- be registered, handlers do not. There are a number of phases
- where functions can be added, and for each you can specify with
- a high degree of control the relative order that the function
- will be called in.
-
-
This is the code that was added to mod_mmap_static:
This registers 2 functions that need to be called, one in
- the post_config stage (virtually every module will need this
- one) and one for the translate_name phase. note that while
- there are different function names the format of each is
- identical. So what is the format?
To define the position you use the position and then modify
- it with the predecessors and successors. each of the modifiers
- can be a list of functions that should be called, either before
- the function is run (predecessors) or after the function has
- run (successors).
-
-
In the mod_mmap_static case I didn't care about the
- post_config stage, but the mmap_static_xlat MUST be called
- after the core module had done it's name translation, hence the
- use of the aszPre to define a modifier to the position
- HOOK_LAST.
-
-
Module Definition
-
-
There are now a lot fewer stages to worry about when
- creating your module definition. The old defintion looked
- like
The Apache HTTP Server is a modular program where the
- administrator can choose the functionality to include in the
- server by selecting a set of modules. The modules can be
- statically compiled into the httpd binary when the
- server is built. Alternatively, modules can be compiled as
- Dynamic Shared Objects (DSOs) that exist separately from the
- main httpd binary file. DSO modules may be
- compiled at the time the server is built, or they may be
- compiled and added at a later time using the Apache Extension
- Tool (apxs).
-
-
This document describes how to use DSO modules as well as
- the theory behind their use.
The DSO support for loading individual Apache modules is
- based on a module named mod_so.c which must be
- statically compiled into the Apache core. It is the only module
- besides core.c which cannot be put into a DSO
- itself. Practically all other distributed Apache modules then
- can then be placed into a DSO by individually enabling the DSO
- build for them via configure's
- --enable-module=shared option as disucussed
- in the install documentation. After
- a module is compiled into a DSO named mod_foo.so
- you can use mod_so's
- LoadModule
- command in your httpd.conf file to load this
- module at server startup or restart.
-
-
To simplify this creation of DSO files for Apache modules
- (especially for third-party modules) a new support program
- named apxs (APache
- eXtenSion) is available. It can be used to build DSO based
- modules outside of the Apache source tree. The idea is
- simple: When installing Apache the configure's
- make install procedure installs the Apache C
- header files and puts the platform-dependent compiler and
- linker flags for building DSO files into the apxs
- program. This way the user can use apxs to compile
- his Apache module sources without the Apache distribution
- source tree and without having to fiddle with the
- platform-dependent compiler and linker flags for DSO
- support.
On modern Unix derivatives there exists a nifty mechanism
- usually called dynamic linking/loading of Dynamic Shared
- Objects (DSO) which provides a way to build a piece of
- program code in a special format for loading it at run-time
- into the address space of an executable program.
-
-
This loading can usually be done in two ways: Automatically
- by a system program called ld.so when an
- executable program is started or manually from within the
- executing program via a programmatic system interface to the
- Unix loader through the system calls
- dlopen()/dlsym().
-
-
In the first way the DSO's are usually called shared
- libraries or DSO libraries and named
- libfoo.so or libfoo.so.1.2. They
- reside in a system directory (usually /usr/lib)
- and the link to the executable program is established at
- build-time by specifying -lfoo to the linker
- command. This hard-codes library references into the executable
- program file so that at start-time the Unix loader is able to
- locate libfoo.so in /usr/lib, in
- paths hard-coded via linker-options like -R or in
- paths configured via the environment variable
- LD_LIBRARY_PATH. It then resolves any (yet
- unresolved) symbols in the executable program which are
- available in the DSO.
-
-
Symbols in the executable program are usually not referenced
- by the DSO (because it's a reusable library of general code)
- and hence no further resolving has to be done. The executable
- program has no need to do anything on its own to use the
- symbols from the DSO because the complete resolving is done by
- the Unix loader. (In fact, the code to invoke
- ld.so is part of the run-time startup code which
- is linked into every executable program which has been bound
- non-static). The advantage of dynamic loading of common library
- code is obvious: the library code needs to be stored only once,
- in a system library like libc.so, saving disk
- space for every program.
-
-
In the second way the DSO's are usually called shared
- objects or DSO files and can be named with an
- arbitrary extension (although the canonical name is
- foo.so). These files usually stay inside a
- program-specific directory and there is no automatically
- established link to the executable program where they are used.
- Instead the executable program manually loads the DSO at
- run-time into its address space via dlopen(). At
- this time no resolving of symbols from the DSO for the
- executable program is done. But instead the Unix loader
- automatically resolves any (yet unresolved) symbols in the DSO
- from the set of symbols exported by the executable program and
- its already loaded DSO libraries (especially all symbols from
- the ubiquitous libc.so). This way the DSO gets
- knowledge of the executable program's symbol set as if it had
- been statically linked with it in the first place.
-
-
Finally, to take advantage of the DSO's API the executable
- program has to resolve particular symbols from the DSO via
- dlsym() for later use inside dispatch tables
- etc. In other words: The executable program has to
- manually resolve every symbol it needs to be able to use it.
- The advantage of such a mechanism is that optional program
- parts need not be loaded (and thus do not spend memory) until
- they are needed by the program in question. When required,
- these program parts can be loaded dynamically to extend the
- base program's functionality.
-
-
Although this DSO mechanism sounds straightforward there is
- at least one difficult step here: The resolving of symbols from
- the executable program for the DSO when using a DSO to extend a
- program (the second way). Why? Because "reverse resolving" DSO
- symbols from the executable program's symbol set is against the
- library design (where the library has no knowledge about the
- programs it is used by) and is neither available under all
- platforms nor standardized. In practice the executable
- program's global symbols are often not re-exported and thus not
- available for use in a DSO. Finding a way to force the linker
- to export all global symbols is the main problem one has to
- solve when using DSO for extending a program at run-time.
-
-
The shared library approach is the typical one, because it
- is what the DSO mechanism was designed for, hence it is used
- for nearly all types of libraries the operating system
- provides. On the other hand using shared objects for extending
- a program is not used by a lot of programs.
-
-
As of 1998 there are only a few software packages available
- which use the DSO mechanism to actually extend their
- functionality at run-time: Perl 5 (via its XS mechanism and the
- DynaLoader module), Netscape Server, etc. Starting
- with version 1.3, Apache joined the crew, because Apache
- already uses a module concept to extend its functionality and
- internally uses a dispatch-list-based approach to link external
- modules into the Apache core functionality. So, Apache is
- really predestined for using DSO to load its modules at
- run-time.
The above DSO based features have the following
- advantages:
-
-
-
The server package is more flexible at run-time because
- the actual server process can be assembled at run-time via LoadModule
- httpd.conf configuration commands instead of
- configure options at build-time. For instance
- this way one is able to run different server instances
- (standard & SSL version, minimalistic & powered up
- version [mod_perl, PHP3], etc.) with only one Apache
- installation.
-
-
The server package can be easily extended with
- third-party modules even after installation. This is at least
- a great benefit for vendor package maintainers who can create
- a Apache core package and additional packages containing
- extensions like PHP3, mod_perl, mod_fastcgi,
- etc.
-
-
Easier Apache module prototyping because with the
- DSO/apxs pair you can both work outside the
- Apache source tree and only need an apxs -i
- command followed by an apachectl restart to
- bring a new version of your currently developed module into
- the running Apache server.
-
-
-
DSO has the following disadvantages:
-
-
-
The DSO mechanism cannot be used on every platform
- because not all operating systems support dynamic loading of
- code into the address space of a program.
-
-
The server is approximately 20% slower at startup time
- because of the symbol resolving overhead the Unix loader now
- has to do.
-
-
The server is approximately 5% slower at execution time
- under some platforms because position independent code (PIC)
- sometimes needs complicated assembler tricks for relative
- addressing which are not necessarily as fast as absolute
- addressing.
-
-
Because DSO modules cannot be linked against other
- DSO-based libraries (ld -lfoo) on all platforms
- (for instance a.out-based platforms usually don't provide
- this functionality while ELF-based platforms do) you cannot
- use the DSO mechanism for all types of modules. Or in other
- words, modules compiled as DSO files are restricted to only
- use symbols from the Apache core, from the C library
- (libc) and all other dynamic or static libraries
- used by the Apache core, or from static library archives
- (libfoo.a) containing position independent code.
- The only chances to use other code is to either make sure the
- Apache core itself already contains a reference to it or
- loading the code yourself via dlopen().
A filter is a process which is applied to data that
- is sent or received by the server. Data sent by clients to the
- server is processed by input filters while data sent
- by the server to the client is processed by output
- filters. Multiple filters can be applied to the data, and
- the order of the filters can be explicitly specified.
-
-
Filters are used internally by Apache to perform functions
- such as chunking and byte-range request handling. In addition,
- modules can provide filters which are selectable using run-time
- configuration directives. The set of filters which apply to
- data can be manipulated with the SetInputFilter
- and SetOutputFilter directives.
-
-
The only configurable filter currently included with the
- Apache distribution is the INCLUDES filter which
- is provided by mod_include
- to process output for Server Side Includes. There is also an
- experimental module called mod_ext_filter which allows
- for external programs to be defined as filters.
Authentication is any process by which you verify that
- someone is who they claim they are. Authorization is any
- process by which someone is allowed to be where they want to
- go, or to have information that they want to have.
If you have information on your web site that is sensitive
- or intended for only a small group of people, the techniques in
- this article will help you make sure that the people that see
- those pages are the people that you wanted to see them.
-
-
This article covers the "standard" way of protecting parts
- of your web site that most of you are going to use.
The directives discussed in this article will need to go
- either in your main server configuration file (typically in a
- <Directory> section), or in per-directory configuration
- files (.htaccess files).
-
-
If you plan to use .htaccess files, you will
- need to have a server configuration that permits putting
- authentication directives in these files. This is done with the
- AllowOverride
- directive, which specifies which directives, if any, may be put
- in per-directory configuration files.
-
-
Since we're talking here about authentication, you will need
- an AllowOverride directive like the following:
-
- AllowOverride AuthConfig
-
-
-
Or, if you are just going to put the directives directly in
- your main server configuration file, you will of course need to
- have write permission to that file.
-
-
And you'll need to know a little bit about the directory
- structure of your server, in order to know where some files are
- kept. This should not be terribly difficult, and I'll try to
- make this clear when we come to that point.
Here's the basics of password protecting a directory on your
- server.
-
-
You'll need to create a password file. This file should be
- placed somewhere not accessible from the web. This is so that
- folks cannot download the password file. For example, if your
- documents are served out of
- /usr/local/apache/htdocs you might want to put the
- password file(s) in /usr/local/apache/passwd.
-
-
To create the file, use the htpasswd utility that came
- with Apache. This be located in the bin directory
- of wherever you installed Apache. To create the file, type:
htpasswd will ask you for the password, and
- then ask you to type it again to confirm it:
-
- # htpasswd -c /usr/local/apache/passwd/passwords rbowen
- New password: mypassword
- Re-type new password: mypassword
- Adding password for user rbowen
-
-
-
If htpasswd is not in your path, of course
- you'll have to type the full path to the file to get it to run.
- On my server, it's located at
- /usr/local/apache/bin/htpasswd
-
-
Next, you'll need to configure the server to request a
- password and tell the server which users are allowed access.
- You can do this either by editing the httpd.conf
- file or using an .htaccess file. For example, if
- you wish to protect the directory
- /usr/local/apache/htdocs/secret, you can use the
- following directives, either placed in the file
- /usr/local/apache/htdocs/secret/.htaccess, or
- placed in httpd.conf inside a <Directory
- /usr/local/apache/apache/htdocs/secret> section.
Let's examine each of those directives individually. The AuthType directive selects
- that method that is used to authenticate the user. The most
- common method is Basic, and this is the method
- implemented by mod_auth. It
- is important to be aware, however, that Basic authentication
- sends the password from the client to the browser unencrypted.
- This method should therefore not be used for highly sensitive
- data. Apache supports one other authentication method:
- AuthType Digest. This method is implemented by mod_auth_digest and is
- much more secure. Only the most recent versions of clients are
- known to support Digest authentication.
-
-
The AuthName
- directive sets the Realm to be used in the
- authentication. The realm serves two major functions. First,
- the client often presents this information to the user as part
- of the password dialog box. Second, it is used by the client to
- determine what password to send for a given authenticated area.
- So, for example, once a client has authenticated in the
- "Restricted Files" area, it will automatically
- retry the same password for any area on the same server that is
- marked with the "Restricted Files" Realm.
- Therefore, you can prevent a user from being prompted more than
- once for a password by letting multiple restricted areas share
- the same realm. Of course, for security reasons, the client
- will always need to ask again for the password whenever the
- hostname of the server changes.
-
-
The AuthUserFile
- directive sets the path to the password file that we just
- created with htpasswd. If you have a large number
- of users, it can be quite slow to search through a plain text
- file to authenticate the user on each request. Apache also has
- the ability to store user information in fast database files.
- The modules mod_auth_db
- and mod_auth_dbm provide
- the AuthDBUserFile
- and AuthDBMUserFile
- directives respectively. These files can be created and
- manipulated with the dbmmanage program. Many
- other types of authentication options are available from third
- party modules in the Apache Modules
- Database.
-
-
Finally, the require
- directive provides the authorization part of the process by
- setting the user that is allowed to access this region of the
- server. In the next section, we discuss various ways to use the
- require directive.
The directives above only let one person (specifically
- someone with a username of rbowen) into the
- directory. In most cases, you'll want to let more than one
- person in. This is where the AuthGroupFile
- comes in.
-
-
If you want to let more than one person in, you'll need to
- create a group file that associates group names with a list of
- users in that group. The format of this file is pretty simple,
- and you can create it with your favorite editor. The contents
- of the file will look like this:
-
- GroupName: rbowen dpitts sungo rshersey
-
-
-
That's just a list of the members of the group in a long
- line separated by spaces.
-
-
To add a user to your already existing password file,
- type:
You'll get the same response as before, but it will be
- appended to the existing file, rather than creating a new file.
- (It's the -c that makes it create a new password
- file.
-
-
Now, you need to modify your .htaccess file to
- look like the following:
Now, anyone that is listed in the group
- GroupName, and has an entry in the
- password file, will be let in, if they type the
- correct password.
-
-
There's another way to let multiple users in that is less
- specific. Rather than creating a group file, you can just use
- the following directive:
-
- require valid-user
-
-
-
Using that rather than the require user rbowen
- line will allow anyone in that is listed in the password file,
- and who correctly enters their password. You can even emulate
- the group behavior here, by just keeping a separate password
- file for each group. The advantage of this approach is that
- Apache only has to check one file, rather than two. The
- disadvantage is that you have to maintain a bunch of password
- files, and remember to reference th right one in the
- AuthUserFile directive.
Because of the way that Basic authentication is specified,
- your username and password must be verified every time you
- request a document from the server. This is even if you're
- reloading the same page, and for every image on the page (if
- they come from a protected directory). As you can imagine, this
- slows things down a little. The amount that it slows things
- down is proportional to the size of the password file, because
- it has to open up that file, and go down the list of users
- until it gets to your name. And it has to do this every time a
- page is loaded.
-
-
A consequence of this is that there's a practical limit to
- how many users you can put in one password file. This limit
- will vary depending on the performance of your particular
- server machine, but you can expect to see slowdowns once you
- get above a few hundred entries, and may wish to consider a
- different authentication method at that time.
Authentication by username and password is only part of the
- story. Frequently you want to let people in based on something
- other than who they are. Something such as where they are
- coming from.
-
-
The allow and deny directives let
- you allow and deny access based on the host name, or host
- address, of the machine requesting a document. The
- order directive goes hand-in-hand with these two,
- and tells Apache in which order to apply the filters.
-
-
The usage of these directives is:
-
- allow from address
-
-
-
where address is an IP address (or a partial IP
- address) or a fully qualified domain name (or a partial domain
- name); you may provide multiple addresses or domain names, if
- desired.
-
-
For example, if you have someone spamming your message
- board, and you want to keep them out, you could do the
- following:
-
- deny from 205.252.46.165
-
-
-
Visitors coming from that address will not be able to see
- the content covered by this directive. If, instead, you have a
- machine name, rather than an IP address, you can use that.
-
- deny from host.example.com
-
-
-
And, if you'd like to block access from an entire domain,
- you can specify just part of an address or domain name:
-
- deny from 192.101.205
- deny from cyberthugs.com moreidiots.com
- deny from ke
-
-
-
Using order will let you be sure that you are
- actually restricting things to the group that you want to let
- in, by combining a deny and an allow
- directive:
-
- order deny,allow
- deny from all
- allow from dev.example.com
-
-
-
Listing just the allow directive would not do
- what you want, because it will let folks from that host in, in
- addition to letting everyone in. What you want is to let
- only those folks in.
This document covers compilation and installation of Apache
- on Unix and Unix-like systems only. For compiling and
- installation on Windows, see Using Apache with Microsoft
- Windows. For other platforms, see the platform documentation.
-
-
Apache 2.0's configuration and installation environment has
- changed completely from Apache 1.3. Apache 1.3 used a custom
- set of scripts to achieve easy installation. Apache 2.0 now
- uses libtool and autoconf to create an environment that looks
- like many other Open Source projects.
NN must be replaced with the current minor version
- number, and PREFIX must be replaced with the
- filesystem path under which the server should be installed. If
- PREFIX is not specified, it defaults to
- /usr/local/apache2.
-
-
Each section of the compilation and installation process is
- described in more detail below, beginning with the requirements
- for compiling and installing Apache HTTPD.
The following requirements exist for building Apache:
-
-
-
Disk Space
-
- Make sure you have at least 50 MB of temporary free disk
- space available. After installation Apache occupies
- approximately 10 MB of disk space. The actual disk space
- requirements will vary considerably based on your chosen
- configuration options and any third-party modules.
-
-
-
-
ANSI-C Compiler and Build System
-
- Make sure you have an ANSI-C compiler installed. The GNU C
- compiler (GCC) from the Free Software Foundation (FSF)
- is recommended (version 2.7.2 is fine). If you don't have GCC
- then at least make sure your vendor's compiler is ANSI
- compliant. In addition, your PATH must contain
- basic build tools such as make.
-
-
-
-
Accurate time keeping
-
- Elements of the HTTP protocol are expressed as the time of
- day. So, it's time to investigate setting some time
- synchronization facility on your system. Usually the ntpdate
- or xntpd programs are used for this purpose which are based
- on the Network Time Protocol (NTP). See the Usenet newsgroup
- comp.protocols.time.ntp
- and the NTP
- homepage for more details about NTP software and public
- time servers.
-
-
-
-
Perl 5
- [OPTIONAL]
-
- For some of the support scripts like apxs or dbmmanage (which are
- written in Perl) the Perl 5 interpreter is required (versions
- 5.003 and 5.004 are fine). If no such interpreter is found by
- the `configure' script there is no harm. Of course, you still
- can build and install Apache 2.0. Only those support scripts
- cannot be used. If you have multiple Perl interpreters
- installed (perhaps a Perl 4 from the vendor and a Perl 5 from
- your own), then it is recommended to use the --with-perl
- option (see below) to make sure the correct one is selected
- by ./configure.
-
-
Version numbers that end in alpha indicate
- early pre-test versions which may or may not work. Version
- numbers ending in beta indicate more reliable
- releases that still require further testing or bug fixing. If
- you wish to download the best available production release of
- the Apache HTTP Server, you should choose the latest version
- with neither alpha nor beta in its
- filename.
-
-
After downloading, especially if a mirror site is used, it
- is important to verify that you have a complete and unmodified
- version of the Apache HTTP Server. This can be accomplished by
- testing the downloaded tarball against the PGP signature. This,
- in turn, is a two step procedure. First, you must obtain the
- KEYS file from the Apache distribution
- site. (To assure that the KEYS file itself has
- not been modified, it may be a good idea to use a file from a
- previous distribution of Apache or import the keys from a
- public key server.) The keys are imported into your personal
- key ring using one of the following commands (depending on your
- pgp version):
-
-
- $ pgp < KEYS
-
- or
-
-
- $ gpg --import KEYS
-
-
-
The next step is to test the tarball against the PGP
- signature, which should always be obtained from the main Apache
- website. The signature file has a filename identical to the
- source tarball with the addition of .asc. Then you
- can check the distribution with one of the following commands
- (again, depending on your pgp version):
-
-
- $ pgp httpd-2_0_NN.tar.gz.asc
-
- or
-
-
- $ gpg --verify httpd-2_0_NN.tar.gz.asc
-
- You should receive a message like
-
-
-
-
- Good signature from user "Martin Kraemer
- <martin@apache.org>".
-
-
-
Depending on the trust relationships contained in your key
- ring, you may also receive a message saying that the
- relationship between the key and the signer of the key cannot
- be verified. This is not a problem if you trust the
- authenticity of the KEYS file.
This will create a new directory under the current directory
- containing the source code for the distribution. You should
- cd into that directory before proceeding with
- compiling the server.
The next step is to configure the Apache source tree for
- your particular platform and personal requirements. This is
- done using the script configure included in the
- root directory of the distribution. (Developers downloading the
- CVS version of the Apache source tree will need to have
- autoconf and libtool installed and
- will need to run buildconf before proceeding with
- the next steps. This is not necessary for official
- releases.)
-
-
To configure the source tree using all the default options,
- simply type ./configure. To change the default
- options, configure accepts a variety of variables
- and command line options. Environment variables are generally
- placed before the ./configure command, while other
- options are placed after. The most important option here is the
- location prefix where Apache is to be installed later, because
- Apache has to be configured for this location to work
- correctly. But there are a lot of other options available for
- your pleasure.
-
-
For a short impression of what possibilities you have, here
- is a typical example which compiles Apache for the installation
- tree /sw/pkg/apache with a particular compiler and flags plus
- the two additional modules mod_rewrite and mod_speling for
- later loading through the DSO mechanism:
When configure is run it will take several minutes to test
- for the availability of features on your system and build
- Makefiles which will later be used to compile the server.
-
-
The easiest way to find all of the configuration flags for
- Apache is to run ./configure --help. What follows is a brief
- description of most of the arguments and environment
- variables.
The autoconf build process uses several environment
- variables to configure the build environment. In general, these
- variables change the method used to build Apache, but not the
- eventual features of the server. These variables can be placed
- in the environment before invoking configure, but
- it is usually easier to specify them on the
- configure command line as demonstrated in the
- example above.
-
-
-
CC=...
-
-
The name of the C compiler command.
-
-
CPPFLAGS=...
-
-
Miscellaneous C preprocessor and compiler options.
-
-
CFLAGS=...
-
-
Debugging and optimization options for the C
- compiler.
-
-
LDFLAGS=...
-
-
Miscellaneous options to be passed to the linker.
-
-
LIBS=...
-
-
Library location information ("-L" and "-l" options) to
- pass to the linker.
-
-
INCLUDES=...
-
-
Header file search directories ("-Idir").
-
-
TARGET=... [Default: apache]
-
-
Name of the executable which will be built.
-
-
NOTEST_CPPFLAGS=...
-
-
NOTEST_CFLAGS=...
-
-
NOTEST_LDFLAGS=...
-
-
NOTEST_LIBS=...
-
-
These variables share the same function as their
- non-NOTEST namesakes. However, the variables are applied to
- the build process only after autoconf has performed its
- feature testing. This allows the inclusion of flags which
- will cause problems during feature testing, but must be used
- for the final compilation.
-
-
SHLIB_PATH=...
-
-
Options which specify shared library paths for the
- compiler and linker.
There are currently two ways to configure the pathnames
- under which Apache will install its files. First, you can
- specify a directory and have Apache install itself under that
- directory in its default locations.
-
-
-
--prefix=PREFIX [Default:
- /usr/local/apache2]
-
-
Specifies the directory under which the Apache files will
- be installed.
-
-
-
It is possible to specify that architecture-dependent files
- should be placed under a different directory.
-
-
-
--exec-prefix=EPREFIX [Default:
- PREFIX]
-
-
Specifies the directory under which
- architecture-dependent files will be placed.
-
-
-
The second, and more flexible way to configure the install
- path locations for Apache is using the
- config.layout file. Using this method, it is
- possible to separately specify the location for each type of
- file within the Apache installation. The
- config.layout file contains several example
- configurations, and you can also create your own custom
- configuration following the examples. The different layouts in
- this file are grouped into <Layout
- FOO>...</Layout> sections and referred to by
- name as in FOO.
-
-
-
--enable-layout=LAYOUT
-
-
Use the named layout in the config.layout
- file to specify the installation paths.
-
-
-
Presently it is not possible to mix the
- --enable-layout and --prefix options.
- Nor is it possible to individually specify detailed pathnames
- on the configure command line. If you want just a
- basic install, you can simply use the --prefix
- option on its own. If you want to customize your install, you
- should edit the config.layout file and use the
- --enable-layout option.
Apache is a modular server. Only the most basic
- functionality is included in the core server. Extended features
- are available in various modules. During the configuration
- process, you must select which modules to compile for use with
- your server. You can view a list of modules included in
- the documentation. Those modules with a status of "Base" are
- included by default and must be specifically disabled if you do
- not want them. Modules with any other status must be
- specifically enabled if you wish to use them.
-
-
There are two ways for a module to be compiled and used with
- Apache. Modules may be statically compiled, which
- means that they are permanently included in the Apache binary.
- Alternatively, if your operating system supports Dynamic Shared
- Objects (DSOs) and autoconf can detect that support, then
- modules may be dynamically compiled. DSO modules are
- stored separately from the Apache binary, and may be included
- or excluded from the server using the run-time configuration
- directives provided by mod_so.
- The mod_so is automatically included in the server if any
- dynamic modules are included in the compilation. If you would
- like to make your server capable of loading DSOs without
- actually compiling any dynamic modules, you can explicitly
- --enable-so.
