File:  [LON-CAPA] / nsdl / nsdlloncapaorg / httpd.conf
Revision 1.1
Tue Jul 29 15:10:31 2003 UTC (21 years, 2 months ago) by www
Branches: MAIN
CVS tags: HEAD
Working.

    1: #
    2: # Based upon the NCSA server configuration files originally by Rob McCool.
    3: #
    4: # This is the main Apache server configuration file.  It contains the
    5: # configuration directives that give the server its instructions.
    6: # See <URL:http://www.apache.org/docs/> for detailed information about
    7: # the directives.
    8: #
    9: # Do NOT simply read the instructions in here without understanding
   10: # what they do.  They're here only as hints or reminders.  If you are unsure
   11: # consult the online docs. You have been warned.  
   12: #
   13: # After this file is processed, the server will look for and process
   14: # /etc/httpd/conf/srm.conf and then /etc/httpd/conf/access.conf
   15: # unless you have overridden these with ResourceConfig and/or
   16: # AccessConfig directives here.
   17: #
   18: # The configuration directives are grouped into three basic sections:
   19: #  1. Directives that control the operation of the Apache server process as a
   20: #     whole (the 'global environment').
   21: #  2. Directives that define the parameters of the 'main' or 'default' server,
   22: #     which responds to requests that aren't handled by a virtual host.
   23: #     These directives also provide default values for the settings
   24: #     of all virtual hosts.
   25: #  3. Settings for virtual hosts, which allow Web requests to be sent to
   26: #     different IP addresses or hostnames and have them handled by the
   27: #     same Apache server process.
   28: #
   29: # Configuration and logfile names: If the filenames you specify for many
   30: # of the server's control files begin with "/" (or "drive:/" for Win32), the
   31: # server will use that explicit path.  If the filenames do *not* begin
   32: # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
   33: # with ServerRoot set to "/usr/local/apache" will be interpreted by the
   34: # server as "/usr/local/apache/logs/foo.log".
   35: #
   36: 
   37: ### Section 1: Global Environment
   38: #
   39: # The directives in this section affect the overall operation of Apache,
   40: # such as the number of concurrent requests it can handle or where it
   41: # can find its configuration files.
   42: #
   43: 
   44: #
   45: # ServerType is either inetd, or standalone.  Inetd mode is only supported on
   46: # Unix platforms.
   47: #
       # NOTE(review): in standalone mode the Port, User and Group directives in
       # Section 2 take effect; the comment ahead of Port says inetd ignores them.
   48: ServerType standalone
   49: 
   50: #
   51: # ServerRoot: The top of the directory tree under which the server's
   52: # configuration, error, and log files are kept.
   53: #
   54: # NOTE!  If you intend to place this on an NFS (or otherwise network)
   55: # mounted filesystem then please read the LockFile documentation
   56: # (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
   57: # you will save yourself a lot of trouble.
   58: #
   59: # Do NOT add a slash at the end of the directory path.
   60: #
       # Relative paths used in this file (logs/..., modules/..., conf/...) are
       # resolved under this directory.
       # NOTE(review): keep this tree writable by root only; ownership cannot be
       # checked from this file, so confirm it on the host.
   61: ServerRoot "/etc/httpd"
   62: 
   63: #
   64: # The LockFile directive sets the path to the lockfile used when Apache
   65: # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
   66: # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
   67: # its default value. The main reason for changing it is if the logs
   68: # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
   69: # DISK. The PID of the main server process is automatically appended to
   70: # the filename. 
   71: #
   72: LockFile /var/run/httpd.lock
   73: 
   74: #
   75: # PidFile: The file in which the server should record its process
   76: # identification number when it starts.
   77: #
   78: PidFile /var/run/httpd.pid
   79: 
   80: #
   81: # ScoreBoardFile: File used to store internal server process information.
   82: # Not all architectures require this.  But if yours does (you'll know because
   83: # this file will be  created when you run Apache) then you *must* ensure that
   84: # no two invocations of Apache share the same scoreboard file.
   85: #
       # Relative path: with the ServerRoot above this is
       # /etc/httpd/logs/apache_runtime_status.
   86: ScoreBoardFile logs/apache_runtime_status
   87: 
   88: #
   89: # In the standard configuration, the server will process httpd.conf (this 
   90: # file, specified by the -f command line option), srm.conf, and access.conf 
   91: # in that order.  The latter two files are now distributed empty, as it is 
   92: # recommended that all directives be kept in a single file for simplicity.  
   93: # The commented-out values below are the built-in defaults.  You can have the 
   94: # server ignore these files altogether by using "/dev/null" (for Unix) or
   95: # "nul" (for Win32) for the arguments to the directives.
   96: #
   97: #ResourceConfig conf/srm.conf
   98: #AccessConfig conf/access.conf
   99: 
  100: #
  101: # Timeout: The number of seconds before receives and sends time out.
  102: #
       # NOTE(review): a stalled connection can keep one of the MaxClients
       # slots (set further down) busy for up to this long; consider a lower
       # value if exhaustion by slow clients is a concern for this host.
  103: Timeout 300
  104: 
  105: #
  106: # KeepAlive: Whether or not to allow persistent connections (more than
  107: # one request per connection). Set to "Off" to deactivate.
  108: #
  109: KeepAlive Off
  110: 
  111: #
  112: # MaxKeepAliveRequests: The maximum number of requests to allow
  113: # during a persistent connection. Set to 0 to allow an unlimited amount.
  114: # We recommend you leave this number high, for maximum performance.
  115: #
       # Has no effect while KeepAlive is Off above.
  116: MaxKeepAliveRequests 100
  117: 
  118: #
  119: # KeepAliveTimeout: Number of seconds to wait for the next request from the
  120: # same client on the same connection.
  121: #
       # Has no effect while KeepAlive is Off above.
  122: KeepAliveTimeout 15
  123: 
  124: #
  125: # Server-pool size regulation.  Rather than making you guess how many
  126: # server processes you need, Apache dynamically adapts to the load it
  127: # sees --- that is, it tries to maintain enough server processes to
  128: # handle the current load, plus a few spare servers to handle transient
  129: # load spikes (e.g., multiple simultaneous requests from a single
  130: # Netscape browser).
  131: #
  132: # It does this by periodically checking how many servers are waiting
  133: # for a request.  If there are fewer than MinSpareServers, it creates
  134: # a new spare.  If there are more than MaxSpareServers, some of the
  135: # spares die off.  The default values are probably OK for most sites.
  136: #
  137: MinSpareServers 5
  138: MaxSpareServers 20
  139: 
  140: #
  141: # Number of servers to start initially --- should be a reasonable ballpark
  142: # figure.
  143: #
  144: StartServers 8
  145: 
  146: #
  147: # Limit on total number of servers running, i.e., limit on the number
  148: # of clients who can simultaneously connect --- if this limit is ever
  149: # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
  150: # It is intended mainly as a brake to keep a runaway server from taking
  151: # the system with it as it spirals down...
  152: #
       # NOTE(review): this is the only connection limit that is always active
       # in the part of the file shown here; mod_bandwidth and mod_throttle are
       # loaded only when HAVE_BANDWIDTH / HAVE_THROTTLE are defined.
  153: MaxClients 150
  154: 
  155: #
  156: # MaxRequestsPerChild: the number of requests each child process is
  157: # allowed to process before the child dies.  The child will exit so
  158: # as to avoid problems after prolonged use when Apache (and maybe the
  159: # libraries it uses) leak memory or other resources.  On most systems, this
  160: # isn't really needed, but a few (such as Solaris) do have notable leaks
  161: # in the libraries. For these platforms, set to something like 10000
  162: # or so; a setting of 0 means unlimited.
  163: #
  164: # NOTE: This value does not include keepalive requests after the initial
  165: #       request per connection. For example, if a child process handles
  166: #       an initial request and 10 subsequent "keptalive" requests, it
  167: #       would only count as 1 request towards this limit.
  168: #
  169: MaxRequestsPerChild 1000
  170: 
  171: #
  172: # Listen: Allows you to bind Apache to specific IP addresses and/or
  173: # ports, in addition to the default. See also the <VirtualHost>
  174: # directive.
  175: #
  176: #Listen 3000
  177: #Listen 12.34.56.78:80
  178: #Listen 80
  179: 
  180: #
  181: # BindAddress: You can support virtual hosts with this option. This directive
  182: # is used to tell the server which IP address to listen to. It can either
  183: # contain "*", an IP address, or a fully qualified Internet domain name.
  184: # See also the <VirtualHost> and Listen directives.
  185: #
  186: #BindAddress *
  187: 
  188: #
  189: # Dynamic Shared Object (DSO) Support
  190: #
  191: # To be able to use the functionality of a module which was built as a DSO you
  192: # have to place corresponding `LoadModule' lines at this location so the
  193: # directives contained in it are actually available _before_ they are used.
  194: # Please read the file http://httpd.apache.org/docs/dso.html for more
  195: # details about the DSO mechanism and run `httpd -l' for the list of already
  196: # built-in (statically linked and thus always available) modules in your httpd
  197: # binary.
  198: #
  199: # Note: The order in which modules are loaded is important.  Don't change
  200: # the order below without expert advice.
  201: #
  202: # Example:
  203: # LoadModule foo_module modules/mod_foo.so
  204: 
       # NOTE(review): every module loaded here adds request-handling surface;
       # confirm each one is needed on this host. In particular:
       #  - mod_status / mod_info report server internals and the parsed
       #    configuration once their handlers are mapped. No handler is mapped
       #    in the part of the file shown here; check the rest of the file and
       #    restrict any such <Location> by address.
       #  - mod_userdir is loaded although the UserDir lines in Section 2 are
       #    commented out.
       #  - mod_autoindex, mod_include and mod_cgi provide directory listings,
       #    SSI and CGI execution, each gated by the Options set per directory.
       # Each <IfDefine HAVE_*> container loads its module only when httpd is
       # started with the matching -D flag.
  205: #LoadModule mmap_static_module modules/mod_mmap_static.so
  206: LoadModule vhost_alias_module modules/mod_vhost_alias.so
  207: <IfDefine HAVE_BANDWIDTH>
  208: LoadModule bandwidth_module   modules/mod_bandwidth.so
  209: </IfDefine>
  210: <IfDefine HAVE_THROTTLE>
  211: LoadModule throttle_module    modules/mod_throttle.so
  212: </IfDefine>
  213: LoadModule env_module         modules/mod_env.so
  214: LoadModule config_log_module  modules/mod_log_config.so
  215: LoadModule agent_log_module   modules/mod_log_agent.so
  216: LoadModule referer_log_module modules/mod_log_referer.so
  217: #LoadModule mime_magic_module  modules/mod_mime_magic.so
  218: LoadModule mime_module        modules/mod_mime.so
  219: LoadModule negotiation_module modules/mod_negotiation.so
  220: LoadModule status_module      modules/mod_status.so
  221: LoadModule info_module        modules/mod_info.so
  222: LoadModule includes_module    modules/mod_include.so
  223: LoadModule autoindex_module   modules/mod_autoindex.so
  224: LoadModule dir_module         modules/mod_dir.so
  225: LoadModule cgi_module         modules/mod_cgi.so
  226: LoadModule asis_module        modules/mod_asis.so
  227: LoadModule imap_module        modules/mod_imap.so
  228: LoadModule action_module      modules/mod_actions.so
  229: #LoadModule speling_module     modules/mod_speling.so
  230: LoadModule userdir_module     modules/mod_userdir.so
  231: LoadModule alias_module       modules/mod_alias.so
  232: LoadModule rewrite_module     modules/mod_rewrite.so
  233: LoadModule access_module      modules/mod_access.so
  234: LoadModule auth_module        modules/mod_auth.so
  235: LoadModule anon_auth_module   modules/mod_auth_anon.so
  236: LoadModule db_auth_module     modules/mod_auth_db.so
  237: #LoadModule auth_any_module    modules/mod_auth_any.so
  238: #LoadModule dbm_auth_module    modules/mod_auth_dbm.so
  239: #LoadModule auth_ldap_module   modules/mod_auth_ldap.so
  240: #LoadModule mysql_auth_module  modules/mod_auth_mysql.so
  241: #LoadModule auth_pgsql_module  modules/mod_auth_pgsql.so
  242: #LoadModule digest_module      modules/mod_digest.so
  243: #LoadModule proxy_module       modules/libproxy.so
  244: #LoadModule cern_meta_module   modules/mod_cern_meta.so
  245: LoadModule expires_module     modules/mod_expires.so
  246: LoadModule headers_module     modules/mod_headers.so
  247: #LoadModule usertrack_module   modules/mod_usertrack.so
  248: #LoadModule example_module     modules/mod_example.so
  249: #LoadModule unique_id_module   modules/mod_unique_id.so
  250: LoadModule setenvif_module    modules/mod_setenvif.so
  251: <IfDefine HAVE_PERL>
  252: LoadModule perl_module        modules/libperl.so
  253: </IfDefine>
  254: <IfDefine HAVE_PHP>
  255: LoadModule php_module         modules/mod_php.so
  256: </IfDefine>
  257: <IfDefine HAVE_PHP3>
  258: LoadModule php3_module        modules/libphp3.so
  259: </IfDefine>
  260: <IfDefine HAVE_PHP4>
  261: LoadModule php4_module        modules/libphp4.so
  262: </IfDefine>
  263: <IfDefine HAVE_DAV>
  264: LoadModule dav_module         modules/libdav.so
  265: </IfDefine>
  266: <IfDefine HAVE_ROAMING>
  267: LoadModule roaming_module     modules/mod_roaming.so
  268: </IfDefine>
  269: <IfDefine HAVE_SSL>
  270: LoadModule ssl_module         modules/libssl.so
  271: </IfDefine>
  272: <IfDefine HAVE_PUT>
  273: LoadModule put_module         modules/mod_put.so
  274: </IfDefine>
  275: <IfDefine HAVE_PYTHON>
  276: LoadModule python_module      modules/mod_python.so
  277: </IfDefine>
  278: 
  279: #  Reconstruction of the complete module list from all available modules
  280: #  (static and shared ones) to achieve correct module execution order.
  281: #  [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
       #  NOTE(review): ClearModuleList empties the active module list, so a
       #  module that has a LoadModule line above but no AddModule line here
       #  stays inactive; keep the two lists in step when disabling a module.
       #  mod_so.c is added here without a LoadModule line -- presumably it is
       #  compiled into the binary, since it is the module that implements
       #  LoadModule.
  282: ClearModuleList
  283: #AddModule mod_mmap_static.c
  284: AddModule mod_vhost_alias.c
  285: <IfDefine HAVE_BANDWIDTH>
  286: AddModule mod_bandwidth.c
  287: </IfDefine>
  288: <IfDefine HAVE_THROTTLE>
  289: AddModule mod_throttle.c
  290: </IfDefine>
  291: AddModule mod_env.c
  292: AddModule mod_log_config.c
  293: AddModule mod_log_agent.c
  294: AddModule mod_log_referer.c
  295: #AddModule mod_mime_magic.c
  296: AddModule mod_mime.c
  297: AddModule mod_negotiation.c
  298: AddModule mod_status.c
  299: AddModule mod_info.c
  300: AddModule mod_include.c
  301: AddModule mod_autoindex.c
  302: AddModule mod_dir.c
  303: AddModule mod_cgi.c
  304: AddModule mod_asis.c
  305: AddModule mod_imap.c
  306: AddModule mod_actions.c
  307: #AddModule mod_speling.c
  308: AddModule mod_userdir.c
  309: AddModule mod_alias.c
  310: AddModule mod_rewrite.c
  311: AddModule mod_access.c
  312: AddModule mod_auth.c
  313: AddModule mod_auth_anon.c
  314: AddModule mod_auth_db.c
  315: #AddModule mod_auth_any.c
  316: #AddModule mod_auth_dbm.c
  317: #AddModule auth_ldap.c
  318: #AddModule mod_auth_mysql.c
  319: #AddModule mod_auth_pgsql.c
  320: #AddModule mod_digest.c
  321: #AddModule mod_proxy.c
  322: #AddModule mod_cern_meta.c
  323: AddModule mod_expires.c
  324: AddModule mod_headers.c
  325: #AddModule mod_usertrack.c
  326: #AddModule mod_example.c
  327: #AddModule mod_unique_id.c
  328: AddModule mod_so.c
  329: AddModule mod_setenvif.c
  330: <IfDefine HAVE_PERL>
  331: AddModule mod_perl.c
  332: </IfDefine>
  333: <IfDefine HAVE_PHP>
  334: AddModule mod_php.c
  335: </IfDefine>
  336: <IfDefine HAVE_PHP3>
  337: AddModule mod_php3.c
  338: </IfDefine>
  339: <IfDefine HAVE_PHP4>
  340: AddModule mod_php4.c
  341: </IfDefine>
  342: <IfDefine HAVE_DAV>
  343: AddModule mod_dav.c
  344: </IfDefine>
  345: <IfDefine HAVE_ROAMING>
  346: AddModule mod_roaming.c
  347: </IfDefine>
  348: <IfDefine HAVE_SSL>
  349: AddModule mod_ssl.c
  350: </IfDefine>
  351: <IfDefine HAVE_PUT>
  352: AddModule mod_put.c
  353: </IfDefine>
  354: <IfDefine HAVE_PYTHON>
  355: AddModule mod_python.c
  356: </IfDefine>
  357: 
  358: #
  359: # ExtendedStatus controls whether Apache will generate "full" status
  360: # information (ExtendedStatus On) or just basic information (ExtendedStatus
  361: # Off) when the "server-status" handler is called. The default is Off.
  362: #
  363: #ExtendedStatus On
  364: 
  365: ### Section 2: 'Main' server configuration
  366: #
  367: # The directives in this section set up the values used by the 'main'
  368: # server, which responds to any requests that aren't handled by a
  369: # <VirtualHost> definition.  These values also provide defaults for
  370: # any <VirtualHost> containers you may define later in the file.
  371: #
  372: # All of these directives may appear inside <VirtualHost> containers,
  373: # in which case these default settings will be overridden for the
  374: # virtual host being defined.
  375: #
  376: 
  377: #
  378: # If your ServerType directive (set earlier in the 'Global Environment'
  379: # section) is set to "inetd", the next few directives don't have any
  380: # effect since their settings are defined by the inetd configuration.
  381: # Skip ahead to the ServerAdmin directive.
  382: #
  383: 
  384: #
  385: # Port: The port to which the standalone server listens. For
  386: # ports below 1024, you will need httpd to be run as root initially.
  387: #
  388: Port 80
  389: 
  390: ##
  391: ##  SSL Support
  392: ##
  393: ##  When we also provide SSL we have to listen to the 
  394: ##  standard HTTP port (see above) and to the HTTPS port
  395: ##
       ##  NOTE(review): these Listen lines apply only when httpd is started
       ##  with HAVE_SSL defined, and port 80 stays plain HTTP in that case.
       ##  The SSL virtual host itself is not in the part of the file shown
       ##  here.
  396: <IfDefine HAVE_SSL>
  397: Listen 80
  398: Listen 443
  399: </IfDefine>
  400: 
  401: #
  402: # If you wish httpd to run as a different user or group, you must run
  403: # httpd as root initially and it will switch.  
  404: #
  405: # User/Group: The name (or #number) of the user/group to run httpd as.
  406: #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
  407: #  . On HPUX you may not be able to use shared memory as nobody, and the
  408: #    suggested workaround is to create a user www and use that user.
  409: #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
  410: #  when the value of (unsigned)Group is above 60000; 
  411: #  don't use Group "#-1" on these systems!
  412: #
       # Requests are handled as this account after the server has started as
       # root (required for Port 80, see above).
       # NOTE(review): the "apache" account should own neither the configuration
       # nor the module or log directories -- confirm on the host.
  413: User apache
  414: Group apache
  415: 
  416: #
  417: # ServerAdmin: Your address, where problems with the server should be
  418: # e-mailed.  This address appears on some server-generated pages, such
  419: # as error documents.
  420: #
       # NOTE(review): root@localhost looks like a placeholder that remote users
       # cannot reach; replace it with a monitored address. ServerSignature is
       # On (not EMail) further down, so no mailto: footer is added there.
  421: ServerAdmin root@localhost
  422: 
  423: #
  424: # ServerName allows you to set a host name which is sent back to clients for
  425: # your server if it's different than the one the program would get (i.e., use
  426: # "www" instead of the host's real name).
  427: #
  428: # Note: You cannot just invent host names and hope they work. The name you 
  429: # define here must be a valid DNS name for your host. If you don't understand
  430: # this, ask your network administrator.
  431: # If your host doesn't have a registered DNS name, enter its IP address here.
  432: # You will have to access it by its address (e.g., http://123.45.67.89/)
  433: # anyway, and this will make redirections work in a sensible way.
  434: #
  435: # 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your 
  436: # machine always knows itself by this address. If you use Apache strictly for 
  437: # local testing and development, you may use 127.0.0.1 as the server name.
  438: #
       # With UseCanonicalName On (set further down) this name, rather than the
       # host name supplied by the client, is used in self-referencing URLs.
  439: ServerName nsdl.lon-capa.org
  440: 
  441: #
  442: # DocumentRoot: The directory out of which you will serve your
  443: # documents. By default, all requests are taken from this directory, but
  444: # symbolic links and aliases may be used to point to other locations.
  445: #
       # Access rules for this tree are set in the <Directory "/var/www/html">
       # container below.
  446: DocumentRoot "/var/www/html"
  447: 
  448: #
  449: # Each directory to which Apache has access, can be configured with respect
  450: # to which services and features are allowed and/or disabled in that
  451: # directory (and its subdirectories). 
  452: #
  453: # First, we configure the "default" to be a very restrictive set of 
  454: # permissions.  
  455: #
       # NOTE(review): this container limits Options and turns .htaccess
       # overrides off, but it has no Order/Deny lines, so host access for the
       # filesystem root is left at the server default rather than denied.
       # Apache's security tips suggest "Order deny,allow" plus "Deny from all"
       # here, with an explicit Allow in each directory meant to be served;
       # check every <Directory>, Alias and ScriptAlias in the file before
       # adding that. FollowSymLinks at this level is inherited by any served
       # directory that does not set its own Options.
  456: <Directory />
  457:     Options FollowSymLinks
  458:     AllowOverride None
  459: </Directory>
  460: 
  461: #
  462: # Note that from this point forward you must specifically allow
  463: # particular features to be enabled - so if something's not working as
  464: # you might expect, make sure that you have specifically enabled it
  465: # below.
  466: #
  467: 
  468: #
  469: # This should be changed to whatever you set DocumentRoot to.
  470: #
  471: <Directory "/var/www/html">
  472: 
  473: #
  474: # This may also be "None", "All", or any combination of "Indexes",
  475: # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
  476: #
  477: # Note that "MultiViews" must be named *explicitly* --- "Options All"
  478: # doesn't give it to you.
  479: #
       # NOTE(review): Indexes produces a directory listing wherever none of the
       # DirectoryIndex files is present; drop it if listings are not intended.
       # FollowSymLinks, unlike SymLinksIfOwnerMatch, follows a symlink whoever
       # owns its target, so a link placed in this tree can expose files
       # outside it.
  480:     Options Indexes FollowSymLinks
  481: 
  482: #
  483: # This controls which options the .htaccess files in directories can
  484: # override. Can also be "All", or any combination of "Options", "FileInfo", 
  485: # "AuthConfig", and "Limit"
  486: #
  487:     AllowOverride None
  488: 
  489: #
  490: # Controls who can get stuff from this server.
  491: #
       # With "Order allow,deny" and no Deny line, "Allow from all" admits every
       # client address.
  492:     Order allow,deny
  493:     Allow from all
  494: </Directory>
  495: 
  496: #
  497: # UserDir: The name of the directory which is appended onto a user's home
  498: # directory if a ~user request is received.
  499: #
  500: # The path to the end user account 'public_html' directory must be
  501: # accessible to the webserver userid.  This usually means that ~userid
  502: # must have permissions of 711, ~userid/public_html must have permissions
  503: # of 755, and documents contained therein must be world-readable.
  504: # Otherwise, the client will only receive a "403 Forbidden" message.
  505: #
  506: # See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
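  507: #
       # NOTE(review): mod_userdir is loaded in Section 1, and Apache 1.3
       # documents "UserDir public_html" as the built-in default, so leaving the
       # lines below commented out presumably does not switch ~user mapping off.
       # "UserDir disabled" is the explicit way to do that; confirm the intent.
       #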
  508: #<IfModule mod_userdir.c>
  509: #    UserDir public_html
  510: #</IfModule>
  511: 
  512: #
  513: # Control access to UserDir directories.  The following is an example
  514: # for a site where these directories are restricted to read-only.
  515: #
  516: #<Directory /home/*/public_html>
  517: #    AllowOverride FileInfo AuthConfig Limit
  518: #    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
  519: #    <Limit GET POST OPTIONS PROPFIND>
  520: #        Order allow,deny
  521: #        Allow from all
  522: #    </Limit>
  523: #    <LimitExcept GET POST OPTIONS PROPFIND>
  524: #        Order deny,allow
  525: #        Deny from all
  526: #    </LimitExcept>
  527: #</Directory>
  528: 
  529: #
  530: # DirectoryIndex: Name of the file or files to use as a pre-written HTML
  531: # directory index.  Separate multiple entries with spaces.
  532: #
       # NOTE(review): index.cgi and the index.php* names are only executed
       # where a handler for them is active. DocumentRoot's Options above do
       # not include ExecCGI, and the PHP modules load only under the
       # HAVE_PHP* defines, so confirm such files cannot be returned as source.
  533: <IfModule mod_dir.c>
  534:     DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.phtml index.cgi
  535: </IfModule>
  536: 
  537: #
  538: # AccessFileName: The name of the file to look for in each directory
  539: # for access control information.
  540: #
       # Every <Directory> container in the part of the file shown here sets
       # AllowOverride None, so these files are not consulted in those trees.
  541: AccessFileName .htaccess
  542: 
  543: #
  544: # The following lines prevent .htaccess files from being viewed by
  545: # Web clients.  Since .htaccess files often contain authorization
  546: # information, access is disallowed for security reasons.  Comment
  547: # these lines out if you want Web visitors to see the contents of
  548: # .htaccess files.  If you change the AccessFileName directive above,
  549: # be sure to make the corresponding changes here.
  550: #
  551: # Also, folks tend to use names such as .htpasswd for password
  552: # files, so this will protect those as well.
  553: #
       # How the block denies: under "Order allow,deny" with no Allow line,
       # "Deny from all" rejects every client address, and "Satisfy All" keeps
       # a successful login configured elsewhere from standing in for the host
       # check. The pattern matches any file name that starts with ".ht".
  554: <Files ~ "^\.ht">
  555:     Order allow,deny
  556:     Deny from all
  557:     Satisfy All
  558: </Files>
  559: 
  560: #
  561: # CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
  562: # document that was negotiated on the basis of content. This asks proxy
  563: # servers not to cache the document. Uncommenting the following line disables
  564: # this behavior, and proxies will be allowed to cache the documents.
  565: #
  566: #CacheNegotiatedDocs
  567: 
  568: #
  569: # UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
  570: # Apache needs to construct a self-referencing URL (a URL that refers back
  571: # to the server the response is coming from) it will use ServerName and
  572: # Port to form a "canonical" name.  With this setting off, Apache will
  573: # use the hostname:port that the client supplied, when possible.  This
  574: # also affects SERVER_NAME and SERVER_PORT in CGI scripts.
  575: #
       # On means redirects and other self-referencing URLs are built from
       # ServerName (nsdl.lon-capa.org) and Port, not from the host name the
       # client sent.
  576: UseCanonicalName On
  577: 
  578: #
  579: # TypesConfig describes where the mime.types file (or equivalent) is
  580: # to be found.
  581: #
  582: <IfModule mod_mime.c>
  583:     TypesConfig /etc/mime.types
  584: </IfModule>
  585: 
  586: #
  587: # DefaultType is the default MIME type the server will use for a document
  588: # if it cannot otherwise determine one, such as from filename extensions.
  589: # If your server contains mostly text or HTML documents, "text/plain" is
  590: # a good value.  If most of your content is binary, such as applications
  591: # or images, you may want to use "application/octet-stream" instead to
  592: # keep browsers from trying to display binary files as though they are
  593: # text.
  594: #
       # NOTE(review): a file whose type cannot be determined is sent as
       # readable text. That presumably includes script or backup files with
       # unmapped extensions -- confirm none sit under DocumentRoot.
  595: DefaultType text/plain
  596: 
  597: #
  598: # The mod_mime_magic module allows the server to use various hints from the
  599: # contents of the file itself to determine its type.  The MIMEMagicFile
  600: # directive tells the module where the hint definitions are located.
  601: # mod_mime_magic is not part of the default server (you have to add
  602: # it yourself with a LoadModule [see the DSO paragraph in the 'Global
  603: # Environment' section], or recompile the server and include mod_mime_magic
  604: # as part of the configuration), so it's enclosed in an <IfModule> container.
  605: # This means that the MIMEMagicFile directive will only be processed if the
  606: # module is part of the server.
  607: #
       # NOTE(review): the LoadModule and AddModule lines for mod_mime_magic are
       # commented out in Section 1, so this container is skipped unless the
       # module is compiled into the binary.
  608: <IfModule mod_mime_magic.c>
  609: #   MIMEMagicFile /usr/share/magic.mime
  610:     MIMEMagicFile conf/magic
  611: </IfModule>
  612: 
  613: #
  614: # HostnameLookups: Log the names of clients or just their IP addresses
  615: # e.g., www.apache.org (on) or 204.62.129.132 (off).
  616: # The default is off because it'd be overall better for the net if people
  617: # had to knowingly turn this feature on, since enabling it means that
  618: # each client request will result in AT LEAST one lookup request to the
  619: # nameserver.
  620: #
       # With Off, the access log records client IP addresses rather than names.
  621: HostnameLookups Off
  622: 
  623: #
  624: # ErrorLog: The location of the error log file.
  625: # If you do not specify an ErrorLog directive within a <VirtualHost>
  626: # container, error messages relating to that virtual host will be
  627: # logged here.  If you *do* define an error logfile for a <VirtualHost>
  628: # container, that host's errors will be logged there and not here.
  629: #
       # Relative path: with ServerRoot "/etc/httpd" this is
       # /etc/httpd/logs/error_log.
       # NOTE(review): keep the logs directory writable by root only; confirm
       # ownership on the host, it cannot be checked from this file.
  630: ErrorLog logs/error_log
  631: 
  632: #
  633: # LogLevel: Control the number of messages logged to the error_log.
  634: # Possible values include: debug, info, notice, warn, error, crit,
  635: # alert, emerg.
  636: #
  637: LogLevel warn
  638: 
  639: #
  640: # The following directives define some format nicknames for use with
  641: # a CustomLog directive (see below).
  642: #
       # NOTE(review): the request line (%r) and the Referer and User-Agent
       # headers are copied from the client; treat those fields as untrusted
       # text in any tool that parses or displays these logs.
  643: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  644: LogFormat "%h %l %u %t \"%r\" %>s %b" common
  645: LogFormat "%{Referer}i -> %U" referer
  646: LogFormat "%{User-agent}i" agent
  647: 
  648: #
  649: # The location and format of the access logfile (Common Logfile Format).
  650: # If you do not define any access logfiles within a <VirtualHost>
  651: # container, they will be logged here.  Contrariwise, if you *do*
  652: # define per-<VirtualHost> access logfiles, transactions will be
  653: # logged therein and *not* in this file.
  654: #
       # The active line below uses the "combined" nickname, not the Common
       # Logfile Format named above; the commented line is the common-format
       # alternative.
  655: # CustomLog /var/log/httpd/access_log common
  656: CustomLog logs/access_log combined
  657: 
  658: #
  659: # If you would like to have agent and referer logfiles, uncomment the
  660: # following directives.
  661: #
  662: #CustomLog logs/referer_log referer
  663: #CustomLog logs/agent_log agent
  664: 
  665: #
  666: # If you prefer a single logfile with access, agent, and referer information
  667: # (Combined Logfile Format) you can use the following directive.
  668: #
  669: #CustomLog logs/access_log combined
  670: 
  671: #
  672: # Optionally add a line containing the server version and virtual host
  673: # name to server-generated pages (error documents, FTP directory listings,
  674: # mod_status and mod_info output etc., but not CGI generated documents).
  675: # Set to "EMail" to also include a mailto: link to the ServerAdmin.
  676: # Set to one of:  On | Off | EMail
  677: #
       # NOTE(review): On adds the server version and host name to error pages
       # and directory listings, which helps fingerprinting; "Off" removes that
       # footer. The Server response header is governed separately by
       # ServerTokens, which is not set in the part of the file shown here.
  678: ServerSignature On
  679: 
  680: # EBCDIC configuration:
  681: # (only for mainframes using the EBCDIC codeset, currently one of:
  682: # Fujitsu-Siemens' BS2000/OSD, IBM's OS/390 and IBM's TPF)!!
  683: # The following default configuration assumes that "text files"
  684: # are stored in EBCDIC (so that you can operate on them using the
  685: # normal POSIX tools like grep and sort) while "binary files" are
  686: # stored with identical octets as on an ASCII machine.
  687: #
  688: # The directives are evaluated in configuration file order, with
  689: # the EBCDICConvert directives applied before EBCDICConvertByType.
  690: #
  691: # If you want to have ASCII HTML documents and EBCDIC HTML documents
  692: # at the same time, you can use the file extension to force
  693: # conversion off for the ASCII documents:
  694: # > AddType       text/html .ahtml
  695: # > EBCDICConvert Off=InOut .ahtml
  696: #
  697: # EBCDICConvertByType  On=InOut text/* message/* multipart/*
  698: # EBCDICConvertByType  On=In    application/x-www-form-urlencoded
  699: # EBCDICConvertByType  On=InOut application/postscript model/vrml
  700: # EBCDICConvertByType Off=InOut */*
  701: 
  702: 
  703: #
  704: # Aliases: Add here as many aliases as you need (with no limit). The format is 
  705: # Alias fakename realname
  706: #
  707: <IfModule mod_alias.c>
  708: 
  709:     #
  710:     # Note that if you include a trailing / on fakename then the server will
  711:     # require it to be present in the URL.  So "/icons" isn't aliased in this
  712:     # example, only "/icons/".  If the fakename is slash-terminated, then the 
  713:     # realname must also be slash terminated, and if the fakename omits the 
  714:     # trailing slash, the realname must also omit it.
  715:     #
  716:     Alias /icons/ "/var/www/icons/"
  717: 
           # NOTE(review): Indexes makes the icon directory browsable; it can be
           # dropped without affecting the icons used in generated listings.
  718:     <Directory "/var/www/icons">
  719:         Options Indexes MultiViews
  720:         AllowOverride None
  721:         Order allow,deny
  722:         Allow from all
  723:     </Directory>
  724: 
  725:     # This Alias will project the on-line documentation tree under /manual/
  726:     # even if you change the DocumentRoot. Comment it if you don't want to 
  727:     # provide access to the on-line documentation.
  728:     #
  729:     # Alias /manual/ "/etc/httpd/htdocs/manual/"
  730:     #
  731:     # <Directory "/etc/httpd/htdocs/manual">
  732:     #     Options Indexes FollowSymlinks MultiViews
  733:     #     AllowOverride None
  734:     #     Order allow,deny
  735:     #     Allow from all
  736:     # </Directory>
  737: 
  738:     #
  739:     # ScriptAlias: This controls which directories contain server scripts.
  740:     # ScriptAliases are essentially the same as Aliases, except that
  741:     # documents in the realname directory are treated as applications and
  742:     # run by the server when requested rather than as documents sent to the client.
  743:     # The same rules about trailing "/" apply to ScriptAlias directives as to
  744:     # Alias.
  745:     #
           # NOTE(review): every file in the target directory is run as a program
           # under the server's User/Group; keep the directory writable by
           # administrators only. It lies under /home/httpd, outside the /var/www
           # tree used for DocumentRoot and icons.
  746:     ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
  747: 
  748:     #
  749:     # The <Directory> path below must match the ScriptAlias target above
  750:     # (here "/home/httpd/cgi-bin"), if you have that configured.
  751:     #
  752:     <Directory "/home/httpd/cgi-bin">
  753:         AllowOverride None
  754:         Options None
  755:         Order allow,deny
  756:         Allow from all
  757:     </Directory>
  758: 
  759: </IfModule>
  760: # End of aliases.
  761: 
  762: #
  763: # Redirect allows you to tell clients about documents which used to exist in
  764: # your server's namespace, but do not anymore. This allows you to tell the
  765: # clients where to look for the relocated document.
  766: # Format: Redirect old-URI new-URL
  767: #
  768: 
  769: #
  770: # Directives controlling the display of server-generated directory listings.
  771: #
  772: <IfModule mod_autoindex.c>
  773: 
  774:     #
  775:     # FancyIndexing is whether you want fancy directory indexing or standard
  776:     #
  777:     IndexOptions FancyIndexing NameWidth=*
  778: 
  779:     #
  780:     # AddIcon* directives tell the server which icon to show for different
  781:     # files or filename extensions.  These are only displayed for
  782:     # FancyIndexed directories.
  783:     #
  784:     AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
  785: 
  786:     AddIconByType (TXT,/icons/text.gif) text/*
  787:     AddIconByType (IMG,/icons/image2.gif) image/*
  788:     AddIconByType (SND,/icons/sound2.gif) audio/*
  789:     AddIconByType (VID,/icons/movie.gif) video/*
  790: 
  791:     AddIcon /icons/binary.gif .bin .exe
  792:     AddIcon /icons/binhex.gif .hqx
  793:     AddIcon /icons/tar.gif .tar
  794:     AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
  795:     AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
  796:     AddIcon /icons/a.gif .ps .ai .eps
  797:     AddIcon /icons/layout.gif .html .shtml .htm .pdf
  798:     AddIcon /icons/text.gif .txt
  799:     AddIcon /icons/c.gif .c
  800:     AddIcon /icons/p.gif .pl .py
  801:     AddIcon /icons/f.gif .for
  802:     AddIcon /icons/dvi.gif .dvi
  803:     AddIcon /icons/uuencoded.gif .uu
  804:     AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
  805:     AddIcon /icons/tex.gif .tex
  806:     AddIcon /icons/bomb.gif core
  807: 
  808:     AddIcon /icons/back.gif ..
  809:     AddIcon /icons/hand.right.gif README
  810:     AddIcon /icons/folder.gif ^^DIRECTORY^^
  811:     AddIcon /icons/blank.gif ^^BLANKICON^^
  812: 
  813:     #
  814:     # DefaultIcon is which icon to show for files which do not have an icon
  815:     # explicitly set.
  816:     #
  817:     DefaultIcon /icons/unknown.gif
  818: 
  819:     #
  820:     # AddDescription allows you to place a short description after a file in
  821:     # server-generated indexes.  These are only displayed for FancyIndexed
  822:     # directories.
  823:     # Format: AddDescription "description" filename
  824:     #
  825:     #AddDescription "GZIP compressed document" .gz
  826:     #AddDescription "tar archive" .tar
  827:     #AddDescription "GZIP compressed tar archive" .tgz
  828: 
  829:     #
  830:     # ReadmeName is the name of the README file the server will look for by
  831:     # default, and append to directory listings.
  832:     #
  833:     # HeaderName is the name of a file which should be prepended to
  834:     # directory indexes. 
  835:     #
  836:     # If MultiViews are amongst the Options in effect, the server will
  837:     # first look for name.html and include it if found.  If name.html
  838:     # doesn't exist, the server will then look for name.txt and include
  839:     # it as plaintext if found.
  840:     #
  841:     ReadmeName README
  842:     HeaderName HEADER
  843: 
  844:     #
  845:     # IndexIgnore is a set of filenames which directory indexing should ignore
  846:     # and not include in the listing.  Shell-style wildcarding is permitted.
           # NOTE: this only hides the names from generated listings; a matching
           # file is still served to a client that requests it by name.
  847:     #
  848:     IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
  849: 
  850: </IfModule>
  851: # End of indexing directives.
  852: 
  853: #
  854: # Document types.
  855: #
  856: <IfModule mod_mime.c>
  857: 
  858:     #
  859:     # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
  860:     # information on the fly. Note: Not all browsers support this.
  861:     # Despite the name similarity, the following Add* directives have nothing
  862:     # to do with the FancyIndexing customization directives above.
  863:     #
  864:     AddEncoding x-compress Z
  865:     AddEncoding x-gzip gz tgz
  866: 
  867:     #
  868:     # AddLanguage allows you to specify the language of a document. You can
  869:     # then use content negotiation to give a browser a file in a language
  870:     # it can understand.  
  871:     #
  872:     # Note 1: The suffix does not have to be the same as the language 
  873:     # keyword --- those with documents in Polish (whose net-standard 
  874:     # language code is pl) may wish to use "AddLanguage pl .po" to 
  875:     # avoid the ambiguity with the common suffix for perl scripts.
  876:     #
  877:     # Note 2: The example entries below illustrate that in quite
  878:     # some cases the two character 'Language' abbreviation is not
  879:     # identical to the two character 'Country' code for its country,
  880:     # E.g. 'Danmark/dk' versus 'Danish/da'.
  881:     #
  882:     # Note 3: In the case of 'ltz' we violate the RFC by using a three char 
  883:     # specifier. But there is 'work in progress' to fix this and get 
  884:     # the reference data for rfc1766 cleaned up.
  885:     #
  886:     # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
  887:     # French (fr) - German (de) - Greek-Modern (el)
  888:     # Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn)
  889:     # Portuguese (pt) - Luxembourgeois* (ltz)
  890:     # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
  891:     # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
  892:     # Russian (ru)
  893:     #
  894:     AddLanguage da .dk
  895:     AddLanguage nl .nl
  896:     AddLanguage en .en
  897:     AddLanguage et .ee
  898:     AddLanguage fr .fr
  899:     AddLanguage de .de
  900:     AddLanguage el .el
  901:     AddLanguage he .he
  902:     AddCharset ISO-8859-8 .iso8859-8
  903:     AddLanguage it .it
  904:     AddLanguage ja .ja
  905:     AddCharset ISO-2022-JP .jis
  906:     AddLanguage kr .kr
  907:     AddCharset ISO-2022-KR .iso-kr
  908:     AddLanguage nn .nn
  909:     AddLanguage no .no
  910:     AddLanguage pl .po
  911:     AddCharset ISO-8859-2 .iso-pl
  912:     AddLanguage pt .pt
  913:     AddLanguage pt-br .pt-br
  914:     AddLanguage ltz .lu
  915:     AddLanguage ca .ca
  916:     AddLanguage es .es
  917:     AddLanguage sv .se
  918:     AddLanguage cz .cz
  919:     AddLanguage ru .ru
  920:     AddLanguage zh-tw .tw
  921:     AddLanguage tw .tw
  922:     AddCharset Big5         .Big5    .big5
  923:     AddCharset WINDOWS-1251 .cp-1251
  924:     AddCharset CP866        .cp866
  925:     AddCharset ISO-8859-5   .iso-ru
  926:     AddCharset KOI8-R       .koi8-r
  927:     AddCharset UCS-2        .ucs2
  928:     AddCharset UCS-4        .ucs4
  929:     AddCharset UTF-8        .utf8
  930: 
  931:     # LanguagePriority allows you to give precedence to some languages
  932:     # in case of a tie during content negotiation.
  933:     #
  934:     # Just list the languages in decreasing order of preference. We have
  935:     # more or less alphabetized them here. You probably want to change this.
  936:     #
  937:     <IfModule mod_negotiation.c>
  938:         LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
  939:     </IfModule>
  940: 
  941:     #
  942:     # AddType allows you to tweak mime.types without actually editing it, or to
  943:     # make certain files to be certain types.
  944:     #
  945:     AddType application/x-tar .tgz
  946: 
  947:     #
  948:     # These types cause httpd to let the PHP interpreter handle files with
  949:     # the specified extensions.
           # NOTE: the *-source types hand .phps files to the interpreter's source
           # display, so the source of any .phps file under a served directory is
           # shown to whoever requests it; keep such files out of production trees.
  950:     #
  951:     <IfModule mod_php4.c>
  952:         AddType application/x-httpd-php .php .php4 .php3 .phtml
  953:         AddType application/x-httpd-php-source .phps
  954:     </IfModule>
  955:     <IfModule mod_php3.c>
  956:         AddType application/x-httpd-php3 .php3
  957:         AddType application/x-httpd-php3-source .phps
  958:     </IfModule>
  959:     <IfModule mod_php.c>
  960:         AddType application/x-httpd-php .phtml
  961:     </IfModule>
  962: 
  963:     #
  964:     # AddHandler allows you to map certain file extensions to "handlers",
  965:     # actions unrelated to filetype. These can be either built into the server
  966:     # or added with the Action command (see below)
  967:     #
  968:     # If you want to use server side includes, or CGI outside
  969:     # ScriptAliased directories, uncomment the following lines.
  970:     #
  971:     # To use CGI scripts:
  972:     #
  973:     #AddHandler cgi-script .cgi
  974: 
  975:     #
  976:     # To use server-parsed HTML files
           # NOTE: .shtml files are only parsed where an Options line enables
           # Includes or IncludesNOEXEC; those Options are set elsewhere, not here.
           # IncludesNOEXEC keeps includes working while disallowing command and
           # CGI execution from within the parsed page.
  977:     #
  978:     AddType text/html .shtml
  979:     AddHandler server-parsed .shtml
  980: 
  981:     #
  982:     # Uncomment the following line to enable Apache's send-asis HTTP file
  983:     # feature
  984:     #
  985:     #AddHandler send-as-is asis
  986: 
  987:     #
  988:     # If you wish to use server-parsed imagemap files, use
  989:     #
  990:     AddHandler imap-file map
  991: 
  992:     #
  993:     # To enable type maps, you might want to use
  994:     #
  995:     #AddHandler type-map var
  996: 
  997: </IfModule>
  998: # End of document types.
  999: 
 1000: #
 1001: # Action lets you define media types that will execute a script whenever
 1002: # a matching file is called. This eliminates the need for repeated URL
 1003: # pathnames for oft-used CGI file processors.
 1004: # Format: Action media/type /cgi-script/location
 1005: # Format: Action handler-name /cgi-script/location
 1006: #
 1007: 
 1008: #
 1009: # MetaDir: specifies the name of the directory in which Apache can find
 1010: # meta information files. These files contain additional HTTP headers
 1011: # to include when sending the document
 1012: #
 1013: #MetaDir .web
 1014: 
 1015: #
 1016: # MetaSuffix: specifies the file name suffix for the file containing the
 1017: # meta information.
 1018: #
 1019: #MetaSuffix .meta
 1020: 
 1021: #
 1022: # Customizable error response (Apache style)
 1023: #  these come in three flavors
 1024: #
 1025: #    1) plain text
 1026: #ErrorDocument 500 "The server made a boo boo.
 1027: #  n.b.  the single leading (") marks it as text, it does not get output
 1028: #
 1029: #    2) local redirects
 1030: #ErrorDocument 404 /missing.html
 1031: #  to redirect to local URL /missing.html
 1032: #ErrorDocument 404 /cgi-bin/missing_handler.pl
 1033: #  N.B.: You can redirect to a script or a document using server-side-includes.
 1034: #
 1035: #    3) external redirects
 1036: #ErrorDocument 402 http://some.other-server.com/subscription_info.html
 1037: #  N.B.: Many of the environment variables associated with the original
 1038: #  request will *not* be available to such a script.
 1039: 
 1040: #
 1041: # Customize behaviour based on the browser
 1042: #
 1043: <IfModule mod_setenvif.c>
 1044: 
 1045:     #
 1046:     # The following directives modify normal HTTP response behavior.
 1047:     # The first directive disables keepalive for Netscape 2.x and browsers that
 1048:     # spoof it. There are known problems with these browser implementations.
 1049:     # The second directive is for Microsoft Internet Explorer 4.0b2
 1050:     # which has a broken HTTP/1.1 implementation and does not properly
 1051:     # support keepalive when it is used on 301 or 302 (redirect) responses.
 1052:     #
 1053:     BrowserMatch "Mozilla/2" nokeepalive
 1054:     BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
 1055: 
 1056:     #
 1057:     # The following directive disables HTTP/1.1 responses to browsers which
 1058:     # are in violation of the HTTP/1.0 spec by not being able to grok a
 1059:     # basic 1.1 response.
 1060:     #
 1061:     BrowserMatch "RealPlayer 4\.0" force-response-1.0
 1062:     BrowserMatch "Java/1\.0" force-response-1.0
 1063:     BrowserMatch "JDK/1\.0" force-response-1.0
 1064: 
 1065: </IfModule>
 1066: # End of browser customization directives
 1067: 
 1068: #
 1069: # If the perl module is installed, this will allow execution of mod_perl
 1070: # to compile your scripts to subroutines which it will execute directly,
 1071: # avoiding the costly compile process for most requests.
 1072: #
 1073: #<IfModule mod_perl.c>
 1074: #    Alias /perl /var/www/perl
 1075: #    <Directory /var/www/perl>
 1076: #        SetHandler perl-script
 1077: #        PerlHandler Apache::Registry
 1078: #        Options +ExecCGI
 1079: #    </Directory>
 1080: #</IfModule>
 1081: 
 1082: #
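 1083: # Allow http put (such as Netscape Gold's publish feature)
 1084: # Use htpasswd to generate /etc/httpd/conf/passwd.
       # Note: in the example below "require valid-user" sits inside <Limit PUT>,
       # so only PUT requests are authenticated; other methods on /upload (an
       # alias for /tmp) fall under whatever access rules apply there otherwise.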
 1085: #
 1086: #<IfModule mod_put.c>
 1087: #    Alias /upload /tmp
 1088: #    <Directory /tmp>
 1089: #        EnablePut On
 1090: #        AuthType Basic
 1091: #        AuthName Temporary
 1092: #        AuthUserFile /etc/httpd/conf/passwd
 1093: #        EnableDelete Off
 1094: #        umask 007
 1095: #        <Limit PUT>
 1096: #            require valid-user
 1097: #        </Limit>
 1098: #    </Directory>
 1099: #</IfModule>
 1100: 
 1101: #
 1102: # Allow server status reports, with the URL of http://servername/server-status
 1103: # Change the ".your-domain.com" to match your domain to enable.
 1104: #
 1105: #<Location /server-status>
 1106: #    SetHandler server-status
 1107: #    Order deny,allow
 1108: #    Deny from all
 1109: #    Allow from .your-domain.com
 1110: #</Location>
 1111: 
 1112: #
 1113: # Allow remote server configuration reports, with the URL of
 1114: # http://servername/server-info (requires that mod_info.c be loaded).
 1115: # Change the ".your-domain.com" to match your domain to enable.
 1116: #
 1117: #<Location /server-info>
 1118: #    SetHandler server-info
 1119: #    Order deny,allow
 1120: #    Deny from all
 1121: #    Allow from .your-domain.com
 1122: #</Location>
 1123: 
 1124: #
 1125: # Allow access to local system documentation from localhost
       #
       # NOTE(review): "allow from localhost .localdomain" matches on host names,
       # so the decision depends on DNS lookups of the client address; an
       # address form such as "allow from 127.0.0.1" does not. Options Indexes
       # FollowSymLinks also makes everything reachable under /usr/share/doc,
       # symlink targets included, listable and readable by the admitted clients.
 1126: #
 1127: Alias /doc/ /usr/share/doc/
 1128: <Directory /usr/share/doc>
 1129:     order deny,allow
 1130:     deny from all
 1131:     allow from localhost .localdomain
 1132:     Options Indexes FollowSymLinks
 1133: </Directory>
 1134: 
 1135: #
 1136: # There have been reports of people trying to abuse an old bug from pre-1.1
 1137: # days.  This bug involved a CGI script distributed as a part of Apache.
 1138: # By uncommenting these lines you can redirect these attacks to a logging 
 1139: # script on phf.apache.org.  Or, you can record them yourself, using the script
 1140: # support/phf_abuse_log.cgi.
 1141: #
 1142: #<Location /cgi-bin/phf*>
 1143: #    Deny from all
 1144: #    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
 1145: #</Location>
 1146: 
 1147: #
 1148: # Proxy Server directives. Uncomment the following lines to
 1149: # enable the proxy server:
 1150: #
 1151: #<IfModule mod_proxy.c>
 1152: #    ProxyRequests On
 1153: 
 1154: #    <Directory proxy:*>
 1155: #        Order deny,allow
 1156: #        Deny from all
 1157: #        Allow from .your-domain.com
 1158: #    </Directory>
 1159: 
 1160:     #
 1161:     # Enable/disable the handling of HTTP/1.1 "Via:" headers.
 1162:     # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
 1163:     # Set to one of: Off | On | Full | Block
 1164:     #
 1165: #    ProxyVia On
 1166: 
 1167:     #
 1168:     # To enable the cache as well, edit and uncomment the following lines:
 1169:     # (no caching without CacheRoot)
 1170:     #
 1171: #    CacheRoot "/var/cache/httpd"
 1172: #    CacheSize 5
 1173: #    CacheGcInterval 4
 1174: #    CacheMaxExpire 24
 1175: #    CacheLastModifiedFactor 0.1
 1176: #    CacheDefaultExpire 1
 1177: #    NoCache a-domain.com another-domain.edu joes.garage-sale.com
 1178: 
 1179: #</IfModule>
 1180: # End of proxy directives.
 1181: 
 1182: ### Section 3: Virtual Hosts
 1183: #
 1184: # VirtualHost: If you want to maintain multiple domains/hostnames on your
 1185: # machine you can setup VirtualHost containers for them. Most configurations
 1186: # use only name-based virtual hosts so the server doesn't need to worry about
 1187: # IP addresses. This is indicated by the asterisks in the directives below.
 1188: #
 1189: # Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
 1190: # for further details before you try to setup virtual hosts.
 1191: #
 1192: # You may use the command line option '-S' to verify your virtual host
 1193: # configuration.
 1194: 
 1195: #
 1196: # Use name-based virtual hosting.
 1197: #
 1198: #NameVirtualHost *
 1199: 
 1200: #
 1201: # VirtualHost example:
 1202: # Almost any Apache directive may go into a VirtualHost container.
 1203: # The first VirtualHost section is used for requests without a known
 1204: # server name.
 1205: #
 1206: #<VirtualHost *>
 1207: #    ServerAdmin webmaster@dummy-host.example.com
 1208: #    DocumentRoot /www/docs/dummy-host.example.com
 1209: #    ServerName dummy-host.example.com
 1210: #    ErrorLog logs/dummy-host.example.com-error_log
 1211: #    CustomLog logs/dummy-host.example.com-access_log common
 1212: #</VirtualHost>
 1213: 
 1214: #<VirtualHost _default_:*>
 1215: #</VirtualHost>
 1216: 
 1217: ##
 1218: ##  SSL Global Context
 1219: ##
 1220: ##  All SSL configuration in this context applies both to
 1221: ##  the main server and all SSL-enabled virtual hosts.
 1222: ##
 1223: 
 1224: #
 1225: #   Some MIME-types for downloading Certificates and CRLs
 1226: #
 1227: <IfDefine HAVE_SSL>
 1228: AddType application/x-x509-ca-cert .crt
 1229: AddType application/x-pkcs7-crl    .crl
 1230: </IfDefine>
 1231: 
 1232: <IfModule mod_ssl.c>
 1233: 
 1234: #   Pass Phrase Dialog:
 1235: #   Configure the pass phrase gathering process.
 1236: #   The filtering dialog program (`builtin' is an internal
 1237: #   terminal dialog) has to provide the pass phrase on stdout.
 1238: SSLPassPhraseDialog  builtin
 1239: 
 1240: #   Inter-Process Session Cache:
 1241: #   Configure the SSL Session Cache: First the mechanism 
 1242: #   to use and second the expiring timeout (in seconds).
 1243: #SSLSessionCache        none
 1244: #SSLSessionCache        shmht:logs/ssl_scache(512000)
 1245: #SSLSessionCache        shmcb:logs/ssl_scache(512000)
 1246: SSLSessionCache         dbm:logs/ssl_scache
 1247: SSLSessionCacheTimeout  300
 1248: 
 1249: #   Semaphore:
 1250: #   Configure the path to the mutual exclusion semaphore the
 1251: #   SSL engine uses internally for inter-process synchronization. 
 1252: SSLMutex  file:logs/ssl_mutex
 1253: 
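 1254: #   Pseudo Random Number Generator (PRNG):
 1255: #   Configure one or more sources to seed the PRNG of the
 1256: #   SSL library. The seed data should be of good random quality.
 1257: #   WARNING! On some platforms /dev/random blocks if not enough entropy
 1258: #   is available. This means you then cannot use the /dev/random device
 1259: #   because it would lead to very long connection times (as long as
 1260: #   it requires to make more entropy available). But usually those
 1261: #   platforms additionally provide a /dev/urandom device which doesn't
 1262: #   block. So, if available, use this one instead. Read the mod_ssl User
 1263: #   Manual for more details.
       #   The builtin source alone is a weak seed, particularly at startup, so
       #   the non-blocking /dev/urandom device is enabled as a second source for
       #   both contexts; every SSLRandomSeed line given for a context is used.
       #   This assumes the platform provides /dev/urandom.
 1264: SSLRandomSeed startup builtin
 1265: SSLRandomSeed connect builtin
 1266: #SSLRandomSeed startup file:/dev/random  512
 1267: SSLRandomSeed startup file:/dev/urandom 512
 1268: #SSLRandomSeed connect file:/dev/random  512
 1269: SSLRandomSeed connect file:/dev/urandom 512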
 1270: 
 1271: #   Logging:
 1272: #   The home of the dedicated SSL protocol logfile. Errors are
 1273: #   additionally duplicated in the general error log file.  Put
 1274: #   this somewhere where it cannot be used for symlink attacks on
 1275: #   a real server (i.e. somewhere where only root can write).
 1276: #   Log levels are (ascending order: higher ones include lower ones):
 1277: #   none, error, warn, info, trace, debug.
 1278: SSLLog      logs/ssl_engine_log
 1279: SSLLogLevel error
 1280: 
 1281: </IfModule>
 1282: 
 1283: <IfDefine HAVE_SSL>
 1284: 
 1285: ##
 1286: ## SSL Virtual Host Context
 1287: ##
 1288: 
 1289: <VirtualHost _default_:443>
 1290: 
 1291: #  General setup for the virtual host
 1292: #DocumentRoot "/etc/httpd/htdocs"
 1293: #ServerName new.host.name
 1294: #ServerAdmin you@your.address
 1295: ErrorLog logs/error_log
 1296: TransferLog logs/access_log
 1297: 
 1298: #   SSL Engine Switch:
 1299: #   Enable/Disable SSL for this virtual host.
 1300: SSLEngine on
 1301: 
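 1302: #   SSL Cipher Suite:
 1303: #   List the ciphers that the client is permitted to negotiate.
 1304: #   See the mod_ssl documentation for a complete list.
       #   While the line below stays commented out, the module's built-in
       #   default list applies. As written, the example still admits LOW,
       #   SSLv2, export (EXP) and no-encryption (eNULL) suites; drop those
       #   entries before enabling it.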
 1305: #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 1306: 
 1307: #   Server Certificate:
 1308: #   Point SSLCertificateFile at a PEM encoded certificate.  If
 1309: #   the certificate is encrypted, then you will be prompted for a
 1310: #   pass phrase.  Note that a kill -HUP will prompt again. A test
 1311: #   certificate can be generated with `make certificate' under
 1312: #   build time. Keep in mind that if you've both a RSA and a DSA
 1313: #   certificate you can configure both in parallel (to also allow
 1314: #   the use of DSA ciphers, etc.)
 1315: SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
 1316: #SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
 1317: 
 1318: #   Server Private Key:
 1319: #   If the key is not combined with the certificate, use this
 1320: #   directive to point at the key file.  Keep in mind that if
 1321: #   you've both a RSA and a DSA private key you can configure
 1322: #   both in parallel (to also allow the use of DSA ciphers, etc.)
 1323: SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
 1324: #SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
 1325: 
 1326: #   Server Certificate Chain:
 1327: #   Point SSLCertificateChainFile at a file containing the
 1328: #   concatenation of PEM encoded CA certificates which form the
 1329: #   certificate chain for the server certificate. Alternatively
 1330: #   the referenced file can be the same as SSLCertificateFile
 1331: #   when the CA certificates are directly appended to the server
 1332: #   certificate for convenience.
 1333: #SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
 1334: 
 1335: #   Certificate Authority (CA):
 1336: #   Set the CA certificate verification path where to find CA
 1337: #   certificates for client authentication or alternatively one
 1338: #   huge file containing all of them (file must be PEM encoded)
 1339: #   Note: Inside SSLCACertificatePath you need hash symlinks
 1340: #         to point to the certificate files. Use the provided
 1341: #         Makefile to update the hash symlinks after changes.
 1342: #SSLCACertificatePath /etc/httpd/conf/ssl.crt
 1343: #SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
 1344: 
 1345: #   Certificate Revocation Lists (CRL):
 1346: #   Set the CA revocation path where to find CA CRLs for client
 1347: #   authentication or alternatively one huge file containing all
 1348: #   of them (file must be PEM encoded)
 1349: #   Note: Inside SSLCARevocationPath you need hash symlinks
 1350: #         to point to the certificate files. Use the provided
 1351: #         Makefile to update the hash symlinks after changes.
 1352: #SSLCARevocationPath /etc/httpd/conf/ssl.crl
 1353: #SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
 1354: 
 1355: #   Client Authentication (Type):
 1356: #   Client certificate verification type and depth.  Types are
 1357: #   none, optional, require and optional_no_ca.  Depth is a
 1358: #   number which specifies how deeply to verify the certificate
 1359: #   issuer chain before deciding the certificate is not valid.
 1360: #SSLVerifyClient require
 1361: #SSLVerifyDepth  10
 1362: 
 1363: #   Access Control:
 1364: #   With SSLRequire you can do per-directory access control based
 1365: #   on arbitrary complex boolean expressions containing server
 1366: #   variable checks and other lookup directives.  The syntax is a
 1367: #   mixture between C and Perl.  See the mod_ssl documentation
 1368: #   for more details.
 1369: #<Location />
 1370: #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
 1371: #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
 1372: #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
 1373: #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
 1374: #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
 1375: #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
 1376: #</Location>
 1377: 
 1378: #   SSL Engine Options:
 1379: #   Set various options for the SSL engine.
 1380: #   o FakeBasicAuth:
 1381: #     Translate the client X.509 into a Basic Authorisation.  This means that
 1382: #     the standard Auth/DBMAuth methods can be used for access control.  The
 1383: #     user name is the `one line' version of the client's X.509 certificate.
 1384: #     Note that no password is obtained from the user. Every entry in the user
 1385: #     file needs this password: `xxj31ZMTZzkVA'.
 1386: #   o ExportCertData:
 1387: #     This exports two additional environment variables: SSL_CLIENT_CERT and
 1388: #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 1389: #     server (always existing) and the client (only existing when client
 1390: #     authentication is used). This can be used to import the certificates
 1391: #     into CGI scripts.
 1392: #   o StdEnvVars:
 1393: #     This exports the standard SSL/TLS related `SSL_*' environment variables.
 1394: #     Per default this exportation is switched off for performance reasons,
 1395: #     because the extraction step is an expensive operation and is usually
 1396: #     useless for serving static content. So one usually enables the
 1397: #     exportation for CGI and SSI requests only.
 1398: #   o CompatEnvVars:
 1399: #     This exports obsolete environment variables for backward compatibility
 1400: #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
 1401: #     to provide compatibility to existing CGI scripts.
 1402: #   o StrictRequire:
 1403: #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 1404: #     under a "Satisfy any" situation, i.e. when it applies access is denied
 1405: #     and no other module can change it.
 1406: #   o OptRenegotiate:
 1407: #     This enables optimized SSL connection renegotiation handling when SSL
 1408: #     directives are used in per-directory context. 
 1409: #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
       #   NOTE(review): the <Directory> below names "/var/www/cgi-bin", while the
       #   ScriptAlias earlier in this file maps /cgi-bin/ to "/home/httpd/cgi-bin".
       #   Unless an included file aliases /var/www/cgi-bin, CGI scripts whose names
       #   do not match the <Files> pattern get no SSL_* variables; confirm the path.
 1410: <Files ~ "\.(cgi|shtml|phtml|php3?)$">
 1411:     SSLOptions +StdEnvVars
 1412: </Files>
 1413: <Directory "/var/www/cgi-bin">
 1414:     SSLOptions +StdEnvVars
 1415: </Directory>
 1416: 
 1417: #   SSL Protocol Adjustments:
 1418: #   The safe and default but still SSL/TLS standard compliant shutdown
 1419: #   approach is that mod_ssl sends the close notify alert but doesn't wait for
 1420: #   the close notify alert from client. When you need a different shutdown
 1421: #   approach you can use one of the following variables:
 1422: #   o ssl-unclean-shutdown:
 1423: #     This forces an unclean shutdown when the connection is closed, i.e. no
 1424: #     SSL close notify alert is sent or allowed to be received.  This violates
 1425: #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
 1426: #     this when you receive I/O errors because of the standard approach where
 1427: #     mod_ssl sends the close notify alert.
 1428: #   o ssl-accurate-shutdown:
 1429: #     This forces an accurate shutdown when the connection is closed, i.e. a
 1430: #     SSL close notify alert is sent and mod_ssl waits for the close notify
 1431: #     alert of the client. This is 100% SSL/TLS standard compliant, but in
 1432: #     practice often causes hanging connections with brain-dead browsers. Use
 1433: #     this only for browsers where you know that their SSL implementation
 1434: #     works correctly. 
 1435: #   Notice: Most problems of broken clients are also related to the HTTP
 1436: #   keep-alive facility, so you usually additionally want to disable
 1437: #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 1438: #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 1439: #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 1440: #   "force-response-1.0" for this.
 1441: SetEnvIf User-Agent ".*MSIE.*" \
 1442:          nokeepalive ssl-unclean-shutdown \
 1443:          downgrade-1.0 force-response-1.0
 1444: 
 1445: #   Per-Server Logging:
 1446: #   The home of a custom SSL log file. Use this when you want a
 1447: #   compact non-error SSL logfile on a virtual host basis.
 1448: CustomLog logs/ssl_request_log \
 1449:           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 1450: 
 1451: </VirtualHost>                                  
 1452: 
 1453: </IfDefine>
 1454: 
       # Site configuration pulled in after all of the directives above.
       # NOTE(review): the header of this file says srm.conf and access.conf are
       # also processed automatically unless ResourceConfig/AccessConfig override
       # that; confirm they are not read twice. The paths are relative
       # (presumably to ServerRoot). Included files carry the same authority as
       # httpd.conf, so they need the same ownership and write protection.
 1455: Include conf/srm.conf
 1456: Include conf/access.conf
 1457: Include conf/loncapa_apache.conf
