1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
4 <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 This file is generated from xml source: DO NOT EDIT
8 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
10 <title>suEXEC Support - Apache HTTP Server Version 2.5</title>
11 <link href="./style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
12 <link href="./style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <link href="./style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="./style/css/prettify.css" />
14 <script src="./style/scripts/prettify.min.js" type="text/javascript">
17 <link href="./images/favicon.ico" rel="shortcut icon" /></head>
18 <body id="manual-page"><div id="page-header">
19 <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p>
20 <p class="apache">Apache HTTP Server Version 2.5</p>
21 <img alt="" src="./images/feather.png" /></div>
22 <div class="up"><a href="./"><img title="<-" alt="<-" src="./images/left.gif" /></a></div>
24 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>suEXEC Support</h1>
26 <p><span>Available Languages: </span><a href="./en/suexec.html" title="English"> en </a> |
27 <a href="./fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
28 <a href="./ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
29 <a href="./ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
30 <a href="./tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
33 <p>The <strong>suEXEC</strong> feature provides users of the Apache
34 HTTP Server the ability
35 to run <strong>CGI</strong> and <strong>SSI</strong> programs
36 under user IDs different from the user ID of the calling
37 web server. Normally, when a CGI or SSI program executes, it
38 runs as the same user who is running the web server.</p>
40 <p>Used properly, this feature can reduce
41 considerably the security risks involved with allowing users to
42 develop and run private CGI or SSI programs. However, if suEXEC
43 is improperly configured, it can cause any number of problems
44 and possibly create new holes in your computer's security. If
45 you aren't familiar with managing <em>setuid root</em> programs
46 and the security issues they present, we highly recommend that
47 you not consider using suEXEC.</p>
49 <div id="quickview"><ul id="toc"><li><img alt="" src="./images/down.gif" /> <a href="#before">Before we begin</a></li>
50 <li><img alt="" src="./images/down.gif" /> <a href="#model">suEXEC Security Model</a></li>
51 <li><img alt="" src="./images/down.gif" /> <a href="#install">Configuring & Installing
53 <li><img alt="" src="./images/down.gif" /> <a href="#enable">Enabling & Disabling
55 <li><img alt="" src="./images/down.gif" /> <a href="#usage">Using suEXEC</a></li>
56 <li><img alt="" src="./images/down.gif" /> <a href="#debug">Debugging suEXEC</a></li>
57 <li><img alt="" src="./images/down.gif" /> <a href="#jabberwock">Beware the Jabberwock:
58 Warnings & Examples</a></li>
59 </ul><h3>See also</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
60 <div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
62 <h2><a name="before" id="before">Before we begin</a></h2>
64 <p>Before jumping head-first into this document,
65 you should be aware that certain assumptions are made about you and
66 the environment in which you will be using suexec.</p>
68 <p>First, it is assumed that you are using a UNIX
69 derivative operating system that is capable of
70 <strong>setuid</strong> and <strong>setgid</strong> operations.
71 All command examples are given in this regard. Other platforms,
72 if they are capable of supporting suEXEC, may differ in their
75 <p>Second, it is assumed you are familiar with
76 some basic concepts of your computer's security and its
77 administration. This involves an understanding of
78 <strong>setuid/setgid</strong> operations and the various
79 effects they may have on your system and its level of
82 <p>Third, it is assumed that you are using an
83 <strong>unmodified</strong> version of suEXEC code. All code
84 for suEXEC has been carefully scrutinized and tested by the
85 developers as well as numerous beta testers. Every precaution
86 has been taken to ensure a simple yet solidly safe base of
87 code. Altering this code can cause unexpected problems and new
88 security risks. It is <strong>highly</strong> recommended you
89 not alter the suEXEC code unless you are well versed in the
90 particulars of security programming and are willing to share
91 your work with the Apache HTTP Server development team for consideration.</p>
93 <p>Fourth, and last, it has been the decision of
94 the Apache HTTP Server development team to <strong>NOT</strong> make suEXEC part of
95 the default installation of Apache httpd. To this end, suEXEC
96 configuration requires of the administrator careful attention
97 to details. After due consideration has been given to the
98 various settings for suEXEC, the administrator may install
99 suEXEC through normal installation methods. The values for
100 these settings need to be carefully determined and specified by
101 the administrator to properly maintain system security during
102 the use of suEXEC functionality. It is through this detailed
103 process that we hope to limit suEXEC
104 installation only to those who are careful and determined
105 enough to use it.</p>
107 <p>Still with us? Yes? Good. Let's move on!</p>
108 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
109 <div class="section">
110 <h2><a name="model" id="model">suEXEC Security Model</a></h2>
112 <p>Before we begin configuring and installing
113 suEXEC, we will first discuss the security model you are about
114 to implement. By doing so, you may better understand what
115 exactly is going on inside suEXEC and what precautions are
116 taken to ensure your system's security.</p>
118 <p><strong>suEXEC</strong> is based on a setuid
119 "wrapper" program that is called by the main Apache HTTP Server.
