Rich Bowen [Tue, 19 May 2026 14:38:15 +0000 (14:38 +0000)]
mod_brotli: clarify that numeric directive values are powers of two
BrotliCompressionWindow and BrotliCompressionMaxInputBlock accept
log2 values, but the docs just said "a value between N and M" without
explaining what those numbers mean in practice. Clarify that the
actual sizes are 2^value bytes, with concrete examples (e.g., 18 =
256 KB, 24 = 16 MB). Also improve BrotliCompressionQuality description
with practical guidance. Add examples to all three directives.
Rich Bowen [Fri, 15 May 2026 20:54:41 +0000 (20:54 +0000)]
flags.xml: Add example for UNC flag
Show a Windows UNC path rewrite using a variable in the substitution,
explaining that the flag prevents Apache from collapsing the leading
double slash. Note that the flag is Windows-only and unnecessary when
the substitution starts with literal double slashes.
Rich Bowen [Fri, 15 May 2026 20:03:35 +0000 (20:03 +0000)]
flags.xml: Add examples and security warnings for UnsafeAllow3F and UnsafePrefixStat
Both flags were introduced to address CVE-2024-38474 and CVE-2024-38475
respectively. Add practical examples showing common scenarios where each
flag is needed (PHP front controller for UnsafeAllow3F; backreference-
starting substitution for UnsafePrefixStat), along with warning notes
linking to the relevant CVEs and advising restraint in their use.
Rich Bowen [Fri, 15 May 2026 19:40:03 +0000 (19:40 +0000)]
howto/htaccess.xml: Note that AllowOverride defaults to None
Users frequently miss that .htaccess files are disabled by default
(AllowOverride None since 2.3.9). Add an explicit note after the
AllowOverride explanation so this is immediately visible.
Rich Bowen [Fri, 15 May 2026 19:31:59 +0000 (19:31 +0000)]
Add PATH_INFO glossary entry, link first mention in each doc
Define PATH_INFO in glossary.xml with an example
(/app/index.php/extra/path), reference to AcceptPathInfo directive,
and RFC 3875 section 4.1.5 citation.
Convert the first prose mention of PATH_INFO in 14 files to
<glossary ref="pathinfo"> links. Subsequent mentions within the same
document are left as <code> or plain text to avoid link spam.
Skipped mod_ext_filter.xml (only occurrence is inside the compound
variable name DOCUMENT_PATH_INFO) and mod_ssl.xml (inside a <pre>
block where markup links are inappropriate).
Rich Bowen [Fri, 15 May 2026 19:19:49 +0000 (19:19 +0000)]
flags.xml: Add example and security warning for UnsafeAllow3F
Show the common real-world trigger: a PHP front controller with a
query string in the substitution (index.php?route=$1) that breaks
when a request contains %3F. Add a warning note linking to
CVE-2024-38474, advising users to prefer URL restructuring over
enabling the flag where possible.
Rich Bowen [Fri, 15 May 2026 18:50:14 +0000 (18:50 +0000)]
Remove dead "Comments" link from See also sidebar
The comments system was removed long ago, but the link to
#comments_section remained in the See also sidebar on every page.
The target anchor no longer exists (common.xsl already has
"<!-- Comments section used to be here -->"), making this a dead link.
Remove from manualpage.xsl, synopsis.xsl, and overrideindex.xsl.
The lang/*/messages "comments" strings are left in place (harmless,
and removing them would require touching all 11 language files).
Merge paragraphs 2 and 3 of the module summary into a single paragraph
that flows naturally from the introduction without repeating the module
name at the start of each sentence.
Rich Bowen [Fri, 15 May 2026 18:10:54 +0000 (18:10 +0000)]
flags.xml: Add examples for [NS], [QSD], and [R] flags
These commonly-used flags had explanatory text but no configuration
examples. Add minimal, practical illustrations for each:
- [NS]: front controller pattern excluding subrequests
- [QSD]: redirect discarding the original query string
- [R]: 301 redirect to an external URL with path preserved
Rich Bowen [Fri, 15 May 2026 17:32:40 +0000 (17:32 +0000)]
rewrite/*.xml: Replace "URI" with "URL-path" or "URL" as appropriate
While URI and URL are functionally interchangeable in web contexts
(RFC 3986 subsumes both; every HTTP URL is a URI), the term "URI" is
ambiguous about whether the scheme://host:port portion is included.
