-##
-## httpd.conf -- Apache HTTP server configuration file
-##
+#
+# Based upon the NCSA server configuration files originally by Rob McCool.
+#
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about
+# the directives.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# The configuration directives are grouped into three basic sections:
+# 1. Directives that control the operation of the Apache server process as a
+# whole (the 'global environment').
+# 2. Directives that define the parameters of the 'main' or 'default' server,
+# which responds to requests that aren't handled by a virtual host.
+# These directives also provide default values for the settings
+# of all virtual hosts.
+# 3. Settings for virtual hosts, which allow Web requests to be sent to
+# different IP addresses or hostnames and have them handled by the
+# same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "/foo.log"
+# with ServerRoot set to "/etc/httpd/httpd" will be interpreted by the
+# server as "/etc/httpd/httpd//foo.log".
+#
-##### Global Environment
+### Section 1: Global Environment
+#
# The directives in this section affect the overall operation of Apache,
-# such as the number of concurrent requests it can handle or where it can
-# find its configuration files.
-
-### ServerType
-# is either inetd, or standalone. Inetd mode is only supported on Unix
-# platforms.
-
-ServerType standalone
-
-### PidFile
-# The file in which the server should record its process identification
-# number when it starts.
-
-PidFile /var/run/httpd.pid
-
-### Timeout
-# The number of seconds before receives and sends time out.
-### KeepAliveTimeout
-# Number of seconds to wait for the next request from the same client on the
-# same connection.
-
-Timeout 300
-KeepAliveTimeout 15
-
-### KeepAlive
-# Whether or not to allow persistent connections (more than one request per
-# connection). Set to "Off" to deactivate.
-### MaxKeepAliveRequests
-# The maximum number of requests to allow during a persistent connection.
-# Set to 0 to allow an unlimited amount. We recommend you leave this number
-# high, for maximum performance.
-
-KeepAlive On
-MaxKeepAliveRequests 100
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
-### ServerRoot
-# The top of the directory tree under which the server's configuration,
-# error, and log files are kept.
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
-# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
+# (available at <URL:http://httpd.apache.org/docs-2.0/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
-ServerRoot "/usr"
+ServerRoot "/etc/httpd"
-### LockFile
-# The LockFile directive sets the path to the lockfile used when Apache
-# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
-# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
-# its default value. The main reason for changing it is if the logs
-# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
-# DISK. The PID of the main server process is automatically appended to
-# the filename.
#
-LockFile /var/run/httpd.lock
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+<IfModule !mpm_winnt.c>
+<IfModule !mpm_netware.c>
+#LockFile /accept.lock
+</IfModule>
+</IfModule>
-### ScoreBoardFile
-# File used to store internal server process information. Not all
-# architectures require this. But if yours does (you'll know because this
-# file will be created when you run Apache) then you *must* ensure that no
-# two invocations of Apache share the same scoreboard file.
+#
+# ScoreBoardFile: File used to store internal server process information.
+# If unspecified (the default), the scoreboard will be stored in an
+# anonymous shared memory segment, and will be unavailable to third-party
+# applications.
+# If specified, ensure that no two invocations of Apache share the same
+# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
+#
+<IfModule !mpm_netware.c>
+<IfModule !perchild.c>
+#ScoreBoardFile /apache_runtime_status
+</IfModule>
+</IfModule>
-ScoreBoardFile /var/run/httpd.scoreboard
#
-# In the standard configuration, the server will process this file,
-# srm.conf, and access.conf in that order. The latter two files are
-# now distributed empty, as it is recommended that all directives
-# be kept in a single file for simplicity. The commented-out values
-# below are the built-in defaults. You can have the server ignore
-# these files altogether by using "/dev/null" (for Unix) or
-# "nul" (for Win32) for the arguments to the directives.
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
#
-ResourceConfig /dev/null
-AccessConfig /dev/null
+<IfModule !mpm_netware.c>
+PidFile /var/run/httpd.pid
+</IfModule>
#
-# Server-pool size regulation. Rather than making you guess how many
-# server processes you need, Apache dynamically adapts to the load it
-# sees --- that is, it tries to maintain enough server processes to
-# handle the current load, plus a few spare servers to handle transient
-# load spikes (e.g., multiple simultaneous requests from a single
-# Netscape browser).
-#
-# It does this by periodically checking how many servers are waiting
-# for a request. If there are fewer than MinSpareServers, it creates
-# a new spare. If there are more than MaxSpareServers, some of the
-# spares die off. The default values are probably OK for most sites.
+# Timeout: The number of seconds before receives and sends time out.
#
-MinSpareServers 5
-MaxSpareServers 10
+Timeout 300
#
-# Number of servers to start initially --- should be a reasonable ballpark
-# figure.
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
#
-StartServers 5
+KeepAlive On
#
-# Limit on total number of servers running, i.e., limit on the number
-# of clients who can simultaneously connect --- if this limit is ever
-# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
-# It is intended mainly as a brake to keep a runaway server from taking
-# the system with it as it spirals down...