120 This wrapper is called when an HTTP request is made for a CGI
121 or SSI program that the administrator has designated to run as
122 a userid other than that of the main server. When such a
123 request is made, Apache httpd provides the suEXEC wrapper with the
124 program's name and the user and group IDs under which the
125 program is to execute.</p>
127 <p>The wrapper then employs the following process
128 to determine success or failure -- if any one of these
129 conditions fail, the program logs the failure and exits with an
130 error, otherwise it will continue:</p>
134 <strong>Is the user executing this wrapper a valid user of
135 this system?</strong>
138 This is to ensure that the user executing the wrapper is
139 truly a user of the system.
144 <strong>Was the wrapper called with the proper number of
148 The wrapper will only execute if it is given the proper
149 number of arguments. The proper argument format is known
150 to the Apache HTTP Server. If the wrapper is not receiving
151 the proper number of arguments, it is either being
152 hacked, or there is something wrong with the suEXEC
153 portion of your Apache httpd binary.
158 <strong>Is this valid user allowed to run the
162 Is this user the user allowed to run this wrapper? Only
163 one user (the Apache user) is allowed to execute this
169 <strong>Does the target CGI or SSI program have an unsafe
170 hierarchical reference?</strong>
173 Does the target CGI or SSI program's path contain a leading
174 '/' or have a '..' backreference? These are not allowed; the
175 target CGI/SSI program must reside within suEXEC's document
176 root (see <code>--with-suexec-docroot=<em>DIR</em></code>
182 <strong>Is the target user name valid?</strong>
185 Does the target user exist?
190 <strong>Is the target group name valid?</strong>
193 Does the target group exist?
198 <strong>Is the target user <em>NOT</em> superuser?</strong>
202 suEXEC does not allow <code><em>root</em></code>
203 to execute CGI/SSI programs.
208 <strong>Is the target userid <em>ABOVE</em> the minimum ID
212 The minimum user ID number is specified during
213 configuration. This allows you to set the lowest possible
214 userid that will be allowed to execute CGI/SSI programs.
215 This is useful to block out "system" accounts.
220 <strong>Is the target group <em>NOT</em> the superuser
224 Presently, suEXEC does not allow the <code><em>root</em></code>
225 group to execute CGI/SSI programs.
230 <strong>Is the target groupid <em>ABOVE</em> the minimum ID
234 The minimum group ID number is specified during
235 configuration. This allows you to set the lowest possible
236 groupid that will be allowed to execute CGI/SSI programs.
237 This is useful to block out "system" groups.
242 <strong>Can the wrapper successfully become the target user
246 Here is where the program becomes the target user and
247 group via setuid and setgid calls. The group access list
248 is also initialized with all of the groups of which the
254 <strong>Can we change directory to the one in which the target
255 CGI/SSI program resides?</strong>
258 If it doesn't exist, it can't very well contain files. If we
259 can't change directory to it, it might as well not exist.
264 <strong>Is the directory within the httpd webspace?</strong>
267 If the request is for a regular portion of the server, is
268 the requested directory within suEXEC's document root? If
269 the request is for a <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>, is the requested directory
270 within the directory configured as suEXEC's userdir (see
271 <a href="#install">suEXEC's configuration options</a>)?
276 <strong>Is the directory <em>NOT</em> writable by anyone
280 We don't want to open up the directory to others; only
281 the owner user may be able to alter this directories
287 <strong>Does the target CGI/SSI program exist?</strong>
290 If it doesn't exists, it can't very well be executed.
295 <strong>Is the target CGI/SSI program <em>NOT</em> writable
296 by anyone else?</strong>
299 We don't want to give anyone other than the owner the
300 ability to change the CGI/SSI program.
