<code>.htaccess</code> files would be a very expensive operation,
partially defeating the point of caching (to speed up requests),
<module>mod_cache</module> makes no decision about whether a cached
- entity is authorised for serving. In other words; if
+ entity is authorized for serving. In other words; if
<module>mod_cache</module> has cached some content, it will be served
from the cache as long as that content has not expired.</p>
Another example is so-called HTTP request-smuggling attacks.</p>
<p>This document is not the correct place for an in-depth discussion
- of HTTP request smuggling (instead, try your favourite search engine)
+ of HTTP request smuggling (instead, try your favorite search engine)
however it is important to be aware that it is possible to make
a series of requests, and to exploit a vulnerability on an origin
webserver such that the attacker can entirely control the content
</example>
<p>Some of these read directly across, some don't. I'll try to
- summarise what should be done below.</p>
+ summarize what should be done below.</p>
<p>The stages that read directly across :</p>
<title>ap_expr (NEW!)</title>
<p>Introduces a new API to parse and evaluate boolean and algebraic
expressions, including provision for a standard syntax and
- customised variants.</p>
+ customized variants.</p>
</section>
<section id="ap_listen">
sentinel is in fact not a valid bucket structure; any attempt to
call normal bucket functions (such as
<code>apr_bucket_read</code>) on the sentinel will have undefined
- behaviour (i.e. will crash the process).</p>
+ behavior (i.e. will crash the process).</p>
<p>There are a variety of functions and macros for traversing and
manipulating bucket brigades; see the <a
state = f->ctx;
if (state == NULL) {
- /* First invocation for this response: initialise state structure.
+ /* First invocation for this response: initialize state structure.
*/
f->ctx = state = apr_palloc(f->r->pool, sizeof *state);
<section id="prefer-language"><title>prefer-language</title>
- <p>This influences <module>mod_negotiation</module>'s behaviour. If
+ <p>This influences <module>mod_negotiation</module>'s behavior. If
it contains a language tag (such as <code>en</code>, <code>ja</code>
or <code>x-klingon</code>), <module>mod_negotiation</module> tries
to deliver a variant with that language. If there's no such variant,
CustomLog "|$/usr/local/apache/bin/rotatelogs /var/log/access_log 86400" common
</highlight>
- <p>This was the default behaviour for Apache 2.2.
+ <p>This was the default behavior for Apache 2.2.
Depending on the shell specifics this might lead to
an additional shell process for the lifetime of the logging
pipe program and signal handling problems during restart.
Allow use of AllowOverride option to treat invalid (unrecognized
or disallowed) directives in
.htaccess as nonfatal. Instead of causing an Internal Server
- Error, disallowed or unrecognised directives will be ignored
+ Error, disallowed or unrecognized directives will be ignored
and a warning logged:
<ul>
<li><strong>Nonfatal=Override</strong> treats directives
access will be denied. Setting the
<directive>AuthBearerAuthoritative</directive> directive explicitly
to <code>Off</code> allows for token verification to be passed on to
- other non-provider-based modules if the token is not recognised.
+ other non-provider-based modules if the token is not recognized.
This should only be necessary when combining
<module>mod_auth_bearer</module> with third-party modules that are not
configured with the
<usage>
<p>The <directive module="mod_auth_form">AuthFormLoginRequiredLocation</directive> directive
- specifies the URL to redirect to should the user not be authorised to view a page. The value
+ specifies the URL to redirect to should the user not be authorized to view a page. The value
is parsed using the <a href="../expr.html">ap_expr</a> parser before being sent to the client.
- By default, if a user is not authorised to view a page, the HTTP response code
+ By default, if a user is not authorized to view a page, the HTTP response code
<code>HTTP_UNAUTHORIZED</code> will be returned with the page specified by the
<directive module="core">ErrorDocument</directive> directive. This directive overrides this
default.</p>
<p>This directive is not normally necessary: it is implied if
authentication caching is enabled anywhere in <var>httpd.conf</var>.