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
#
-MaxClients 150
+MaxKeepAliveRequests 100
#
-# MaxRequestsPerChild: the number of requests each child process is
-# allowed to process before the child dies. The child will exit so
-# as to avoid problems after prolonged use when Apache (and maybe the
-# libraries it uses) leak memory or other resources. On most systems, this
-# isn't really needed, but a few (such as Solaris) do have notable leaks
-# in the libraries. For these platforms, set to something like 10000
-# or so; a setting of 0 means unlimited.
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
#
-# NOTE: This value does not include keepalive requests after the initial
-# request per connection. For example, if a child process handles
-# an initial request and 10 subsequent "keptalive" requests, it
-# would only count as 1 request towards this limit.
-
-MaxRequestsPerChild 30
+KeepAliveTimeout 15
-### Listen
-# Allows you to bind Apache to specific IP addresses and/or ports, in
-# addition to the default. See also the <VirtualHost> directive.
+##
+## Server-Pool Size Regulation (MPM specific)
+##
+
+# prefork MPM
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule prefork.c>
+StartServers 5
+MinSpareServers 5
+MaxSpareServers 10
+MaxClients 150
+MaxRequestsPerChild 0
+</IfModule>
-#Listen 12.34.56.78:80
-Listen 80
+# worker MPM
+# StartServers: initial number of server processes to start
+# MaxClients: maximum number of simultaneous client connections
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule worker.c>
+StartServers 2
+MaxClients 150
+MinSpareThreads 25
+MaxSpareThreads 75
+ThreadsPerChild 25
+MaxRequestsPerChild 0
+</IfModule>
-# Listen can take two arguments.
-# (this is an extension for supporting IPv6 addresses)
-#Listen :: 80
-#Listen 0.0.0.0 80
+# perchild MPM
+# NumServers: constant number of server processes
+# StartThreads: initial number of worker threads in each server process
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# MaxThreadsPerChild: maximum number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of connections per server process
+<IfModule perchild.c>
+NumServers 5
+StartThreads 5
+MinSpareThreads 5
+MaxSpareThreads 10
+MaxThreadsPerChild 20
+MaxRequestsPerChild 0
+</IfModule>
-### BindAddress
-# You can support virtual hosts with this option. This directive is used to
-# tell the server which IP address to listen to. It can either contain "*",
-# an IP address, or a fully qualified Internet domain name. See also the
-# <VirtualHost> and Listen directives.
+# WinNT MPM
+# ThreadsPerChild: constant number of worker threads in the server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule mpm_winnt.c>
+ThreadsPerChild 250
+MaxRequestsPerChild 0
+</IfModule>
-#BindAddress *
+# BeOS MPM
+# StartThreads: how many threads do we initially spawn?
+# MaxClients: max number of threads we can have (1 thread == 1 client)
+# MaxRequestsPerThread: maximum number of requests each thread will process
+<IfModule beos.c>
+StartThreads 10
+MaxClients 50
+MaxRequestsPerThread 10000
+</IfModule>
+
+# NetWare MPM
+# ThreadStackSize ...... Stack size allocated for each worker thread
+# StartThreads ......... Number of worker threads launched at server startup
+# MinSpareThreads ...... Minimum number of idle threads, to handle request spikes
+# MaxSpareThreads ...... Maximum number of idle threads
+# MaxThreads ........... Maximum number of worker threads alive at the same time
+# MaxRequestsPerChild .. Maximum number of requests a thread serves. It is
+# recommended that the default value of 0 be set for this
+# directive on NetWare. This will allow the thread to
+# continue to service requests indefinitely.
+<IfModule mpm_netware.c>
+ThreadStackSize 65536
+StartThreads 250
+MinSpareThreads 25
+MaxSpareThreads 250
+MaxThreads 1000
+MaxRequestsPerChild 0
+</IfModule>
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, in addition to the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
+#
+#Listen 12.34.56.78:80
+Listen 80
-### Section 2: Dynamic Shared Object (DSO) Support
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
#
# Example:
-# LoadModule foo_module libexec/mod_foo.so
-
-# Reconstruction of the complete module list from all available modules
-# (static and shared ones) to achieve correct module execution order.
-# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
-ClearModuleList
-AddModule mod_so.c
-
-### ExtendedStatus
-# controls whether Apache will generate "full" status information
-# (ExtendedStatus On) or just basic information (ExtendedStatus Off) when
-# the "server-status" handler is called. The default is Off.