305 <strong>Is the target CGI/SSI program <em>NOT</em> setuid or
309 We do not want to execute programs that will then change
315 <strong>Is the target user/group the same as the program's
319 Is the user the owner of the file?
324 <strong>Can we successfully clean the process environment
325 to ensure safe operations?</strong>
328 suEXEC cleans the process' environment by establishing a
329 safe execution PATH (defined during configuration), as
330 well as only passing through those variables whose names
331 are listed in the safe environment list (also created
332 during configuration).
337 <strong>Can we successfully become the target CGI/SSI program
338 and execute?</strong>
341 Here is where suEXEC ends and the target CGI/SSI program begins.
346 <p>This is the standard operation of the
347 suEXEC wrapper's security model. It is somewhat stringent and
348 can impose new limitations and guidelines for CGI/SSI design,
349 but it was developed carefully step-by-step with security in
352 <p>For more information as to how this security
353 model can limit your possibilities in regards to server
354 configuration, as well as what security risks can be avoided
355 with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this
357 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
358 <div class="section">
359 <h2><a name="install" id="install">Configuring & Installing
362 <p>Here's where we begin the fun.</p>
364 <p><strong>suEXEC configuration
365 options</strong><br />
369 <dt><code>--enable-suexec</code></dt>
371 <dd>This option enables the suEXEC feature which is never
372 installed or activated by default. At least one
373 <code>--with-suexec-xxxxx</code> option has to be provided
374 together with the <code>--enable-suexec</code> option to let
375 APACI accept your request for using the suEXEC feature.</dd>
377 <dt><code>--enable-suexec-capabilities</code></dt>
379 <dd><strong>Linux specific:</strong> Normally,
380 the <code>suexec</code> binary is installed "setuid/setgid
381 root", which allows it to run with the full privileges of the
382 root user. If this option is used, the <code>suexec</code>
383 binary will instead be installed with only the setuid/setgid
384 "capability" bits set, which is the subset of full root
385 priviliges required for suexec operation. Note that
386 the <code>suexec</code> binary may not be able to write to a log
387 file in this mode; it is recommended that the
388 <code>--with-suexec-syslog --without-suexec-logfile</code>
389 options are used in conjunction with this mode, so that syslog
390 logging is used instead.</dd>
392 <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
394 <dd>The path to the <code>suexec</code> binary must be hard-coded
395 in the server for security reasons. Use this option to override
396 the default path. <em>e.g.</em>
397 <code>--with-suexec-bin=/usr/sbin/suexec</code></dd>
399 <dt><code>--with-suexec-caller=<em>UID</em></code></dt>
401 <dd>The <a href="mod/mpm_common.html#user">username</a> under which
402 httpd normally runs. This is the only user allowed to
403 execute the suEXEC wrapper.</dd>
405 <dt><code>--with-suexec-userdir=<em>DIR</em></code></dt>
407 <dd>Define to be the subdirectory under users' home
408 directories where suEXEC access should be allowed. All
409 executables under this directory will be executable by suEXEC
410 as the user so they should be "safe" programs. If you are
411 using a "simple" <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>
412 directive (ie. one without a "*" in it) this should be set to the same
413 value. suEXEC will not work properly in cases where the <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code> directive points to
414 a location that is not the same as the user's home directory
415 as referenced in the <code>passwd</code> file. Default value is
416 "<code>public_html</code>".<br />
417 If you have virtual hosts with a different <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code> for each,
418 you will need to define them to all reside in one parent
419 directory; then name that parent directory here. <strong>If
420 this is not defined properly, "~userdir" cgi requests will
421 not work!</strong></dd>
423 <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
425 <dd>Define as the DocumentRoot set for httpd. This will be
426 the only hierarchy (aside from <code class="directive"><a href="./mod/mod_userdir.html#userdir">UserDir</a></code>s) that can be used for suEXEC behavior. The
427 default directory is the <code>--datadir</code> value with the suffix
428 "<code>/htdocs</code>", <em>e.g.</em> if you configure with
429 "<code>--datadir=/home/apache</code>" the directory
430 "<code>/home/apache/htdocs</code>" is used as document root for the
433 <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