However, if it is not enabled anywhere in <var>httpd.conf</var>
- it will by default not be initialised, and is therefore not
+ it will by default not be initialized, and is therefore not
available in a <var>.htaccess</var> context. This directive
- ensures it is initialised so it can be used in <var>.htaccess</var>.</p>
+ ensures it is initialized so it can be used in <var>.htaccess</var>.</p>
</usage>
</directivesynopsis>
directive, the module usually includes the contents of the file
after a standard HTML preamble (<code><html></code>,
<code><head></code>, <em>et cetera</em>). The
- <code>SuppressHTMLPreamble</code> option disables this behaviour,
+ <code>SuppressHTMLPreamble</code> option disables this behavior,
causing the module to start the display with the header file
contents. The header file must contain appropriate HTML instructions
in this case. If there is no header file, the preamble is generated
<p>RFC 2616 compliant caching provides a mechanism to verify whether
stale or expired content is still fresh, and can represent a significant
performance boost when the origin server supports <strong>conditional
- requests</strong> by honouring the
+ requests</strong> by honoring the
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.26">If-None-Match</a>
HTTP request header. Content is only regenerated from scratch when the content
has changed, and not when the cached entry expires.</p>
headers sent from a client in a request, or from a
server within a response. Under exceptional circumstances,
<module>mod_cache</module> can be configured to override these headers
- and force site specific behaviour, however such behaviour will be limited
+ and force site specific behavior, however such behavior will be limited
to this cache only, and will not affect the operation of other caches
that may exist between the client and server, and as a result is not
recommended unless strictly necessary.</p>
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.46">Warning</a>
HTTP header with a 110 response code. RFC 2616 also allows a cache to return
stale data when the attempt made to refresh the stale data returns an
- error 500 or above, and this behaviour is supported by default by
+ error 500 or above, and this behavior is supported by default by
<module>mod_cache</module>. Such responses will contain a
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.46">Warning</a>
HTTP header with a 111 response code.</p>
</highlight>
<p>For module authors, a hook called <var>cache_status</var> is available,
- allowing modules to respond to the caching outcomes above in customised
+ allowing modules to respond to the caching outcomes above in customized
ways.</p>
</section>
<p><directive>CacheIgnoreHeaders</directive> takes a space separated list
of HTTP headers that should not be stored in the cache. If only hop-by-hop
headers not should be stored in the cache (the RFC 2616 compliant
- behaviour), <directive>CacheIgnoreHeaders</directive> can be set to
+ behavior), <directive>CacheIgnoreHeaders</directive> can be set to
<code>None</code>.</p>
<example><title>Example 1</title>
<note type="warning"><title>Warning:</title>
If headers like <code>Expires</code> which are needed for proper cache
management are not stored due to a
- <directive>CacheIgnoreHeaders</directive> setting, the behaviour of
+ <directive>CacheIgnoreHeaders</directive> setting, the behavior of
mod_cache is undefined.
</note>
</usage>
<section id="pooling"><title>Connection Pooling</title>
<p>This module manages database connections, in a manner
- optimised for the platform. On non-threaded platforms,
+ optimized for the platform. On non-threaded platforms,
it provides a persistent connection in the manner of
classic LAMP (Linux, Apache, Mysql, Perl/PHP/Python).
On threaded platform, it provides an altogether more
<p>The argument can be:</p>
<ul>
<li><code>on</code>: issues a 302 redirection to the index resource.</li>
- <li><code>off</code>: does not issue a redirection. This is the legacy behaviour of mod_dir.</li>
+ <li><code>off</code>: does not issue a redirection. This is the legacy behavior of mod_dir.</li>
<li><code>permanent</code>: issues a 301 (permanent) redirection to the index resource.</li>
<li><code>temp</code>: this has the same effect as <code>on</code></li>
<li><code>seeother</code>: issues a 303 redirection (also known as "See Other") to the index resource.</li>
<dt>Server side Includes (SSI)</dt>
<dd>The same as the above but dispatching on handler (classic
- SSI behaviour; .shtml files get processed).