-
+#
+#
+LoadModule access_module lib/apache/mod_access.so
+LoadModule alias_module lib/apache/mod_alias.so
+LoadModule asis_module lib/apache/mod_asis.so
+LoadModule autoindex_module lib/apache/mod_autoindex.so
+LoadModule cern_meta_module lib/apache/mod_cern_meta.so
+LoadModule cgi_module lib/apache/mod_cgi.so
+LoadModule env_module lib/apache/mod_env.so
+LoadModule include_module lib/apache/mod_include.so
+LoadModule log_config_module lib/apache/mod_log_config.so
+LoadModule mime_magic_module lib/apache/mod_mime_magic.so
+LoadModule mime_module lib/apache/mod_mime.so
+LoadModule negotiation_module lib/apache/mod_negotiation.so
+LoadModule setenvif_module lib/apache/mod_setenvif.so
+LoadModule speling_module lib/apache/mod_speling.so
+LoadModule userdir_module lib/apache/mod_userdir.so
+
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called. The default is Off.
+#
#ExtendedStatus On
-### Section 3: 'Main' server configuration
+### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# virtual host being defined.
#
-#
-# If your ServerType directive (set earlier in the 'Global Environment'
-# section) is set to "inetd", the next few directives don't have any
-# effect since their settings are defined by the inetd configuration.
-# Skip ahead to the ServerAdmin directive.
-#
-
-#
-# Port: The port to which the standalone server listens. For
-# ports < 1023, you will need httpd to be run as root initially.
-#
-Port 80
-
+<IfModule !mpm_winnt.c>
+<IfModule !mpm_netware.c>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
-User http
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
+# . On HPUX you may not be able to use shared memory as nobody, and the
+# suggested workaround is to create a user www and use that user.
+# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
+# when the value of (unsigned)Group is above 60000;
+# don't use Group #-1 on these systems!
+#
+User http
Group http
+</IfModule>
+</IfModule>
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
-# as error documents.
+# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin admin@your_domain.org
+ServerAdmin you@your.address
#
-# ServerName allows you to set a host name which is sent back to clients for
-# your server if it's different than the one the program would get (i.e., use
-# "www" instead of the host's real name).
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
#
-# Note: You cannot just invent host names and hope they work. The name you
-# define here must be a valid DNS name for your host. If you don't understand
-# this, ask your network administrator.
# If your host doesn't have a registered DNS name, enter its IP address here.
-# You will have to access it by its address (e.g., http://123.45.67.89/)
-# anyway, and this will make redirections work in a sensible way.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+#ServerName new.host.name:80
+
#
-# 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your
-# machine always knows itself by this address. If you use Apache strictly for
-# local testing and development, you may use 127.0.0.1 as the server name.
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
#
-#ServerName new.host.name
+UseCanonicalName Off
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/home/httpd/html"
+DocumentRoot "/home/services/httpd/html"
#
-# Each directory to which Apache has access, can be configured with respect
+# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
-# permissions.
+# features.
#
<Directory />
- Options FollowSymLinks
- AllowOverride None
+ Options FollowSymLinks
+ AllowOverride None
</Directory>
#
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/home/httpd/html">
+<Directory "/home/services/httpd/html">
#
-# This may also be "None", "All", or any combination of "Indexes",
-# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI Multiviews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
- Options Indexes FollowSymLinks MultiViews
+# The Options directive is both complicated and important. Please see
+# http://httpd.apache.org/docs-2.0/mod/core.html#options
+# for more information.
+#
+ Options Indexes FollowSymLinks
#
-# This controls which options the .htaccess files in directories can
-# override. Can also be "All", or any combination of "Options", "FileInfo",
-# "AuthConfig", and "Limit"
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+# Options FileInfo AuthConfig Limit
#
- AllowOverride None
+ AllowOverride None
#
# Controls who can get stuff from this server.
#
- Order allow,deny
- Allow from all
+ Order allow,deny
+ Allow from all
+
</Directory>
#
-# UserDir: The name of the directory which is appended onto a user's home
+# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
UserDir public_html
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
-#<Directory /home/users/*/public_html>
+#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS PROPFIND>
# </LimitExcept>
#</Directory>
-#
-# DirectoryIndex: Name of the file or files to use as a pre-written HTML
-# directory index. Separate multiple entries with spaces.
-#
-<IfModule mod_dir.c>
- DirectoryIndex index.html index.htm index.shtml index.cgi index.php
-</IfModule>
-
#
# AccessFileName: The name of the file to look for in each directory
-# for access control information.
+# for access control information. See also the AllowOverride directive.
#
AccessFileName .htaccess
#
-# The following lines prevent .htaccess files from being viewed by
-# Web clients. Since .htaccess files often contain authorization
-# information, access is disallowed for security reasons. Comment
-# these lines out if you want Web visitors to see the contents of
-# .htaccess files. If you change the AccessFileName directive above,
-# be sure to make the corresponding changes here.
-#
-# Also, folks tend to use names such as .htpasswd for password
-# files, so this will protect those as well.
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
#
<Files ~ "^\.ht">
- Order allow,deny
- Deny from all
- Satisfy All
+ Order allow,deny
+ Deny from all
</Files>
-#
-# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
-# document that was negotiated on the basis of content. This asks proxy
-# servers not to cache the document. Uncommenting the following line disables
-# this behavior, and proxies will be allowed to cache the documents.