-
-
-
--enable-MODULE[=shared]
-
-
Compile and include the module MODULE. The
- identifier MODULE is the Module
- Identifier from the module documentation without the
- "_module" string. To compile the module as a DSO, add the
- option =shared.
-
-
--disable-MODULE
-
-
Remove the module MODULE which would otherwise
- be compiled and included.
-
-
--enable-modules=MODULE-LIST
-
-
Compile and include the modules listed in the
- space-separated MODULE-LIST.
-
-
- --enable-mods-shared=MODULE-LIST
-
-
Compile and include the modules in the space-separated
- MODULE-LIST as dynamically loadable (DSO)
- modules.
-
-
-
The MODULE-LIST in the
- --enable-modules and
- --enable-mods-shared options is usually a
- space-separated list of module identifiers. For example, to
- enable mod_dav and mod_info, you can either use
-
-
- ./configure --enable-dav --enable-info
-
-
-
or, equivalently,
-
-
- ./configure --enable-modules="dav info"
-
-
-
In addition, the special keywords all or
- most can be used to add all or most of the modules
- in one step. You can then remove any modules that you do not
- want with the --disable-MODULE option.
- For example, to include all modules as DSOs with the exception
- of mod_info, you can use
In addition to the standard set of modules, Apache 2.0 also
- includes a choice of Multi-Processing
- Modules (MPMs). One, and only one MPM must be included in
- the compilation process. The default MPMs for each platform are
- listed on the MPM documentation page,
- but can be overridden on the configure command
- line.
Apache includes a support program called suexec which can be used to isolate user
- CGI programs. However, if suexec is improperly configured, it
- can cause serious security problems. Therefore, you should
- carefully read and consider the suexec
- documentation before implementing this feature.
Now you can build the various parts which form the Apache
- package by simply running the command:
-
-
- $ make
-
-
-
Please be patient here, since a base configuration takes
- approximately 3 minutes to compile under a Pentium III/Linux
- 2.2 system, but this will vary widely depending on your
- hardware and the number of modules which you have enabled.
Now you can start your Apache
- HTTP server by immediately running:
-
-
- $ PREFIX/bin/apachectl start
-
-
-
and then you should be able to request your first document
- via URL http://localhost/. The web page you see is located
- under the DocumentRoot
- which will usually be PREFIX/htdocs/.
- Then stop the server again by
- running:
On Windows, Apache is normally run as a service on Windows
- NT, or as a console application on Windows 95. For details, see
- running Apache for
- Windows.
On Unix, the httpd program
- is run as a daemon which executes continuously in the
- background to handle requests.
-
-
If the Listen specified in
- the configuration file is default of 80 (or any other port
- below 1024), then it is necessary to have root privileges in
- order to start apache, so that it can bind to this privileged
- port. Once the server has started and performed a few
- preliminary activities such as opening its log files, it will
- launch several child processes which do the work of
- listening for and answering requests from clients. The main
- httpd process continues to run as the root user,
- but the child processes run as a less privileged user. This is
- controlled by the selected Multi-Processing
- Module.
-
-
The first thing that httpd does when it is
- invoked is to locate and read the configuration file
- httpd.conf. The location of this file is set at
- compile-time, but it is possible to specify its location at run
- time using the -f command-line option as in
As an alternative to invoking the httpd binary
- directly, a shell script called apachectl is provided which
- can be used to control the daemon process with simple commands
- such as apachectl start and apachectl
- stop.
-
-
If all goes well during startup, the server will detach from
- the terminal and the command prompt will return almost
- immediately. This indicates that the server is up and running.
- You can then use your browser to connect to the server and view
- the test page in the DocumentRoot directory
- and the local copy of the documentation linked from that
- page.
If Apache suffers a fatal problem during startup, it will
- write a message describing the problem either to the console or
- to the ErrorLog before
- exiting. One of the most common error messages is "Unable
- to bind to Port ...". This message is usually caused by
- either:
-
-
-
Trying to start the server on a privileged port when not
- logged in as the root user; or
-
-
Trying to start the server when there is another instance
- of Apache or some other web server already bound to the same
- Port.
-
-
-
For further trouble-shooting instructions, consult the
- Apache FAQ.
If you want your server to continue running after a system
- reboot, you should add a call to httpd or
- apachectl to your system startup files (typically
- rc.local or a file in an rc.N
- directory). This will start Apache as root. Before doing this
- ensure that your server is properly configured for security and
- access restrictions. The apachectl script is
- designed so that it can often be linked directly as an init
- script, but be sure to check the exact requirements of your
- system.
Additional information about the command-line options of httpd and apachectl as well as other
- support programs included with the server is available on the
- Server and Supporting Programs page.
- There is also documentation on all the modules included with the Apache distribution
- and the directives that they
- provide.
In order to effectively manage a web server, it is necessary
- to get feedback about the activity and performance of the
- server as well as any problems that may be occuring. The Apache
- HTTP Server provides very comprehensive and flexible logging
- capabilities. This document describes how to configure its
- logging capabilities, and how to understand what the logs
- contain.
Anyone who can write to the directory where Apache is
- writing a log file can almost certainly gain access to the uid
- that the server is started as, which is normally root. Do
- NOT give people write access to the directory the logs
- are stored in without being aware of the consequences; see the
- security tips document
- for details.
-
-
In addition, log files may contain information supplied
- directly by the client, without escaping. Therefore, it is
- possible for malicious clients to insert control-characters in
- the log files, so care must be taken in dealing with raw
- logs.
The server error log, whose name and location is set by the
- ErrorLog directive, is the
- most important log file. This is the place where Apache httpd
- will send diagnostic information and record any errors that it
- encounters in processing requests. It is the first place to
- look when a problem occurs with starting the server or with the
- operation of the server, since it will often contain details of
- what went wrong and how to fix it.
-
-
The error log is usually written to a file (typically
- error_log on unix systems and
- error.log on Windows and OS/2). On unix systems it
- is also possible to have the server send errors to
- syslog or pipe them to a
- program.
-
-
The format of the error log is relatively free-form and
- descriptive. But there is certain information that is contained
- in most error log entries. For example, here is a typical
- message.
-
-
- [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1]
- client denied by server configuration:
- /export/home/live/ap/htdocs/test
-
-
-
The first item in the log entry is the date and time of the
- message. The second entry lists the severity of the error being
- reported. The LogLevel
- directive is used to control the types of errors that are sent
- to the error log by restricting the severity level. The third
- entry gives the IP address of the client that generated the
- error. Beyond that is the message itself, which in this case
- indicates that the server has been configured to deny the
- client access. The server reports the file-system path (as
- opposed to the web path) of the requested document.
-
-
A very wide variety of different messages can appear in the
- error log. Most look similar to the example above. The error
- log will also contain debugging output from CGI scripts. Any
- information written to stderr by a CGI script will
- be copied directly to the error log.
-
-
It is not possible to customize the error log by adding or
- removing information. However, error log entries dealing with
- particular requests have corresponding entries in the access log. For example, the above example
- entry corresponds to an access log entry with status code 403.
- Since it is possible to customize the access log, you can
- obtain more information about error conditions using that log
- file.
-
-
During testing, it is often useful to continuously monitor
- the error log for any problems. On unix systems, you can
- accomplish this using:
The server access log records all requests processed by the
- server. The location and content of the access log are
- controlled by the CustomLog
- directive. The LogFormat
- directive can be used to simplify the selection of the contents
- of the logs. This section describes how to configure the server
- to record information in the access log.
-
-
Of course, storing the information in the access log is only
- the start of log management. The next step is to analyze this
- information to produce useful statistics. Log analysis in
- general is beyond the scope of this document, and not really
- part of the job of the web server itself. For more information
- about this topic, and for applications which perform log
- analysis, check the
- Open Directory or
- Yahoo.
-
-
Various versions of Apache httpd have used other modules and
- directives to control access logging, including
- mod_log_referer, mod_log_agent, and the
- TransferLog directive. The CustomLog
- directive now subsumes the functionality of all the older
- directives.
-
-
The format of the access log is highly configurable. The
- format is specified using a format string that
- looks much like a C-style printf(1) format string. Some
- examples are presented in the next sections. For a complete
- list of the possible contents of the format string, see the mod_log_config
- documentation.
A typical configuration for the access log might look as
- follows.
-
-
- LogFormat "%h %l %u %t \"%r\" %>s %b" common
- CustomLog logs/access_log common
-
-
-
This defines the nicknamecommon and
- associates it with a particular log format string. The format
- string consists of percent directives, each of which tell the
- server to log a particular piece of information. Literal
- characters may also be placed in the format string and will be
- copied directly into the log output. The quote character
- (") must be escaped by placing a back-slash before
- it to prevent it from being interpreted as the end of the
- format string. The format string may also contain the special
- control characters "\n" for new-line and
- "\t" for tab.
-
-
The CustomLog directive sets up a new log file
- using the defined nickname. The filename for the
- access log is relative to the ServerRoot unless it begins
- with a slash.
-
-
The above configuration will write log entries in a format
- known as the Common Log Format (CLF). This standard format can
- be produced by many different web servers and read by many log
- analysis programs. The log file entries produced in CLF will
- look something like this:
This is the IP address of the client (remote host) which
- made the request to the server. If HostnameLookups is
- set to On, then the server will try to determine
- the hostname and log it in place of the IP address. However,
- this configuration is not recommended since it can
- significantly slow the server. Instead, it is best to use a
- log post-processor such as logresolve to determine
- the hostnames. The IP address reported here is not
- necessarily the address of the machine at which the user is
- sitting. If a proxy server exists between the user and the
- server, this address will be the address of the proxy, rather
- than the originating machine.
-
-
- (%l)
-
-
The "hyphen" in the output indicates that the requested
- piece of information is not available. In this case, the
- information that is not available is the RFC 1413 identity of
- the client determined by identd on the clients
- machine. This information is highly unreliable and should
- almost never be used except on tightly controlled internal
- networks. Apache httpd will not even attempt to determine
- this information unless IdentityCheck is set
- to On.
-
-
frank (%u)
-
-
This is the userid of the person requesting the document
- as determined by HTTP authentication. The same value is
- typically provided to CGI scripts in the
- REMOTE_USER environment variable. If the status
- code for the request (see below) is 401, then this value
- should not be trusted because the user is not yet
- authenticated. If the document is not password protected,
- this entry will be "-" just like the previous
- one.
-
-
[10/Oct/2000:13:55:36 -0700]
- (%t)
-
-
- The time that the server finished processing the request.
- The format is:
-
-
- [day/month/year:hour:minute:second zone]
- day = 2*digit
- month = 3*letter
- year = 4*digit
- hour = 2*digit
- minute = 2*digit
- second = 2*digit
- zone = (`+' | `-') 4*digit
-
- It is possible to have the time displayed in another format
- by specifying %{format}t in the log format
- string, where format is as in
- strftime(3) from the C standard library.
-
-
-
"GET /apache_pb.gif HTTP/1.0"
- (\"%r\")
-
-
The request line from the client is given in double
- quotes. The request line contains a great deal of useful
- information. First, the method used by the client is
- GET. Second, the client requested the resource
- /apache_pb.gif, and third, the client used the
- protocol HTTP/1.0. It is also possible to log
- one or more parts of the request line independently. For
- example, the format string "%m %U%q %H" will log
- the method, path, query-string, and protocol, resulting in
- exactly the same output as "%r".
-
-
200 (%>s)
-
-
This is the status code that the server sends back to the
- client. This information is very valuable, because it reveals
- whether the request resulted in a successful response (codes
- beginning in 2), a redirection (codes beginning in 3), an
- error caused by the client (codes beginning in 4), or an
- error in the server (codes beginning in 5). The full list of
- possible status codes can be found in the HTTP
- specification (RFC2616 section 10).
-
-
2326 (%b)
-
-
The last entry indicates the size of the object returned
- to the client, not including the response headers. If no
- content was returned to the client, this value will be
- "-". To log "0" for no content, use
- %B instead.
This format is exactly the same as the Common Log Format,
- with the addition of two more fields. Each of the additional
- fields uses the percent-directive
- %{header}i, where header can be
- any HTTP request header. The access log under this format will
- look like:
The "Referer" (sic) HTTP request header. This gives the
- site that the client reports having been referred from. (This
- should be the page that links to or includes
- /apache_pb.gif).
-
-
"Mozilla/4.08 [en] (Win98; I ;Nav)"
- (\"%{User-agent}i\")
-
-
The User-Agent HTTP request header. This is the
- identifying information that the client browser reports about
- itself.
Multiple access logs can be created simply by specifying
- multiple CustomLog directives in the configuration
- file. For example, the following directives will create three
- access logs. The first contains the basic CLF information,
- while the second and third contain referer and browser
- information. The last two CustomLog lines show how
- to mimic the effects of the ReferLog and
- AgentLog directives.
This example also shows that it is not necessary to define a
- nickname with the LogFormat directive. Instead,
- the log format can be specified directly in the
- CustomLog directive.
There are times when it is convenient to exclude certain
- entries from the access logs based on characteristics of the
- client request. This is easily accomplished with the help of environment variables. First, an
- environment variable must be set to indicate that the request
- meets certain conditions. This is usually accomplished with SetEnvIf. Then the
- env= clause of the CustomLog
- directive is used to include or exclude requests where the
- environment variable is set. Some examples:
-
-
- # Mark requests from the loop-back interface
- SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
- # Mark requests for the robots.txt file
- SetEnvIf Request_URI "^/robots\.txt$" dontlog
- # Log what remains
- CustomLog logs/access_log common env=!dontlog
-
-
-
As another example, consider logging requests from
- english-speakers to one log file, and non-english speakers to a
- different log file.
-
-
- SetEnvIf Accept-Language "en" english
- CustomLog logs/english_log common env=english
- CustomLog logs/non_english_log common env=!english
-
-
-
Although we have just shown that conditional logging is very
- powerful and flexibly, it is not the only way to control the
- contents of the logs. Log files are more useful when they
- contain a complete record of server activity. It is often
- easier to simply post-process the log files to remove requests
- that you do not want to consider.
On even a moderately busy server, the quantity of
- information stored in the log files is very large. The access
- log file typically grows 1 MB or more per 10,000 requests. It
- will consequently be necessary to periodically rotate the log
- files by moving or deleting the existing logs. This cannot be
- done while the server is running, because Apache will continue
- writing to the old log file as long as it holds the file open.
- Instead, the server must be restarted after the log files are
- moved or deleted so that it will open new log files.
-
-
By using a graceful restart, the server can be
- instructed to open new log files without losing any existing or
- pending connections from clients. However, in order to
- accomplish this, the server must continue to write to the old
- log files while it finishes serving old requests. It is
- therefore necessary to wait for some time after the restart
- before doing any processing on the log files. A typical
- scenario that simply rotates the logs and compresses the old
- logs to save space is:
Apache httpd is capable of writing error and access log
- files through a pipe to another process, rather than directly
- to a file. This capability dramatically increases the
- flexibility of logging, without adding code to the main server.
- In order to write logs to a pipe, simply replace the filename
- with the pipe character "|", followed by the name
- of the executable which should accept log entries on its
- standard input. Apache will start the piped-log process when
- the server starts, and will restart it if it crashes while the
- server is running. (This last feature is why we can refer to
- this technique as "reliable piped logging".)
-
-
Piped log processes are spawned by the parent Apache httpd
- process, and inherit the userid of that process. This means
- that piped log programs usually run as root. It is therefore
- very important to keep the programs simple and secure.
-
-
Some simple examples using piped logs:
-
-
- # compressed logs
- CustomLog "|/usr/bin/gzip -c >>
- /var/log/access_log.gz" common
- # almost-real-time name resolution
- CustomLog "|/usr/local/apache/bin/logresolve >>
- /var/log/access_log" common
-
-
-
Notice that quotes are used to enclose the entire command
- that will be called for the pipe. Although these examples are
- for the access log, the same technique can be used for the
- error log.
-
-
One important use of piped logs is to allow log rotation
- without having to restart the server. The Apache HTTP Server
- includes a simple program called rotatelogs for this
- purpose. For example, to rotate the logs every 24 hours, you
- can use:
-
-
- CustomLog "|/usr/local/apache/bin/rotatelogs
- /var/log/access_log 86400" common
-
-
-
A similar, but much more flexible log rotation program
- called cronolog
- is available at an external site.
-
-
As with conditional logging, piped logs are a very powerful
- tool, but they should not be used where a simpler solution like
- off-line post-processing is available.
When running a server with many virtual
- hosts, there are several options for dealing with log
- files. First, it is possible to use logs exactly as in a
- single-host server. Simply by placing the logging directives
- outside the <VirtualHost> sections in the
- main server context, it is possible to log all requests in the
- same access log and error log. This technique does not allow
- for easy collection of statistics on individual virtual
- hosts.
-
-
If CustomLog or ErrorLog
- directives are placed inside a <VirtualHost>
- section, all requests or errors for that virtual host will be
- logged only to the specified file. Any virtual host which does
- not have logging directives will still have its requests sent
- to the main server logs. This technique is very useful for a
- small number of virtual hosts, but if the number of hosts is
- very large, it can be complicated to manage. In addition, it
- can often create problems with insufficient file
- descriptors.
-
-
For the access log, there is a very good compromise. By
- adding information on the virtual host to the log format
- string, it is possible to log all hosts to the same log, and
- later split the log into individual files. For example,
- consider the following directives.
The %v is used to log the name of the virtual
- host that is serving the request. Then a program like split-logfile can be used to
- post-process the access log in order to split it into one file
- per virtual host.
-
-
Unfortunately, no similar technique is available for the
- error log, so you must choose between mixing all virtual hosts
- in the same error log and using one error log per virtual
- host.
On startup, Apache httpd saves the process id of the parent
- httpd process to the file logs/httpd.pid. This
- filename can be changed with the PidFile directive. The
- process-id is for use by the administrator in restarting and
- terminating the daemon by sending signals to the parent
- process; on Windows, use the -k command line option instead.
- For more information see the Stopping
- and Restarting page.
In order to aid in debugging, the ScriptLog directive
- allows you to record the input to and output from CGI scripts.
- This should only be used in testing - not for live servers.
- More information is available in the mod_cgi documentation.
When using the powerful and complex features of mod_rewrite, it is almost
- always necessary to use the RewriteLog to help
- in debugging. This log file produces a detailed analysis of how
- the rewriting engine transforms requests. The level of detail
- is controlled by the RewriteLogLevel
- directive.
This indicates the format of the directive as it would
- appear in a configuration file. This syntax is extremely
- directive-specific, and is described in detail in the
- directive's definition. Generally, the directive name is
- followed by a series of one or more space-separated arguments.
- If an argument contains a space, the argument must be enclosed
- in double quotes. Optional arguments are enclosed in square
- brackets. Where an argument can take on more than one possible
- value, the possible values are separated by vertical bars "|".
- Literal text is presented in the default font, while
- argument-types for which substitution is necessary are
- emphasized. Directives which can take a variable
- number of arguments will end in "..." indicating that the last
- argument is repeated.
-
-
Directives use a great number of different argument types. A
- few common ones are defined below.
-
-
-
URL
-
-
A complete Uniform Resource Locator including a scheme,
- hostname, and optional pathname as in
- http://www.example.com/path/to/file.html
-
-
URL-path
-
-
The part of a url which follows the scheme and
- hostname as in /path/to/file.html. The
- url-path represents a web-view of a resource, as
- opposed to a file-system view.
-
-
file-path
-
-
The path to a file in the local file-system beginning
- with the root directory as in
- /usr/local/apache/htdocs/path/to/file.html.
- Unless otherwise specified, a file-path which does
- not begin with a slash will be treated as relative to the ServerRoot.
-
-
directory-path
-
-
The path to a directory in the local file-system
- beginning with the root directory as in
- /usr/local/apache/htdocs/path/to/.
-
-
filename
-
-
The name of a file with no accompanying path information
- as in file.html.
-
-
regex
-
-
A regular expression, which is a way of describing a
- pattern to match in text. The directive definition will
- specify what the regex is matching against.
-
-
extension
-
-
In general, this is the part of the filename
- which follows the last dot. However, Apache recognizes
- multiple filename extensions, so if a filename
- contains more than one dot, each dot-separated part of the
- filename following the first dot is an extension.
- For example, the filenamefile.html.en
- contains two extensions: .html and
- .en. For Apache directives, you may specify
- extensions with or without the leading dot. In
- addition, extensions are not case sensitive.
-
-
MIME-type
-
-
A method of describing the format of a file which
- consists of a major format type and a minor format type,
- separated by a slash as in text/html.
-
-
env-variable
-
-
The name of an environment
- variable defined in the Apache configuration process.
- Note this is not necessarily the same as an operating system
- environment variable. See the environment variable documentation for
- more details.
If the directive has a default value (i.e., if you
- omit it from your configuration entirely, the Apache Web server
- will behave as though you set it to a particular value), it is
- described here. If there is no default value, this section
- should say "None". Note that the default listed here
- is not necessarily the same as the value the directive takes in
- the default httpd.conf distributed with the server.
This indicates where in the server's configuration files the
- directive is legal. It's a comma-separated list of one or more
- of the following values:
-
-
-
server config
-
-
This means that the directive may be used in the server
- configuration files (e.g., httpd.conf,
- srm.conf, and access.conf), but
- not within any
- <VirtualHost> or <Directory>
- containers. It is not allowed in .htaccess files
- at all.
-
-
virtual host
-
-
This context means that the directive may appear inside
- <VirtualHost> containers in the server
- configuration files.
-
-
directory
-
-
A directive marked as being valid in this context may be
- used inside <Directory>,
- <Location>, and <Files>
- containers in the server configuration files, subject to the
- restrictions outlined in How
- Directory, Location and Files sections work.
-
-
.htaccess
-
-
If a directive is valid in this context, it means that it
- can appear inside per-directory
- .htaccess files. It may not be processed, though
- depending upon the overrides currently active.
-
-
-
The directive is only allowed within the designated
- context; if you try to use it elsewhere, you'll get a
- configuration error that will either prevent the server from
- handling requests in that context correctly, or will keep the
- server from operating at all -- i.e., the server won't
- even start.
-
-
The valid locations for the directive are actually the
- result of a Boolean OR of all of the listed contexts. In other
- words, a directive that is marked as being valid in
- "server config, .htaccess" can be used in the
- httpd.conf file and in .htaccess
- files, but not within any <Directory> or
- <VirtualHost> containers.
This directive attribute indicates which configuration
- override must be active in order for the directive to be
- processed when it appears in a .htaccess file. If
- the directive's context
- doesn't permit it to appear in .htaccess files,
- this attribute should say "Not applicable".
-
-
Overrides are activated by the AllowOverride directive, and apply
- to a particular scope (such as a directory) and all
- descendants, unless further modified by other
- AllowOverride directives at lower levels. The
- documentation for that directive also lists the possible
- override names available.
This indicates how tightly bound into the Apache Web server
- the directive is; in other words, you may need to recompile the
- server with an enhanced set of modules in order to gain access
- to the directive and its functionality. Possible values for
- this attribute are:
-
-
-
Core
-
-
If a directive is listed as having "Core" status, that
- means it is part of the innermost portions of the Apache Web
- server, and is always available.
-
-
MPM
-
-
A directive labeled as having "MPM" status is provided by
- a Multi-Processing Module. This
- type of directive will be available if and only if you are
- using one of the MPMs listed on the Module line of the directive
- definition.
-
-
Base
-
-
A directive labeled as having "Base" status is supported
- by one of the standard Apache modules which is compiled into
- the server by default, and is therefore normally available
- unless you've taken steps to remove the module from your
- configuration.
-
-
Extension
-
-
A directive with "Extension" status is provided by one of
- the modules included with the Apache server kit, but the
- module isn't normally compiled into the server. To enable the
- directive and its functionality, you will need to change the
- server build configuration files and re-compile Apache.
-
-
Experimental
-
-
"Experimental" status indicates that the directive is
- available as part of the Apache kit, but you're on your own
- if you try to use it. The directive is being documented for
- completeness, and is not necessarily supported. The module
- which provides the directive may or may not be compiled in by
- default; check the top of the page which describes the
- directive and its module to see if it remarks on the
- availability.
If the directive wasn't part of the original Apache version
- 1 distribution, the version in which it was introduced should
- be listed here. If the directive has the same name as one from
- the NCSA HTTPd server, any inconsistencies in behavior between
- the two should also be mentioned. Otherwise, this attribute
- should say "No compatibility issues."
If this directive is eliminated since the Apache version 1
- distribution, the directive or option that replaces the
- behavior should be cited here. In general, directives,
- features, and options are only deprecated to minimize debugging
- of conflicting features, or if the feature can only continue to
- be supported in an alternate manner.
This indicates how tightly bound into the Apache Web server
- the module is; in other words, you may need to recompile the
- server in order to gain access to the module and its
- functionality. Possible values for this attribute are:
-
-
-
MPM
-
-
A module with status "MPM" is a Multi-Processing Module. Unlike the
- other types of modules, Apache must have one and only one MPM
- in use at any time. This type of module is responsible for
- basic request handling and dispatching.
-
-
Base
-
-
A module labeled as having "Base" status is compiled and
- loaded into the server by default, and is therefore normally
- available unless you have taken steps to remove the module
- from your configuration.
-
-
Extension
-
-
A module with "Extension" status is not normally compiled
- and loaded into the server. To enable the module and its
- functionality, you may need to change the server build
- configuration files and re-compile Apache.
-
-
Experimental
-
-
"Experimental" status indicates that the module is
- available as part of the Apache kit, but you are on your own
- if you try to use it. The module is being documented for
- completeness, and is not necessarily supported.