"URL-path" — as defined in our own directive-dict.xml — makes explicit
that only the path component is meant, which is what mod_rewrite
actually operates on.
Changes across avoid.xml, flags.xml, rewritemap.xml, and tech.xml:
- "URI" → "URL-path" where the context is the path component only
(what RewriteRule patterns match against)
- "URI" → "URL" in the QSA/QSD/R sections where query strings are
part of the discussion (URL-path excludes query strings by definition)
- Kept "URI" in two places: the literal error message "Invalid URI in
request", and "URI translation" (an official httpd hook/phase name)
Rich Bowen [Fri, 15 May 2026 17:25:32 +0000 (17:25 +0000)]
flags.xml: Clarify DPI flag docs, replace "URI" with "URL-path", add example
In RFC terms, URI and URL are functionally interchangeable on the web
(all HTTP URLs are URIs; RFC 3986 subsumes both). However, in this
context the docs mean specifically the path component — no scheme, no
host, no port. "URL-path" (as defined in our own directive-dict.xml)
makes this unambiguous, and is consistent with the rest of the
mod_rewrite documentation which uses "URL-path" throughout.
Also add a concrete example showing DPI preventing PATH_INFO
duplication when rewriting a request.
Rich Bowen [Fri, 15 May 2026 16:42:03 +0000 (16:42 +0000)]
Consolidate "What is matched?" from mod_rewrite.xml into rewrite/intro.xml
Replace the detailed "What is matched?" note block in mod_rewrite.xml
with a concise summary linking to rewrite/intro.html#rewriterule.
Expand the RewriteRule Basics section in rewrite/intro.xml to cover:
- Pattern matches %-decoded URL-path (server context)
- Pattern matches directory-relative path (per-directory context),
with link to htaccess.html#path-stripping
- Pattern does NOT match hostname, port, or query string —
use RewriteCond with %{HTTP_HOST}, %{SERVER_PORT}, %{QUERY_STRING}
Part of: https://bz.apache.org/bugzilla/show_bug.cgi?id=70045
Rich Bowen [Fri, 15 May 2026 16:21:03 +0000 (16:21 +0000)]
Consolidate per-directory rewrite notes: remove duplication between mod_rewrite.xml and rewrite/htaccess.xml
The large "Per-directory Rewrites" note block in mod_rewrite.xml
duplicated content already covered (and better explained) in
rewrite/htaccess.xml. Replace it with a short link to the guide.
Migrate the useful tips that were unique to that block into
rewrite/htaccess.xml:
- ^/ never matches in per-directory context (path-stripping section)
- Use %{REQUEST_URI} to match the full URL-path, with example
- <Location>/<Files> are unsupported contexts (new section)
- <If> follows directory context rules (new section)
Part of: https://bz.apache.org/bugzilla/show_bug.cgi?id=70045
Rich Bowen [Fri, 15 May 2026 15:23:39 +0000 (15:23 +0000)]
Consolidates advice about crafting regular expressions in one place,
rather than having it duplicated in two docs. Gives example of using !
to negate a match, and notes that in the event of a not-match,
backreferences are not defined (because they didn't match) and points to
the backrefs section for further discussion.
Note that there's still probably a case to be made for a separate
regular expression reference, since neither `man perlre` nor Jeffrey's book
is likely to be in the possession of our audience.
(References patch on bz#70024 but takes it rather a different direction,
since that patch was not accurate.)
Joe Orton [Fri, 15 May 2026 10:31:10 +0000 (10:31 +0000)]
Remove mod_dav_lock, which was useful only to provide drop-in
locking for mod_dav_svn from Apache Subversion older than 1.2.0.
mod_dav_svn from 1.2.0 onwards provides a locking mechanism.
Remove mod_dav_lock from cmake and Windows build system:
* CMakeLists.txt: Remove mod_dav_lock from MODULE_LIST,
mod_dav_lock_extra_sources and mod_dav_lock_extra_libs.
* Apache.dsw, Apache-apr2.dsw: Remove mod_dav_lock project
and dependency entries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Github: closes #646
Joe Orton [Fri, 15 May 2026 06:57:49 +0000 (06:57 +0000)]
mod_ssl: Set auth type to "ClientCert" after authentication
When client certificate authentication has been performed r->ap_auth_type was
never populated and env AUTH_TYPE was empty.
We now set auth type to "ClientCert".