-#
-#CacheNegotiatedDocs
-
-#
-# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
-# Apache needs to construct a self-referencing URL (a URL that refers back
-# to the server the response is coming from) it will use ServerName and
-# Port to form a "canonical" name. With this setting off, Apache will
-# use the hostname:port that the client supplied, when possible. This
-# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
-#
-UseCanonicalName On
-
#
# TypesConfig describes where the mime.types file (or equivalent) is
-# to be found. /etc/mime.types is provided by mailcap package.
+# to be found.
#
TypesConfig /etc/mime.types
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
-# mod_mime_magic is not part of the default server (you have to add
-# it yourself with a LoadModule [see the DSO paragraph in the 'Global
-# Environment' section], or recompile the server and include mod_mime_magic
-# as part of the configuration), so it's enclosed in an <IfModule> container.
-# This means that the MIMEMagicFile directive will only be processed if the
-# module is part of the server.
#
<IfModule mod_mime_magic.c>
- MIMEMagicFile /etc/httpd/magic
+ MIMEMagicFile /etc/httpd/magic
</IfModule>
#
#
HostnameLookups Off
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog /var/log/httpd/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
-#
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a <VirtualHost>
-# container, error messages relating to that virtual host will be
-# logged here. If you *do* define an error logfile for a <VirtualHost>
-# container, that host's errors will be logged there and not here.
-#
-ErrorLog /var/log/httpd/error_log
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# logged therein and *not* in this file.
#
CustomLog /var/log/httpd/access_log common
-CustomLog /var/log/httpd/referer_log referer
-CustomLog /var/log/httpd/agent_log agent
#
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
#
-LogLevel warn
+#CustomLog /var/log/httpd/referer_log referer
+#CustomLog /var/log/httpd/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog /var/log/httpd/access_log combined
#
# Optionally add a line containing the server version and virtual host
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
-ServerSignature Email
+ServerSignature On
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
-# example, only "/icons/"..
+# example, only "/icons/". If the fakename is slash-terminated, then the
+# realname must also be slash terminated, and if the fakename omits the
+# trailing slash, the realname must also omit it.
+#
+# We include the /icons/ alias for FancyIndexed directory listings. If you
+# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/home/httpd/icons/"
+Alias /icons/ "/home/services/httpd/icons/"
-<Directory "/home/httpd/icons">
- Options Indexes MultiViews
- AllowOverride None
- Order allow,deny
- Allow from all
+<Directory "/home/services/httpd/icons/">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
</Directory>
+#
+# This should be changed to the ServerRoot/manual/. The alias provides
+# the manual, even if you choose to move your DocumentRoot. You may comment
+# this out if you do not care for the documentation.
+#
+Alias /manual "/home/services/httpd/manual/"
-
-
-Alias /manual "/home/httpd/manual"
-
-<Directory "/home/httpd/manual">
- Options Indexes MultiViews
- AllowOverride None
+<Directory "/home/services/httpd/manual/">
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
</Directory>
-
-
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
+ScriptAlias /cgi-bin/ "/home/services/httpd/cgi-bin/"
+
+<IfModule mod_cgid.c>
+#
+# Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path>
+# for setting UNIX socket for communicating with cgid.
+#
+#Scriptsock /var/run/apache/cgisock
+</IfModule>
#
-# "/home/httpd/cgi-bin" should be changed to whatever your ScriptAliased
+# "/home/services/httpd/cgi-bin/" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/home/httpd/cgi-bin">
- AllowOverride None
- Options None
- Order allow,deny
- Allow from all
+<Directory "/home/services/httpd/cgi-bin/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
</Directory>
#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
-# Format: Redirect old-URI new-URL
-#
+# Example:
+# Redirect permanent /foo http://www.example.com/bar
#
# Directives controlling the display of server-generated directory listings.
#
#
-# FancyIndexing is whether you want fancy directory indexing or standard
+# FancyIndexing is whether you want fancy directory indexing or standard.
+# VersionSort is whether files containing version numbers should be
+# compared in the natural way, so that `apache-1.3.9.tar' is placed before
+# `apache-1.3.12.tar'.
#
-IndexOptions FancyIndexing
+IndexOptions FancyIndexing VersionSort
#
# AddIcon* directives tell the server which icon to show for different
# directories.
# Format: AddDescription "description" filename
#
-AddDescription "GZIP compressed document" .gz
-AddDescription "tar archive" .tar
-AddDescription "GZIP compressed tar archive" .tgz
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
#
# ReadmeName is the name of the README file the server will look for by
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
-#
-# If MultiViews are amongst the Options in effect, the server will
-# first look for name.html and include it if found. If name.html
-# doesn't exist, the server will then look for name.txt and include
-# it as plaintext if found.