-
-
External
-
-
Modules which are not included with the base Apache
- distribution ("third-party modules") may use the "External"
- status. We are not responsible for, nor do we support such
- modules.
This quite simply lists the name of the source file which
- contains the code for the module. This is also the name used by
- the <IfModule>
- directive.
This is a string which identifies the module for use in the
- LoadModule directive when
- dynamically loading modules. In particular, it is the name of
- the external variable of type module in the source file.
The Apache HTTP Server is designed to be a powerful and
- flexible web server that can work on a very wide variety of
- platforms in a range of different environments. Different
- platforms and different environments often require different
- features, or may have different ways of implementing the same
- feature most efficiently. Apache has always accommodated a wide
- variety of environments through its modular design. This design
- allows the webmaster to choose which features will be included
- in the server by selecting which modules to load either at
- compile-time or at run-time.
-
-
Apache 2.0 extends this modular design to the most basic
- functions of a web server. The server ships with a selection of
- Multi-Processing Modules (MPMs) which are responsible for
- binding to network ports on the machine, accepting requests,
- and dispatching children to handle the requests.
-
-
Extending the modular design to this level of the server
- allows two important benefits:
-
-
-
Apache can more cleanly and efficiently support a wide
- variety of operating systems. In particular, the Windows
- version of Apache is now much more efficient, since mpm_winnt can use native
- networking features in place of the POSIX layer used in
- Apache 1.3. This benefit also extends to other operating
- systems that implement specialized MPMs.
-
-
The server can be better customized for the needs of the
- particular site. For example, sites that need a great deal of
- scalability can choose to use a threaded MPM like worker, while sites requiring
- stability or compatibility with older software can use a preforking MPM. In addition,
- special features like serving different hosts under different
- userids (perchild) can be
- provided.
-
-
-
At the user level, MPMs appear much like other Apache
- modules. The main difference is that one and only one MPM must
- be loaded into the server at any time. The list of available
- MPMs appears on the module index page.
-
-
Choosing an MPM
-
-
MPMs must be chosen during configuration, and compiled into
- the server. Compilers are capable of optimizing a lot of
- functions if threads are used, but only if they know that
- threads are being used. Because some MPMs use threads on Unix
- and others don't, Apache will always perform better if the MPM
- is chosen at configuration time and built into Apache.
-
-
To actually choose the desired MPM, use the argument
- --with-mpm= NAME with the ./configure script.
- NAME is the name of the desired MPM.
-
-
Once the server has been compiled, it is possible to
- determine which MPM was chosen by using ./httpd
- -l. This command will list every module that is compiled
- into the server, including the MPM.
The sections <Directory>,
- <Location>
- and <Files> can
- contain directives which only apply to specified directories,
- URLs or files respectively. Also htaccess files can be used
- inside a directory to apply directives to that directory. This
- document explains how these different sections differ and how
- they relate to each other when Apache decides which directives
- apply for a particular directory or request URL.
-
-
Directives allowed in the sections
-
-
Everything that is syntactically allowed in
- <Directory> is also allowed in
- <Location> (except a
- sub-<Files> section). Semantically, however
- some things, most notably AllowOverride and the
- two options FollowSymLinks and
- SymLinksIfOwnerMatch, make no sense in
- <Location>,
- <LocationMatch> or
- <DirectoryMatch>. The same for
- <Files> -- syntactically everything is fine,
- but semantically some things are different.
-
-
How the sections are merged
-
-
The order of merging is:
-
-
-
<Directory> (except regular
- expressions) and .htaccess done simultaneously (with
- .htaccess, if allowed, overriding
- <Directory>)
-
-
<DirectoryMatch>, and
- <Directory> with regular expressions
-
-
<Files> and
- <FilesMatch> done simultaneously
-
-
<Location> and
- <LocationMatch> done simultaneously
-
-
-
Apart from <Directory>, each group is
- processed in the order that they appear in the configuration
- files. <Directory> (group 1 above) is
- processed in the order shortest directory component to longest.
- If multiple <Directory> sections apply to
- the same directory they they are processed in the configuration
- file order. The configuration files are read in the order
- httpd.conf, srm.conf and access.conf. Configurations included
- via the Include directive will be treated as if
- they were inside the including file at the location of the
- Include directive.
-
-
Sections inside <VirtualHost> sections
- are applied after the corresponding sections outside
- the virtual host definition. This allows virtual hosts to
- override the main server configuration.
-
-
Later sections override earlier ones.
-
-
Notes about using sections
-
-
The general guidelines are:
-
-
-
If you are attempting to match objects at the filesystem
- level then you must use <Directory> and/or
- <Files>.
-
-
If you are attempting to match objects at the URL level
- then you must use <Location>
-
-
-
But a notable exception is:
-
-
-
proxy control is done via <Directory>.
- This is a legacy mistake because the proxy existed prior to
- <Location>. A future version of the config
- language should probably switch this to
- <Location>.
-
-
-
Note about .htaccess parsing:
-
-
-
Modifying .htaccess parsing during Location doesn't do
- anything because .htaccess parsing has already occurred.
-
-
-
<Location> and symbolic links:
-
-
-
It is not possible to use "Options
- FollowSymLinks" or "Options
- SymLinksIfOwnerMatch" inside a
- <Location>,
- <LocationMatch> or
- <DirectoryMatch> section (the options are
- simply ignored). Using the options in question is only
- possible inside a <Directory> section (or
- a .htaccess file).
-
-
-
<Files> and Options:
-
-
-
Apache won't check for it, but using an
- Options directive inside a
- <Files> section has no effect.
-
-
-
Another note:
-
-
-
There is actually a
- <Location>/<LocationMatch>
- sequence performed just before the name translation phase
- (where Aliases and DocumentRoots
- are used to map URLs to filenames). The results of this
- sequence are completely thrown away after the translation has
- completed.
-
-
-
-
\ No newline at end of file
diff --git a/docs/manual/ssl/index.html.en b/docs/manual/ssl/index.html.en
deleted file mode 100644
index 971686a1b71..00000000000
--- a/docs/manual/ssl/index.html.en
+++ /dev/null
@@ -1,36 +0,0 @@
-
-
-
-
-Apache SSL/TLS Encryption
-
-
-
-
-
-
SSL/TLS Strong Encryption
-
-
The Apache HTTP Server module mod_ssl
-provides an interface to the OpenSSL library, which provides
-Strong Encryption using the Secure Sockets Layer and Transport Layer
-Security protocols. The module and this documentation are based on
-Ralf S. Engelschall's mod_ssl project.
Extensive documentation on the directives and environment variables
-provided by this module is provided in the mod_ssl reference documentation.
-
-
-
-
-
diff --git a/docs/manual/stopping.html.en b/docs/manual/stopping.html.en
deleted file mode 100644
index 89c1a58a3e3..00000000000
--- a/docs/manual/stopping.html.en
+++ /dev/null
@@ -1,209 +0,0 @@
-
-
-
-
-
-
- Stopping and Restarting the Server
-
-
-
-
-
-
-
Stopping and Restarting the Server
-
-
This document covers stopping and restarting Apache on
- Unix-like systems. Windows users should see Signalling Apache when
- running.
-
-
You will notice many httpd executables running
- on your system, but you should not send signals to any of them
- except the parent, whose pid is in the PidFile. That is to say you
- shouldn't ever need to send signals to any process except the
- parent. There are three signals that you can send the parent:
- TERM, HUP, and USR1,
- which will be described in a moment.
-
-
To send a signal to the parent you should issue a command
- such as:
- Modify those examples to match your ServerRoot and PidFile settings.
-
-
A shell script called apachectl is provided which
- automates the processing of signalling Apache. For details
- about this script, see the documentation on starting Apache.
-
-
Stop Now
-
-
Signal: TERM
- apachectl stop
-
-
Sending the TERM signal to the parent causes it
- to immediately attempt to kill off all of its children. It may
- take it several seconds to complete killing off its children.
- Then the parent itself exits. Any requests in progress are
- terminated, and no further requests are served.
-
-
Graceful Restart
-
-
Signal: USR1
- apachectl graceful
-
-
The USR1 signal causes the parent process to
- advise the children to exit after their current
- request (or to exit immediately if they're not serving
- anything). The parent re-reads its configuration files and
- re-opens its log files. As each child dies off the parent
- replaces it with a child from the new generation of
- the configuration, which begins serving new requests
- immediately.
- On certain platforms that do not allow USR1 to be used for a
- graceful restart, an alternative signal may be used (such as
- WINCH). apachectl graceful will send the right signal for your
- platform.
-
-
This code is designed to always respect the MaxClients, MinSpareServers,
- and MaxSpareServers
- settings. Furthermore, it respects StartServers in the
- following manner: if after one second at least StartServers new
- children have not been created, then create enough to pick up
- the slack. This is to say that the code tries to maintain both
- the number of children appropriate for the current load on the
- server, and respect your wishes with the StartServers
- parameter.
-
-
Users of the status module
- will notice that the server statistics are not
- set to zero when a USR1 is sent. The code was
- written to both minimize the time in which the server is unable
- to serve new requests (they will be queued up by the operating
- system, so they're not lost in any event) and to respect your
- tuning parameters. In order to do this it has to keep the
- scoreboard used to keep track of all children across
- generations.
-
-
The status module will also use a G to indicate
- those children which are still serving requests started before
- the graceful restart was given.
-
-
At present there is no way for a log rotation script using
- USR1 to know for certain that all children writing
- the pre-restart log have finished. We suggest that you use a
- suitable delay after sending the USR1 signal
- before you do anything with the old log. For example if most of
- your hits take less than 10 minutes to complete for users on
- low bandwidth links then you could wait 15 minutes before doing
- anything with the old log.
-
-
Note: If your configuration file has errors
- in it when you issue a restart then your parent will not
- restart, it will exit with an error. In the case of graceful
- restarts it will also leave children running when it exits.
- (These are the children which are "gracefully exiting" by
- handling their last request.) This will cause problems if you
- attempt to restart the server -- it will not be able to bind to
- its listening ports. Before doing a restart, you can check the
- syntax of the configuration files with the -t
- command line argument (see httpd). This still will not
- guarantee that the server will restart correctly. To check the
- semantics of the configuration files as well as the syntax, you
- can try starting httpd as a non-root user. If there are no
- errors it will attempt to open its sockets and logs and fail
- because it's not root (or because the currently running httpd
- already has those ports bound). If it fails for any other
- reason then it's probably a config file error and the error
- should be fixed before issuing the graceful restart.
-
-
Restart Now
-
-
Signal: HUP
- apachectl restart
-
-
Sending the HUP signal to the parent causes it
- to kill off its children like in TERM but the
- parent doesn't exit. It re-reads its configuration files, and
- re-opens any log files. Then it spawns a new set of children
- and continues serving hits.
-
-
Users of the status module
- will notice that the server statistics are set to zero when a
- HUP is sent.
-
-
Note: If your configuration file has errors
- in it when you issue a restart then your parent will not
- restart, it will exit with an error. See below for a method of
- avoiding this.
-
-
Appendix: signals and race conditions
-
-
Prior to Apache 1.2b9 there were several race
- conditions involving the restart and die signals (a simple
- description of race condition is: a time-sensitive problem, as
- in if something happens at just the wrong time it won't behave
- as expected). For those architectures that have the "right"
- feature set we have eliminated as many as we can. But it should
- be noted that there still do exist race conditions on certain
- architectures.
-
-
Architectures that use an on disk ScoreBoardFile have the
- potential to corrupt their scoreboards. This can result in the
- "bind: Address already in use" (after HUP) or
- "long lost child came home!" (after USR1). The
- former is a fatal error, while the latter just causes the
- server to lose a scoreboard slot. So it might be advisable to
- use graceful restarts, with an occasional hard restart. These
- problems are very difficult to work around, but fortunately
- most architectures do not require a scoreboard file. See the ScoreBoardFile
- documentation for a architecture uses it.
-
-
NEXT and MACHTEN (68k only) have
- small race conditions which can cause a restart/die signal to
- be lost, but should not cause the server to do anything
- otherwise problematic.
-
-
-
-
All architectures have a small race condition in each child
- involving the second and subsequent requests on a persistent
- HTTP connection (KeepAlive). It may exit after reading the
- request line but before reading any of the request headers.
- There is a fix that was discovered too late to make 1.2. In
- theory this isn't an issue because the KeepAlive client has to
- expect these events because of network latencies and server
- timeouts. In practice it doesn't seem to affect anything either
- -- in a test case the server was restarted twenty times per
- second and clients successfully browsed the site without
- getting broken images or empty documents.
-
-
The suEXEC feature --
- introduced in Apache 1.2 -- provides Apache users the ability
- to run CGI and SSI programs
- under user IDs different from the user ID of the calling
- web-server. Normally, when a CGI or SSI program executes, it
- runs as the same user who is running the web server.
-
-
Used properly, this feature can reduce
- considerably the security risks involved with allowing users to
- develop and run private CGI or SSI programs. However, if suEXEC
- is improperly configured, it can cause any number of problems
- and possibly create new holes in your computer's security. If
- you aren't familiar with managing setuid root programs and the
- security issues they present, we highly recommend that you not
- consider using suEXEC.
Before jumping head-first into this document,
- you should be aware of the assumptions made on the part of the
- Apache Group and this document.
-
-
First, it is assumed that you are using a UNIX
- derivate operating system that is capable of
- setuid and setgid operations.
- All command examples are given in this regard. Other platforms,
- if they are capable of supporting suEXEC, may differ in their
- configuration.
-
-
Second, it is assumed you are familiar with
- some basic concepts of your computer's security and its
- administration. This involves an understanding of
- setuid/setgid operations and the various
- effects they may have on your system and its level of
- security.
-
-
Third, it is assumed that you are using an
- unmodified version of suEXEC code. All code
- for suEXEC has been carefully scrutinized and tested by the
- developers as well as numerous beta testers. Every precaution
- has been taken to ensure a simple yet solidly safe base of
- code. Altering this code can cause unexpected problems and new
- security risks. It is highly recommended you
- not alter the suEXEC code unless you are well versed in the
- particulars of security programming and are willing to share
- your work with the Apache Group for consideration.
-
-
Fourth, and last, it has been the decision of
- the Apache Group to NOT make suEXEC part of
- the default installation of Apache. To this end, suEXEC
- configuration requires of the administrator careful attention
- to details. After due consideration has been given to the
- various settings for suEXEC, the administrator may install
- suEXEC through normal installation methods. The values for
- these settings need to be carefully determined and specified by
- the administrator to properly maintain system security during
- the use of suEXEC functionality. It is through this detailed
- process that the Apache Group hopes to limit suEXEC
- installation only to those who are careful and determined
- enough to use it.
Before we begin configuring and installing
- suEXEC, we will first discuss the security model you are about
- to implement. By doing so, you may better understand what
- exactly is going on inside suEXEC and what precautions are
- taken to ensure your system's security.
-
-
suEXEC is based on a setuid
- "wrapper" program that is called by the main Apache web server.
- This wrapper is called when an HTTP request is made for a CGI
- or SSI program that the administrator has designated to run as
- a userid other than that of the main server. When such a
- request is made, Apache provides the suEXEC wrapper with the
- program's name and the user and group IDs under which the
- program is to execute.
-
-
The wrapper then employs the following process
- to determine success or failure -- if any one of these
- conditions fail, the program logs the failure and exits with an
- error, otherwise it will continue:
-
-
-
- Was the wrapper called with the proper number of
- arguments?
-
-
- The wrapper will only execute if it is given the proper
- number of arguments. The proper argument format is known
- to the Apache web server. If the wrapper is not receiving
- the proper number of arguments, it is either being
- hacked, or there is something wrong with the suEXEC
- portion of your Apache binary.
-
-
-
-
- Is the user executing this wrapper a valid user of
- this system?
-
-
- This is to ensure that the user executing the wrapper is
- truly a user of the system.
-
-
-
-
- Is this valid user allowed to run the
- wrapper?
-
-
- Is this user the user allowed to run this wrapper? Only
- one user (the Apache user) is allowed to execute this
- program.
-
-
-
-
- Does the target program have an unsafe hierarchical
- reference?
-
-
- Does the target program contain a leading '/' or have a
- '..' backreference? These are not allowed; the target
- program must reside within the Apache webspace.
-
-
-
-
- Is the target user name valid?
-
-
- Does the target user exist?
-
-
-
-
- Is the target group name valid?
-
-
- Does the target group exist?
-
-
-
-
- Is the target user NOT superuser?
-
-
-
- Presently, suEXEC does not allow 'root' to execute
- CGI/SSI programs.
-
-
-
-
- Is the target userid ABOVE the minimum ID
- number?
-
-
- The minimum user ID number is specified during
- configuration. This allows you to set the lowest possible
- userid that will be allowed to execute CGI/SSI programs.
- This is useful to block out "system" accounts.
-
-
-
-
- Is the target group NOT the superuser
- group?
-
-
- Presently, suEXEC does not allow the 'root' group to
- execute CGI/SSI programs.
-
-
-
-
- Is the target groupid ABOVE the minimum ID
- number?
-
-
- The minimum group ID number is specified during
- configuration. This allows you to set the lowest possible
- groupid that will be allowed to execute CGI/SSI programs.
- This is useful to block out "system" groups.
-
-
-
-
- Can the wrapper successfully become the target user
- and group?
-
-
- Here is where the program becomes the target user and
- group via setuid and setgid calls. The group access list
- is also initialized with all of the groups of which the
- user is a member.
-
-
-
-
- Does the directory in which the program resides
- exist?
-
-
- If it doesn't exist, it can't very well contain files.
-
-
-
-
- Is the directory within the Apache
- webspace?
-
-
- If the request is for a regular portion of the server, is
- the requested directory within the server's document
- root? If the request is for a UserDir, is the requested
- directory within the user's document root?
-
-
-
-
- Is the directory NOT writable by anyone
- else?
-
-
- We don't want to open up the directory to others; only
- the owner user may be able to alter this directories
- contents.
-
-
-
-
- Does the target program exist?
-
-
- If it doesn't exists, it can't very well be executed.
-
-
-
-
- Is the target program NOT writable by
- anyone else?
-
-
- We don't want to give anyone other than the owner the
- ability to change the program.
-
-
-
-
- Is the target program NOT setuid or
- setgid?
-
-
- We do not want to execute programs that will then change
- our UID/GID again.
-
-
-
-
- Is the target user/group the same as the program's
- user/group?
-
-
- Is the user the owner of the file?
-
-
-
-
- Can we successfully clean the process environment
- to ensure safe operations?
-
-
- suEXEC cleans the process' environment by establishing a
- safe execution PATH (defined during configuration), as
- well as only passing through those variables whose names
- are listed in the safe environment list (also created
- during configuration).
-
-
-
-
- Can we successfully become the target program and
- execute?
-
-
- Here is where suEXEC ends and the target program begins.
-
-
-
-
-
-
-
-
This is the standard operation of the the
- suEXEC wrapper's security model. It is somewhat stringent and
- can impose new limitations and guidelines for CGI/SSI design,
- but it was developed carefully step-by-step with security in
- mind.
-
-
For more information as to how this security
- model can limit your possibilities in regards to server
- configuration, as well as what security risks can be avoided
- with a proper suEXEC setup, see the "Beware the Jabberwock" section of this
- document.
Here's where we begin the fun. If you use
- Apache 1.2 or prefer to configure Apache 1.3 with the
- "src/Configure" script you have to edit the suEXEC
- header file and install the binary in its proper location
- manually. The following sections describe the configuration and
- installation for Apache 1.3 with the AutoConf-style interface
- (APACI).
-
-
APACI's suEXEC configuration
- options
-
-
-
-
--enable-suexec
-
-
This option enables the suEXEC feature which is never
- installed or activated by default. At least one
- --suexec-xxxxx option has to be provided together with the
- --enable-suexec option to let APACI accept your request for
- using the suEXEC feature.
-
-
--suexec-caller=UID
-
-
The username under which
- Apache normally runs. This is the only user allowed to
- execute this program.
-
-
--suexec-docroot=DIR
-
-
Define as the DocumentRoot set for Apache. This will be
- the only hierarchy (aside from UserDirs) that can be used for
- suEXEC behavior. The default directory is the --datadir value
- with the suffix "/htdocs", e.g. if you configure
- with "--datadir=/home/apache" the directory
- "/home/apache/htdocs" is used as document root for the suEXEC
- wrapper.
-
-
--suexec-logfile=FILE
-
-
This defines the filename to which all suEXEC
- transactions and errors are logged (useful for auditing and
- debugging purposes). By default the logfile is named
- "suexec_log" and located in your standard logfile directory
- (--logfiledir).
-
-
--suexec-userdir=DIR
-
-
Define to be the subdirectory under users' home
- directories where suEXEC access should be allowed. All
- executables under this directory will be executable by suEXEC
- as the user so they should be "safe" programs. If you are
- using a "simple" UserDir directive (ie. one without a "*" in
- it) this should be set to the same value. suEXEC will not
- work properly in cases where the UserDir directive points to
- a location that is not the same as the user's home directory
- as referenced in the passwd file. Default value is
- "public_html".
- If you have virtual hosts with a different UserDir for each,
- you will need to define them to all reside in one parent
- directory; then name that parent directory here. If
- this is not defined properly, "~userdir" cgi requests will
- not work!
-
-
--suexec-uidmin=UID
-
-
Define this as the lowest UID allowed to be a target user
- for suEXEC. For most systems, 500 or 100 is common. Default
- value is 100.
-
-
--suexec-gidmin=GID
-
-
Define this as the lowest GID allowed to be a target
- group for suEXEC. For most systems, 100 is common and
- therefore used as default value.
-
-
--suexec-safepath=PATH
-
-
Define a safe PATH environment to pass to CGI
- executables. Default value is
- "/usr/local/bin:/usr/bin:/bin".
-
-
-
-
-
-
Checking your suEXEC
- setup
- Before you compile and install the suEXEC wrapper you can
- check the configuration with the --layout option.
- Example output:
Compiling and installing the suEXEC
- wrapper
- If you have enabled the suEXEC feature with the
- --enable-suexec option the suexec binary (together with Apache
- itself) is automatically built if you execute the command
- "make".
- After all components have been built you can execute the
- command "make install" to install them. The binary image
- "suexec" is installed in the directory defined by the --sbindir
- option. Default location is
- "/usr/local/apache/sbin/suexec".
- Please note that you need root
- privileges for the installation step. In order
- for the wrapper to set the user ID, it must be installed as
- owner root and must have the setuserid
- execution bit set for file modes.
Upon startup of Apache, it looks for the file
- "suexec" in the "sbin" directory (default is
- "/usr/local/apache/sbin/suexec"). If Apache finds a properly
- configured suEXEC wrapper, it will print the following message
- to the error log:
- If you don't see this message at server startup, the server is
- most likely not finding the wrapper program where it expects
- it, or the executable is not installed setuid root.
-
- If you want to enable the suEXEC mechanism for the first time
- and an Apache server is already running you must kill and
- restart Apache. Restarting it with a simple HUP or USR1 signal
- will not be enough.
- If you want to disable suEXEC you should kill and restart
- Apache after you have removed the "suexec" file.
-
-
-
-
Virtual Hosts:
- One way to use the suEXEC wrapper is through the User and Group directives in VirtualHost definitions.
- By setting these directives to values different from the main
- server user ID, all requests for CGI resources will be executed
- as the User and Group defined for that
- <VirtualHost>. If only one or neither of
- these directives are specified for a
- <VirtualHost> then the main server userid is
- assumed.
-
-
User directories:
- The suEXEC wrapper can also be used to execute CGI programs as
- the user to which the request is being directed. This is
- accomplished by using the "~"
- character prefixing the user ID for whom execution is desired.
- The only requirement needed for this feature to work is for CGI
- execution to be enabled for the user and that the script must
- meet the scrutiny of the security checks
- above.
The suEXEC wrapper will write log information
- to the file defined with the --suexec-logfile option as
- indicated above. If you feel you have configured and installed
- the wrapper properly, have a look at this log and the error_log
- for the server to see where you may have gone astray.
NOTE! This section may not be
- complete. For the latest revision of this section of the
- documentation, see the Apache Group's Online
- Documentation version.
-
-
There are a few points of interest regarding
- the wrapper that can cause limitations on server setup. Please
- review these before submitting any "bugs" regarding suEXEC.
-
-
-
suEXEC Points Of Interest
-
-
- Hierarchy limitations
-
-
- For security and efficiency reasons, all suexec requests
- must remain within either a top-level document root for
- virtual host requests, or one top-level personal document
- root for userdir requests. For example, if you have four
- VirtualHosts configured, you would need to structure all
- of your VHosts' document roots off of one main Apache
- document hierarchy to take advantage of suEXEC for
- VirtualHosts. (Example forthcoming.)
-
-
-
-
- suEXEC's PATH environment variable
-
-
- This can be a dangerous thing to change. Make certain
- every path you include in this define is a
- trusted directory. You don't want to
- open people up to having someone from across the world
- running a trojan horse on them.
-
-
-
-
- Altering the suEXEC code
-
-
- Again, this can cause Big Trouble if you
- try this without knowing what you are doing. Stay away
- from it if at all possible.
-
In deciding what file to serve for a given request, Apache's
- default behavior is to take the URL-Path for the request (the
- part of the URL following the hostname and port) and add it to
- the end of the DocumentRoot specified in
- your configuration files. Therefore, the files and directories
- underneath the DocumentRoot make up the basic
- document tree which will be visible from the web.
-
-
Apache is also capable of Virtual
- Hosting, where the server receives requests for more than
- one host. In this case, a different DocumentRoot
- can be specified for each virtual host, or alternatively, the
- directives provided by the module mod_vhost_alias can be used
- to dynamically determine the appropriate place from which to
- serve content based on the requested IP address or
- hostname.