435 <dd>Define this as the lowest UID allowed to be a target user
436 for suEXEC. For most systems, 500 or 100 is common. Default
439 <dt><code>--with-suexec-gidmin=<em>GID</em></code></dt>
441 <dd>Define this as the lowest GID allowed to be a target
442 group for suEXEC. For most systems, 100 is common and
443 therefore used as default value.</dd>
445 <dt><code>--with-suexec-logfile=<em>FILE</em></code></dt>
447 <dd>This defines the filename to which all suEXEC
448 transactions and errors are logged (useful for auditing and
449 debugging purposes). By default the logfile is named
450 "<code>suexec_log</code>" and located in your standard logfile
451 directory (<code>--logfiledir</code>).</dd>
453 <dt><code>--with-suexec-syslog</code></dt>
455 <dd>If defined, suexec will log notices and errors to syslog
456 instead of a logfile. This option must be combined
457 with <code>--without-suexec-logfile</code>.</dd>
459 <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
461 <dd>Define a safe PATH environment to pass to CGI
462 executables. Default value is
463 "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
466 <h3>Compiling and installing the suEXEC wrapper</h3>
469 <p>If you have enabled the suEXEC feature with the
470 <code>--enable-suexec</code> option the <code>suexec</code> binary
471 (together with httpd itself) is automatically built if you execute
472 the <code>make</code> command.</p>
474 <p>After all components have been built you can execute the
475 command <code>make install</code> to install them. The binary image
476 <code>suexec</code> is installed in the directory defined by the
477 <code>--sbindir</code> option. The default location is
478 "/usr/local/apache2/bin/suexec".</p>
480 <p>Please note that you need <strong><em>root
481 privileges</em></strong> for the installation step. In order
482 for the wrapper to set the user ID, it must be installed as
483 owner <code><em>root</em></code> and must have the setuserid
484 execution bit set for file modes.</p>
487 <h3>Setting paranoid permissions</h3>
490 <p>Although the suEXEC wrapper will check to ensure that its
491 caller is the correct user as specified with the
492 <code>--with-suexec-caller</code> <code class="program"><a href="./programs/configure.html">configure</a></code>
494 always the possibility that a system or library call suEXEC uses
495 before this check may be exploitable on your system. To counter
496 this, and because it is best-practise in general, you should use
497 filesystem permissions to ensure that only the group httpd
498 runs as may execute suEXEC.</p>
500 <p>If for example, your web server is configured to run as:</p>
502 <pre class="prettyprint lang-config">User www
506 <p>and <code class="program"><a href="./programs/suexec.html">suexec</a></code> is installed at
507 "/usr/local/apache2/bin/suexec", you should run:</p>
509 <div class="example"><p><code>
510 chgrp webgroup /usr/local/apache2/bin/suexec<br />
511 chmod 4750 /usr/local/apache2/bin/suexec<br />
514 <p>This will ensure that only the group httpd runs as can even
515 execute the suEXEC wrapper.</p>
517 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
518 <div class="section">
519 <h2><a name="enable" id="enable">Enabling & Disabling
522 <p>Upon startup of httpd, it looks for the file
523 <code class="program"><a href="./programs/suexec.html">suexec</a></code> in the directory defined by the
524 <code>--sbindir</code> option (default is
525 "/usr/local/apache/sbin/suexec"). If httpd finds a properly
526 configured suEXEC wrapper, it will print the following message
527 to the error log:</p>
529 <div class="example"><p><code>
530 [notice] suEXEC mechanism enabled (wrapper: <var>/path/to/suexec</var>)
533 <p>If you don't see this message at server startup, the server is
534 most likely not finding the wrapper program where it expects
535 it, or the executable is not installed <em>setuid root</em>.</p>
537 <p>If you want to enable the suEXEC mechanism for the first time
538 and an Apache HTTP Server is already running you must kill and
539 restart httpd. Restarting it with a simple HUP or USR1 signal
540 will not be enough. </p>
541 <p>If you want to disable suEXEC you should kill and restart
542 httpd after you have removed the <code class="program"><a href="./programs/suexec.html">suexec</a></code> file.</p>
543 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
544 <div class="section">
545 <h2><a name="usage" id="usage">Using suEXEC</a></h2>
547 <p>Requests for CGI programs will call the suEXEC wrapper only if
548 they are for a virtual host containing a <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive or if
549 they are processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code>.</p>
551 <p><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC
552 wrapper is through the <code class="directive"><a href="./mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a></code> directive in
553 <code class="directive"><a href="./mod/core.html#virtualhost">VirtualHost</a></code> definitions. By
554 setting this directive to values different from the main server
555 user ID, all requests for CGI resources will be executed as the
556 <em>User</em> and <em>Group</em> defined for that <code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code>. If this
557 directive is not specified for a <code class="directive"><a href="./mod/core.html#virtualhost"><VirtualHost></a></code> then the main server userid
560 <p><strong>User directories:</strong><br /> Requests that are
561 processed by <code class="module"><a href="./mod/mod_userdir.html">mod_userdir</a></code> will call the suEXEC
562 wrapper to execute CGI programs under the userid of the requested
563 user directory. The only requirement needed for this feature to
564 work is for CGI execution to be enabled for the user and that the
565 script must meet the scrutiny of the <a href="#model">security
566 checks</a> above. See also the
567 <code>--with-suexec-userdir</code> <a href="#install">compile
568 time option</a>.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
569 <div class="section">
570 <h2><a name="debug" id="debug">Debugging suEXEC</a></h2>
572 <p>The suEXEC wrapper will write log information
573 to the file defined with the <code>--with-suexec-logfile</code>
574 option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
575 is used. If you feel you have configured and
576 installed the wrapper properly, have a look at the log and the
577 error_log for the server to see where you may have gone astray.
578 The output of <code>"suexec -V"</code> will show the options
579 used to compile suexec, if using a binary distribution.</p>
581 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
582 <div class="section">
583 <h2><a name="jabberwock" id="jabberwock">Beware the Jabberwock:
584 Warnings & Examples</a></h2>
586 <p><strong>NOTE!</strong> This section may not be
587 complete. For the latest revision of this section of the
588 documentation, see the <a href="http://httpd.apache.org/docs/trunk/suexec.html">Online
589 Documentation</a> version.</p>
591 <p>There are a few points of interest regarding
592 the wrapper that can cause limitations on server setup. Please
593 review these before submitting any "bugs" regarding suEXEC.</p>
596 <li><strong>suEXEC Points Of Interest</strong></li>
599 Hierarchy limitations
602 For security and efficiency reasons, all suEXEC requests
603 must remain within either a top-level document root for
604 virtual host requests, or one top-level personal document
605 root for userdir requests. For example, if you have four
606 VirtualHosts configured, you would need to structure all
607 of your VHosts' document roots off of one main httpd
608 document hierarchy to take advantage of suEXEC for
609 VirtualHosts. (Example forthcoming.)
614 suEXEC's PATH environment variable
617 This can be a dangerous thing to change. Make certain
618 every path you include in this define is a
619 <strong>trusted</strong> directory. You don't want to
620 open people up to having someone from across the world
621 running a trojan horse on them.
626 Altering the suEXEC code
629 Again, this can cause <strong>Big Trouble</strong> if you
630 try this without knowing what you are doing. Stay away
631 from it if at all possible.
637 <div class="bottomlang">
638 <p><span>Available Languages: </span><a href="./en/suexec.html" title="English"> en </a> |
639 <a href="./fr/suexec.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
640 <a href="./ja/suexec.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
641 <a href="./ko/suexec.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
642 <a href="./tr/suexec.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p>
643 </div><div class="top"><a href="#page-header"><img src="./images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
644 <script type="text/javascript"><!--//--><![CDATA[//><!--
645 var comments_shortname = 'httpd';
646 var comments_identifier = 'http://httpd.apache.org/docs/trunk/suexec.html';
648 if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
649 d.write('<div id="comments_thread"><\/div>');
650 var s = d.createElement('script');
651 s.type = 'text/javascript';
653 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
654 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
657 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
659 })(window, document);
660 //--><!]]></script></div><div id="footer">
661 <p class="apache">Copyright 2016 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
662 <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
663 if (typeof(prettyPrint) !== 'undefined') {