-#
-ReadmeName README
-HeaderName HEADER
+ReadmeName README.html
+HeaderName HEADER.html
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# to do with the FancyIndexing customization directives above.
#
AddEncoding x-compress Z
-AddEncoding x-gzip gz
+AddEncoding x-gzip gz tgz
#
-# AddLanguage allows you to specify the language of a document. You can
-# then use content negotiation to give a browser a file in a language
-# it can understand.
+# DefaultLanguage and AddLanguage allows you to specify the language of
+# a document. You can then use content negotiation to give a browser a
+# file in a language the user can understand.
+#
+# Specify a default language. This means that all data
+# going out without a specific language tag (see below) will
+# be marked with this one. You probably do NOT want to set
+# this unless you are sure it is correct for all cases.
+#
+# * It is generally better to not mark a page as
+# * being a certain language than marking it with the wrong
+# * language!
+#
+# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
-# Note 2: The example entries below illustrate that in quite
-# some cases the two character 'Language' abbriviation is not
-# identical to the two character 'Country' code for its country,
+# Note 2: The example entries below illustrate that in some cases
+# the two character 'Language' abbreviation is not identical to
+# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
-# specifier. But there is 'work in progress' to fix this and get
+# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
-# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
+# Danish (da) - Dutch (nl) - English (en) - Estonian (et)
# French (fr) - German (de) - Greek-Modern (el)
-# Italian (it) - Korean (kr) - Norwegian (no)
+# Italian (it) - Norwegian (no) - Norwegian Nynorsk (nn) - Korean (kr)
# Portugese (pt) - Luxembourgeois* (ltz)
# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
# Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
-# Russian (ru)
+# Russian (ru) - Croatian (hr)
#
-AddLanguage ca .ca
-AddLanguage cz .cz
AddLanguage da .dk
-AddLanguage de .de
+AddLanguage nl .nl
AddLanguage en .en
-AddLanguage el .el
-AddLanguage es .es
-AddLanguage et .ee
+AddLanguage et .et
AddLanguage fr .fr
+AddLanguage de .de
AddLanguage he .he
+AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
+AddLanguage pl .po
AddLanguage kr .kr
-AddLanguage ltz .lu
-AddLanguage nl .nl
+AddLanguage pt .pt
AddLanguage nn .nn
AddLanguage no .no
-AddLanguage pl .po
-AddLanguage pt .pt
AddLanguage pt-br .pt-br
+AddLanguage ltz .ltz
+AddLanguage ca .ca
+AddLanguage es .es
+AddLanguage sv .se
+AddLanguage cz .cz
AddLanguage ru .ru
-AddLanguage sv .sv
AddLanguage tw .tw
AddLanguage zh-tw .tw
-
-AddCharset Big5 .Big5 .big5
-AddCharset CP866 .cp866
-AddCharset ISO-8859-2 .iso-pl
-AddCharset ISO-8859-5 .iso-ru
-AddCharset ISO-8859-8 .iso8859-8
-AddCharset ISO-2022-JP .his
-AddCharset ISO-2022-KR .iso-kr
-AddCharset KOI8-R .koi8-r
-AddCharset UCS-2 .ucs2
-AddCharset UCS-4 .ucs4
-AddCharset UTF-8 .utf8
-AddCharset WINDOWS-1251 .cp-1251
+AddLanguage hr .hr
#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
-# Just list the languages in decreasing order of preference.
#
-LanguagePriority en pl fr de
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ltz ca es sv tw
#
-# AddType allows you to tweak mime.types without actually editing it, or to
-# make certain files to be certain types.
+# ForceLanguagePriority allows you to serve a result page rather than
+# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
+# [in case no accepted languages matched the available variants]
#
-# For example, the PHP 3.x module (not part of the Apache distribution - see
-# http://www.php.net) will typically use:
+ForceLanguagePriority Prefer Fallback
+
#
-#AddType application/x-httpd-php3 .php3
-#AddType application/x-httpd-php3-source .phps
+# Specify a default charset for all pages sent out. This is
+# always a good idea and opens the door for future internationalisation
+# of your web site, should you ever want it. Specifying it as
+# a default does little harm; as the standard dictates that a page
+# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
+# are merely stating the obvious. There are also some security
+# reasons in browsers, related to javascript and URL parsing
+# which encourage you to always set a default char set.
#
-# And for PHP 4.x, use:
+AddDefaultCharset ISO-8859-2
+
#
-#AddType application/x-httpd-php .php
-#AddType application/x-httpd-php-source .phps
+# Commonly used filename extensions to character sets. You probably
+# want to avoid clashes with the language extensions, unless you
+# are good at carefully testing your setup after each change.