PR: 45058
Submitted by: Michael Osipov <michaelo@apache.org>
Github: closes #645
Joe Orton [Fri, 15 May 2026 06:56:04 +0000 (06:56 +0000)]
CI: Add *.md to the ignore list. (the "**" syntax is correct
here, per https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#filter-pattern-cheat-sheet)
Rich Bowen [Thu, 14 May 2026 20:30:43 +0000 (20:30 +0000)]
rewrite guide: document REDIRECT_ prefix for [E=] environment variables
flags.xml: expand the [E] flag section with a note box explaining
that per-directory rewrites rename env vars with a REDIRECT_ prefix
after internal redirect, with an example showing how to reference the
renamed variable and a note about prefix stacking.
env.xml: add cross-reference from the REDIRECT_ variables section
back to rewrite/flags.html#flag_e for mod_rewrite-specific details.
tech.xml: new "URL Encoding and Decoding" section explaining that
httpd unescapes the URI before pattern matching, how to use
%{THE_REQUEST} for the raw form, AllowEncodedSlashes options, and
a summary of the [B]/[BNP]/[NE] flags with links to flags.xml.
flags.xml: add cross-references to tech.html#encoding from the [B],
[BNP], and [NE] flag sections. Restore section headers for flag_bnp
and flag_bctls that were inadvertently dropped.
Add note to the "Forcing HTTPS" recipe in remapping.xml explaining
that %{HTTPS} queries mod_ssl directly and reports "off" when SSL is
terminated upstream. Provides the X-Forwarded-Proto alternative with
a security warning about trusting forwarded headers.
These pages were replaced by reorganized content in avoid.xml,
remapping.xml, rewritemap.xml, and flags.xml during the redundancy
cleanup. Each stub contained only a deprecation notice with pointers
to the new locations, and no other page in the guide links to them.
Removes 54 files (English sources, translations, built HTML, meta).
We will *not* be deleting these in 2.4 but some day when 2.6 branches,
they'll get dropped. The versions in 2.4 are already marked as
deprecated, with a "will go away in the future" message, so by that
time, this should take care of itself.
Rich Bowen [Thu, 14 May 2026 19:17:27 +0000 (19:17 +0000)]
rewrite guide: document mod_rewrite vs mod_alias processing order
tech.xml: new "Module Processing Order" section explaining that
mod_rewrite runs before mod_alias in server/vhost context (hook
priority, not config order), and that per-directory context reverses
this. Includes a concrete example and practical guidance.
avoid.xml: add cross-reference note to the "Simple Redirection"
section warning about the order inconsistency.
Rich Bowen [Mon, 11 May 2026 19:50:14 +0000 (19:50 +0000)]
Rewrite guide: harmonize seealso blocks across all files
Every document in the rewrite guide now cross-references all sibling
documents (htaccess, flags, tech, intro, remapping, rewritemap, vhosts,
avoid) consistently. Removed commented-out self-references.
Rich Bowen [Mon, 11 May 2026 19:31:10 +0000 (19:31 +0000)]
Rewrite guide: deduplicate HTTPS redirect recipe
avoid.xml had a full VirtualHost example for HTTP-to-HTTPS that was
identical to remapping.xml's version. Replace with a brief paragraph
and cross-reference to remapping.html#https-redirect, which covers
both the Redirect and .htaccess mod_rewrite approaches.
Rich Bowen [Mon, 11 May 2026 17:29:33 +0000 (17:29 +0000)]
AI-Assisted survey of the last 20 years of users@ identified a number of
questions that we *could* answer in this Rewrite Guide, but are not yet
doing so. This is more recipe-based, Q&A stuff, and none of it is
terribly high priority, but gives an opportunity to give high-quality
answers to common questions and combat some misinformation.
Rich Bowen [Mon, 11 May 2026 17:18:52 +0000 (17:18 +0000)]
Rewrite guide: merge www-resolve into canonicalhost section
The two sections covered the same hostname canonicalization concept
from slightly different angles. Merge the "Remove www" recipe and
SEO rationale into the existing canonicalhost section and remove
the standalone www-resolve section.
Rich Bowen [Mon, 11 May 2026 17:12:49 +0000 (17:12 +0000)]
Rewrite guide: merge duplicate SSRF warning in flags.xml [P] section
The [P] flag section had two nearly identical security warnings.
Merge into a single comprehensive warning that names the SSRF
vulnerability explicitly and includes the mitigation advice from
both.