There are frequently circumstances where it is necessary to
- allow web access to parts of the filesystem that are not
- strictly underneath the DocumentRoot. Apache
- offers several different ways to accomplish this. On Unix
- systems, symbolic links can bring other parts of the filesystem
- under the DocumentRoot. For security reasons,
- Apache will follow symbolic links only if the Options setting for the
- relevant directory includes FollowSymLinks or
- SymLinksIfOwnerMatch.
-
-
Alternatively, the Alias directive will map
- any part of the filesystem into the web space. For example,
- with
-
-
- Alias /docs /var/web/
-
-
-
the URL
- http://www.example.com/docs/dir/file.html will be
- served from /var/web/dir/file.html. The ScriptAlias directive
- works the same way, with the additional effect that all content
- located at the target path is treated as CGI scripts.
-
-
For situations where you require additional flexibility, you
- can use the AliasMatch and ScriptAliasMatch
- directives to do powerful regular-expression based matching and
- substitution. For example,
will map a request to
- http://example.com/~user/cgi-bin/script.cgi to the
- path /home/user/cgi-bin/script.cgi and will treat
- the resulting file as a CGI script.
Traditionally on Unix systems, the home directory of a
- particular user can be referred to as
- ~user/. The module mod_userdir extends this idea
- to the web by allowing files under each user's home directory
- to be accessed using URLs such as the following.
-
-
- http://www.example.com/~user/file.html
-
-
-
For security reasons, it is inappropriate to give direct
- access to a user's home directory from the web. Therefore, the
- UserDir directive
- specifies a directory underneath the user's home directory
- where web files are located. Using the default setting of
- Userdir public_html, the above URL maps to a file
- at a directory like
- /home/user/public_html/file.html where
- /home/user/ is the user's home directory as
- specified in /etc/passwd.
-
-
There are also several other forms of the
- Userdir directive which you can use on systems
- where /etc/passwd does not contain the location of
- the home directory.
-
-
Some people find the "~" symbol (which is often encoded on
- the web as %7e) to be awkward and prefer to use an
- alternate string to represent user directories. This
- functionality is not supported by mod_userdir. However, if
- users' home directories are structured in a regular way, then
- it is possible to use the AliasMatch directive
- to achieve the desired effect. For example, to make
- http://www.example.com/upages/user/file.html map
- to /home/user/public_html/file.html, use the
- following AliasMatch directive:
The configuration directives discussed in the above sections
- tell Apache to get content from a specific place in the
- filesystem and return it to the client. Sometimes, it is
- desirable instead to inform the client that the requested
- content is located at a different URL, and instruct the client
- to make a new request with the new URL. This is called
- redirection and is implemented by the Redirect directive. For
- example, if the contents of the directory /foo/
- under the DocumentRoot are moved to the new
- directory /bar/, you can instruct clients to
- request the content at the new location as follows:
This will redirect any URL-Path starting in
- /foo/ to the same URL path on the
- www.example.com server with /bar/
- substituted for /foo/. You can redirect clients to
- any server, not only the origin server.
-
-
Apache also provides a RedirectMatch
- directive for more complicated rewriting problems. For example,
- to redirect requests for the site home page to a different
- site, but leave all other requests alone, use the following
- configuration:
When even more powerful substitution is required, the
- rewriting engine provided by mod_rewrite can be useful. The
- directives provided by this module use characteristics of the
- request such as browser type or source IP address in deciding
- from where to serve content. In addition, mod_rewrite can use
- external database files or programs to determine how to handle
- a request. Many practical examples employing mod_rewrite are
- discussed in the URL Rewriting
- Guide.
Inevitably, URLs will be requested for which no matching
- file can be found in the filesystem. This can happen for
- several reasons. In some cases, it can be a result of moving
- documents from one location to another. In this case, it is
- best to use URL redirection to inform
- clients of the new location of the resource. In this way, you
- can assure that old bookmarks and links will continue to work,
- even though the resource is at a new location.
-
-
Another common cause of "File Not Found" errors is
- accidental mistyping of URLs, either directly in the browser,
- or in HTML links. Apache provides the module mod_speling (sic) to help with
- this problem. When this module is activated, it will intercept
- "File Not Found" errors and look for a resource with a similar
- filename. If one such file is found, mod_speling will send an
- HTTP redirect to the client informing it of the correct
- location. If several "close" files are found, a list of
- available alternatives will be presented to the client.
-
-
An especially useful feature of mod_speling, is that it will
- compare filenames without respect to case. This can help
- systems where users are unaware of the case-sensitive nature of
- URLs and the unix filesystem. But using mod_speling for
- anything more than the occasional URL correction can place
- additional load on the server, since each "incorrect" request
- is followed by a URL redirection and a new request from the
- client.
-
-
If all attempts to locate the content fail, Apache returns
- an error page with HTTP status code 404 (file not found). The
- appearance of this page is controlled with the ErrorDocument directive
- and can be customized in a flexible manner as discussed in the
- Custom error responses and International Server Error
- Responses documents.
When using a large number of Virtual Hosts, Apache may run
- out of available file descriptors (sometimes called file
- handles if each Virtual Host specifies different log
- files. The total number of file descriptors used by Apache is
- one for each distinct error log file, one for every other log
- file directive, plus 10-20 for internal use. Unix operating
- systems limit the number of file descriptors that may be used
- by a process; the limit is typically 64, and may usually be
- increased up to a large hard-limit.
-
-
Although Apache attempts to increase the limit as required,
- this may not work if:
-
-
-
Your system does not provide the setrlimit() system
- call.
-
-
The setrlimit(RLIMIT_NOFILE) call does not function on
- your system (such as Solaris 2.3)
-
-
The number of file descriptors required exceeds the hard
- limit.
-
-
Your system imposes other limits on file descriptors,
- such as a limit on stdio streams only using file descriptors
- below 256. (Solaris 2)
-
- In the event of problems you can:
-
-
-
Reduce the number of log files; don't specify log files
- in the VirtualHost sections, but only log to the main log
- files.
-
-
- If you system falls into 1 or 2 (above), then increase the
- file descriptor limit before starting Apache, using a
- script like
-
-
- #!/bin/sh
- ulimit -S -n 100
- exec httpd
-
-
-
-
-
Please see the Descriptors and Apache
- document containing further details about file descriptor
- problems and how they can be solved on your operating
- system.
The term Virtual Host refers to the practice of
- maintaining more than one server on one machine, as
- differentiated by their apparent hostname. For example, it is
- often desirable for companies sharing a web server to have
- their own domains, with web servers accessible as
- www.company1.com and
- www.company2.com, without requiring the user to
- know any extra path information.
-
-
Apache was one of the first servers to support IP-based
- virtual hosts right out of the box. Versions 1.1 and later of
- Apache support both, IP-based and name-based virtual hosts
- (vhosts). The latter variant of virtual hosts is sometimes also
- called host-based or non-IP virtual hosts.
-
-
Below is a list of documentation pages which explain all
- details of virtual host support in Apache version 1.3 and
- later.
Folks trying to debug their virtual host configuration may
- find the Apache -t -D DUMP_VHOSTS command line switch
- useful. It will dump out a description of how Apache parsed the
- configuration file. Careful examination of the IP addresses and
- server names may help uncover configuration mistakes.
-
-
IP-based virtual hosts use the IP address of the connection to
-determine the correct virtual host to serve. Therefore you need to
-have a separate IP address for each host. With name-based virtual
-hosting, the server relies on the client to report the hostname as
-part of the HTTP headers. Using this technique, many different hosts
-can share the same IP address.
-
-
Name-based virtual hosting is usually simpler, since you need
-only configure your DNS server to map each hostname to the correct
-IP address and then configure the Apache HTTP Server to recognize
-the different hostnames. Name-based virtual hosting also eases
-the demand for scarce IP addresses. Therefore you should use
-name-based virtual hosting unless there is a specific reason to
-choose IP-based virtual hosting. Some reasons why you might consider
-using IP-based virtual hosting:
-
-
-
-
Some ancient clients are not compatible with name-based virtual
-hosting. For name-based virtual hosting to work, the client must send
-the HTTP Host header. This is required by HTTP/1.1, and is
-implemented by all modern HTTP/1.0 browsers as an extension. If you
-need to support obsolete clients and still use name-based virtual
-hosting, a possible technique is discussed at the end of this
-document.
-
-
Name-based virtual hosting cannot be used with SSL secure servers
-because of the nature of the SSL protocol.
-
-
Some operating systems and network equipment implement bandwidth
-management techniques that cannot differentiate between hosts unless
-they are on separate IP addresses.
To use name-based virtual hosting, you must designate the IP
-address (and possibly port) on the server that will be accepting
-requests for the hosts. This is configured using the NameVirtualHost directive.
-In the normal case where any and all IP addresses on the server should
-be used, you can use * as the argument to
-NameVirtualHost. Note that mentioning an IP address in a
-NameVirtualHost directive does not automatically make the
-server listen to that IP address. See Setting
-which addresses and ports Apache uses for more details. In addition,
-any IP address specified here must be associated with a network interface
-on the server.
-
-
The next step is to create a <VirtualHost> block for
-each different host that you would like to serve. The argument to the
-<VirtualHost> directive should be the same as the
-argument to the NameVirtualHost directive (ie, an IP
-address, or * for all addresses). Inside each
-<VirtualHost> block, you will need at minimum a ServerName directive to
-designate which host is served and a DocumentRoot directive to
-show where in the filesystem the content for that host lives.
-
-
For example, suppose that both www.domain.tld and
-www.otherdomain.tld point at an IP address
-that the server is listening to. Then you simply add the following
-to httpd.conf:
You can alternatively specify an explicit IP address in place of
-the * in both the NameVirtualHost and
-<VirtualHost> directives.
-
-
Many servers want to be accessible by more than one name. This is
-possible with the ServerAlias
-directive, placed inside the <VirtualHost> section. For
-example if you add this to the first <VirtualHost> block
-above
-
-
-ServerAlias domain.tld *.domain.tld
-
-
-
then requests for all hosts in the domain.tld domain
-will be served by the www.domain.tld virtual host. The
-wildcard characters * and ? can be used to match names. Of course,
-you can't just make up names and place them in ServerName
-or ServerAlias. You must first have your DNS server
-properly configured to map those names to an IP address associated
-with your server.
-
-
Finally, you can fine-tune the configuration of the virtual hosts
-by placing other directives inside the
-<VirtualHost> containers. Most directives can be
-placed in these containers and will then change the configuration only
-of the relevant virtual host. To find out if a particular directive
-is allowed, check the Context of the
-directive. Configuration directives set in the main server
-context (outside any <VirtualHost> container)
-will be used only if they are not overriden by the virtual host
-settings.
-
-
Now when a request arrives, the server will first check if it is
-using an IP address that matches the NameVirtualHost. If
-it is, then it will look at each <VirtualHost>
-section with a matching IP address and try to find one where the
-ServerName or ServerAlias matches the
-requested hostname. If it finds one, then it uses the configuration
-for that server. If no matching virtual host is found, then
-the first listed virtual host that matches the IP
-address will be used.
-
-
As a consequence, the first listed virtual host is the
-default virtual host. The DocumentRoot from the
-main server will never be used when an IP
-address matches the NameVirtualHost directive. If you
-would like to have a special configuration for requests that do not
-match any particular virtual host, simply put that configuration in a
-<VirtualHost> container and list it first in the
-configuration file.
As mentioned earlier, there are some clients
- who do not send the required data for the name-based virtual
- hosts to work properly. These clients will always be sent the
- pages from the first virtual host listed for that IP address
- (the primary name-based virtual host).
-
-
There is a possible workaround with the ServerPath
- directive, albeit a slightly cumbersome one:
What does this mean? It means that a request for any URI
- beginning with "/domain" will be served from the
- virtual host www.domain.tld This means that the
- pages can be accessed as
- http://www.domain.tld/domain/ for all clients,
- although clients sending a Host: header can also
- access it as http://www.domain.tld/.
-
-
In order to make this work, put a link on your primary
- virtual host's page to
- http://www.domain.tld/domain/ Then, in the virtual
- host's pages, be sure to use either purely relative links
- (e.g., "file.html" or
- "../icons/image.gif" or links containing the
- prefacing /domain/ (e.g.,
- "http://www.domain.tld/domain/misc/file.html" or
- "/domain/misc/file.html").
-
-
This requires a bit of discipline, but adherence to these
- guidelines will, for the most part, ensure that your pages will
- work with all browsers, new and old.
-
-
-
-
diff --git a/modules/experimental/mod_auth_ldap.c b/modules/experimental/mod_auth_ldap.c
deleted file mode 100644
index 6be891cf172..00000000000
--- a/modules/experimental/mod_auth_ldap.c
+++ /dev/null
@@ -1,862 +0,0 @@
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * .
- */
-
-/*
- * mod_auth_ldap.c: LDAP authentication module
- *
- * Original code from auth_ldap module for Apache v1.3:
- * Copyright 1998, 1999 Enbridge Pipelines Inc.
- * Copyright 1999-2001 Dave Carrigan
- */
-
-#include
-#include
-
-#include "ap_config.h"
-#if APR_HAVE_UNISTD_H
-/* for getpid() */
-#include
-#endif
-#include
-
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h"
-#include "util_ldap.h"
-
-/* per directory configuration */
-typedef struct {
- apr_pool_t *pool; /* Pool that this config is allocated from */
- apr_lock_t *lock; /* Lock for this config */
- int auth_authoritative; /* Is this auth method the one and only? */
- int enabled; /* Is auth_ldap enabled in this directory? */
-
- /* These parameters are all derived from the AuthLDAPURL directive */
- char *url; /* String representation of the URL */
-
- char *host; /* Name of the LDAP server (or space separated list) */
- int port; /* Port of the LDAP server */
- char *basedn; /* Base DN to do all searches from */
- char *attribute; /* Attribute to search for */
- char **attributes; /* Array of all the attributes to return */
- int scope; /* Scope of the search */
- char *filter; /* Filter to further limit the search */
- deref_options deref; /* how to handle alias dereferening */
- char *binddn; /* DN to bind to server (can be NULL) */
- char *bindpw; /* Password to bind to server (can be NULL) */
-
- int frontpage_hack; /* Hack for frontpage support */
- int user_is_dn; /* If true, connection->user is DN instead of userid */
- int compare_dn_on_server; /* If true, will use server to do DN compare */
-
- int have_ldap_url; /* Set if we have found an LDAP url */
-
- apr_array_header_t *groupattr; /* List of Group attributes */
- int group_attrib_is_dn; /* If true, the group attribute is the DN, otherwise,
- it's the exact string passed by the HTTP client */
-
- int netscapessl; /* True if Netscape SSL is enabled */
- int starttls; /* True if StartTLS is enabled */
-} mod_auth_ldap_config_t;
-
-typedef struct mod_auth_ldap_request_t {
- char *dn; /* The saved dn from a successful search */
- char *user; /* The username provided by the client */
-} mod_auth_ldap_request_t;
-
-/* maximum group elements supported */
-#define GROUPATTR_MAX_ELTS 10
-
-struct mod_auth_ldap_groupattr_entry_t {
- char *name;
-};
-
-module AP_MODULE_DECLARE_DATA auth_ldap_module;
-
-/* function prototypes */
-void mod_auth_ldap_build_filter(char *filtbuf,
- request_rec *r,
- mod_auth_ldap_config_t *sec);
-int mod_auth_ldap_check_user_id(request_rec *r);
-int mod_auth_ldap_auth_checker(request_rec *r);
-void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d);
-
-/* ---------------------------------------- */
-
-
-/*
- * Build the search filter, or at least as much of the search filter that
- * will fit in the buffer. We don't worry about the buffer not being able
- * to hold the entire filter. If the buffer wasn't big enough to hold the
- * filter, ldap_search_s will complain, but the only situation where this
- * is likely to happen is if the client sent a really, really long
- * username, most likely as part of an attack.
- *
- * The search filter consists of the filter provided with the URL,
- * combined with a filter made up of the attribute provided with the URL,
- * and the actual username passed by the HTTP client. For example, assume
- * that the LDAP URL is
- *
- * ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)
- *
- * Further, assume that the userid passed by the client was `userj'. The
- * search filter will be (&(posixid=*)(uid=userj)).
- */
-#define FILTER_LENGTH MAX_STRING_LEN
-void mod_auth_ldap_build_filter(char *filtbuf,
- request_rec *r,
- mod_auth_ldap_config_t *sec)
-{
- char *p, *q, *filtbuf_end;
- /*
- * Create the first part of the filter, which consists of the
- * config-supplied portions.
- */
- apr_snprintf(filtbuf, FILTER_LENGTH, "(&(%s)(%s=", sec->filter, sec->attribute);
-
- /*
- * Now add the client-supplied username to the filter, ensuring that any
- * LDAP filter metachars are escaped.
- */
- filtbuf_end = filtbuf + FILTER_LENGTH - 1;
- for (p = r->user, q=filtbuf + strlen(filtbuf);
- *p && q < filtbuf_end; *q++ = *p++) {
- if (strchr("*()\\", *p) != NULL) {
- *q++ = '\\';
- if (q >= filtbuf_end) {
- break;
- }
- }
- }
- *q = '\0';
-
- /*
- * Append the closing parens of the filter, unless doing so would
- * overrun the buffer.
- */
- if (q + 2 <= filtbuf_end)
- strcat(filtbuf, "))");
-}
-
-
-/*
- * Authentication Phase
- * --------------------
- *
- * This phase authenticates the credentials the user has sent with
- * the request (ie the username and password are checked). This is done
- * by making an attempt to bind to the LDAP server using this user's
- * DN and the supplied password.
- *
- */
-int mod_auth_ldap_check_user_id(request_rec *r)
-{
- const char **vals = NULL;
- char filtbuf[FILTER_LENGTH];
- mod_auth_ldap_config_t *sec =
- (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config, &auth_ldap_module);
-
- util_ldap_connection_t *ldc = NULL;
- const char *sent_pw;
- int result = 0;
- const char *dn = NULL;
-
- mod_auth_ldap_request_t *req =
- (mod_auth_ldap_request_t *)apr_pcalloc(r->pool, sizeof(mod_auth_ldap_request_t));
- ap_set_module_config(r->request_config, &auth_ldap_module, req);
-
- if (!sec->enabled) {
- return DECLINED;
- }
-
- /*
- * Basic sanity checks before any LDAP operations even happen.
- */
- if (!sec->have_ldap_url) {
- return DECLINED;
- }
-
- /* There is a good AuthLDAPURL, right? */
- if (sec->host) {
- ldc = util_ldap_connection_find(r, sec->host, sec->port,
- sec->binddn, sec->bindpw, sec->deref,
- sec->netscapessl, sec->starttls);
- }
- else {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authenticate: no sec->host - weird...?", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authenticate: using URL %s", getpid(), sec->url);
-
- /* Get the password that the client sent */
- if ((result = ap_get_basic_auth_pw(r, &sent_pw))) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authenticate: "
- "ap_get_basic_auth_pw() returns %d", getpid(), result);
- util_ldap_connection_close(ldc);
- return result;
- }
-
- /* build the username filter */
- mod_auth_ldap_build_filter(filtbuf, r, sec);
-
- /* do the user search */
- result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
- sec->attributes, filtbuf, sent_pw, &dn, &vals);
- util_ldap_connection_close(ldc);
-
- if (result != LDAP_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authenticate: "
- "user %s authentication failed; URI %s [%s][%s]",
- getpid(), r->user, r->uri, ldc->reason, ldap_err2string(result));
- if (LDAP_INVALID_CREDENTIALS == result) {
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
- }
- else {
- return sec->auth_authoritative? HTTP_UNAUTHORIZED: DECLINED;
- }
- }
-
- /* mark the user and DN */
- req->dn = apr_pstrdup(r->pool, dn);
- req->user = r->user;
- if (sec->user_is_dn) {
- r->user = req->dn;
- }
-
- /* add environment variables */
- if (sec->attributes && vals) {
- apr_table_t *e = r->subprocess_env;
- int i = 0;
- while (sec->attributes[i]) {
- char *str = apr_pstrcat(r->pool, "AUTHENTICATE_", sec->attributes[i], NULL);
- int j = 13;
- while (str[j]) {
- if (str[j] >= 'a' && str[j] <= 'z') {
- str[j] = str[j] - ('a' - 'A');
- }
- j++;
- }
- apr_table_setn(e, str, vals[i]);
- i++;
- }
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authenticate: accepting %s", getpid(), r->user);
-
- return OK;
-}
-
-
-/*
- * Authorisation Phase
- * -------------------
- *
- * After checking whether the username and password are correct, we need
- * to check whether that user is authorised to view this resource. The
- * require directive is used to do this:
- *
- * require valid-user Any authenticated is allowed in.
- * require user This particular user is allowed in.
- * require group The user must be a member of this group
- * in order to be allowed in.
- * require dn The user must have the following DN in the
- * LDAP tree to be let in.
- *
- */
-int mod_auth_ldap_auth_checker(request_rec *r)
-{
- int result = 0;
- mod_auth_ldap_request_t *req =
- (mod_auth_ldap_request_t *)ap_get_module_config(r->request_config,
- &auth_ldap_module);
- mod_auth_ldap_config_t *sec =
- (mod_auth_ldap_config_t *)ap_get_module_config(r->per_dir_config,
- &auth_ldap_module);
-
- util_ldap_connection_t *ldc = NULL;
- int m = r->method_number;
-
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
-
- register int x;
- const char *t;
- char *w;
- int method_restricted = 0;
-
- if (!sec->enabled) {
- return DECLINED;
- }
-
- if (!sec->have_ldap_url) {
- return DECLINED;
- }
-
- if (sec->host) {
- ldc = util_ldap_connection_find(r, sec->host, sec->port,
- sec->binddn, sec->bindpw, sec->deref,
- sec->netscapessl, sec->starttls);
- }
- else {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: no sec->host - weird...?", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- /*
- * If there are no elements in the group attribute array, the default should be
- * member and uniquemember; populate the array now.
- */
- if (sec->groupattr->nelts == 0) {
- struct mod_auth_ldap_groupattr_entry_t *grp;
- apr_lock_acquire(sec->lock);
- grp = apr_array_push(sec->groupattr);
- grp->name = "member";
- grp = apr_array_push(sec->groupattr);
- grp->name = "uniquemember";
- apr_lock_release(sec->lock);
- }
-
- if (!reqs_arr) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: no requirements array", getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- /* Loop through the requirements array until there's no elements
- * left, or something causes a return from inside the loop */
- for(x=0; x < reqs_arr->nelts; x++) {
- if (! (reqs[x].method_mask & (1 << m))) {
- continue;
- }
- method_restricted = 1;
-
- t = reqs[x].requirement;
- w = ap_getword(r->pool, &t, ' ');
-
- if (strcmp(w, "valid-user") == 0) {
- /*
- * Valid user will always be true if we authenticated with ldap,
- * but when using front page, valid user should only be true if
- * he exists in the frontpage password file. This hack will get
- * auth_ldap to look up the user in the the pw file to really be
- * sure that he's valid. Naturally, it requires mod_auth to be
- * compiled in, but if mod_auth wasn't in there, then the need
- * for this hack wouldn't exist anyway.
- */
- if (sec->frontpage_hack) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "deferring authorisation to mod_auth (FP Hack)",
- getpid());
- return OK;
- }
- else {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "successful authorisation because user "
- "is valid-user", getpid());
- return OK;
- }
- }
- else if (strcmp(w, "user") == 0) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require user: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
- /*
- * First do a whole-line compare, in case it's something like
- * require user Babs Jensen
- */
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, t);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require user: authorisation successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require user: "
- "authorisation failed [%s][%s]", getpid(),
- ldc->reason, ldap_err2string(result));
- }
- }
- /*
- * Now break apart the line and compare each word on it
- */
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- result = util_ldap_cache_compare(r, ldc, sec->url, req->dn, sec->attribute, w);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require user: authorisation successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require user: authorisation failed [%s][%s]",
- getpid(), ldc->reason, ldap_err2string(result));
- }
- }
- }
- }
- else if (strcmp(w, "dn") == 0) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require dn: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
-
- result = util_ldap_cache_comparedn(r, ldc, sec->url, req->dn, t, sec->compare_dn_on_server);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require dn: authorisation successful", getpid());
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: "
- "require dn: LDAP error [%s][%s]",
- getpid(), ldc->reason, ldap_err2string(result));
- }
- }
- }
- else if (strcmp(w, "group") == 0) {
- struct mod_auth_ldap_groupattr_entry_t *ent = (struct mod_auth_ldap_groupattr_entry_t *) sec->groupattr->elts;
- int i;
-
- if (sec->group_attrib_is_dn) {
- if (req->dn == NULL || strlen(req->dn) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: user's DN has not been defined; failing authorisation",
- getpid());
- return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
- }
- }
- else {
- if (req->user == NULL || strlen(req->user) == 0) {
- /* We weren't called in the authentication phase, so we didn't have a
- * chance to set the user field. Do so now. */
- req->user = r->user;
- }
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: testing for group membership in `%s'",
- getpid(), t);
-
- for (i = 0; i < sec->groupattr->nelts; i++) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: testing for %s: %s (%s)", getpid(),
- ent[i].name, sec->group_attrib_is_dn ? req->dn : req->user, t);
-
- result = util_ldap_cache_compare(r, ldc, sec->url, t, ent[i].name,
- sec->group_attrib_is_dn ? req->dn : req->user);
- switch(result) {
- case LDAP_COMPARE_TRUE: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: "
- "authorisation successful (attribute %s) [%s][%s]",
- getpid(), ent[i].name, ldc->reason, ldap_err2string(result));
- return OK;
- }
- default: {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: require group: "
- "authorisation failed [%s][%s]",
- getpid(), ldc->reason, ldap_err2string(result));
- }
- }
- }
- }
- }
-
- if (!method_restricted) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: agreeing because non-restricted",
- getpid());
- return OK;
- }
-
- if (!sec->auth_authoritative) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: declining to authorise", getpid());
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
- "[%d] auth_ldap authorise: authorisation denied", getpid());
- ap_note_basic_auth_failure (r);
-
- return HTTP_UNAUTHORIZED;
-}
-
-
-/* ---------------------------------------- */
-/* config directives */
-
-
-void *mod_auth_ldap_create_dir_config(apr_pool_t *p, char *d)
-{
- mod_auth_ldap_config_t *sec =
- (mod_auth_ldap_config_t *)apr_pcalloc(p, sizeof(mod_auth_ldap_config_t));
-
- sec->pool = p;
- apr_lock_create(&sec->lock, APR_MUTEX, APR_INTRAPROCESS, NULL, p);
- sec->auth_authoritative = 1;
- sec->enabled = 1;
- sec->groupattr = apr_array_make(p, GROUPATTR_MAX_ELTS,
- sizeof(struct mod_auth_ldap_groupattr_entry_t));
-
- sec->have_ldap_url = 0;
- sec->url = "";
- sec->host = NULL;
- sec->binddn = NULL;
- sec->bindpw = NULL;
- sec->deref = always;
- sec->group_attrib_is_dn = 1;
-
- sec->frontpage_hack = 0;
- sec->netscapessl = 0;
- sec->starttls = 0;
-
- sec->user_is_dn = 0;
- sec->compare_dn_on_server = 0;
-
- return sec;
-}
-
-/*
- * Use the ldap url parsing routines to break up the ldap url into
- * host and port.
