1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 <title>suEXEC Support - Apache HTTP Server</title>
9 <link href="./style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="./style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11 <link href="./style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="./style/css/prettify.css" />
12 <script src="./style/scripts/prettify.js" type="text/javascript">
15 <link href="./images/favicon.ico" rel="shortcut icon" /></head>
16 <body id="manual-page"><div id="page-header">
17 <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p>
18 <p class="apache">Apache HTTP Server Version 2.5</p>
19 <img alt="" src="./images/feather.gif" /></div>
20 <div class="up"><a href="./"><img title="<-" alt="<-" src="./images/left.gif" /></a></div>
22 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>
24 <p><span>Available Languages: </span><a href="./en/suexec.html" title="English"> en </a> |
25 <a href="./fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
26 <a href="./ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
27 <a href="./ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
28 <a href="./tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
31 <p>The <strong>suEXEC</strong> feature provides users of the Apache
32 HTTP Server the ability
33 to run <strong>CGI</strong> and <strong>SSI</strong> programs
34 under user IDs different from the user ID of the calling
35 web server. Normally, when a CGI or SSI program executes, it
36 runs as the same user who is running the web server.</p>
38 <p>Used properly, this feature can reduce
39 considerably the security risks involved with allowing users to
40 develop and run private CGI or SSI programs. However, if suEXEC
41 is improperly configured, it can cause any number of problems
42 and possibly create new holes in your computer's security. If
43 you aren't familiar with managing <em>setuid root</em> programs
44 and the security issues they present, we highly recommend that
45 you not consider using suEXEC.</p>
47 <div id="quickview"><ul id="toc"><li><img alt="" src="./images/down.gif" /> <a href="#before">Before we begin</a></li>
48 <li><img alt="" src="./images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>
49 <li><img alt="" src="./images/down.gif" /> <a href="#install">Configuring & Installing
51 <li><img alt="" src="./images/down.gif" /> <a href="#enable">Enabling & Disabling
53 <li><img alt="" src="./images/down.gif" /> <a href="#usage">Using suEXEC</a></li>
54 <li><img alt="" src="./images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>
55 <li><img alt="" src="./images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:
56 Warnings & Examples</a></li>
57 </ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
58 <div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
60 <h2><a name="before" id="before">Before we begin</a></h2>
62 <p>Before jumping head-first into this document,
63 you should be aware that certain assumptions are made about you and
64 the environment in which you will be using suexec.</p>
66 <p>First, it is assumed that you are using a UNIX
67 derivative operating system that is capable of
68 <strong>setuid</strong> and <strong>setgid</strong> operations.
69 All command examples are given in this regard. Other platforms,
70 if they are capable of supporting suEXEC, may differ in their
73 <p>Second, it is assumed you are familiar with
74 some basic concepts of your computer's security and its
75 administration. This involves an understanding of
76 <strong>setuid/setgid</strong> operations and the various
77 effects they may have on your system and its level of
80 <p>Third, it is assumed that you are using an
81 <strong>unmodified</strong> version of suEXEC code. All code
82 for suEXEC has been carefully scrutinized and tested by the
83 developers as well as numerous beta testers. Every precaution
84 has been taken to ensure a simple yet solidly safe base of
85 code. Altering this code can cause unexpected problems and new
86 security risks. It is <strong>highly</strong> recommended you
87 not alter the suEXEC code unless you are well versed in the
88 particulars of security programming and are willing to share
89 your work with the Apache HTTP Server development team for consideration.</p>
91 <p>Fourth, and last, it has been the decision of
92 the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of
93 the default installation of Apache httpd. To this end, suEXEC
94 configuration requires of the administrator careful attention
95 to details. After due consideration has been given to the
96 various settings for suEXEC, the administrator may install
97 suEXEC through normal installation methods. The values for
98 these settings need to be carefully determined and specified by
99 the administrator to properly maintain system security during
100 the use of suEXEC functionality. It is through this detailed
101 process that we hope to limit suEXEC
102 installation only to those who are careful and determined
103 enough to use it.</p>
105 <p>Still with us? Yes? Good. Let's move on!</p>
106 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
107 <div class="section">
108 <h2><a name="model" id="model">suEXEC Security Model</a></h2>
110 <p>Before we begin configuring and installing
111 suEXEC, we will first discuss the security model you are about
112 to implement. By doing so, you may better understand what
113 exactly is going on inside suEXEC and what precautions are
114 taken to ensure your system's security.</p>
116 <p><strong>suEXEC</strong> is based on a setuid
117 "wrapper" program that is called by the main Apache HTTP Server.