+# See ftp://ftp.isi.edu/in-notes/iana/assignments/character-sets for
+# the official list of charset names and their respective RFCs
#
-#AddType application/x-tar .tgz
+AddCharset ISO-8859-1 .iso8859-1 .latin1
+AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+AddCharset ISO-8859-3 .iso8859-3 .latin3
+AddCharset ISO-8859-4 .iso8859-4 .latin4
+AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
+AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
+AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
+AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
+AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
+AddCharset ISO-2022-JP .iso2022-jp .jis
+AddCharset ISO-2022-KR .iso2022-kr .kis
+AddCharset ISO-2022-CN .iso2022-cn .cis
+AddCharset Big5 .Big5 .big5
+# For russian, more than one charset is used (depends on client, mostly):
+AddCharset WINDOWS-1251 .cp-1251 .win-1251
+AddCharset CP866 .cp866
+AddCharset KOI8-r .koi8-r .koi8-ru
+AddCharset KOI8-ru .koi8-uk .ua
+AddCharset ISO-10646-UCS-2 .ucs2
+AddCharset ISO-10646-UCS-4 .ucs4
+AddCharset UTF-8 .utf8
+# The set below does not map to a specific (iso) standard
+# but works on a fairly wide range of browsers. Note that
+# capitalization actually matters (it should not, but it
+# does for some browsers).
#
-# AddHandler allows you to map certain file extensions to "handlers",
-# actions unrelated to filetype. These can be either built into the server
-# or added with the Action command (see below)
+# See ftp://ftp.isi.edu/in-notes/iana/assignments/character-sets
+# for a list of sorts. But browsers support few.
#
-# If you want to use server side includes, or CGI outside
-# ScriptAliased directories, uncomment the following lines.
+AddCharset GB2312 .gb2312 .gb
+AddCharset utf-7 .utf7
+AddCharset utf-8 .utf8
+AddCharset big5 .big5 .b5
+AddCharset EUC-TW .euc-tw
+AddCharset EUC-JP .euc-jp
+AddCharset EUC-KR .euc-kr
+AddCharset shift_jis .sjis
+
#
-# To use CGI scripts:
+# AddType allows you to add to or override the MIME configuration
+# file mime.types for specific file types.
#
-AddHandler cgi-script .cgi
+AddType application/x-tar .tgz
#
-# To use server-parsed HTML files
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
#
-AddType text/html .shtml
-AddHandler server-parsed .shtml
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#
+#AddHandler cgi-script .cgi
#
-# Uncomment the following line to enable Apache's send-asis HTTP file
-# feature
+# For files that include their own HTTP headers:
#
-AddHandler send-as-is asis
+#AddHandler send-as-is asis
#
-# If you wish to use server-parsed imagemap files, use
+# For server-parsed imagemap files:
#
-AddHandler imap-file map
+#AddHandler imap-file map
#
-# To enable type maps, you might want to use
+# For type maps (negotiated resources):
+# (This is enabled by default to allow the Apache "It Worked" page
+# to be distributed in multiple languages.)
#
AddHandler type-map var
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#
+#AddOutputFilter INCLUDES .shtml
+
#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
#
#
-# MetaDir: specifies the name of the directory in which Apache can find
-# meta information files. These files contain additional HTTP headers
-# to include when sending the document
-#
-MetaDir .web
-
-#
-# MetaSuffix: specifies the file name suffix for the file containing the
-# meta information.
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
#
-MetaSuffix .meta
-
-#
-# Customizable error response (Apache style)
-# these come in three flavors
-#
-# 1) plain text
-#ErrorDocument 500 "The server made a boo boo.
-# n.b. the single leading (") marks it as text, it does not get output
-#
-# 2) local redirects
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
-# to redirect to local URL /missing.html
-#ErrorDocument 404 /cgi-bin/missing_handler.pl
-# N.B.: You can redirect to a script or a document using server-side-includes.
-#
-# 3) external redirects
-#ErrorDocument 402 http://some.other-server.com/subscription_info.html
-# N.B.: Many of the environment variables associated with the original
-# request will *not* be available to such a script.
-
-Alias /errordocs/ "/home/httpd/errordocs/"
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# Putting this all together, we can Internationalize error responses.
+#
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+#
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line;
+#
+# Alias /error/include/ "/your/include/path/"
+#
+# which allows you to create your own set of files by starting with the
+# /etc/httpd/httpd//include/ files and
+# copying them to /your/include/path/, even on a per-VirtualHost basis.