- */
-static const char *mod_auth_ldap_parse_url(cmd_parms *cmd,
- void *config,
- const char *url)
-{
- int result;
- LDAPURLDesc *urld;
-
- mod_auth_ldap_config_t *sec = config;
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: `%s'",
- getpid(), url);
-
- result = ldap_url_parse(url, &(urld));
- if (result != LDAP_SUCCESS) {
- switch (result) {
- case LDAP_URL_ERR_NOTLDAP:
- return "LDAP URL does not begin with ldap://";
- case LDAP_URL_ERR_NODN:
- return "LDAP URL does not have a DN";
- case LDAP_URL_ERR_BADSCOPE:
- return "LDAP URL has an invalid scope";
- case LDAP_URL_ERR_MEM:
- return "Out of memory parsing LDAP URL";
- default:
- return "Could not parse LDAP URL";
- }
- }
- sec->url = apr_pstrdup(cmd->pool, url);
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: Host: %s", getpid(), urld->lud_host);
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: Port: %d", getpid(), urld->lud_port);
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: DN: %s", getpid(), urld->lud_dn);
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: attrib: %s", getpid(), urld->lud_attrs? urld->lud_attrs[0] : "(null)");
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: scope: %s", getpid(),
- (urld->lud_scope == LDAP_SCOPE_SUBTREE? "subtree" :
- urld->lud_scope == LDAP_SCOPE_BASE? "base" :
- urld->lud_scope == LDAP_SCOPE_ONELEVEL? "onelevel" : "unknown"));
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap url parse: filter: %s", getpid(), urld->lud_filter);
-
- /* Set all the values, or at least some sane defaults */
- if (sec->host) {
- char *p = apr_palloc(cmd->pool, strlen(sec->host) + strlen(urld->lud_host) + 2);
- strcpy(p, urld->lud_host);
- strcat(p, " ");
- strcat(p, sec->host);
- sec->host = p;
- }
- else {
- sec->host = urld->lud_host? apr_pstrdup(cmd->pool, urld->lud_host) : "localhost";
- }
- sec->basedn = urld->lud_dn? apr_pstrdup(cmd->pool, urld->lud_dn) : "";
- if (urld->lud_attrs && urld->lud_attrs[0]) {
- int i = 1;
- while (urld->lud_attrs[i]) {
- i++;
- }
- sec->attributes = apr_pcalloc(cmd->pool, sizeof(char *) * (i+1));
- i = 0;
- while (urld->lud_attrs[i]) {
- sec->attributes[i] = apr_pstrdup(cmd->pool, urld->lud_attrs[i]);
- i++;
- }
- sec->attribute = sec->attributes[0];
- }
- else {
- sec->attribute = "uid";
- }
-
- sec->scope = urld->lud_scope == LDAP_SCOPE_ONELEVEL ?
- LDAP_SCOPE_ONELEVEL : LDAP_SCOPE_SUBTREE;
-
- if (urld->lud_filter) {
- if (urld->lud_filter[0] == '(') {
- /*
- * Get rid of the surrounding parens; later on when generating the
- * filter, they'll be put back.
- */
- sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter+1);
- sec->filter[strlen(sec->filter)-1] = '\0';
- }
- else {
- sec->filter = apr_pstrdup(cmd->pool, urld->lud_filter);
- }
- }
- else {
- sec->filter = "objectclass=*";
- }
- if (strncmp(url, "ldaps", 5) == 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap parse url: requesting secure LDAP", getpid());
-#ifdef APU_HAS_LDAP_STARTTLS
- sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
- sec->starttls = 1;
-#else
-#ifdef APU_HAS_LDAP_NETSCAPE_SSL
- sec->port = urld->lud_port? urld->lud_port : LDAPS_PORT;
- sec->netscapessl = 1;
-#else
- return "Secure LDAP (ldaps://) not supported. Rebuild APR-Util";
-#endif
-#endif
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0,
- cmd->server, "[%d] auth_ldap parse url: not requesting secure LDAP", getpid());
- sec->netscapessl = 0;
- sec->starttls = 0;
- sec->port = urld->lud_port? urld->lud_port : LDAP_PORT;
- }
-
- sec->have_ldap_url = 1;
- ldap_free_urldesc(urld);
- return NULL;
-}
-
-static const char *mod_auth_ldap_set_deref(cmd_parms *cmd, void *config, const char *arg)
-{
- mod_auth_ldap_config_t *sec = config;
-
- if (strcmp(arg, "never") == 0 || strcasecmp(arg, "off") == 0) {
- sec->deref = never;
- }
- else if (strcmp(arg, "searching") == 0) {
- sec->deref = searching;
- }
- else if (strcmp(arg, "finding") == 0) {
- sec->deref = finding;
- }
- else if (strcmp(arg, "always") == 0 || strcasecmp(arg, "on") == 0) {
- sec->deref = always;
- }
- else {
- return "Unrecognized value for AuthLDAPAliasDereference directive";
- }
- return NULL;
-}
-
-static const char *mod_auth_ldap_add_group_attribute(cmd_parms *cmd, void *config, const char *arg)
-{
- struct mod_auth_ldap_groupattr_entry_t *new;
-
- mod_auth_ldap_config_t *sec = config;
-
- if (sec->groupattr->nelts > GROUPATTR_MAX_ELTS)
- return "Too many AuthLDAPGroupAttribute directives";
-
- new = apr_array_push(sec->groupattr);
- new->name = apr_pstrdup(cmd->pool, arg);
-
- return NULL;
-}
-
-command_rec mod_auth_ldap_cmds[] = {
- AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
- "URL to define LDAP connection. This should be an RFC 2255 complaint\n"
- "URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n"
- "
\n"
- "
Host is the name of the LDAP server. Use a space separated list of hosts \n"
- "to specify redundant servers.\n"
- "
Port is optional, and specifies the port to connect to.\n"
- "
basedn specifies the base DN to start searches from\n"
- "
Attrib specifies what attribute to search for in the directory. If not "
- "provided, it defaults to uid.\n"
- "
Scope is the scope of the search, and can be either sub or "
- "one. If not provided, the default is sub.\n"
- "
Filter is a filter to use in the search. If not provided, "
- "defaults to (objectClass=*).\n"
- "
\n"
- "Searches are performed using the attribute and the filter combined. "
- "For example, assume that the\n"
- "LDAP URL is ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*). "
- "Searches will\n"
- "be done using the filter (&((posixid=*))(uid=username)), "
- "where username\n"
- "is the user name passed by the HTTP client. The search will be a subtree "
- "search on the branch ou=People, o=Airius."),
-
- AP_INIT_TAKE1("AuthLDAPBindDN", ap_set_string_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, binddn), OR_AUTHCFG,
- "DN to use to bind to LDAP server. If not provided, will do an anonymous bind."),
-
- AP_INIT_TAKE1("AuthLDAPBindPassword", ap_set_string_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, bindpw), OR_AUTHCFG,
- "Password to use to bind to LDAP server. If not provided, will do an anonymous bind."),
-
- AP_INIT_FLAG("AuthLDAPRemoteUserIsDN", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, user_is_dn), OR_AUTHCFG,
- "Set to 'on' to set the REMOTE_USER environment variable to be the full "
- "DN of the remote user. By default, this is set to off, meaning that "
- "the REMOTE_USER variable will contain whatever value the remote user sent."),
-
- AP_INIT_FLAG("AuthLDAPAuthoritative", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, auth_authoritative), OR_AUTHCFG,
- "Set to 'off' to allow access control to be passed along to lower modules if "
- "the UserID and/or group is not known to this module"),
-
- AP_INIT_FLAG("AuthLDAPCompareDNOnServer", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, compare_dn_on_server), OR_AUTHCFG,
- "Set to 'on' to force auth_ldap to do DN compares (for the \"require dn\" "
- "directive) using the server, and set it 'off' to do the compares locally "
- "(at the expense of possible false matches). See the documentation for "
- "a complete description of this option."),
-
- AP_INIT_ITERATE("AuthLDAPGroupAttribute", mod_auth_ldap_add_group_attribute, NULL, OR_AUTHCFG,
- "A list of attributes used to define group membership - defaults to "
- "member and uniquemember"),
-
- AP_INIT_FLAG("AuthLDAPGroupAttributeIsDN", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, group_attrib_is_dn), OR_AUTHCFG,
- "If set to 'on', auth_ldap uses the DN that is retrieved from the server for"
- "subsequent group comparisons. If set to 'off', auth_ldap uses the string"
- "provided by the client directly. Defaults to 'on'."),
-
- AP_INIT_TAKE1("AuthLDAPDereferenceAliases", mod_auth_ldap_set_deref, NULL, OR_AUTHCFG,
- "Determines how aliases are handled during a search. Can bo one of the"
- "values \"never\", \"searching\", \"finding\", or \"always\". "
- "Defaults to always."),
-
- AP_INIT_FLAG("AuthLDAPEnabled", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, enabled), OR_AUTHCFG,
- "Set to off to disable auth_ldap, even if it's been enabled in a higher tree"),
-
- AP_INIT_FLAG("AuthLDAPFrontPageHack", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, frontpage_hack), OR_AUTHCFG,
- "Set to 'on' to support Microsoft FrontPage"),
-
-#ifdef APU_HAS_LDAP_STARTTLS
- AP_INIT_FLAG("AuthLDAPStartTLS", ap_set_flag_slot,
- (void *)APR_XtOffsetOf(mod_auth_ldap_config_t, starttls), OR_AUTHCFG,
- "Set to 'on' to start TLS after connecting to the LDAP server."),
-#endif /* APU_HAS_LDAP_STARTTLS */
-
- {NULL}
-};
-
-static void mod_auth_ldap_register_hooks(apr_pool_t *p)
-{
- ap_hook_check_user_id(mod_auth_ldap_check_user_id, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_auth_checker(mod_auth_ldap_auth_checker, NULL, NULL, APR_HOOK_MIDDLE);
-}
-
-module auth_ldap_module = {
- STANDARD20_MODULE_STUFF,
- mod_auth_ldap_create_dir_config, /* dir config creater */
- NULL, /* dir merger --- default is to override */
- NULL, /* server config */
- NULL, /* merge server config */
- mod_auth_ldap_cmds, /* command table */
- mod_auth_ldap_register_hooks, /* set up request processing hooks */
-};
diff --git a/modules/experimental/util_ldap.c b/modules/experimental/util_ldap.c
deleted file mode 100644
index 4e9ca0e5015..00000000000
--- a/modules/experimental/util_ldap.c
+++ /dev/null
@@ -1,1105 +0,0 @@
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * .
- */
-
-/*
- * util_ldap.c: LDAP things
- *
- * Original code from auth_ldap module for Apache v1.3:
- * Copyright 1998, 1999 Enbridge Pipelines Inc.
- * Copyright 1999-2001 Dave Carrigan
- */
-
-#include
-
-#ifdef APU_HAS_LDAP
-
-#include
-#include
-
-#include "ap_config.h"
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h"
-#include "util_ldap.h"
-#include "util_ldap_cache.h"
-
-#if APR_HAVE_UNISTD_H
-#include
-#endif
-
-module AP_MODULE_DECLARE_DATA ldap_module;
-
-int util_ldap_handler(request_rec *r);
-void *util_ldap_create_config(apr_pool_t *p, server_rec *s);
-
-
-/*
- * Some definitions to help between various versions of apache.
- */
-
-#ifndef DOCTYPE_HTML_2_0
-#define DOCTYPE_HTML_2_0 "\n"
-#endif
-
-#ifndef DOCTYPE_HTML_3_2
-#define DOCTYPE_HTML_3_2 "\n"
-#endif
-
-#ifndef DOCTYPE_HTML_4_0S
-#define DOCTYPE_HTML_4_0S "\n"
-#endif
-
-#ifndef DOCTYPE_HTML_4_0T
-#define DOCTYPE_HTML_4_0T "\n"
-#endif
-
-#ifndef DOCTYPE_HTML_4_0F
-#define DOCTYPE_HTML_4_0F "\n"
-#endif
-
-/*
- * Status Handler
- * --------------
- *
- * This handler generates a status page about the current performance of
- * the LDAP cache. It is enabled as follows:
- *
- *
- * SetHandler ldap-status
- *
- *
- */
-int util_ldap_handler(request_rec *r)
-{
-
- r->allowed |= (1 << M_GET);
- if (r->method_number != M_GET)
- return DECLINED;
-
- if (strcmp(r->handler, "ldap-status")) {
- return DECLINED;
- }
-
- r->content_type = "text/html";
- if (r->header_only)
- return OK;
-
- ap_rputs(DOCTYPE_HTML_3_2
- "LDAP Cache Information\n", r);
- ap_rputs("
";
- }
-
- buf = util_ald_cache_display_stats(pool, util_ldap_cache, "LDAP URL Cache");
-
- for (i=0; i < util_ldap_cache->size; ++i) {
- util_cache_node_t *p;
- for (p = util_ldap_cache->nodes[i]; p != NULL; p = p->next) {
- util_url_node_t *n;
-
- n = (util_url_node_t *)p->payload;
-
- t1 = apr_psprintf(pool, "%s (Searches)", n->url);
- t2 = apr_psprintf(pool, "%s (Compares)", n->url);
- t3 = apr_psprintf(pool, "%s (DNCompares)", n->url);
-
- buf = apr_psprintf(pool, "%s\n\n"
- "%s\n\n"
- "%s\n\n"
- "%s\n\n",
- buf,
- util_ald_cache_display_stats(pool, n->search_cache, t1),
- util_ald_cache_display_stats(pool, n->compare_cache, t2),
- util_ald_cache_display_stats(pool, n->dn_compare_cache, t3)
- );
- }
- }
- return buf;
-}
-
-#endif /* APU_HAS_LDAP */
diff --git a/server/mpm/experimental/perchild/.cvsignore b/server/mpm/experimental/perchild/.cvsignore
deleted file mode 100644
index 84df2572148..00000000000
--- a/server/mpm/experimental/perchild/.cvsignore
+++ /dev/null
@@ -1,5 +0,0 @@
-.deps
-.libs
-*.lo
-*.la
-Makefile
diff --git a/server/mpm/experimental/perchild/Makefile.in b/server/mpm/experimental/perchild/Makefile.in
deleted file mode 100644
index 374f1306468..00000000000
--- a/server/mpm/experimental/perchild/Makefile.in
+++ /dev/null
@@ -1,5 +0,0 @@
-
-LTLIBRARY_NAME = libperchild.la
-LTLIBRARY_SOURCES = perchild.c
-
-include $(top_srcdir)/build/ltlib.mk
diff --git a/server/mpm/experimental/perchild/config5.m4 b/server/mpm/experimental/perchild/config5.m4
deleted file mode 100644
index bd179baed93..00000000000
--- a/server/mpm/experimental/perchild/config5.m4
+++ /dev/null
@@ -1,6 +0,0 @@
-dnl ## XXX - Need a more thorough check of the proper flags to use
-
-if test "$MPM_NAME" = "perchild" ; then
-
- APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
-fi
diff --git a/server/mpm/experimental/perchild/mpm.h b/server/mpm/experimental/perchild/mpm.h
deleted file mode 100644
index 7c407230003..00000000000
--- a/server/mpm/experimental/perchild/mpm.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * .
- *
- * Portions of this software are based upon public domain software
- * originally written at the National Center for Supercomputing Applications,
- * University of Illinois, Urbana-Champaign.
- */
-
-#include "httpd.h"
-#include "mpm_default.h"
-#include "unixd.h"
-
-#ifndef APACHE_MPM_PERCHILD_H
-#define APACHE_MPM_PERCHILD_H
-
-#define PERCHILD_MPM
-
-#define MPM_NAME "Perchild"
-
-#define AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
-#define AP_MPM_WANT_WAIT_OR_TIMEOUT
-#define AP_MPM_WANT_PROCESS_CHILD_STATUS
-#define AP_MPM_WANT_SET_PIDFILE
-#define AP_MPM_WANT_SET_SCOREBOARD
-#define AP_MPM_WANT_SET_LOCKFILE
-#define AP_MPM_WANT_SET_MAX_REQUESTS
-#define AP_MPM_WANT_SET_COREDUMPDIR
-#define AP_MPM_WANT_SET_ACCEPT_LOCK_MECH
-
-#define MPM_SYNC_CHILD_TABLE()
-#define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
-#define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
-
-/* Table of child status */
-#define SERVER_DEAD 0
-#define SERVER_DYING 1
-#define SERVER_ALIVE 2
-
-typedef struct ap_ctable{
- pid_t pid;
- unsigned char status;
-} ap_ctable;
-
-extern int ap_threads_per_child;
-extern int ap_max_daemons_limit;
-extern server_rec *ap_server_conf;
-
-#endif /* APACHE_MPM_PERCHILD_H */
diff --git a/server/mpm/experimental/perchild/mpm_default.h b/server/mpm/experimental/perchild/mpm_default.h
deleted file mode 100644
index 46fb0977013..00000000000
--- a/server/mpm/experimental/perchild/mpm_default.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * .
- *
- * Portions of this software are based upon public domain software
- * originally written at the National Center for Supercomputing Applications,
- * University of Illinois, Urbana-Champaign.
- */
-
-#ifndef APACHE_MPM_DEFAULT_H
-#define APACHE_MPM_DEFAULT_H
-
-/* Number of threads to spawn off by default --- also, if fewer than
- * this free when the caretaker checks, it will spawn more.
- */
-#ifndef DEFAULT_START_THREAD
-#define DEFAULT_START_THREAD 5
-#endif
-
-/* Maximum number of *free* server threads --- more than this, and
- * they will die off.
- */
-
-#ifndef DEFAULT_MAX_SPARE_THREAD
-#define DEFAULT_MAX_SPARE_THREAD 10
-#endif
-
-/* Minimum --- fewer than this, and more will be created */
-
-#ifndef DEFAULT_MIN_SPARE_THREAD
-#define DEFAULT_MIN_SPARE_THREAD 5
-#endif
-
-/* Number of servers to spawn off by default
- */
-#ifndef DEFAULT_NUM_DAEMON
-#define DEFAULT_NUM_DAEMON 2
-#endif
-
-/* File used for accept locking, when we use a file */
-#ifndef DEFAULT_LOCKFILE
-#define DEFAULT_LOCKFILE "logs/accept.lock"
-#endif
-
-/* Scoreboard file, if there is one */
-#ifndef DEFAULT_SCOREBOARD
-#define DEFAULT_SCOREBOARD "logs/apache_runtime_status"
-#endif
-
-/* Where the main/parent process's pid is logged */
-#ifndef DEFAULT_PIDLOG
-#define DEFAULT_PIDLOG "logs/httpd.pid"
-#endif
-
-/*
- * Interval, in microseconds, between scoreboard maintenance.
- */
-#ifndef SCOREBOARD_MAINTENANCE_INTERVAL
-#define SCOREBOARD_MAINTENANCE_INTERVAL 1000000
-#endif
-
-/* Number of requests to try to handle in a single process. If <= 0,
- * the children don't die off.
- */
-#ifndef DEFAULT_MAX_REQUESTS_PER_CHILD
-#define DEFAULT_MAX_REQUESTS_PER_CHILD 10000
-#endif
-
-#endif /* AP_MPM_DEFAULT_H */
diff --git a/server/mpm/experimental/perchild/perchild.c b/server/mpm/experimental/perchild/perchild.c
deleted file mode 100644
index 4fb32443c92..00000000000
--- a/server/mpm/experimental/perchild/perchild.c
+++ /dev/null
@@ -1,2007 +0,0 @@
-/* ====================================================================
- * The Apache Software License, Version 1.1
- *
- * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
- * reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- * if any, must include the following acknowledgment:
- * "This product includes software developed by the
- * Apache Software Foundation (http://www.apache.org/)."
- * Alternately, this acknowledgment may appear in the software itself,
- * if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Apache" and "Apache Software Foundation" must
- * not be used to endorse or promote products derived from this
- * software without prior written permission. For written
- * permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- * nor may "Apache" appear in their name, without prior written
- * permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation. For more
- * information on the Apache Software Foundation, please see
- * .
- *
- * Portions of this software are based upon public domain software
- * originally written at the National Center for Supercomputing Applications,
- * University of Illinois, Urbana-Champaign.
- */
-
-#include "apr_hash.h"
-#include "apr_strings.h"
-#include "apr_pools.h"
-#include "apr_portable.h"
-#include "apr_file_io.h"
-#include "apr_signal.h"
-
-#define APR_WANT_IOVEC
-#include "apr_want.h"
-
-#if APR_HAVE_UNISTD_H
-#include
-#endif
-#if APR_HAVE_SYS_SOCKET_H
-#include
-#endif
-
-#if !APR_HAS_THREADS
-#error The perchild MPM requires APR threads, but they are unavailable.
-#endif
-
-#define CORE_PRIVATE
-
-#include "ap_config.h"
-#include "httpd.h"
-#include "http_main.h"
-#include "http_log.h"
-#include "http_config.h" /* for read_config */
-#include "http_core.h" /* for get_remote_host */
-#include "http_protocol.h"
-#include "http_connection.h"
-#include "ap_mpm.h"
-#include "unixd.h"
-#include "mpm_common.h"
-#include "ap_listen.h"
-#include "mpm_default.h"
-#include "mpm.h"
-#include "scoreboard.h"
-#include "util_filter.h"
-
-/* ### should be APR-ized */
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_SYS_PROCESSOR_H
-#include /* for bindprocessor() */
-#endif
-
-/*
- * Define some magic numbers that we use for the state of the incomming
- * request. These must be < 0 so they don't collide with a file descriptor.
- */
-#define AP_PERCHILD_THISCHILD -1
-#define AP_PERCHILD_OTHERCHILD -2
-
-/* Limit on the threads per process. Clients will be locked out if more than
- * this * server_limit are needed.
- *
- * We keep this for one reason it keeps the size of the scoreboard file small
- * enough that we can read the whole thing without worrying too much about
- * the overhead.
- */
-#ifndef DEFAULT_THREAD_LIMIT
-#define DEFAULT_THREAD_LIMIT 64
-#endif
-
-/* Admin can't tune ThreadLimit beyond MAX_THREAD_LIMIT. We want
- * some sort of compile-time limit to help catch typos.
- */
-#ifndef MAX_THREAD_LIMIT
-#define MAX_THREAD_LIMIT 20000
-#endif
-
-/* Limit on the total --- clients will be locked out if more servers than
- * this are needed. It is intended solely to keep the server from crashing
- * when things get out of hand.
- *
- * We keep a hard maximum number of servers, for two reasons --- first off,
- * in case something goes seriously wrong, we want to stop the fork bomb
- * short of actually crashing the machine we're running on by filling some
- * kernel table. Secondly, it keeps the size of the scoreboard file small
- * enough that we can read the whole thing without worrying too much about
- * the overhead.
- */
-#ifndef DEFAULT_SERVER_LIMIT
-#define DEFAULT_SERVER_LIMIT 8
-#endif
-
-/* Admin can't tune ServerLimit beyond MAX_SERVER_LIMIT. We want
- * some sort of compile-time limit to help catch typos.
- */
-#ifndef MAX_SERVER_LIMIT
-#define MAX_SERVER_LIMIT 20000
-#endif
-
-/*
- * Actual definitions of config globals
- */
-
-static int threads_to_start = 0; /* Worker threads per child */
-static int min_spare_threads = 0;
-static int max_spare_threads = 0;
-static int max_threads = 0;
-static int server_limit = DEFAULT_SERVER_LIMIT;
-static int first_server_limit;
-static int thread_limit = DEFAULT_THREAD_LIMIT;
-static int first_thread_limit;
-static int changed_limit_at_restart;
-static int max_requests_per_child = 0;
-static int num_daemons = 0;
-static int curr_child_num = 0;
-static int workers_may_exit = 0;
-static int requests_this_child;
-static int num_listenfds = 0;
-static apr_socket_t **listenfds;
-static jmp_buf jmpbuffer;
-
-struct child_info_t {
- uid_t uid;
- gid_t gid;
- int sd;
-};
-
-typedef struct {
- const char *sockname; /* The base name for the socket */
- const char *fullsockname; /* socket base name + extension */
- int sd; /* The socket descriptor */
- int sd2; /* The socket descriptor */
-} perchild_server_conf;
-
-typedef struct child_info_t child_info_t;
-
-/* Tables used to determine the user and group each child process should
- * run as. The hash table is used to correlate a server name with a child
- * process.