118 This wrapper is called when an HTTP request is made for a CGI
119 or SSI program that the administrator has designated to run as
120 a userid other than that of the main server. When such a
121 request is made, Apache httpd provides the suEXEC wrapper with the
122 program's name and the user and group IDs under which the
123 program is to execute.</p>
125 <p>The wrapper then employs the following process
126 to determine success or failure -- if any one of these
127 conditions fail, the program logs the failure and exits with an
128 error, otherwise it will continue:</p>
132 <strong>Is the user executing this wrapper a valid user of
133 this system?</strong>
136 This is to ensure that the user executing the wrapper is
137 truly a user of the system.
142 <strong>Was the wrapper called with the proper number of
146 The wrapper will only execute if it is given the proper
147 number of arguments. The proper argument format is known
148 to the Apache HTTP Server. If the wrapper is not receiving
149 the proper number of arguments, it is either being
150 hacked, or there is something wrong with the suEXEC
151 portion of your Apache httpd binary.
156 <strong>Is this valid user allowed to run the
160 Is this user the user allowed to run this wrapper? Only
161 one user (the Apache user) is allowed to execute this
167 <strong>Does the target CGI or SSI program have an unsafe
168 hierarchical reference?</strong>
171 Does the target CGI or SSI program's path contain a leading
172 '/' or have a '..' backreference? These are not allowed; the
173 target CGI/SSI program must reside within suEXEC's document
174 root (see <code>--with-suexec-docroot=<em>DIR</em></code>
180 <strong>Is the target user name valid?</strong>
183 Does the target user exist?
188 <strong>Is the target group name valid?</strong>
191 Does the target group exist?
196 <strong>Is the target user <em>NOT</em> superuser?</strong>
200 suEXEC does not allow <code><em>root</em></code>
201 to execute CGI/SSI programs.
206 <strong>Is the target userid <em>ABOVE</em> the minimum ID
210 The minimum user ID number is specified during
211 configuration. This allows you to set the lowest possible
212 userid that will be allowed to execute CGI/SSI programs.
213 This is useful to block out "system" accounts.
218 <strong>Is the target group <em>NOT</em> the superuser
222 Presently, suEXEC does not allow the <code><em>root</em></code>
223 group to execute CGI/SSI programs.
228 <strong>Is the target groupid <em>ABOVE</em> the minimum ID
232 The minimum group ID number is specified during
233 configuration. This allows you to set the lowest possible
234 groupid that will be allowed to execute CGI/SSI programs.
235 This is useful to block out "system" groups.
240 <strong>Can the wrapper successfully become the target user
244 Here is where the program becomes the target user and
245 group via setuid and setgid calls. The group access list
246 is also initialized with all of the groups of which the
252 <strong>Can we change directory to the one in which the target
253 CGI/SSI program resides?</strong>
256 If it doesn't exist, it can't very well contain files. If we
257 can't change directory to it, it might as well not exist.
262 <strong>Is the directory within the httpd webspace?</strong>
265 If the request is for a regular portion of the server, is
266 the requested directory within suEXEC's document root? If
267 the request is for a <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory
268 within the directory configured as suEXEC's userdir (see
269 <a href="#install">suEXEC's configuration options</a>)?