+ SSI behavior; .shtml files get processed).
<highlight language="config">
FilterProvider SSI INCLUDES "%{HANDLER} = 'server-parsed'"
FilterChain SSI
modules. For httpd 2.1 and later, the
<code>ap_register_output_filter_protocol</code> and
<code>ap_filter_protocol</code> API enables filter modules to
- declare their own behaviour.</p>
+ declare their own behavior.</p>
<p>At the same time, <module>mod_filter</module> should not interfere
with a filter that wants to handle all aspects of the protocol. By
<p><code>mod_firehose</code> provides a mechanism to record data
being passed between the httpd server and the client at the raw
connection level to either a file or a pipe in such a way that the
- data can be analysed or played back to the server at a future date.
+ data can be analyzed or played back to the server at a future date.
It can be thought of as "tcpdump for httpd".</p>
<p>Connections are recorded after the SSL has been stripped, and can
webserver has been built against APR v2.0 or later, and an optional
"nonblock" parameter is specified all file writes will be non
blocking, and buffer overflows will cause debugging data to be lost.
- In this case it is possible to prioritise the running of the server
+ In this case it is possible to prioritize the running of the server
over the recording of firehose data.</p>
</section>
<usage>
<p>
With the default 0, no padding bytes are added to any payload
- frames, e.g. HEADERS, DATA and PUSH_PROMISE. This is the behaviour
+ frames, e.g. HEADERS, DATA and PUSH_PROMISE. This is the behavior
of previous versions. It means that under certain conditions, an
observer of network traffic can see the length of those frames
in the TLS stream.
<directivesynopsis>
<name>H2OutputBuffering</name>
- <description>Determine buffering behaviour of output</description>
+ <description>Determine buffering behavior of output</description>
<syntax>H2OutputBuffering on|off</syntax>
<default>H2OutputBuffering on</default>
<contextlist>
<usage>
<p>
The directive <directive>H2OutputBuffering</directive> controls the buffering of stream output.
- The default is on, which is the behaviour of previous versions. When off, all
+ The default is on, which is the behavior of previous versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC.
</p>
response by adding <code>no-etag</code> to the request notes.</p>
<p>The <directive>SSIETag</directive> directive suppresses this
- behaviour, and allows the server to generate an <code>ETag</code> header.
+ behavior, and allows the server to generate an <code>ETag</code> header.
This can be used to enable caching of the output. Note that a backend server
or dynamic content generator may generate an ETag of its own, ignoring
<code>no-etag</code>, and this ETag will be passed by
the <code>Last-Modified</code> header is stripped from the response.</p>
<p>The <directive>SSILastModified</directive> directive overrides this
- behaviour, and allows the <code>Last-Modified</code> header to be respected
+ behavior, and allows the <code>Last-Modified</code> header to be respected
if already present, or set if the header is not already present. This can
be used to enable caching of the output. <directive>SSILastModified</directive>
can take on the following values:</p>
<compatibility>Available in version 2.4.58 and later</compatibility>
<usage>
<p>
- The mode `all` is the behaviour as in all previous versions. Both ServerName
+ The mode `all` is the behavior as in all previous versions. Both ServerName
and ServerAlias are inspected to find the MDomain matching a VirtualHost.
This automatically detects coverage, even when you only have added
one of the names to an MDomain.