- */
-static child_info_t *child_info_table;
-static int *thread_socket_table;
-struct ap_ctable *ap_child_table;
-
-/*
- * The max child slot ever assigned, preserved across restarts. Necessary
- * to deal with NumServers changes across AP_SIG_GRACEFUL restarts. We
- * use this value to optimize routines that have to scan the entire child
- * table.
- *
- * XXX - It might not be worth keeping this code in. There aren't very
- * many child processes in this MPM.
- */
-int ap_max_daemons_limit = -1;
-int ap_threads_per_child; /* XXX not part of API! axe it! */
-
-module AP_MODULE_DECLARE_DATA mpm_perchild_module;
-
-static apr_file_t *pipe_of_death_in = NULL;
-static apr_file_t *pipe_of_death_out = NULL;
-static apr_lock_t *pipe_of_death_mutex;
-
-/* *Non*-shared http_main globals... */
-
-server_rec *ap_server_conf;
-
-/* one_process --- debugging mode variable; can be set from the command line
- * with the -X flag. If set, this gets you the child_main loop running
- * in the process which originally started up (no detach, no make_child),
- * which is a pretty nice debugging environment. (You'll get a SIGHUP
- * early in standalone_main; just continue through. This is the server
- * trying to kill off any child processes which it might have lying
- * around --- Apache doesn't keep track of their pids, it just sends
- * SIGHUP to the process group, ignoring it in the root process.
- * Continue through and you'll be fine.).
- */
-
-static int one_process = 0;
-
-#ifdef DEBUG_SIGSTOP
-int raise_sigstop_flags;
-#endif
-
-static apr_pool_t *pconf; /* Pool for config stuff */
-static apr_pool_t *pchild; /* Pool for httpd child stuff */
-static apr_pool_t *thread_pool_parent; /* Parent of per-thread pools */
-static apr_lock_t *thread_pool_parent_mutex;
-
-static int child_num;
-static unsigned int my_pid; /* Linux getpid() doesn't work except in
- main thread. Use this instead */
-/* Keep track of the number of worker threads currently active */
-static int worker_thread_count;
-static apr_lock_t *worker_thread_count_mutex;
-static int *worker_thread_free_ids;
-static apr_threadattr_t *worker_thread_attr;
-
-/* Keep track of the number of idle worker threads */
-static int idle_thread_count;
-static apr_lock_t *idle_thread_count_mutex;
-
-/* Locks for accept serialization */
-#ifdef NO_SERIALIZED_ACCEPT
-#define SAFE_ACCEPT(stmt) APR_SUCCESS
-#else
-#define SAFE_ACCEPT(stmt) (stmt)
-static apr_lock_t *process_accept_mutex;
-#endif /* NO_SERIALIZED_ACCEPT */
-static apr_lock_t *thread_accept_mutex;
-
-AP_DECLARE(apr_status_t) ap_mpm_query(int query_code, int *result)
-{
- switch(query_code){
- case AP_MPMQ_MAX_DAEMON_USED:
- *result = ap_max_daemons_limit;
- return APR_SUCCESS;
- case AP_MPMQ_IS_THREADED:
- *result = AP_MPMQ_DYNAMIC;
- return APR_SUCCESS;
- case AP_MPMQ_IS_FORKED:
- *result = AP_MPMQ_STATIC;
- return APR_SUCCESS;
- case AP_MPMQ_HARD_LIMIT_DAEMONS:
- *result = server_limit;
- return APR_SUCCESS;
- case AP_MPMQ_HARD_LIMIT_THREADS:
- *result = thread_limit;
- return APR_SUCCESS;
- case AP_MPMQ_MAX_THREADS:
- *result = max_threads;
- return APR_SUCCESS;
- case AP_MPMQ_MIN_SPARE_DAEMONS:
- *result = 0;
- return APR_SUCCESS;
- case AP_MPMQ_MIN_SPARE_THREADS:
- *result = min_spare_threads;
- return APR_SUCCESS;
- case AP_MPMQ_MAX_SPARE_DAEMONS:
- *result = 0;
- return APR_SUCCESS;
- case AP_MPMQ_MAX_SPARE_THREADS:
- *result = max_spare_threads;
- return APR_SUCCESS;
- case AP_MPMQ_MAX_REQUESTS_DAEMON:
- *result = max_requests_per_child;
- return APR_SUCCESS;
- case AP_MPMQ_MAX_DAEMONS:
- *result = num_daemons;
- return APR_SUCCESS;
- }
- return APR_ENOTIMPL;
-}
-
-/* a clean exit from a child with proper cleanup */
-static void clean_child_exit(int code)
-{
- if (pchild) {
- apr_pool_destroy(pchild);
- }
- exit(code);
-}
-
-/* handle all varieties of core dumping signals */
-static void sig_coredump(int sig)
-{
- chdir(ap_coredump_dir);
- apr_signal(sig, SIG_DFL);
- kill(getpid(), sig);
- /* At this point we've got sig blocked, because we're still inside
- * the signal handler. When we leave the signal handler it will
- * be unblocked, and we'll take the signal... and coredump or whatever
- * is appropriate for this particular Unix. In addition the parent
- * will see the real signal we received -- whereas if we called
- * abort() here, the parent would only see SIGABRT.
- */
-}
-
-static void just_die(int sig)
-{
- clean_child_exit(0);
-}
-
-/*****************************************************************
- * Connection structures and accounting...
- */
-
-/* volatile just in case */
-static int volatile shutdown_pending;
-static int volatile restart_pending;
-static int volatile is_graceful;
-static int volatile child_fatal;
-/* we don't currently track ap_my_generation, but mod_status
- * references it so it must be defined */
-ap_generation_t volatile ap_my_generation=0;
-
-/*
- * ap_start_shutdown() and ap_start_restart(), below, are a first stab at
- * functions to initiate shutdown or restart without relying on signals.
- * Previously this was initiated in sig_term() and restart() signal handlers,
- * but we want to be able to start a shutdown/restart from other sources --
- * e.g. on Win32, from the service manager. Now the service manager can
- * call ap_start_shutdown() or ap_start_restart() as appropiate. Note that
- * these functions can also be called by the child processes, since global
- * variables are no longer used to pass on the required action to the parent.
- *
- * These should only be called from the parent process itself, since the
- * parent process will use the shutdown_pending and restart_pending variables
- * to determine whether to shutdown or restart. The child process should
- * call signal_parent() directly to tell the parent to die -- this will
- * cause neither of those variable to be set, which the parent will
- * assume means something serious is wrong (which it will be, for the
- * child to force an exit) and so do an exit anyway.
- */
-
-static void ap_start_shutdown(void)
-{
- if (shutdown_pending == 1) {
- /* Um, is this _probably_ not an error, if the user has
- * tried to do a shutdown twice quickly, so we won't
- * worry about reporting it.
- */
- return;
- }
- shutdown_pending = 1;
-}
-
-/* do a graceful restart if graceful == 1 */
-static void ap_start_restart(int graceful)
-{
-
- if (restart_pending == 1) {
- /* Probably not an error - don't bother reporting it */
- return;
- }
- restart_pending = 1;
- is_graceful = graceful;
- if (is_graceful) {
- apr_pool_cleanup_kill(pconf, NULL, ap_cleanup_scoreboard);
- }
-}
-
-static void sig_term(int sig)
-{
- ap_start_shutdown();
-}
-
-static void restart(int sig)
-{
-#ifndef WIN32
- ap_start_restart(sig == AP_SIG_GRACEFUL);
-#else
- ap_start_restart(1);
-#endif
-}
-
-static void set_signals(void)
-{
-#ifndef NO_USE_SIGACTION
- struct sigaction sa;
-
- sigemptyset(&sa.sa_mask);
- sa.sa_flags = 0;
-
- if (!one_process) {
- sa.sa_handler = sig_coredump;
-#if defined(SA_ONESHOT)
- sa.sa_flags = SA_ONESHOT;
-#elif defined(SA_RESETHAND)
- sa.sa_flags = SA_RESETHAND;
-#endif
- if (sigaction(SIGSEGV, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGSEGV)");
-#ifdef SIGBUS
- if (sigaction(SIGBUS, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGBUS)");
-#endif
-#ifdef SIGABORT
- if (sigaction(SIGABORT, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGABORT)");
-#endif
-#ifdef SIGABRT
- if (sigaction(SIGABRT, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGABRT)");
-#endif
-#ifdef SIGILL
- if (sigaction(SIGILL, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGILL)");
-#endif
- sa.sa_flags = 0;
- }
- sa.sa_handler = sig_term;
- if (sigaction(SIGTERM, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGTERM)");
-#ifdef SIGINT
- if (sigaction(SIGINT, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGINT)");
-#endif
-#ifdef SIGXCPU
- sa.sa_handler = SIG_DFL;
- if (sigaction(SIGXCPU, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGXCPU)");
-#endif
-#ifdef SIGXFSZ
- sa.sa_handler = SIG_DFL;
- if (sigaction(SIGXFSZ, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGXFSZ)");
-#endif
-#ifdef SIGPIPE
- sa.sa_handler = SIG_IGN;
- if (sigaction(SIGPIPE, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGPIPE)");
-#endif
-
- /* we want to ignore HUPs and AP_SIG_GRACEFUL while we're busy
- * processing one */
- sigaddset(&sa.sa_mask, SIGHUP);
- sigaddset(&sa.sa_mask, AP_SIG_GRACEFUL);
- sa.sa_handler = restart;
- if (sigaction(SIGHUP, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(SIGHUP)");
- if (sigaction(AP_SIG_GRACEFUL, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "sigaction(" AP_SIG_GRACEFUL_STRING ")");
-#else
- if (!one_process) {
- apr_signal(SIGSEGV, sig_coredump);
-#ifdef SIGBUS
- apr_signal(SIGBUS, sig_coredump);
-#endif /* SIGBUS */
-#ifdef SIGABORT
- apr_signal(SIGABORT, sig_coredump);
-#endif /* SIGABORT */
-#ifdef SIGABRT
- apr_signal(SIGABRT, sig_coredump);
-#endif /* SIGABRT */
-#ifdef SIGILL
- apr_signal(SIGILL, sig_coredump);
-#endif /* SIGILL */
-#ifdef SIGXCPU
- apr_signal(SIGXCPU, SIG_DFL);
-#endif /* SIGXCPU */
-#ifdef SIGXFSZ
- apr_signal(SIGXFSZ, SIG_DFL);
-#endif /* SIGXFSZ */
- }
-
- apr_signal(SIGTERM, sig_term);
-#ifdef SIGHUP
- apr_signal(SIGHUP, restart);
-#endif /* SIGHUP */
-#ifdef AP_SIG_GRACEFUL
- apr_signal(AP_SIG_GRACEFUL, restart);
-#endif /* AP_SIG_GRACEFUL */
-#ifdef SIGPIPE
- apr_signal(SIGPIPE, SIG_IGN);
-#endif /* SIGPIPE */
-
-#endif
-}
-
-/*****************************************************************
- * Here follows a long bunch of generic server bookkeeping stuff...
- */
-
-int ap_graceful_stop_signalled(void)
-{
- /* XXX - Does this really work? - Manoj */
- return is_graceful;
-}
-
-/*****************************************************************
- * Child process main loop.
- */
-
-static void process_socket(apr_pool_t *p, apr_socket_t *sock, long conn_id)
-{
- conn_rec *current_conn;
- int csd;
- apr_status_t rv;
- int thread_num = conn_id % thread_limit;
- void *sbh;
-
- if ((rv = apr_os_sock_get(&csd, sock)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, NULL, "apr_os_sock_get");
- }
-
- if (csd >= FD_SETSIZE) {
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0, NULL,
- "new file descriptor %d is too large; you probably need "
- "to rebuild Apache with a larger FD_SETSIZE "
- "(currently %d)",
- csd, FD_SETSIZE);
- apr_socket_close(sock);
- return;
- }
-
- if (thread_socket_table[thread_num] < 0) {
- ap_sock_disable_nagle(sock);
- }
-
- ap_create_sb_handle(&sbh, p, conn_id / thread_limit, thread_num);
- current_conn = ap_run_create_connection(p, ap_server_conf, sock, conn_id, sbh);
- if (current_conn) {
- ap_process_connection(current_conn);
- ap_lingering_close(current_conn);
- }
-}
-
-static void *worker_thread(apr_thread_t *, void *);
-
-/* Starts a thread as long as we're below max_threads */
-static int start_thread(void)
-{
- apr_thread_t *thread;
- int rc;
-
- apr_lock_acquire(worker_thread_count_mutex);
- if (worker_thread_count < max_threads - 1) {
- rc = apr_thread_create(&thread, worker_thread_attr, worker_thread,
- &worker_thread_free_ids[worker_thread_count], pchild);
- if (rc != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, rc, ap_server_conf,
- "apr_thread_create: unable to create worker thread");
- /* In case system resources are maxxed out, we don't want
- Apache running away with the CPU trying to fork over and
- over and over again if we exit. */
- sleep(10);
- workers_may_exit = 1;
- apr_lock_release(worker_thread_count_mutex);
- return 0;
- }
- else {
- worker_thread_count++;
- }
- }
- else {
- static int reported = 0;
-
- if (!reported) {
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0,
- ap_server_conf,
- "server reached MaxThreadsPerChild setting, "
- "consider raising the MaxThreadsPerChild or "
- "NumServers settings");
- reported = 1;
- }
- apr_lock_release(worker_thread_count_mutex);
- return 0;
- }
- apr_lock_release(worker_thread_count_mutex);
- return 1;
-
-}
-/* Sets workers_may_exit if we received a character on the pipe_of_death */
-static void check_pipe_of_death(void)
-{
- apr_lock_acquire(pipe_of_death_mutex);
- if (!workers_may_exit) {
- int ret;
- char pipe_read_char;
- apr_size_t n = 1;
-
- ret = apr_recv(listenfds[0], &pipe_read_char, &n);
- if (APR_STATUS_IS_EAGAIN(ret)) {
- /* It lost the lottery. It must continue to suffer
- * through a life of servitude. */
- }
- else {
- /* It won the lottery (or something else is very
- * wrong). Embrace death with open arms. */
- workers_may_exit = 1;
- }
- }
- apr_lock_release(pipe_of_death_mutex);
-}
-
-/* idle_thread_count should be incremented before starting a worker_thread */
-
-static void *worker_thread(apr_thread_t *thd, void *arg)
-{
- apr_socket_t *csd = NULL;
- apr_pool_t *tpool; /* Pool for this thread */
- apr_pool_t *ptrans; /* Pool for per-transaction stuff */
- apr_socket_t *sd = NULL;
- volatile int last_pollfd = 0;
- volatile int thread_just_started = 1;
- int srv;
- int curr_pollfd;
- int thread_num = *((int *) arg);
- long conn_id = child_num * thread_limit + thread_num;
- apr_pollfd_t *pollset;
- int n;
- apr_status_t rv;
-
- apr_lock_acquire(thread_pool_parent_mutex);
- apr_pool_create(&tpool, thread_pool_parent);
- apr_lock_release(thread_pool_parent_mutex);
- apr_pool_create(&ptrans, tpool);
-
- (void) ap_update_child_status_from_indexes(child_num, thread_num,
- SERVER_STARTING,
- (request_rec *) NULL);
-
- apr_poll_setup(&pollset, num_listenfds+1, tpool);
- for(n = 0; n <= num_listenfds; ++n) {
- apr_poll_socket_add(pollset, listenfds[n], APR_POLLIN);
- }
-
- while (!workers_may_exit) {
- workers_may_exit |= (max_requests_per_child != 0)
- && (requests_this_child <= 0);
- if (workers_may_exit) break;
- if (!thread_just_started) {
- apr_lock_acquire(idle_thread_count_mutex);
- if (idle_thread_count < max_spare_threads) {
- idle_thread_count++;
- apr_lock_release(idle_thread_count_mutex);
- }
- else {
- apr_lock_release(idle_thread_count_mutex);
- break;
- }
- }
- else {
- thread_just_started = 0;
- }
-
- (void) ap_update_child_status_from_indexes(child_num, thread_num,
- SERVER_READY,
- (request_rec *) NULL);
-
- apr_lock_acquire(thread_accept_mutex);
- if (workers_may_exit) {
- apr_lock_release(thread_accept_mutex);
- break;
- }
- if ((rv = SAFE_ACCEPT(apr_lock_acquire(process_accept_mutex)))
- != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, ap_server_conf,
- "apr_lock_acquire failed. Attempting to shutdown "
- "process gracefully.");
- workers_may_exit = 1;
- }
-
- while (!workers_may_exit) {
- apr_int16_t event;
- srv = apr_poll(pollset, &n, -1);
-
- if (srv != APR_SUCCESS) {
- if (APR_STATUS_IS_EINTR(srv)) {
- continue;
- }
-
- /* apr_poll() will only return errors in catastrophic
- * circumstances. Let's try exiting gracefully, for now. */
- ap_log_error(APLOG_MARK, APLOG_ERR, srv, (const server_rec *)
- ap_server_conf, "apr_poll: (listen)");
- workers_may_exit = 1;
- }
- if (workers_may_exit) break;
-
- apr_poll_revents_get(&event, listenfds[0], pollset);
- if (event & APR_POLLIN) {
- /* A process got a signal on the shutdown pipe. Check if we're
- * the lucky process to die. */
- check_pipe_of_death();
- continue;
- }
-
- apr_poll_revents_get(&event, listenfds[1], pollset);
- if (event & APR_POLLIN || event & APR_POLLOUT) {
- /* This request is from another child in our current process.
- * We should set a flag here, and then below we will read
- * two bytes (the socket number and the NULL byte.
- */
- thread_socket_table[thread_num] = AP_PERCHILD_OTHERCHILD;
- goto got_from_other_child;
- }
-
- if (num_listenfds == 1) {
- sd = ap_listeners->sd;
- goto got_fd;
- }
- else {
- /* find a listener */
- curr_pollfd = last_pollfd;
- do {
- curr_pollfd++;
- if (curr_pollfd > num_listenfds) {
- curr_pollfd = 1;
- }
- /* XXX: Should we check for POLLERR? */
- apr_poll_revents_get(&event, listenfds[curr_pollfd],
- pollset);
- if (event & APR_POLLIN) {
- last_pollfd = curr_pollfd;
- sd = listenfds[curr_pollfd];
- goto got_fd;
- }
- } while (curr_pollfd != last_pollfd);
- }
- }
- got_fd:
- if (!workers_may_exit) {
- if ((rv = apr_accept(&csd, sd, ptrans)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf,
- "apr_accept");
- }
- if ((rv = SAFE_ACCEPT(apr_lock_release(process_accept_mutex)))
- != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, ap_server_conf,
- "apr_lock_release failed. Attempting to shutdown "
- "process gracefully.");
- workers_may_exit = 1;
- }
- apr_lock_release(thread_accept_mutex);
- apr_lock_acquire(idle_thread_count_mutex);
- if (idle_thread_count > min_spare_threads) {
- idle_thread_count--;
- }
- else {
- if (!start_thread()) {
- idle_thread_count--;
- }
- }
- apr_lock_release(idle_thread_count_mutex);
- got_from_other_child:
- if (thread_socket_table[thread_num] == AP_PERCHILD_OTHERCHILD) {
- struct msghdr msg;
- struct cmsghdr *cmsg;
- char sockname[80];
- struct iovec iov;
- int ret, sd, dp;
-
- iov.iov_base = sockname;
- iov.iov_len = 80;
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
-
- cmsg = apr_palloc(ptrans, sizeof(*cmsg) + sizeof(sd));
- cmsg->cmsg_len = sizeof(*cmsg) + sizeof(sd);
- msg.msg_control = (caddr_t)cmsg;
- msg.msg_controllen = cmsg->cmsg_len;
- msg.msg_flags = 0;
-
- ret = recvmsg(child_info_table[child_num].sd, &msg, 0);
-
- memcpy(&dp, CMSG_DATA(cmsg), sizeof(dp));
-
- thread_socket_table[thread_num] = dp;
- apr_os_sock_put(&csd, &child_info_table[child_num].sd, ptrans);
- }
- if (setjmp(jmpbuffer) != 1) {
- process_socket(ptrans, csd, conn_id);
- }
- else {
- thread_socket_table[thread_num] = AP_PERCHILD_THISCHILD;
- }
- requests_this_child--;
- }
- else {
- if ((rv = SAFE_ACCEPT(apr_lock_release(process_accept_mutex)))
- != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, ap_server_conf,
- "apr_lock_release failed. Attempting to shutdown "
- "process gracefully.");
- workers_may_exit = 1;
- }
- apr_lock_release(thread_accept_mutex);
- apr_lock_acquire(idle_thread_count_mutex);
- idle_thread_count--;
- apr_lock_release(idle_thread_count_mutex);
- break;
- }
- apr_pool_clear(ptrans);
- }
-
- apr_lock_acquire(thread_pool_parent_mutex);
- ap_update_child_status_from_indexes(child_num, thread_num, SERVER_DEAD,
- (request_rec *) NULL);
- apr_pool_destroy(tpool);
- apr_lock_release(thread_pool_parent_mutex);
- apr_lock_acquire(worker_thread_count_mutex);
- worker_thread_count--;
- worker_thread_free_ids[worker_thread_count] = thread_num;
- if (worker_thread_count == 0) {
- /* All the threads have exited, now finish the shutdown process
- * by signalling the sigwait thread */
- kill(my_pid, SIGTERM);
- }
- apr_lock_release(worker_thread_count_mutex);
-
- return NULL;
-}
-
-/* Set group privileges.
- *
- * Note that we use the username as set in the config files, rather than
- * the lookup of to uid --- the same uid may have multiple passwd entries,
- * with different sets of groups for each.
- */
-
-static int set_group_privs(uid_t uid, gid_t gid)
-{
- if (!geteuid()) {
- const char *name;
-
- /* Get username if passed as a uid */
-
- struct passwd *ent;
-
- if ((ent = getpwuid(uid)) == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "getpwuid: couldn't determine user name from uid %u, "
- "you probably need to modify the User directive",
- (unsigned)uid);
- return -1;
- }
-
- name = ent->pw_name;
-
- /*
- * Set the GID before initgroups(), since on some platforms
- * setgid() is known to zap the group list.
- */
- if (setgid(gid) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "setgid: unable to set group id to Group %u",
- (unsigned)gid);
- return -1;
- }
-
- /* Reset `groups' attributes. */
-
- if (initgroups(name, gid) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "initgroups: unable to set groups for User %s "
- "and Group %u", name, (unsigned)gid);
- return -1;
- }
- }
- return 0;
-}
-
-
-static int perchild_setup_child(int childnum)
-{
- child_info_t *ug = &child_info_table[childnum];
-
- if (ug->uid == -1 && ug->gid == -1) {
- return unixd_setup_child();
- }
- if (set_group_privs(ug->uid, ug->gid)) {
- return -1;
- }
- /* Only try to switch if we're running as root */
- if (!geteuid()
- && (
-#ifdef _OSD_POSIX
- os_init_job_environment(server_conf, unixd_config.user_name,
- one_process) != 0 ||
-#endif
- setuid(ug->uid) == -1)) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "setuid: unable to change to uid: %ld",
- (long) ug->uid);
- return -1;
- }
- return 0;
-}
-
-static int check_signal(int signum)
-{
- switch (signum) {
- case SIGTERM:
- case SIGINT:
- just_die(signum);
- return 1;
- }
- return 0;
-}
-
-static void child_main(int child_num_arg)
-{
- int i;
- ap_listen_rec *lr;
- apr_status_t rv;
-
- my_pid = getpid();
- child_num = child_num_arg;
- apr_pool_create(&pchild, pconf);
-
- /*stuff to do before we switch id's, so we have permissions.*/
-
- rv = SAFE_ACCEPT(apr_lock_child_init(&process_accept_mutex, ap_lock_fname,
- pchild));
- if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, ap_server_conf,
- "Couldn't initialize cross-process lock in child");
- clean_child_exit(APEXIT_CHILDFATAL);
- }
-
- if (perchild_setup_child(child_num)) {
- clean_child_exit(APEXIT_CHILDFATAL);
- }
-
- ap_run_child_init(pchild, ap_server_conf);
-
- /*done with init critical section */
-
- apr_setup_signal_thread();
-
- requests_this_child = max_requests_per_child;
-
- /* Set up the pollfd array, num_listenfds + 1 for the pipe and 1 for
- * the child socket.