274 <strong>Is the directory <em>NOT</em> writable by anyone
278 We don't want to open up the directory to others; only
279 the owner user may be able to alter this directories
285 <strong>Does the target CGI/SSI program exist?</strong>
288 If it doesn't exists, it can't very well be executed.
293 <strong>Is the target CGI/SSI program <em>NOT</em> writable
294 by anyone else?</strong>
297 We don't want to give anyone other than the owner the
298 ability to change the CGI/SSI program.
303 <strong>Is the target CGI/SSI program <em>NOT</em> setuid or
307 We do not want to execute programs that will then change
313 <strong>Is the target user/group the same as the program's
317 Is the user the owner of the file?
322 <strong>Can we successfully clean the process environment
323 to ensure safe operations?</strong>
326 suEXEC cleans the process' environment by establishing a
327 safe execution PATH (defined during configuration), as
328 well as only passing through those variables whose names
329 are listed in the safe environment list (also created
330 during configuration).
335 <strong>Can we successfully become the target CGI/SSI program
336 and execute?</strong>
339 Here is where suEXEC ends and the target CGI/SSI program begins.
344 <p>This is the standard operation of the
345 suEXEC wrapper's security model. It is somewhat stringent and
346 can impose new limitations and guidelines for CGI/SSI design,
347 but it was developed carefully step-by-step with security in
350 <p>For more information as to how this security
351 model can limit your possibilities in regards to server
352 configuration, as well as what security risks can be avoided
353 with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this
355 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
356 <div class="section">
357 <h2><a name="install" id="install">Configuring & Installing
360 <p>Here's where we begin the fun.</p>
362 <p><strong>suEXEC configuration
363 options</strong><br />
367 <dt><code>--enable-suexec</code></dt>
369 <dd>This option enables the suEXEC feature which is never
370 installed or activated by default. At least one
371 <code>--with-suexec-xxxxx</code> option has to be provided
372 together with the <code>--enable-suexec</code> option to let
373 APACI accept your request for using the suEXEC feature.</dd>
375 <dt><code>--enable-suexec-capabilities</code></dt>
377 <dd><strong>Linux specific:</strong> Normally,
378 the <code>suexec</code> binary is installed "setuid/setgid
379 root", which allows it to run with the full privileges of the
380 root user. If this option is used, the <code>suexec</code>
381 binary will instead be installed with only the setuid/setgid
382 "capability" bits set, which is the subset of full root
383 priviliges required for suexec operation. Note that
384 the <code>suexec</code> binary may not be able to write to a log
385 file in this mode; it is recommended that the
386 <code>--with-suexec-syslog --without-suexec-logfile</code>
387 options are used in conjunction with this mode, so that syslog
388 logging is used instead.</dd>
390 <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
392 <dd>The path to the <code>suexec</code> binary must be hard-coded
393 in the server for security reasons. Use this option to override
394 the default path. <em>e.g.</em>
395 <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>
397 <dt><code>--with-suexec-caller=<em>UID</em></code></dt>
399 <dd>The <a href="mod/mpm_common.html#user">username</a> under which
400 httpd normally runs. This is the only user allowed to
401 execute the suEXEC wrapper.</dd>
403 <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>
405 <dd>Define to be the subdirectory under users' home
406 directories where suEXEC access should be allowed. All
407 executables under this directory will be executable by suEXEC
408 as the user so they should be "safe" programs. If you are
409 using a "simple" <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>
410 directive (ie. one without a "*" in it) this should be set to the same
411 value. suEXEC will not work properly in cases where the <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code> directive points to
412 a location that is not the same as the user's home directory
413 as referenced in the <code>passwd</code> file. Default value is
414 "<code>public_html</code>".<br />
415 If you have virtual hosts with a different <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code> for each,
416 you will need to define them to all reside in one parent
417 directory; then name that parent directory here. <strong>If
418 this is not defined properly, "~userdir" cgi requests will
419 not work!</strong></dd>
421 <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
423 <dd>Define as the DocumentRoot set for httpd. This will be