</strong>: Enforce a minimum HTTP version within a request</dt>
<dd>When a request is encountered with an HTTP version number less than
the required minimum version, the request is rejected. The following
- version numbers are recognised:
+ version numbers are recognized:
<ul><li><code>HTTP/1.1</code></li>
<li><code>HTTP/1.0</code></li>
<li><code>HTTP/0.9</code></li>
<section id="env"><title>Environment Variables</title>
<p>In addition to the configuration directives that control the
- behaviour of <module>mod_proxy</module>, there are a number of
+ behavior of <module>mod_proxy</module>, there are a number of
<dfn>environment variables</dfn> that control the FCGI protocol
provider:</p>
<dl>
The main customisation directives are <directive>ProxyHTMLLinks</directive>
and <directive>ProxyHTMLEvents</directive>. By default these are set in
configuration file <var>proxy-html.conf</var>, which also contains
-comments to help you customise your parser if required.</p>
+comments to help you customize your parser if required.</p>
<note>For historical reasons, configuring mod_proxy_html to rewrite
URLs in scripting events does not by default rewrite URLs in stylesheets.
This can be changed by uncommenting the relevant line in
(note that this happens automatically for HTML links).</p></dd>
<dt>l</dt>
<dd><p>Opposite to L. Overrides the one-change-only default
-behaviour with HTML links.</p></dd>
+behavior with HTML links.</p></dd>
<dt>R</dt>
<dd><p>Use Regular Expression matching-and-replace. <code>from-pattern</code>
is a regexp, and <code>to-pattern</code> a replacement string that may be
<section id="env"><title>Environment Variables</title>
<p>In addition to the configuration directives that control the
- behaviour of <module>mod_proxy</module>, there are a number of
+ behavior of <module>mod_proxy</module>, there are a number of
<dfn>environment variables</dfn> that control the HTTP protocol
provider. Environment variables below that don't specify specific values
are enabled when set to any value.</p>
<section id="env"><title>Environment Variables</title>
<p>In addition to the configuration directives that control the
- behaviour of <module>mod_proxy</module>, an <dfn>environment
+ behavior of <module>mod_proxy</module>, an <dfn>environment
variable</dfn> may also control the SCGI protocol
provider:</p>
<dl>
optimizations, which are not possible if the file comes over the backend
socket. Additionally, the file contents are not transmitted twice.</p>
<p>The <directive>ProxySCGISendfile</directive> argument determines the
- gateway behaviour:</p>
+ gateway behavior:</p>
<dl>
<dt><code>Off</code></dt>
<dd>No special handling takes place.</dd>
<p>Using the "show cookies" feature of your browser, you would have seen
a clear text representation of the session. This could potentially be a
problem should the end user need to be kept unaware of the contents of
- the session, or where a third party could gain unauthorised access to the
+ the session, or where a third party could gain unauthorized access to the
data within the session.</p>
<p>The contents of the session can be optionally encrypted before being
</p></note>
<p>Before Apache 2.4.17, this timeout was hardcoded and its value was 600 usec.
- So, the closest configuration to match the legacy behaviour is to set
+ So, the closest configuration to match the legacy behavior is to set
<directive>MemcacheConnTTL</directive> to 1ms.</p>
<example>
</p>
<p>
The <var>flag</var> <code>no_crl_for_cert_ok</code> allows to restore
- previous behaviour.
+ previous behavior.
</p>
</li>
</ul>
where available to configure OpenSSL, and
<directive>SSLOpenSSLConfCmd</directive> is only used for features of
OpenSSL which are not configurable by mod_ssl. It is possible that
-mod_ssl behaviour will change across versions of httpd where
+mod_ssl behavior will change across versions of httpd where
<directive>SSLOpenSSLConfCmd</directive> is used.</p>
</note>
</usage>
context (<code>off</code>).
The latter was the default in versions 2.4 and earlier, but changed
starting with 2.5, hence <directive>SubstituteInheritBefore</directive>
- set to <code>off</code> allows to restore the legacy behaviour.
+ set to <code>off</code> allows to restore the legacy behavior.