- */
- listenfds = apr_pcalloc(pchild, sizeof(*listenfds) * (num_listenfds + 2));
-#if APR_FILES_AS_SOCKETS
- apr_socket_from_file(&listenfds[0], pipe_of_death_in);
-#endif
-
- /* The child socket */
- apr_os_sock_put(&listenfds[1], &child_info_table[child_num].sd, pchild);
-
- num_listenfds++;
- for (lr = ap_listeners, i = 2; i <= num_listenfds; lr = lr->next, ++i) {
- listenfds[i]=lr->sd;
- }
-
- /* Setup worker threads */
-
- if (threads_to_start > max_threads) {
- threads_to_start = max_threads;
- }
- idle_thread_count = threads_to_start;
- worker_thread_count = 0;
- worker_thread_free_ids = (int *)apr_pcalloc(pchild, thread_limit * sizeof(int));
- for (i = 0; i < max_threads; i++) {
- worker_thread_free_ids[i] = i;
- }
- apr_pool_create(&thread_pool_parent, pchild);
- apr_lock_create(&thread_pool_parent_mutex, APR_MUTEX, APR_INTRAPROCESS,
- APR_LOCK_DEFAULT, NULL, pchild);
- apr_lock_create(&idle_thread_count_mutex, APR_MUTEX, APR_INTRAPROCESS,
- APR_LOCK_DEFAULT, NULL, pchild);
- apr_lock_create(&worker_thread_count_mutex, APR_MUTEX, APR_INTRAPROCESS,
- APR_LOCK_DEFAULT, NULL, pchild);
- apr_lock_create(&pipe_of_death_mutex, APR_MUTEX, APR_INTRAPROCESS,
- APR_LOCK_DEFAULT, NULL, pchild);
- apr_lock_create(&thread_accept_mutex, APR_MUTEX, APR_INTRAPROCESS,
- APR_LOCK_DEFAULT, NULL, pchild);
-
- apr_threadattr_create(&worker_thread_attr, pchild);
- apr_threadattr_detach_set(worker_thread_attr, 1);
-
- /* We are creating worker threads right now */
- for (i=0; i < threads_to_start; i++) {
- /* start_thread shouldn't fail here */
- if (!start_thread()) {
- break;
- }
- }
-
- apr_signal_thread(check_signal);
-}
-
-static int make_child(server_rec *s, int slot)
-{
- int pid;
-
- if (slot + 1 > ap_max_daemons_limit) {
- ap_max_daemons_limit = slot + 1;
- }
-
- if (one_process) {
- set_signals();
- ap_child_table[slot].pid = getpid();
- ap_child_table[slot].status = SERVER_ALIVE;
- child_main(slot);
- }
- (void) ap_update_child_status_from_indexes(slot, 0, SERVER_STARTING,
- (request_rec *) NULL);
-
- if ((pid = fork()) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, errno, s,
- "fork: Unable to fork new process");
- /* In case system resources are maxxed out, we don't want
- * Apache running away with the CPU trying to fork over and
- * over and over again. */
- sleep(10);
-
- return -1;
- }
-
- if (!pid) {
-#ifdef HAVE_BINDPROCESSOR
- /* By default, AIX binds to a single processor. This bit unbinds
- * children which will then bind to another CPU.
- */
- int status = bindprocessor(BINDPROCESS, (int)getpid(),
- PROCESSOR_CLASS_ANY);
- if (status != OK) {
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, errno,
- ap_server_conf, "processor unbind failed %d", status);
- }
-#endif
-
- RAISE_SIGSTOP(MAKE_CHILD);
-
- /* XXX - For an unthreaded server, a signal handler will be necessary
- * apr_signal(SIGTERM, just_die);
- */
- child_main(slot);
- clean_child_exit(0);
- }
- /* else */
- ap_child_table[slot].pid = pid;
- ap_child_table[slot].status = SERVER_ALIVE;
-
- return 0;
-}
-
-/* start up a bunch of children */
-static int startup_children(int number_to_start)
-{
- int i;
-
- for (i = 0; number_to_start && i < num_daemons; ++i) {
- if (ap_child_table[i].pid) {
- continue;
- }
- if (make_child(ap_server_conf, i) < 0) {
- break;
- }
- --number_to_start;
- }
- return number_to_start;
-}
-
-
-/*
- * spawn_rate is the number of children that will be spawned on the
- * next maintenance cycle if there aren't enough servers. It is
- * doubled up to MAX_SPAWN_RATE, and reset only when a cycle goes by
- * without the need to spawn.
- */
-static int spawn_rate = 1;
-#ifndef MAX_SPAWN_RATE
-#define MAX_SPAWN_RATE (32)
-#endif
-static int hold_off_on_exponential_spawning;
-
-static void perform_child_maintenance(void)
-{
- int i;
- int free_length;
- int free_slots[MAX_SPAWN_RATE];
- int last_non_dead = -1;
-
- /* initialize the free_list */
- free_length = 0;
-
- for (i = 0; i < num_daemons; ++i) {
- if (ap_child_table[i].pid == 0) {
- if (free_length < spawn_rate) {
- free_slots[free_length] = i;
- ++free_length;
- }
- }
- else {
- last_non_dead = i;
- }
-
- if (i >= ap_max_daemons_limit && free_length >= spawn_rate) {
- break;
- }
- }
- ap_max_daemons_limit = last_non_dead + 1;
-
- if (free_length > 0) {
- for (i = 0; i < free_length; ++i) {
- make_child(ap_server_conf, free_slots[i]);
- }
- /* the next time around we want to spawn twice as many if this
- * wasn't good enough, but not if we've just done a graceful
- */
- if (hold_off_on_exponential_spawning) {
- --hold_off_on_exponential_spawning;
- }
- else if (spawn_rate < MAX_SPAWN_RATE) {
- spawn_rate *= 2;
- }
- }
- else {
- spawn_rate = 1;
- }
-}
-
-static void server_main_loop(int remaining_children_to_start)
-{
- int child_slot;
- apr_exit_why_e exitwhy;
- int status;
- apr_proc_t pid;
- int i;
-
- while (!restart_pending && !shutdown_pending) {
- ap_wait_or_timeout(&exitwhy, &status, &pid, pconf);
-
- if (pid.pid != -1) {
- if (ap_process_child_status(&pid, exitwhy, status)
- == APEXIT_CHILDFATAL) {
- shutdown_pending = 1;
- child_fatal = 1;
- return;
- }
- /* non-fatal death... note that it's gone in the child table and
- * clean out the status table. */
- child_slot = -1;
- for (i = 0; i < ap_max_daemons_limit; ++i) {
- if (ap_child_table[i].pid == pid.pid) {
- child_slot = i;
- break;
- }
- }
- if (child_slot >= 0) {
- ap_child_table[child_slot].pid = 0;
- ap_update_child_status_from_indexes(child_slot, i, SERVER_DEAD,
- (request_rec *) NULL);
-
-
- if (remaining_children_to_start
- && child_slot < num_daemons) {
- /* we're still doing a 1-for-1 replacement of dead
- * children with new children
- */
- make_child(ap_server_conf, child_slot);
- --remaining_children_to_start;
- }
-#if APR_HAS_OTHER_CHILD
- }
- else if (apr_proc_other_child_read(&pid, status) == 0) {
- /* handled */
-#endif
- }
- else if (is_graceful) {
- /* Great, we've probably just lost a slot in the
- * child table. Somehow we don't know about this
- * child.
- */
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, 0,
- ap_server_conf,
- "long lost child came home! (pid %ld)",
- (long)pid.pid);
- }
- /* Don't perform idle maintenance when a child dies,
- * only do it when there's a timeout. Remember only a
- * finite number of children can die, and it's pretty
- * pathological for a lot to die suddenly.
- */
- continue;
- }
- else if (remaining_children_to_start) {
- /* we hit a 1 second timeout in which none of the previous
- * generation of children needed to be reaped... so assume
- * they're all done, and pick up the slack if any is left.
- */
- remaining_children_to_start = \
- startup_children(remaining_children_to_start);
- /* In any event we really shouldn't do the code below because
- * few of the servers we just started are in the IDLE state
- * yet, so we'd mistakenly create an extra server.
- */
- continue;
- }
-
- perform_child_maintenance();
- }
-}
-
-int ap_mpm_run(apr_pool_t *_pconf, apr_pool_t *plog, server_rec *s)
-{
- int remaining_children_to_start;
- int i;
- apr_status_t rv;
- apr_size_t one = 1;
-
- pconf = _pconf;
- ap_server_conf = s;
- first_server_limit = server_limit;
- first_thread_limit = thread_limit;
- if (changed_limit_at_restart) {
- ap_log_error(APLOG_MARK, APLOG_WARNING | APLOG_NOERRNO, 0, s,
- "WARNING: Attempt to change ServerLimit or ThreadLimit "
- "ignored during restart");
- changed_limit_at_restart = 0;
- }
-
- if ((rv = apr_file_pipe_create(&pipe_of_death_in, &pipe_of_death_out,
- pconf)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv,
- (const server_rec*) ap_server_conf,
- "apr_file_pipe_create (pipe_of_death)");
- exit(1);
- }
- if ((rv = apr_file_pipe_timeout_set(pipe_of_death_in, 0)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv,
- (const server_rec*) ap_server_conf,
- "apr_file_pipe_timeout_set (pipe_of_death)");
- exit(1);
- }
- ap_server_conf = s;
- if ((num_listenfds = ap_setup_listeners(ap_server_conf)) < 1) {
- /* XXX: hey, what's the right way for the mpm to indicate
- * a fatal error? */
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ALERT, 0, s,
- "no listening sockets available, shutting down");
- return 1;
- }
- ap_log_pid(pconf, ap_pid_fname);
-
- /* Initialize cross-process accept lock */
- ap_lock_fname = apr_psprintf(_pconf, "%s.%u",
- ap_server_root_relative(_pconf, ap_lock_fname),
- my_pid);
- rv = SAFE_ACCEPT(apr_lock_create(&process_accept_mutex, APR_MUTEX,
- APR_CROSS_PROCESS, ap_accept_lock_mech,
- ap_lock_fname, _pconf));
- if (rv != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s,
- "Couldn't create cross-process lock");
- return 1;
- }
-
- if (!is_graceful) {
- ap_run_pre_mpm(pconf, SB_SHARED);
- }
- /* Initialize the child table */
- if (!is_graceful) {
- for (i = 0; i < server_limit; i++) {
- ap_child_table[i].pid = 0;
- }
- }
-
- set_signals();
-
- /* If we're doing a graceful_restart then we're going to see a lot
- * of children exiting immediately when we get into the main loop
- * below (because we just sent them AP_SIG_GRACEFUL). This happens
- * pretty rapidly... and for each one that exits we'll start a new one
- * until we reach at least daemons_min_free. But we may be permitted to
- * start more than that, so we'll just keep track of how many we're
- * supposed to start up without the 1 second penalty between each fork.
- */
- remaining_children_to_start = num_daemons;
- if (!is_graceful) {
- remaining_children_to_start = \
- startup_children(remaining_children_to_start);
- }
- else {
- /* give the system some time to recover before kicking into
- * exponential mode */
- hold_off_on_exponential_spawning = 10;
- }
-
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0, ap_server_conf,
- "%s configured -- resuming normal operations",
- ap_get_server_version());
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, 0, ap_server_conf,
- "Server built: %s", ap_get_server_built());
- restart_pending = shutdown_pending = 0;
-
- server_main_loop(remaining_children_to_start);
-
- if (shutdown_pending) {
- /* Time to gracefully shut down:
- * Kill child processes, tell them to call child_exit, etc...
- */
- if (unixd_killpg(getpgrp(), SIGTERM) < 0) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "killpg SIGTERM");
- }
- ap_reclaim_child_processes(1); /* Start with SIGTERM */
-
- if (!child_fatal) {
- /* cleanup pid file on normal shutdown */
- const char *pidfile = NULL;
- pidfile = ap_server_root_relative (pconf, ap_pid_fname);
- if (pidfile != NULL && unlink(pidfile) == 0) {
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, 0,
- ap_server_conf,
- "removed PID file %s (pid=%ld)",
- pidfile, (long)getpid());
- }
-
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0,
- ap_server_conf, "caught SIGTERM, shutting down");
- }
- return 1;
- }
-
- /* we've been told to restart */
- apr_signal(SIGHUP, SIG_IGN);
-
- if (one_process) {
- /* not worth thinking about */
- return 1;
- }
-
- if (is_graceful) {
- char char_of_death = '!';
-
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0,
- ap_server_conf, AP_SIG_GRACEFUL_STRING " received. "
- "Doing graceful restart");
-
- /* This is mostly for debugging... so that we know what is still
- * gracefully dealing with existing request.
- */
-
- for (i = 0; i < num_daemons; ++i) {
- if (ap_child_table[i].pid) {
- ap_child_table[i].status = SERVER_DYING;
- }
- }
- /* give the children the signal to die */
- for (i = 0; i < num_daemons;) {
- if ((rv = apr_file_write(pipe_of_death_out, &char_of_death,
- &one)) != APR_SUCCESS) {
- if (APR_STATUS_IS_EINTR(rv)) continue;
- ap_log_error(APLOG_MARK, APLOG_WARNING, rv, ap_server_conf,
- "write pipe_of_death");
- }
- i++;
- }
- }
- else {
- /* Kill 'em all. Since the child acts the same on the parents SIGTERM
- * and a SIGHUP, we may as well use the same signal, because some user
- * pthreads are stealing signals from us left and right.
- */
- if (unixd_killpg(getpgrp(), SIGTERM) < 0) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf,
- "killpg SIGTERM");
- }
- ap_reclaim_child_processes(1); /* Start with SIGTERM */
- ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, 0,
- ap_server_conf, "SIGHUP received. Attempting to restart");
- }
- return 0;
-}
-
-static void perchild_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp)
-{
- static int restart_num = 0;
- int no_detach, debug;
- ap_directive_t *pdir;
- int i;
- int tmp_server_limit = DEFAULT_SERVER_LIMIT;
- int tmp_thread_limit = DEFAULT_THREAD_LIMIT;
-
- debug = ap_exists_config_define("DEBUG");
-
- if (debug) {
- no_detach = one_process = 1;
- }
- else {
- one_process = ap_exists_config_define("ONE_PROCESS");
- no_detach = ap_exists_config_define("NO_DETACH");
- }
-
- /* sigh, want this only the second time around */
- if (restart_num++ == 1) {
- is_graceful = 0;
-
- if (!one_process && !no_detach) {
- apr_proc_detach();
- }
-
- my_pid = getpid();
- }
-
- unixd_pre_config(ptemp);
- ap_listen_pre_config();
- num_daemons = DEFAULT_NUM_DAEMON;
- threads_to_start = DEFAULT_START_THREAD;
- min_spare_threads = DEFAULT_MIN_SPARE_THREAD;
- max_spare_threads = DEFAULT_MAX_SPARE_THREAD;
- max_threads = thread_limit;
- ap_pid_fname = DEFAULT_PIDLOG;
- ap_scoreboard_fname = DEFAULT_SCOREBOARD;
- ap_lock_fname = DEFAULT_LOCKFILE;
- max_requests_per_child = DEFAULT_MAX_REQUESTS_PER_CHILD;
- curr_child_num = 0;
-
- apr_cpystrn(ap_coredump_dir, ap_server_root, sizeof(ap_coredump_dir));
-
- /* we need to know ServerLimit and ThreadLimit before we start processing
- * the tree because we need to already have allocated child_info_table
- */
- for (pdir = ap_conftree; pdir != NULL; pdir = pdir->next) {
- if (!strcasecmp(pdir->directive, "ServerLimit")) {
- if (atoi(pdir->args) > tmp_server_limit) {
- tmp_server_limit = atoi(pdir->args);
- if (tmp_server_limit > MAX_SERVER_LIMIT) {
- tmp_server_limit = MAX_SERVER_LIMIT;
- }
- }
- }
- else if (!strcasecmp(pdir->directive, "ThreadLimit")) {
- if (atoi(pdir->args) > tmp_thread_limit) {
- tmp_thread_limit = atoi(pdir->args);
- if (tmp_thread_limit > MAX_THREAD_LIMIT) {
- tmp_thread_limit = MAX_THREAD_LIMIT;
- }
- }
- }
- }
-
- child_info_table = (child_info_t *)apr_pcalloc(p, tmp_server_limit * sizeof(child_info_t));
- for (i = 0; i < tmp_server_limit; i++) {
- child_info_table[i].uid = -1;
- child_info_table[i].gid = -1;
- child_info_table[i].sd = -1;
- }
-}
-
-static int pass_request(request_rec *r)
-{
- apr_socket_t *thesock = ap_get_module_config(r->connection->conn_config, &core_module);
- struct msghdr msg;
- struct cmsghdr *cmsg;
- int sfd;
- struct iovec iov;
- apr_bucket_brigade *bb = apr_brigade_create(r->pool);
- perchild_server_conf *sconf = (perchild_server_conf *)
- ap_get_module_config(r->server->module_config,
- &mpm_perchild_module);
- char *foo;
- apr_size_t len;
- apr_off_t zero = 0;
-
- apr_pool_userdata_get((void **)&foo, "PERCHILD_BUFFER",
- r->connection->pool);
- len = strlen(foo);
-
- apr_pool_userdata_set(NULL, "PERCHILD_BUFFER", apr_pool_cleanup_null,
- r->connection->pool);
-
- apr_os_sock_get(&sfd, thesock);
-
- iov.iov_base = NULL;
- iov.iov_len = 0;
-
- msg.msg_name = NULL;
- msg.msg_namelen = 0;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
-
- cmsg = apr_palloc(r->pool, sizeof(*cmsg) + sizeof(sfd));
- cmsg->cmsg_len = sizeof(*cmsg) + sizeof(int);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_RIGHTS;
-
- memcpy(CMSG_DATA(cmsg), &sfd, sizeof(sfd));
-
- msg.msg_control = (caddr_t)cmsg;
- msg.msg_controllen = cmsg->cmsg_len;
- msg.msg_flags=0;
-
- if (sendmsg(sconf->sd2, &msg, 0) == -1) {
- apr_pool_destroy(r->pool);
- return -1;
- }
-
- write(sconf->sd2, foo, len);
-
- /* ### this "read one line" doesn't seem right... shouldn't we be
- ### reading large chunks of data or something?
- */
- while (ap_get_brigade(r->input_filters, bb, AP_MODE_NONBLOCKING,
- &zero /* read one line */) == APR_SUCCESS) {
- apr_bucket *e;
- APR_BRIGADE_FOREACH(e, bb) {
- const char *str;
-
- apr_bucket_read(e, &str, &len, APR_NONBLOCK_READ);
- write(sconf->sd2, str, len);
- }
- }
-
- apr_pool_destroy(r->pool);
- return 1;
-}
-
-static char *make_perchild_socket(const char *fullsockname, int sd[2])
-{
- socketpair(PF_UNIX, SOCK_STREAM, 0, sd);
- return NULL;
-}
-
-static int perchild_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
-{
- int i;
- server_rec *sr;
- perchild_server_conf *sconf;
- int def_sd[2];
-
- def_sd[0] = -1;
- def_sd[1] = -1;
-
- for (sr = s; sr; sr = sr->next) {
- sconf = (perchild_server_conf *)ap_get_module_config(sr->module_config,
- &mpm_perchild_module);
-
- if (sconf->sd == -1) {
- sconf->fullsockname = apr_pstrcat(sr->process->pool,
- sconf->sockname, ".DEFAULT", NULL);
- if (def_sd[0] == -1) {
- if (!make_perchild_socket(sconf->fullsockname, def_sd)) {
- /* log error */
- }
- }
- sconf->sd = def_sd[0];
- sconf->sd2 = def_sd[1];
- }
- }
-
- for (i = 0; i < num_daemons; i++) {
- if (child_info_table[i].uid == -1) {
- child_info_table[i].sd = def_sd[0];
- }
- }
-
- thread_socket_table = (int *)apr_pcalloc(p, thread_limit * sizeof(int));
- for (i = 0; i < thread_limit; i++) {
- thread_socket_table[i] = AP_PERCHILD_THISCHILD;
- }
- ap_child_table = (ap_ctable *)apr_pcalloc(p, server_limit * sizeof(ap_ctable));
-
- return OK;
-}
-
-static int perchild_post_read(request_rec *r)
-{
- ap_filter_t *f = r->connection->input_filters;
- int thread_num = r->connection->id % thread_limit;
- perchild_server_conf *sconf = (perchild_server_conf *)
- ap_get_module_config(r->server->module_config,
- &mpm_perchild_module);
-
- while (f) {
- if (!strcasecmp("PERCHILD_BUFFER", f->frec->name)) {
- ap_remove_output_filter(f);
- break;
- }
- f = f->next;
- }
-
- if (thread_socket_table[thread_num] != AP_PERCHILD_THISCHILD) {
- apr_socket_t *csd = NULL;
-
- apr_os_sock_put(&csd, &thread_socket_table[thread_num],
- r->connection->pool);
- ap_sock_disable_nagle(csd);
- ap_set_module_config(r->connection->conn_config, &core_module, csd);
- return OK;
- }
- else {
- /* sconf is the server config for this vhost, so if our socket
- * is not the same that was set in the config, then the request
- * needs to be passed to another child. */
- if (sconf->sd != child_info_table[child_num].sd) {
- if (pass_request(r) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0,
- ap_server_conf, "Could not pass request to proper "
- "child, request will not be honored.");
- }
- longjmp(jmpbuffer, 1);
- }
- return OK;
- }
- return OK;
-}
-
-static apr_status_t perchild_buffer(ap_filter_t *f, apr_bucket_brigade *b,
- ap_input_mode_t mode, apr_off_t *readbytes)
-{
- apr_bucket *e;
- apr_status_t rv;
- char *buffer = NULL;
- const char *str;
- apr_size_t len;
-
- if ((rv = ap_get_brigade(f->next, b, mode, readbytes)) != APR_SUCCESS) {
- return rv;
- }
-
- apr_pool_userdata_get((void **)&buffer, "PERCHILD_BUFFER", f->c->pool);
-
- APR_BRIGADE_FOREACH(e, b) {
- if (e->length != 0) {
- apr_bucket_read(e, &str, &len, APR_NONBLOCK_READ);
-
- if (buffer == NULL) {
- buffer = apr_pstrndup(f->c->pool, str, len);
- }
- else {
- buffer = apr_pstrcat(f->c->pool, buffer,
- apr_pstrndup(f->c->pool, str, len), NULL);
- }
- }
- }
- apr_pool_userdata_set(buffer, "PERCHILD_BUFFER", apr_pool_cleanup_null,
- f->c->pool);
-
- return APR_SUCCESS;
-}
-
-static int perchild_pre_connection(conn_rec *c)
-{
- ap_add_input_filter("PERCHILD_BUFFER", NULL, NULL, c);
- return OK;
-}
-
-static void perchild_hooks(apr_pool_t *p)
-{
- one_process = 0;
-
- ap_hook_pre_config(perchild_pre_config, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_post_config(perchild_post_config, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_pre_connection(perchild_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
-
- /* This must be run absolutely first. If this request isn't for this
- * server then we need to forward it to the proper child. No sense
- * tying up this server running more post_read request hooks if it is
- * just going to be forwarded along.