424 the only hierarchy (aside from <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The
425 default directory is the <code>--datadir</code> value with the suffix
426 "<code>/htdocs</code>", <em>e.g.</em> if you configure with
427 "<code>--datadir=/home/apache</code>" the directory
428 "<code>/home/apache/htdocs</code>" is used as document root for the
431 <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
433 <dd>Define this as the lowest UID allowed to be a target user
434 for suEXEC. For most systems, 500 or 100 is common. Default
437 <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>
439 <dd>Define this as the lowest GID allowed to be a target
440 group for suEXEC. For most systems, 100 is common and
441 therefore used as default value.</dd>
443 <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>
445 <dd>This defines the filename to which all suEXEC
446 transactions and errors are logged (useful for auditing and
447 debugging purposes). By default the logfile is named
448 "<code>suexec_log</code>" and located in your standard logfile
449 directory (<code>--logfiledir</code>).</dd>
451 <dt><code>--with-suexec-syslog</code></dt>
453 <dd>If defined, suexec will log notices and errors to syslog
454 instead of a logfile. This option must be combined
455 with <code>--without-suexec-logfile</code>.</dd>
457 <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
459 <dd>Define a safe PATH environment to pass to CGI
460 executables. Default value is
461 "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
464 <h3>Compiling and installing the suEXEC wrapper</h3>
467 <p>If you have enabled the suEXEC feature with the
468 <code>--enable-suexec</code> option the <code>suexec</code> binary
469 (together with httpd itself) is automatically built if you execute
470 the <code>make</code> command.</p>
472 <p>After all components have been built you can execute the
473 command <code>make install</code> to install them. The binary image
474 <code>suexec</code> is installed in the directory defined by the
475 <code>--sbindir</code> option. The default location is
476 "/usr/local/apache2/bin/suexec".</p>
478 <p>Please note that you need <strong><em>root
479 privileges</em></strong> for the installation step. In order
480 for the wrapper to set the user ID, it must be installed as
481 owner <code><em>root</em></code> and must have the setuserid
482 execution bit set for file modes.</p>
485 <h3>Setting paranoid permissions</h3>
488 <p>Although the suEXEC wrapper will check to ensure that its
489 caller is the correct user as specified with the
490 <code>--with-suexec-caller</code> <code class="program"><a href="./programs/configure.html">configure</a></code>
492 always the possibility that a system or library call suEXEC uses
493 before this check may be exploitable on your system. To counter
494 this, and because it is best-practise in general, you should use
495 filesystem permissions to ensure that only the group httpd
496 runs as may execute suEXEC.</p>
498 <p>If for example, your web server is configured to run as:</p>
500 <pre class="prettyprint lang-config">
506 <p>and <code class="program"><a href="./programs/suexec.html">suexec</a></code> is installed at
507 "/usr/local/apache2/bin/suexec", you should run:</p>
509 <div class="example"><p><code>
510 chgrp webgroup /usr/local/apache2/bin/suexec<br />
511 chmod 4750 /usr/local/apache2/bin/suexec<br />
514 <p>This will ensure that only the group httpd runs as can even
515 execute the suEXEC wrapper.</p>
517 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
518 <div class="section">
519 <h2><a name="enable" id="enable">Enabling & Disabling
522 <p>Upon startup of httpd, it looks for the file
523 <code class="program"><a href="./programs/suexec.html">suexec</a></code> in the directory defined by the
524 <code>--sbindir</code> option (default is
525 "/usr/local/apache/sbin/suexec"). If httpd finds a properly
526 configured suEXEC wrapper, it will print the following message
527 to the error log:</p>
529 <div class="example"><p><code>
530 [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>)
533 <p>If you don't see this message at server startup, the server is
534 most likely not finding the wrapper program where it expects
535 it, or the executable is not installed <em>setuid root</em>.</p>
537 <p>If you want to enable the suEXEC mechanism for the first time
538 and an Apache HTTP Server is already running you must kill and
539 restart httpd. Restarting it with a simple HUP or USR1 signal
540 will not be enough. </p>
541 <p>If you want to disable suEXEC you should kill and restart
542 httpd after you have removed the <code class="program"><a href="./programs/suexec.html">suexec</a></code> file.</p>
543 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
544 <div class="section">
545 <h2><a name="usage" id="usage">Using suEXEC</a></h2>