+#
+
+<IfModule mod_negotiation.c>
+<IfModule mod_include.c>
+ Alias /error/ "/home/services/httpd/error/"
+
+ <Directory "/home/services/httpd/error/">
+ AllowOverride None
+ Options IncludesNoExec
+ AddOutputFilter Includes html
+ AddHandler type-map var
+ Order allow,deny
+ Allow from all
+ LanguagePriority en es de fr
+ ForceLanguagePriority Prefer Fallback
+ </Directory>
+
+ ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ ErrorDocument 410 /error/HTTP_GONE.html.var
+ ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
-<Directory /home/httpd/errordocs/>
- AllowOverride none
- Options IncludesNoExec FollowSymLinks
-</Directory>
+</IfModule>
+</IfModule>
-ErrorDocument 400 /errordocs/400.shtml
-ErrorDocument 401 /errordocs/401.shtml
-ErrorDocument 403 /errordocs/403.shtml
-ErrorDocument 404 /errordocs/404.shtml
-ErrorDocument 405 /errordocs/405.shtml
-ErrorDocument 406 /errordocs/406.shtml
-ErrorDocument 408 /errordocs/408.shtml
-ErrorDocument 410 /errordocs/410.shtml
-ErrorDocument 411 /errordocs/411.shtml
-ErrorDocument 414 /errordocs/414.shtml
-ErrorDocument 500 /errordocs/500.shtml
-ErrorDocument 503 /errordocs/503.shtml
-
-# The following directives modify normal HTTP response behavior.
-# The first directive disables keepalive for Netscape 2.x and browsers that
-# spoof it. There are known problems with these browser implementations.
-# The second directive is for Microsoft Internet Explorer 4.0b2
-# which has a broken HTTP/1.1 implementation and does not properly
-# support keepalive when it is used on 301 or 302 (redirect) responses.
+#
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
-
-#
-# The following directive disables HTTP/1.1 responses to browsers which
-# are in violation of the HTTP/1.0 spec by not being able to grok a
-# basic 1.1 response.
-#
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
-# Allow remote server configuration reports, with the URL of
-# http://servername/server-info (requires that mod_info.c be loaded).
-# Change the ".your-domain.com" to match your domain to enable.
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash. This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
#
-#<Location /server-info>
-# SetHandler server-info
-# Order deny,allow
-# Deny from all
-# Allow from .your-domain.com
-#</Location>
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+
-#
-# There have been reports of people trying to abuse an old bug from pre-1.1
-# days. This bug involved a CGI script distributed as a part of Apache.
-# By uncommenting these lines you can redirect these attacks to a logging
-# script on phf.apache.org. Or, you can record them yourself, using the script
-# support/phf_abuse_log.cgi.
-#
-#<Location /cgi-bin/phf*>
-# Deny from all
-# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
-#</Location>
-LoadModule ssl_module lib/apache/libssl.so
-AddModule mod_ssl.c
-
-##--------------------------------------------------------------------------
-## Add additional SSL configuration directives which provide a
-## robust default configuration: virtual server on port 443
-## which speaks SSL.
-##--------------------------------------------------------------------------
-##
-## SSL Support
-##
-## When we also provide SSL we have to listen to the
-## standard HTTP port (see above) and to the HTTPS port
-##
+LoadModule ssl_module lib/apache/mod_ssl.so
+
+<IfModule mod_ssl.c>
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
+#
+# For the moment, see <URL:http://www.modssl.org/docs/> for this info.
+# The documents are still being prepared from material donated by the
+# modssl project.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+#<IfDefine SSL>
+
+# Until documentation is completed, please check http://www.modssl.org/
+# for additional config examples and module docmentation. Directives
+# and features of mod_ssl are largely unchanged from the mod_ssl project
+# for Apache 1.3.
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
+#
Listen 443
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# ErrorLog logs/dummy-host.example.com-error_log
+# CustomLog logs/dummy-host.example.com-access_log common
+
##
## SSL Global Context
##
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First either `none'
-# or `dbm:/path/to/file' for the mechanism to use and
-# second the expiring timeout (in seconds).
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
-#SSLSessionCache dbm:logs/ssl_scache
-SSLSessionCache shm:/var/run/ssl_scache(512000)
+#SSLSessionCache shmht:logs/ssl_scache(512000)
+#SSLSessionCache shmcb:logs/ssl_scache(512000)
+SSLSessionCache dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
-# Configure the path to the mutual explusion semaphore the
+# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
-SSLMutex file:/var/run/ssl_mutex
+SSLMutex file:logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
+##
+## SSL Virtual Host Context
+##
+
<VirtualHost _default_:443>
+
+# General setup for the virtual host
+DocumentRoot "/home/services/httpd/html"
+ServerName new.host.name:443
+ServerAdmin you@your.address
+ErrorLog /var/log/httpd/error_log
+TransferLog /var/log/httpd/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
SSLEngine on
-#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-SSLCertificateFile /etc/httpd/server.crt
-SSLCertificateKeyFile /etc/httpd/server.key
-#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
-#SSLCACertificatePath /etc/httpd/conf/ssl.crt
-#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
-#SSLCARevocationPath /etc/httpd/conf/ssl.crl
-#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A test
+# certificate can be generated with `make certificate' under
+# built time. Keep in mind that if you've both a RSA and a DSA
+# certificate you can configure both in parallel (to also allow
+# the use of DSA ciphers, etc.)