- */
- ap_hook_post_read_request(perchild_post_read, NULL, NULL,
- APR_HOOK_REALLY_FIRST);
- ap_register_input_filter("PERCHILD_BUFFER", perchild_buffer,
- AP_FTYPE_CONTENT);
-}
-
-static const char *set_num_daemons(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- num_daemons = atoi(arg);
- if (num_daemons > server_limit) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: NumServers of %d exceeds ServerLimit value "
- "of %d servers,", num_daemons, server_limit);
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- " lowering NumServers to %d. To increase, please "
- "see the", server_limit);
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- " ServerLimit directive.");
- num_daemons = server_limit;
- }
- else if (num_daemons < 1) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: Require NumServers > 0, setting to 1");
- num_daemons = 1;
- }
- return NULL;
-}
-
-static const char *set_threads_to_start(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- threads_to_start = atoi(arg);
- if (threads_to_start > thread_limit) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: StartThreads of %d exceeds ThreadLimit value"
- " of %d threads,", threads_to_start,
- thread_limit);
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- " lowering StartThreads to %d. To increase, please"
- " see the", thread_limit);
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- " ThreadLimit directive.");
- }
- else if (threads_to_start < 1) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: Require StartThreads > 0, setting to 1");
- threads_to_start = 1;
- }
- return NULL;
-}
-
-static const char *set_min_spare_threads(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- min_spare_threads = atoi(arg);
- if (min_spare_threads <= 0) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: detected MinSpareThreads set to non-positive.");
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "Resetting to 1 to avoid almost certain Apache failure.");
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "Please read the documentation.");
- min_spare_threads = 1;
- }
-
- return NULL;
-}
-
-static const char *set_max_spare_threads(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- max_spare_threads = atoi(arg);
- if (max_spare_threads >= thread_limit) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: detected MinSpareThreads set higher than");
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "ThreadLimit. Resetting to %d", thread_limit);
- max_spare_threads = thread_limit;
- }
- return NULL;
-}
-
-static const char *set_max_threads(cmd_parms *cmd, void *dummy, const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- max_threads = atoi(arg);
- if (max_threads > thread_limit) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: detected MaxThreadsPerChild set higher than");
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "ThreadLimit. Resetting to %d", thread_limit);
- max_threads = thread_limit;
- }
- return NULL;
-}
-
-static const char *set_child_per_uid(cmd_parms *cmd, void *dummy, const char *u,
- const char *g, const char *num)
-{
- int i;
- int max_this_time = atoi(num) + curr_child_num;
-
- for (i = curr_child_num; i < max_this_time; i++, curr_child_num++) {
- child_info_t *ug = &child_info_table[i - 1];
-
- if (i > num_daemons) {
- return "Trying to use more child ID's than NumServers. Increase "
- "NumServers in your config file.";
- }
-
- ug->uid = atoi(u);
- ug->gid = atoi(g);
- }
- return NULL;
-}
-
-static const char *assign_childuid(cmd_parms *cmd, void *dummy, const char *uid,
- const char *gid)
-{
- int i;
- int u = atoi(uid);
- int g = atoi(gid);
- const char *errstr;
- int socks[2];
- perchild_server_conf *sconf = (perchild_server_conf *)
- ap_get_module_config(cmd->server->module_config,
- &mpm_perchild_module);
-
- sconf->fullsockname = apr_pstrcat(cmd->pool, sconf->sockname, ".", uid,
- ":", gid, NULL);
-
- if ((errstr = make_perchild_socket(sconf->fullsockname, socks))) {
- return errstr;
- }
-
- sconf->sd = socks[0];
- sconf->sd2 = socks[1];
-
- for (i = 0; i < num_daemons; i++) {
- if (u == child_info_table[i].uid && g == child_info_table[i].gid) {
- child_info_table[i].sd = sconf->sd;
- }
- }
-
- return NULL;
-}
-
-static const char *set_server_limit (cmd_parms *cmd, void *dummy, const char *arg)
-{
- int tmp_server_limit;
-
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- tmp_server_limit = atoi(arg);
- /* you cannot change ServerLimit across a restart; ignore
- * any such attempts
- */
- if (first_server_limit &&
- tmp_server_limit != server_limit) {
- /* how do we log a message? the error log is a bit bucket at this
- * point; we'll just have to set a flag so that ap_mpm_run()
- * logs a warning later
- */
- changed_limit_at_restart = 1;
- return NULL;
- }
- server_limit = tmp_server_limit;
-
- if (server_limit > MAX_SERVER_LIMIT) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: ServerLimit of %d exceeds compile time limit "
- "of %d servers,", server_limit, MAX_SERVER_LIMIT);
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- " lowering ServerLimit to %d.", MAX_SERVER_LIMIT);
- server_limit = MAX_SERVER_LIMIT;
- }
- else if (server_limit < 1) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: Require ServerLimit > 0, setting to 1");
- server_limit = 1;
- }
- return NULL;
-}
-
-static const char *set_thread_limit (cmd_parms *cmd, void *dummy, const char *arg)
-{
- int tmp_thread_limit;
-
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- tmp_thread_limit = atoi(arg);
- /* you cannot change ThreadLimit across a restart; ignore
- * any such attempts
- */
- if (first_thread_limit &&
- tmp_thread_limit != thread_limit) {
- /* how do we log a message? the error log is a bit bucket at this
- * point; we'll just have to set a flag so that ap_mpm_run()
- * logs a warning later
- */
- changed_limit_at_restart = 1;
- return NULL;
- }
- thread_limit = tmp_thread_limit;
-
- if (thread_limit > MAX_THREAD_LIMIT) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: ThreadLimit of %d exceeds compile time limit "
- "of %d servers,", thread_limit, MAX_THREAD_LIMIT);
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- " lowering ThreadLimit to %d.", MAX_THREAD_LIMIT);
- thread_limit = MAX_THREAD_LIMIT;
- }
- else if (thread_limit < 1) {
- ap_log_error(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, NULL,
- "WARNING: Require ThreadLimit > 0, setting to 1");
- thread_limit = 1;
- }
- return NULL;
-}
-
-static const command_rec perchild_cmds[] = {
-UNIX_DAEMON_COMMANDS,
-LISTEN_COMMANDS,
-AP_INIT_TAKE1("NumServers", set_num_daemons, NULL, RSRC_CONF,
- "Number of children alive at the same time"),
-AP_INIT_TAKE1("StartThreads", set_threads_to_start, NULL, RSRC_CONF,
- "Number of threads each child creates"),
-AP_INIT_TAKE1("MinSpareThreads", set_min_spare_threads, NULL, RSRC_CONF,
- "Minimum number of idle threads per child, to handle "
- "request spikes"),
-AP_INIT_TAKE1("MaxSpareThreads", set_max_spare_threads, NULL, RSRC_CONF,
- "Maximum number of idle threads per child"),
-AP_INIT_TAKE1("MaxThreadsPerChild", set_max_threads, NULL, RSRC_CONF,
- "Maximum number of threads per child"),
-AP_INIT_TAKE3("ChildperUserID", set_child_per_uid, NULL, RSRC_CONF,
- "Specify a User and Group for a specific child process."),
-AP_INIT_TAKE2("AssignUserID", assign_childuid, NULL, RSRC_CONF,
- "Tie a virtual host to a specific child process."),
-AP_INIT_TAKE1("ServerLimit", set_server_limit, NULL, RSRC_CONF,
- "Maximum value of NumServers for this run of Apache"),
-AP_INIT_TAKE1("ThreadLimit", set_thread_limit, NULL, RSRC_CONF,
- "Maximum worker threads in a server for this run of Apache"),
-{ NULL }
-};
-
-static void *perchild_create_config(apr_pool_t *p, server_rec *s)
-{
- perchild_server_conf *c = (perchild_server_conf *)
- apr_pcalloc(p, sizeof(perchild_server_conf));
-
- c->sd = -1;
- return c;
-}
-
-module AP_MODULE_DECLARE_DATA mpm_perchild_module = {
- MPM20_MODULE_STUFF,
- NULL, /* hook to run before apache parses args */
- NULL, /* create per-directory config structure */
- NULL, /* merge per-directory config structures */
- perchild_create_config, /* create per-server config structure */
- NULL, /* merge per-server config structures */
- perchild_cmds, /* command apr_table_t */
- perchild_hooks /* register_hooks */
-};
-
diff --git a/support/dbmmanage b/support/dbmmanage
deleted file mode 100644
index ad9a4aca761..00000000000
--- a/support/dbmmanage
+++ /dev/null
@@ -1,350 +0,0 @@
-#!/usr/bin/perl
-# ====================================================================
-# The Apache Software License, Version 1.1
-#
-# Copyright (c) 2000-2001 The Apache Software Foundation. All rights
-# reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-#
-# 3. The end-user documentation included with the redistribution,
-# if any, must include the following acknowledgment:
-# "This product includes software developed by the
-# Apache Software Foundation (http://www.apache.org/)."
-# Alternately, this acknowledgment may appear in the software itself,
-# if and wherever such third-party acknowledgments normally appear.
-#
-# 4. The names "Apache" and "Apache Software Foundation" must
-# not be used to endorse or promote products derived from this
-# software without prior written permission. For written
-# permission, please contact apache@apache.org.
-#
-# 5. Products derived from this software may not be called "Apache",
-# nor may "Apache" appear in their name, without prior written
-# permission of the Apache Software Foundation.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-# ====================================================================
-#
-# This software consists of voluntary contributions made by many
-# individuals on behalf of the Apache Software Foundation. For more
-# information on the Apache Software Foundation, please see
-# .
-#
-
-#for more functionality see the HTTPD::UserAdmin module:
-# http://www.perl.com/CPAN/modules/by-module/HTTPD/HTTPD-Tools-x.xx.tar.gz
-#
-# usage: dbmmanage
-
-package dbmmanage;
-# -ldb -lndbm -lgdbm -lsdbm
-BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File SDBM_File) }
-use strict;
-use Fcntl;
-use AnyDBM_File ();
-
-sub usage {
- my $cmds = join "|", sort keys %dbmc::;
- die <$command();
-untie %DB;
-
-
-my $x;
-sub genseed {
- my $psf;
- if ($not_unix) {
- srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
- }
- else {
- for (qw(-xlwwa -le)) {
- `ps $_ 2>/dev/null`;
- $psf = $_, last unless $?;
- }
- srand (time ^ $$ ^ unpack("%L*", `ps $psf | gzip -f`));
- }
- @range = (qw(. /), '0'..'9','a'..'z','A'..'Z');
- $x = int scalar @range;
-}
-
-sub randchar {
- join '', map $range[rand $x], 1..shift||1;
-}
-
-sub saltpw_crypt {
- genseed() unless @range;
- return $newstyle_salt ?
- join '', "_", randchar, "a..", randchar(4) :
- randchar(2);
-}
-
-sub cryptpw_crypt {
- my ($pw, $salt) = @_;
- $salt = saltpw_crypt unless $salt;
- crypt $pw, $salt;
-}
-
-sub saltpw_md5 {
- genseed() unless @range;
- randchar(8);
-}
-
-sub cryptpw_md5 {
- my($pw, $salt) = @_;
- $salt = saltpw_md5 unless $salt;
- Crypt::PasswdMD5::apache_md5_crypt($pw, $salt);
-}
-
-sub cryptpw_sha1 {
- my($pw, $salt) = @_;
- '{SHA}' . Digest::SHA1::sha1_base64($pw) . "=";
-}
-
-sub cryptpw {
- if ($crypt_method eq "md5") {
- return cryptpw_md5(@_);
- } elsif ($crypt_method eq "sha1") {
- return cryptpw_sha1(@_);
- } elsif ($crypt_method eq "crypt") {
- return cryptpw_crypt(@_);
- }
- @_[0]; # otherwise return plaintext
-}
-
-sub getpass {
- my $prompt = shift || "Enter password:";
-
- unless($not_unix) {
- open STDIN, "/dev/tty" or warn "couldn't open /dev/tty $!\n";
- system "stty -echo;";
- }
-
- my($c,$pwd);
- print STDERR $prompt;
- while (($c = getc(STDIN)) ne '' and $c ne "\n" and $c ne "\r") {
- $pwd .= $c;
- }
-
- system "stty echo" unless $not_unix;
- print STDERR "\n";
- die "Can't use empty password!\n" unless length $pwd;
- return $pwd;
-}
-
-sub dbmc::update {
- die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
- $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.';
- $groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.';
- $comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.';
- if (!$crypted_pwd || $crypted_pwd eq '-') {
- dbmc->adduser;
- }
- else {
- dbmc->add;
- }
-}
-
-sub dbmc::add {
- die "Can't use empty password!\n" unless $crypted_pwd;
- unless($is_update) {
- die "Sorry, user `$key' already exists!\n" if $DB{$key};
- }
- $groups = '' if $groups eq '-';
- $comment = '' if $comment eq '-';
- $groups .= ":" . $comment if $comment;
- $crypted_pwd .= ":" . $groups if $groups;
- $DB{$key} = $crypted_pwd;
- my $action = $is_update ? "updated" : "added";
- print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n";
-}
-
-sub dbmc::adduser {
- my $value = getpass "New password:";
- die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value;
- $crypted_pwd = cryptpw $value;
- dbmc->add;
-}
-
-sub dbmc::delete {
- die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
- delete $DB{$key}, print "`$key' deleted\n";
-}
-
-sub dbmc::view {
- print $key ? "$key:$DB{$key}\n" : map { "$_:$DB{$_}\n" if $DB{$_} } keys %DB;
-}
-
-sub dbmc::check {
- die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
- my $chkpass = (split /:/, $DB{$key}, 3)[0];
- my $testpass = getpass();
- if (substr($chkpass, 0, 6) eq '$apr1$') {
- need_md5_crypt;
- $crypt_method = "md5";
- } elsif (substr($chkpass, 0, 5) eq '{SHA}') {
- need_sha1_crypt;
- $crypt_method = "sha1";
- } elsif (length($chkpass) == 13 && $chkpass ne $testpass) {
- $crypt_method = "crypt";
- } else {
- $crypt_method = "plain";
- }
- print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass
- ? " password ok\n" : " password mismatch\n");
-}
-
-sub dbmc::import {
- while(defined($_ = ) and chomp) {
- ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4;
- dbmc->add;
- }
-}
-
diff --git a/support/log_server_status b/support/log_server_status
deleted file mode 100644
index e32280c9127..00000000000
--- a/support/log_server_status
+++ /dev/null
@@ -1,114 +0,0 @@
-#!/usr/bin/perl
-# ====================================================================
-# The Apache Software License, Version 1.1
-#
-# Copyright (c) 2000-2001 The Apache Software Foundation. All rights
-# reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-#
-# 3. The end-user documentation included with the redistribution,
-# if any, must include the following acknowledgment:
-# "This product includes software developed by the
-# Apache Software Foundation (http://www.apache.org/)."
-# Alternately, this acknowledgment may appear in the software itself,
-# if and wherever such third-party acknowledgments normally appear.
-#
-# 4. The names "Apache" and "Apache Software Foundation" must
-# not be used to endorse or promote products derived from this
-# software without prior written permission. For written
-# permission, please contact apache@apache.org.
-#
-# 5. Products derived from this software may not be called "Apache",
-# nor may "Apache" appear in their name, without prior written
-# permission of the Apache Software Foundation.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-# ====================================================================
-#
-# This software consists of voluntary contributions made by many
-# individuals on behalf of the Apache Software Foundation. For more
-# information on the Apache Software Foundation, please see
-# .
-#
-# Log Server Status
-# Mark J Cox, UK Web Ltd 1996, mark@ukweb.com
-#
-# This script is designed to be run at a frequent interval by something
-# like cron. It connects to the server and downloads the status
-# information. It reformats the information to a single line and logs
-# it to a file. Make sure the directory $wherelog is writable by the
-# user who runs this script.
-#
-require 'sys/socket.ph';
-
-$wherelog = "/var/log/graph/"; # Logs will be like "/var/log/graph/19960312"
-$server = "localhost"; # Name of server, could be "www.foo.com"
-$port = "80"; # Port on server
-$request = "/status/?auto"; # Request to send
-
-sub tcp_connect
-{
- local($host,$port) =@_;
- $sockaddr='S n a4 x8';
- chop($hostname=`hostname`);
- $port=(getservbyname($port, 'tcp'))[2] unless $port =~ /^\d+$/;
- $me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]);
- $them=pack($sockaddr,&AF_INET,$port,(gethostbyname($host))[4]);
- socket(S,&PF_INET,&SOCK_STREAM,(getprotobyname('tcp'))[2]) ||
- die "socket: $!";
- bind(S,$me) || return "bind: $!";
- connect(S,$them) || return "connect: $!";
- select(S);
- $| = 1;
- select(stdout);
- return "";
-}
-
-### Main
-
-{
- $year=`date +%y`;
- chomp($year);
- $year += ($year < 70) ? 2000 : 1900;
- $date = $year . `date +%m%d:%H%M%S`;
- chomp($date);
- ($day,$time)=split(/:/,$date);
- $res=&tcp_connect($server,$port);
- open(OUT,">>$wherelog$day");
- if ($res) {
- print OUT "$time:-1:-1:-1:-1:$res\n";
- exit 1;
- }
- print S "GET $request\n";
- while () {
- $requests=$1 if ( m|^BusyServers:\ (\S+)|);
- $idle=$1 if ( m|^IdleServers:\ (\S+)|);
- $number=$1 if ( m|sses:\ (\S+)|);
- $cpu=$1 if (m|^CPULoad:\ (\S+)|);
- }
- print OUT "$time:$requests:$idle:$number:$cpu\n";
-}
-
-
diff --git a/support/logresolve.pl b/support/logresolve.pl
deleted file mode 100644
index ab5a7322ab2..00000000000
--- a/support/logresolve.pl
+++ /dev/null
@@ -1,261 +0,0 @@
-#!/usr/bin/perl
-# ====================================================================
-# The Apache Software License, Version 1.1
-#
-# Copyright (c) 2000-2001 The Apache Software Foundation. All rights
-# reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-#
-# 3. The end-user documentation included with the redistribution,
-# if any, must include the following acknowledgment:
-# "This product includes software developed by the
-# Apache Software Foundation (http://www.apache.org/)."
-# Alternately, this acknowledgment may appear in the software itself,
-# if and wherever such third-party acknowledgments normally appear.
-#
-# 4. The names "Apache" and "Apache Software Foundation" must
-# not be used to endorse or promote products derived from this
-# software without prior written permission. For written
-# permission, please contact apache@apache.org.
-#
-# 5. Products derived from this software may not be called "Apache",
-# nor may "Apache" appear in their name, without prior written
-# permission of the Apache Software Foundation.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-# ====================================================================
-#
-# This software consists of voluntary contributions made by many
-# individuals on behalf of the Apache Software Foundation. For more
-# information on the Apache Software Foundation, please see
-# .
-#
-# logresolve.pl
-#
-# v 1.2 by robh @ imdb.com
-#
-# usage: logresolve.pl outfile
-#
-# input = Apache/NCSA/.. logfile with IP numbers at start of lines
-# output = same logfile with IP addresses resolved to hostnames where
-# name lookups succeeded.
-#
-# this differs from the C based 'logresolve' in that this script
-# spawns a number ($CHILDREN) of subprocesses to resolve addresses
-# concurrently and sets a short timeout ($TIMEOUT) for each lookup in
-# order to keep things moving quickly.
-#
-# the parent process handles caching of IP->hostnames using a Perl hash
-# it also avoids sending the same IP to multiple child processes to be
-# resolved multiple times concurrently.
-#
-# Depending on the settings of $CHILDREN and $TIMEOUT you should see
-# significant reductions in the overall time taken to resolve your
-# logfiles. With $CHILDREN=40 and $TIMEOUT=5 I've seen 200,000 - 300,000
-# logfile lines processed per hour compared to ~45,000 per hour
-# with 'logresolve'.
-#
-# I haven't yet seen any noticable reduction in the percentage of IPs
-# that fail to get resolved. Your mileage will no doubt vary. 5s is long
-# enough to wait IMO.
-#
-# Known to work with FreeBSD 2.2
-# Known to have problems with Solaris
-#
-# 980417 - use 'sockaddr_un' for bind/connect to make the script work
-# with linux. Fix from Luuk de Boer
-
-require 5.004;
-
-$|=1;
-
-use FileHandle;
-use Socket;
-
-use strict;
-no strict 'refs';
-
-use vars qw($PROTOCOL);
-$PROTOCOL = 0;
-
-my $CHILDREN = 40;
-my $TIMEOUT = 5;
-
-my $filename;
-my %hash = ();
-my $parent = $$;
-
-my @children = ();
-for (my $child = 1; $child <=$CHILDREN; $child++) {
- my $f = fork();
- if (!$f) {
- $filename = "./.socket.$parent.$child";
- if (-e $filename) { unlink($filename) || warn "$filename .. $!\n";}
- &child($child);
- exit(0);
- }
- push(@children, $f);
-}
-
-&parent;
-&cleanup;
-
-## remove all temporary files before shutting down
-sub cleanup {
- # die kiddies, die
- kill(15, @children);
- for (my $child = 1; $child <=$CHILDREN; $child++) {
- if (-e "./.socket.$parent.$child") {
- unlink("./.socket.$parent.$child")
- || warn ".socket.$parent.$child $!";
- }
- }
-}
-
-sub parent {
- # Trap some possible signals to trigger temp file cleanup
- $SIG{'KILL'} = $SIG{'INT'} = $SIG{'PIPE'} = \&cleanup;
-
- my %CHILDSOCK;
- my $filename;
-
- ## fork child processes. Each child will create a socket connection
- ## to this parent and use an unique temp filename to do so.
- for (my $child = 1; $child <=$CHILDREN; $child++) {
- $CHILDSOCK{$child}= FileHandle->new;
-
- if (!socket($CHILDSOCK{$child}, AF_UNIX, SOCK_STREAM, $PROTOCOL)) {
- warn "parent socket to child failed $!";
- }
- $filename = "./.socket.$parent.$child";
- my $response;
- do {
- $response = connect($CHILDSOCK{$child}, sockaddr_un($filename));
- if ($response != 1) {
- sleep(1);
- }
- } while ($response != 1);
- $CHILDSOCK{$child}->autoflush;
- }
- ## All child processes should now be ready or at worst warming up
-
- my (@buffer, $child, $ip, $rest, $hostname, $response);
- ## read the logfile lines from STDIN
- while() {
- @buffer = (); # empty the logfile line buffer array.
- $child = 1; # children are numbered 1..N, start with #1
-
- # while we have a child to talk to and data to give it..
- do {
- push(@buffer, $_); # buffer the line
- ($ip, $rest) = split(/ /, $_, 2); # separate IP form rest
-
- unless ($hash{$ip}) { # resolve if unseen IP
- $CHILDSOCK{$child}->print("$ip\n"); # pass IP to next child
- $hash{$ip} = $ip; # don't look it up again.
- $child++;
- }
- } while (($child < ($CHILDREN-1)) and ($_ = ));
-
- ## now poll each child for a response
- while (--$child > 0) {
- $response = $CHILDSOCK{$child}->getline;
- chomp($response);
- # child sends us back both the IP and HOSTNAME, no need for us
- # to remember what child received any given IP, and no worries
- # what order we talk to the children
- ($ip, $hostname) = split(/\|/, $response, 2);
- $hash{$ip} = $hostname;
- }
-
- # resolve all the logfiles lines held in the log buffer array..
- for (my $line = 0; $line <=$#buffer; $line++) {
- # get next buffered line
- ($ip, $rest) = split(/ /, $buffer[$line], 2);
- # separate IP from rest and replace with cached hostname
- printf STDOUT ("%s %s", $hash{$ip}, $rest);
- }
- }
-}
-
-########################################
-
-sub child {
- # arg = numeric ID - how the parent refers to me
- my $me = shift;
-
- # add trap for alarm signals.
- $SIG{'ALRM'} = sub { die "alarmed"; };
-
- # create a socket to communicate with parent
- socket(INBOUND, AF_UNIX, SOCK_STREAM, $PROTOCOL)
- || die "Error with Socket: !$\n";
- $filename = "./.socket.$parent.$me";
- bind(INBOUND, sockaddr_un($filename))
- || die "Error Binding $filename: $!\n";
- listen(INBOUND, 5) || die "Error Listening: $!\n";
-
- my ($ip, $send_back);
- my $talk = FileHandle->new;
-
- # accept a connection from the parent process. We only ever have
- # have one connection where we exchange 1 line of info with the
- # parent.. 1 line in (IP address), 1 line out (IP + hostname).
- accept($talk, INBOUND) || die "Error Accepting: $!\n";
- # disable I/O buffering just in case
- $talk->autoflush;
- # while the parent keeps sending data, we keep responding..
- while(($ip = $talk->getline)) {
- chomp($ip);
- # resolve the IP if time permits and send back what we found..
- $send_back = sprintf("%s|%s", $ip, &nslookup($ip));
- $talk->print($send_back."\n");
- }
-}
-
-# perform a time restricted hostname lookup.
-sub nslookup {
- # get the IP as an arg
- my $ip = shift;
- my $hostname = undef;
-
- # do the hostname lookup inside an eval. The eval will use the
- # already configured SIGnal handler and drop out of the {} block
- # regardless of whether the alarm occured or not.
- eval {
- alarm($TIMEOUT);
- $hostname = gethostbyaddr(gethostbyname($ip), AF_INET);
- alarm(0);
- };
- if ($@ =~ /alarm/) {
- # useful for debugging perhaps..
- # print "alarming, isn't it? ($ip)";
- }
-
- # return the hostname or the IP address itself if there is no hostname
- $hostname ne "" ? $hostname : $ip;
-}
-
-
diff --git a/support/phf_abuse_log.cgi b/support/phf_abuse_log.cgi
deleted file mode 100644
index 87543ce5f48..00000000000
--- a/support/phf_abuse_log.cgi
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/perl
-
-# This script is used to detect people trying to abuse the security hole which
-# existed in A CGI script direstributed with Apache 1.0.3 and earlier versions.
-# You can redirect them to here using the "" suggestion
-# in httpd.conf.
-#
-# The format logged to is
-# "[date] remote_addr remote_host [date] referrer user_agent".
-
-$LOG = "/var/log/phf_log";
-
-require "ctime.pl";
-$when = &ctime(time);
-$when =~ s/\n//go;
-$ENV{HTTP_USER_AGENT} .= " via $ENV{HTTP_VIA}" if($ENV{HTTP_VIA});
-
-open(LOG, ">>$LOG") || die "boo hoo, phf_log $!";
-print LOG "[$when] $ENV{REMOTE_ADDR} $ENV{REMOTE_HOST} $ENV{$HTTP_REFERER} $ENV{HTTP_USER_AGENT}\n";
-close(LOG);
-
-print "Content-type: text/html\r\n\r\n\n";
diff --git a/support/split-logfile b/support/split-logfile
deleted file mode 100644
index c0f34861aab..00000000000
--- a/support/split-logfile
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/perl
-# ====================================================================
-# The Apache Software License, Version 1.1
-#
-# Copyright (c) 2000-2001 The Apache Software Foundation. All rights
-# reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-#
-# 3. The end-user documentation included with the redistribution,
-# if any, must include the following acknowledgment:
-# "This product includes software developed by the
-# Apache Software Foundation (http://www.apache.org/)."
-# Alternately, this acknowledgment may appear in the software itself,
-# if and wherever such third-party acknowledgments normally appear.
-#
-# 4. The names "Apache" and "Apache Software Foundation" must
-# not be used to endorse or promote products derived from this
-# software without prior written permission. For written
-# permission, please contact apache@apache.org.
-#
-# 5. Products derived from this software may not be called "Apache",
-# nor may "Apache" appear in their name, without prior written
-# permission of the Apache Software Foundation.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-# ====================================================================
-#
-# This software consists of voluntary contributions made by many
-# individuals on behalf of the Apache Software Foundation. For more
-# information on the Apache Software Foundation, please see
-# .
-
-# This script will take a combined Web server access
-# log file and break its contents into separate files.
-# It assumes that the first field of each line is the
-# virtual host identity (put there by "%v"), and that
-# the logfiles should be named that+".log" in the current
-# directory.
-#
-# The combined log file is read from stdin. Records read
-# will be appended to any existing log files.
-#
-%is_open = ();
-
-while ($log_line = ) {
- #
- # Get the first token from the log record; it's the
- # identity of the virtual host to which the record
- # applies.
- #
- ($vhost) = split (/\s/, $log_line);
- #
- # Normalize the virtual host name to all lowercase.
- # If it's blank, the request was handled by the default
- # server, so supply a default name. This shouldn't
- # happen, but caution rocks.
- #
- $vhost = lc ($vhost) or "access";
- #
- # If the log file for this virtual host isn't opened
- # yet, do it now.
- #
- if (! $is_open{$vhost}) {
- open $vhost, ">>${vhost}.log"
- or die ("Can't open ${vhost}.log");
- $is_open{$vhost} = 1;
- }
- #
- # Strip off the first token (which may be null in the
- # case of the default server), and write the edited
- # record to the current log file.
- #
- $log_line =~ s/^\S*\s+//;
- printf $vhost "%s", $log_line;
-}
-exit 0;