547 <p>Requests for CGI programs will call the suEXEC wrapper only if
548 they are for a virtual host containing a <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
549 they are processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code>.</p>
551 <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC
552 wrapper is through the <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
553 <code class="directive"><a href="./mod/core.html#virtualhost">VirtualHost</a></code> definitions. By
554 setting this directive to values different from the main server
555 user ID, all requests for CGI resources will be executed as the
556 <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code>. If this
557 directive is not specified for a <code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code> then the main server userid
560 <p><strong>User directories:</strong><br /> Requests that are
561 processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
562 wrapper to execute CGI programs under the userid of the requested
563 user directory. The only requirement needed for this feature to
564 work is for CGI execution to be enabled for the user and that the
565 script must meet the scrutiny of the <a href="#model">security
566 checks</a> above. See also the
567 <code>--with-suexec-userdir</code> <a href="#install">compile
568 time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
569 <div class="section">
570 <h2><a name="debug" id="debug">Debugging suEXEC</a></h2>
572 <p>The suEXEC wrapper will write log information
573 to the file defined with the <code>--with-suexec-logfile</code>
574 option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
575 is used. If you feel you have configured and
576 installed the wrapper properly, have a look at the log and the
577 error_log for the server to see where you may have gone astray.
578 The output of <code>"suexec -V"</code> will show the options
579 used to compile suexec, if using a binary distribution.</p>
581 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
582 <div class="section">
583 <h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:
584 Warnings & Examples</a></h2>
586 <p><strong>NOTE!</strong> This section may not be
587 complete. For the latest revision of this section of the
588 documentation, see the <a href="http://httpd.apache.org/docs/trunk/suexec.html">Online
589 Documentation</a> version.</p>
591 <p>There are a few points of interest regarding
592 the wrapper that can cause limitations on server setup. Please
593 review these before submitting any "bugs" regarding suEXEC.</p>
596 <li><strong>suEXEC Points Of Interest</strong></li>
599 Hierarchy limitations
602 For security and efficiency reasons, all suEXEC requests
603 must remain within either a top-level document root for
604 virtual host requests, or one top-level personal document
605 root for userdir requests. For example, if you have four
606 VirtualHosts configured, you would need to structure all
607 of your VHosts' document roots off of one main httpd
608 document hierarchy to take advantage of suEXEC for
609 VirtualHosts. (Example forthcoming.)
614 suEXEC's PATH environment variable
617 This can be a dangerous thing to change. Make certain
618 every path you include in this define is a
619 <strong>trusted</strong> directory. You don't want to
620 open people up to having someone from across the world
621 running a trojan horse on them.
626 Altering the suEXEC code
629 Again, this can cause <strong>Big Trouble</strong> if you
630 try this without knowing what you are doing. Stay away
631 from it if at all possible.
637 <div class="bottomlang">
638 <p><span>Available Languages: </span><a href="./en/suexec.html" title="English"> en </a> |
639 <a href="./fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
640 <a href="./ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
641 <a href="./ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
642 <a href="./tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
643 </div><div class="top"><a href="#page-header"><img src="./images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
644 <script type="text/javascript"><!--//--><![CDATA[//><!--
645 var comments_shortname = 'httpd';
646 var comments_identifier = 'http://httpd.apache.org/docs/trunk/suexec.html';
648 if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
649 d.write('<div id="comments_thread"><\/div>');
650 var s = d.createElement('script');
651 s.type = 'text/javascript';
653 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
654 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
657 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
659 })(window, document);
660 //--><!]]></script></div><div id="footer">
661 <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
662 <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
663 if (typeof(prettyPrint) !== 'undefined') {