<directive>SubstituteInheritBefore</directive> is itself inherited,
hence contexts that inherit it (those that don't specify their own
<directive>SubstituteInheritBefore</directive> value) will apply the
<code>xml2enc_filter</code> optional function to postprocess to another
encoding. Using mod_xml2enc with an enabled module, no configuration
is necessary: the other module will configure mod_xml2enc for you
- (though you may still want to customise it using the configuration
+ (though you may still want to customize it using the configuration
directives below).</p>
</dd>
<dt>Non-enabled modules</dt><dd>
<usage>
<p>This server-wide directive aliases one or more encoding to another
- encoding. This enables encodings not recognised by libxml2 to be handled
+ encoding. This enables encodings not recognized by libxml2 to be handled
internally by libxml2's encoding support using the translation table for
- a recognised encoding. This serves two purposes: to support character sets
- (or names) not recognised either by libxml2 or iconv, and to skip
+ a recognized encoding. This serves two purposes: to support character sets
+ (or names) not recognized either by libxml2 or iconv, and to skip
conversion for an encoding where it is known to be unnecessary.</p>
</usage>
</directivesynopsis>
IPv6 address without also accepting connections via IPv4, or
conflicting with a Listen directive using an IPv4 address bound
to the same port. (If the server is built with IPv4-mapped
- addresses <em>disabled</em>, this is the default behaviour and
+ addresses <em>disabled</em>, this is the default behavior and
this option has no effect.)</li>
<li><code>multipathtcp</code>: Enable the use of
example when several modules each maintain their own connections.</p>
<p>Apache 2.1 and later provides the <code>ap_dbd</code> API for
- managing database connections (including optimised strategies
+ managing database connections (including optimized strategies
for threaded and unthreaded MPMs), while APR 1.2 and later provides
the <code>apr_dbd</code> API for interacting with the database.</p>
<dd>Where possible, <module>mod_cache</module> directives can now be set
per directory, instead of per server.</dd>
- <dd>The base URL of cached URLs can be customised, so that a cluster of
+ <dd>The base URL of cached URLs can be customized, so that a cluster of
caches can share the same endpoint URL prefix.</dd>
<dd><module>mod_cache</module> is now capable of serving stale cached
the <code>-t</code> option.</dd>
<dt><code>-n</code></dt>
- <dd>Be nice. This causes slower processing in favour of other
+ <dd>Be nice. This causes slower processing in favor of other
processes. <program>htcacheclean</program> will sleep from time to time
so that (a) the disk IO will be delayed and (b) the kernel can schedule
other processes in the meantime.</dd>
(<directive module="core">Mutex</directive>) and Unix socket files
(<directive module="mod_cgid">ScriptSock</directive>) contain the server
PID, and should coexist without problem. However, if a configuration
- directive, third-party module or persistent CGI utilises any other on-disk
+ directive, third-party module or persistent CGI utilizes any other on-disk
lock or state files, care should be taken to ensure that multiple running
instances of <program>httpd</program> do not clobber each other's files.</p>
option, there is
always the possibility that a system or library call suEXEC uses
before this check may be exploitable on your system. To counter
- this, and because it is best-practise in general, you should use
+ this, and because it is best-practice in general, you should use
filesystem permissions to ensure that only the group httpd
runs as may execute suEXEC.</p>
</li>
<li><module>mod_charset_lite</module>: The <code>DebugLevel</code>
- option has been removed in favour of per-module <directive
+ option has been removed in favor of per-module <directive
module="core">LogLevel</directive> configuration.
</li>
<li><module>mod_ext_filter</module>: The <code>DebugLevel</code>
- option has been removed in favour of per-module <directive
+ option has been removed in favor of per-module <directive
module="core">LogLevel</directive> configuration.
</li>
<directive module="mod_log_config">CustomLog</directive> were invoked using
<code>/bin/sh -c</code> in 2.2 and earlier. In 2.4 and later,
piped logging commands are executed directly. To restore the
- old behavio
ur, see the <a href="logs.html#piped">piped logging
+ old behavior, see the <a href="logs.html#piped">piped logging
documentation</a>.</li>
</ul>
If this is not the server name you
wish to use, a bogus entry (eg. <code>ServerName
none.example.com</code>) can be added to get around this
- behaviour.</p>
+ behavior.</p>
</note>
</section>
projects / thirdparty / apache / httpd.git / commitdiff