+SSLCertificateFile /etc/httpd/ssl/server.crt
+#SSLCertificateFile /etc/httpd/ssl/server-dsa.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/httpd/ssl/server.key
+#SSLCertificateKeyFile /etc/httpd/ssl/server-dsa.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+# Note: Inside SSLCACertificatePath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCACertificatePath /etc/httpd/ssl
+#SSLCACertificateFile /etc/httpd/ssl/ca-bundle.crt
+
+# Certificate Revocation Lists (CRL):
+# Set the CA revocation path where to find CA CRLs for client
+# authentication or alternatively one huge file containing all
+# of them (file must be PEM encoded)
+# Note: Inside SSLCARevocationPath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCARevocationPath /etc/httpd/ssl
+#SSLCARevocationFile /etc/httpd/ssl/ca-bundle.crl
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o CompatEnvVars:
+# This exports obsolete environment variables for backward compatibility
+# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
+# to provide compatibility to existing CGI scripts.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-<Files ~ "\.(cgi|shtml)$">
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
-<Directory "/home/httpd/html/cgi-bin">
+<Directory "//home/services/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
-SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
+
+
+</IfModule>
-LoadModule ssl_module lib/apache/libssl.so
-AddModule mod_ssl.c
-
-##--------------------------------------------------------------------------
-## Add additional SSL configuration directives which provide a
-## robust default configuration: virtual server on port 443
-## which speaks SSL.
-##--------------------------------------------------------------------------
-##
-## SSL Support
-##
-## When we also provide SSL we have to listen to the
-## standard HTTP port (see above) and to the HTTPS port
-##
+LoadModule ssl_module lib/apache/mod_ssl.so
+
+<IfModule mod_ssl.c>
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
+#
+# For the moment, see <URL:http://www.modssl.org/docs/> for this info.
+# The documents are still being prepared from material donated by the
+# modssl project.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+#<IfDefine SSL>
+
+# Until documentation is completed, please check http://www.modssl.org/
+# for additional config examples and module docmentation. Directives
+# and features of mod_ssl are largely unchanged from the mod_ssl project
+# for Apache 1.3.
+
+#
+# When we also provide SSL we have to listen to the
+# standard HTTP port (see above) and to the HTTPS port
+#
Listen 443
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# ErrorLog logs/dummy-host.example.com-error_log
+# CustomLog logs/dummy-host.example.com-access_log common
+
##
## SSL Global Context
##
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First either `none'
-# or `dbm:/path/to/file' for the mechanism to use and
-# second the expiring timeout (in seconds).
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
-#SSLSessionCache dbm:logs/ssl_scache
-SSLSessionCache shm:/var/run/ssl_scache(512000)
+#SSLSessionCache shmht:logs/ssl_scache(512000)
+#SSLSessionCache shmcb:logs/ssl_scache(512000)
+SSLSessionCache dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
-# Configure the path to the mutual explusion semaphore the
+# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
-SSLMutex file:/var/run/ssl_mutex
+SSLMutex file:logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
+##
+## SSL Virtual Host Context
+##
+
<VirtualHost _default_:443>
+
+# General setup for the virtual host
+DocumentRoot "/home/services/httpd/html"
+ServerName new.host.name:443
+ServerAdmin you@your.address
+ErrorLog /var/log/httpd/error_log
+TransferLog /var/log/httpd/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
SSLEngine on
-#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-SSLCertificateFile /etc/httpd/server.crt
-SSLCertificateKeyFile /etc/httpd/server.key
-#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
-#SSLCACertificatePath /etc/httpd/conf/ssl.crt
-#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
-#SSLCARevocationPath /etc/httpd/conf/ssl.crl
-#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A test
+# certificate can be generated with `make certificate' under
+# built time. Keep in mind that if you've both a RSA and a DSA
+# certificate you can configure both in parallel (to also allow
+# the use of DSA ciphers, etc.)
+SSLCertificateFile /etc/httpd/ssl/server.crt
+#SSLCertificateFile /etc/httpd/ssl/server-dsa.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/httpd/ssl/server.key
+#SSLCertificateKeyFile /etc/httpd/ssl/server-dsa.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+# Note: Inside SSLCACertificatePath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCACertificatePath /etc/httpd/ssl
+#SSLCACertificateFile /etc/httpd/ssl/ca-bundle.crt
+
+# Certificate Revocation Lists (CRL):
+# Set the CA revocation path where to find CA CRLs for client
+# authentication or alternatively one huge file containing all
+# of them (file must be PEM encoded)
+# Note: Inside SSLCARevocationPath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCARevocationPath /etc/httpd/ssl
+#SSLCARevocationFile /etc/httpd/ssl/ca-bundle.crl
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o CompatEnvVars:
+# This exports obsolete environment variables for backward compatibility
+# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
+# to provide compatibility to existing CGI scripts.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-<Files ~ "\.(cgi|shtml)$">
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
-<Directory "/home/httpd/html/cgi-bin">
+<Directory "//home/services/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
-SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
+
+
+</IfModule>
projects / packages / apache.git / commitdiff