<dt>A (partial) domain-name</dt>
<dd>
- <example><title>Example:</title>
- Allow from example.org<br />
- Allow from .net example.edu
- </example>
+ <highlight language="config">
+Allow from example.org
+Allow from .net example.edu
+ </highlight>
<p>Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
example will match <code>foo.example.org</code> but it will not
<dt>A full IP address</dt>
<dd>
- <example><title>Example:</title>
- Allow from 10.1.2.3<br />
- Allow from 192.168.1.104 192.168.1.205
- </example>
+ <highlight language="config">
+Allow from 10.1.2.3
+Allow from 192.168.1.104 192.168.1.205
+ </highlight>
<p>An IP address of a host allowed access</p></dd>
<dt>A partial IP address</dt>
<dd>
- <example><title>Example:</title>
- Allow from 10.1<br />
- Allow from 10 172.20 192.168.2
- </example>
+ <highlight language="config">
+Allow from 10.1
+Allow from 10 172.20 192.168.2
+ </highlight>
<p>The first 1 to 3 bytes of an IP address, for subnet
restriction.</p></dd>
<dt>A network/netmask pair</dt>
<dd>
- <example><title>Example:</title>
+ <highlight language="config">
Allow from 10.1.0.0/255.255.0.0
- </example>
+ </highlight>
<p>A network a.b.c.d, and a netmask w.x.y.z. For more
fine-grained subnet restriction.</p></dd>
<dt>A network/nnn CIDR specification</dt>
<dd>
- <example><title>Example:</title>
+ <highlight language="config">
Allow from 10.1.0.0/16
- </example>
+ </highlight>
<p>Similar to the previous case, except the netmask consists of
nnn high-order 1 bits.</p></dd>
</dl>
<p>IPv6 addresses and IPv6 subnets can be specified as shown
below:</p>
- <example>
- Allow from 2001:db8::a00:20ff:fea7:ccea<br />
- Allow from 2001:db8::a00:20ff:fea7:ccea/10
- </example>
+ <highlight language="config">
+Allow from 2001:db8::a00:20ff:fea7:ccea
+Allow from 2001:db8::a00:20ff:fea7:ccea/10
+ </highlight>
<p>The third format of the arguments to the
<directive>Allow</directive> directive allows access to the server
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
- <example><title>Example:</title>
- SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
- <Directory /docroot><br />
- <indent>
- Order Deny,Allow<br />
- Deny from all<br />
- Allow from env=let_me_in<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
+<Directory /docroot>
+ Order Deny,Allow
+ Deny from all
+ Allow from env=let_me_in
+</Directory>
+ </highlight>
<p>In this case, browsers with a user-agent string beginning
with <code>KnockKnock/2.0</code> will be allowed access, and all
<p>In the following example, all hosts in the example.org domain
are allowed access; all other hosts are denied access.</p>
- <example>
- Order Deny,Allow<br />
- Deny from all<br />
- Allow from example.org
- </example>
+ <highlight language="config">
+Order Deny,Allow
+Deny from all
+Allow from example.org
+ </highlight>
<p>In the next example, all hosts in the example.org domain are
allowed access, except for the hosts which are in the
state is to <directive module="mod_access_compat">Deny</directive>
access to the server.</p>
- <example>
- Order Allow,Deny<br />
- Allow from example.org<br />
- Deny from foo.example.org
- </example>
+ <highlight language="config">
+Order Allow,Deny
+Allow from example.org
+Deny from foo.example.org
+ </highlight>
<p>On the other hand, if the <directive>Order</directive> in the
last example is changed to <code>Deny,Allow</code>, all hosts will
directives because of its effect on the default access state. For
example,</p>
- <example>
- <Directory /www><br />
- <indent>
- Order Allow,Deny<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /www>
+ Order Allow,Deny
+</Directory>
+ </highlight>
<p>will Deny all access to the <code>/www</code> directory
because the default access state is set to
people outside of your network provide a password, you could use a
configuration similar to the following:</p>
- <example>
- Require valid-user<br />
- Allow from 192.168.1<br />
- Satisfy Any
- </example>
+ <highlight language="config">
+Require valid-user
+Allow from 192.168.1
+Satisfy Any
+ </highlight>
<p>
Another frequent use of the <directive>Satisfy</directive> directive
is to relax access restrictions for a subdirectory:
</p>
- <example>
- <Directory /var/www/private><br />
- Require valid-user<br />
- </Directory><br />
- <br />
- <Directory /var/www/private/public><br />
- Allow from all<br />
- Satisfy Any<br />
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /var/www/private>
+ Require valid-user
+</Directory>
+
+<Directory /var/www/private/public>
+ Allow from all
+ Satisfy Any
+</Directory>
+ </highlight>
<p>In the above example, authentication will be required for the
<code>/var/www/private</code> directory, but will not be required
is passed using the <code>REDIRECT_HANDLER</code> variable.</p>
<example><title>Example: MIME type</title>
- # Requests for files of a particular MIME content type:<br />
- Action image/gif /cgi-bin/images.cgi<br />
- <br />
+ <highlight language="config">
+# Requests for files of a particular MIME content type:
+Action image/gif /cgi-bin/images.cgi
+ </highlight>
</example>
<p>In this example, requests for files with a MIME content
type of <code>image/gif</code> will be handled by the
specified cgi script <code>/cgi-bin/images.cgi</code>.</p>
- <example><title>Example: File extension</title>
- # Files of a particular file extension<br />
- AddHandler my-file-type .xyz<br />
- Action my-file-type /cgi-bin/program.cgi<br />
+ <example>
+ <title>Example: File extension</title>
+ <highlight language="config">
+# Files of a particular file extension
+AddHandler my-file-type .xyz
+Action my-file-type /cgi-bin/program.cgi
+ </highlight>
</example>
-
<p>In this example, requests for files with a file extension of
<code>.xyz</code> are handled by the specified cgi script
<code>/cgi-bin/program.cgi</code>.</p>
if you want to use the <directive>Action</directive> directive in
virtual locations.</p>
- <example><title>Example</title>
- <Location /news><br />
- <indent>
- SetHandler news-handler<br />
- Action news-handler /cgi-bin/news.cgi virtual<br />
- </indent>
- </Location>
- </example>
+ <highlight language="config">
+<Location /news>
+ SetHandler news-handler
+ Action news-handler /cgi-bin/news.cgi virtual
+</Location>
+ </highlight>
</usage>
<seealso><directive module="mod_mime">AddHandler</directive></seealso>
(<em>e.g.</em>, foo.html?hi). Otherwise, the request will
proceed normally.</p>
- <example><title>Examples</title>
- # All GET requests go here<br />
- Script GET /cgi-bin/search<br />
- <br />
- # A CGI PUT handler<br />
- Script PUT /~bob/put.cgi<br />
- </example>
+ <highlight language="config">
+# All GET requests go here
+Script GET /cgi-bin/search
+
+# A CGI PUT handler
+Script PUT /~bob/put.cgi
+ </highlight>
</usage>
</directivesynopsis>
all the directives to have an effect. For example, the following
configuration will work as expected:</p>
- <example>
- Alias /foo/bar /baz<br />
- Alias /foo /gaq
- </example>
+ <highlight language="config">
+Alias /foo/bar /baz
+Alias /foo /gaq
+ </highlight>
<p>But if the above two directives were reversed in order, the
<code>/foo</code> <directive module="mod_alias">Alias</directive>
<var>URL-path</var> is case-sensitive, even on case-insensitive
file systems.</p>
- <example><title>Example:</title>
+ <highlight language="config">
Alias /image /ftp/pub/image
- </example>
+ </highlight>
<p>A request for <code>http://example.com/image/foo.gif</code> would cause
the server to return the file <code>/ftp/pub/image/foo.gif</code>. Only
module="core">DocumentRoot</directive>, you may need to explicitly
permit access to the target directory.</p>
- <example><title>Example:</title>
- Alias /image /ftp/pub/image<br />
- <Directory /ftp/pub/image><br />
- <indent>
- Require all granted<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+Alias /image /ftp/pub/image
+<Directory /ftp/pub/image>
+ Require all granted
+</Directory>
+ </highlight>
</usage>
</directivesynopsis>
example, to activate the <code>/icons</code> directory, one might
use:</p>
- <example>
+ <highlight language="config">
AliasMatch ^/icons(.*) /usr/local/apache/icons$1
- </example>
+ </highlight>
<p>The full range of <glossary ref="regex">regular expression</glossary>
power is available. For example,
it is possible to construct an alias with case-insensitive
matching of the URL-path:</p>
- <example>
+ <highlight language="config">
AliasMatch (?i)^/image(.*) /ftp/pub/image$1
- </example>
+ </highlight>
<p>One subtle difference
between <directive module="mod_alias">Alias</directive>
<p>For example, suppose you want to replace this with AliasMatch:</p>
- <example>
+ <highlight language="config">
Alias /image/ /ftp/pub/image/
- </example>
+ </highlight>
<p>This is NOT equivalent - don't do this! This will send all
requests that have /image/ anywhere in them to /ftp/pub/image/:</p>
- <example>
+ <highlight language="config">
AliasMatch /image/ /ftp/pub/image/
- </example>
+ </highlight>
<p>This is what you need to get the same effect:</p>
- <example>
+ <highlight language="config">
AliasMatch ^/image/(.*)$ /ftp/pub/image/$1
- </example>
+ </highlight>
<p>Of course, there's no point in
using <directive module="mod_alias">AliasMatch</directive>
you do more complicated things. For example, you could
serve different kinds of files from different directories:</p>
- <example>
+ <highlight language="config">
AliasMatch ^/image/(.*)\.jpg$ /files/jpg.images/$1.jpg<br/>
AliasMatch ^/image/(.*)\.gif$ /files/gif.images/$1.gif
- </example>
+ </highlight>
</usage>
</directivesynopsis>
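Review bot: The unchanged line AliasMatch ^/image/(.*)\.jpg$ /files/jpg.images/$1.jpg<br/> still ends in <br/> and now sits inside <highlight language="config">, while every other converted block in this patch has its <br /> removed. Make that line a changed line with the <br/> dropped, so the tag does not become part of the directive text.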
<em>URL</em>. Additional path information beyond the matched
<em>URL-Path</em> will be appended to the target URL.</p>
- <example><title>Example:</title>
- # Redirect to a URL on a different host<br />
- Redirect /service http://foo2.example.com/service<br />
- <br />
- # Redirect to a URL on the same host<br />
- Redirect /one /two
- </example>
+ <highlight language="config">
+# Redirect to a URL on a different host
+Redirect /service http://foo2.example.com/service
+
+# Redirect to a URL on the same host
+Redirect /one /two
+ </highlight>
<p>If the client requests <code>http://example.com/service/foo.txt</code>,
it will be told to access
HTTP status code, known to the Apache HTTP Server (see the function
<code>send_error_response</code> in http_protocol.c).</p>
- <example><title>Example:</title>
- Redirect permanent /one http://example.com/two<br />
- Redirect 303 /three http://example.com/other
- </example>
+ <highlight language="config">
+Redirect permanent /one http://example.com/two
+Redirect 303 /three http://example.com/other
+ </highlight>
</usage>
</directivesynopsis>
example, to redirect all GIF files to like-named JPEG files on
another server, one might use:</p>
- <example>
+ <highlight language="config">
RedirectMatch (.*)\.gif$ http://other.example.com$1.jpg
- </example>
+ </highlight>
<p>The considerations related to the difference between
<directive module="mod_alias">Alias</directive> and
to scripts beginning with the second argument, which is a full
pathname in the local filesystem.</p>
- <example><title>Example:</title>
+ <highlight language="config">
ScriptAlias /cgi-bin/ /web/cgi-bin/
- </example>
+ </highlight>
<p>A request for <code>http://example.com/cgi-bin/foo</code> would cause the
server to run the script <code>/web/cgi-bin/foo</code>. This configuration
is essentially equivalent to:</p>
- <example>
- Alias /cgi-bin/ /web/cgi-bin/<br />
- <Location /cgi-bin ><br />
- <indent>
- SetHandler cgi-script<br />
- Options +ExecCGI<br />
- </indent>
- </Location>
- </example>
+ <highlight language="config">
+Alias /cgi-bin/ /web/cgi-bin/
+<Location /cgi-bin >
+ SetHandler cgi-script
+ Options +ExecCGI
+</Location>
+ </highlight>
<p><directive>ScriptAlias</directive> can also be used in conjunction with
a script or handler you have. For example:</p>
- <example>
+ <highlight language="config">
ScriptAlias /cgi-bin/ /web/cgi-handler.pl
- </example>
+ </highlight>
<p>In this scenario all files requested in <code>/cgi-bin/</code> will be
handled by the file you have configured, this allows you to use your own custom
module="core" type="section">Directory</directive>, <directive
module="core">SetHandler</directive>, and <directive
module="core">Options</directive> as in:
- <example>
- <Directory /usr/local/apache2/htdocs/cgi-bin ><br />
- <indent>
- SetHandler cgi-script<br />
- Options ExecCGI<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /usr/local/apache2/htdocs/cgi-bin >
+ SetHandler cgi-script
+ Options ExecCGI
+</Directory>
+ </highlight>
This is necessary since multiple <var>URL-paths</var> can map
to the same filesystem location, potentially bypassing the
<directive>ScriptAlias</directive> and revealing the source code
example, to activate the standard <code>/cgi-bin</code>, one
might use:</p>
- <example>
+ <highlight language="config">
ScriptAliasMatch ^/cgi-bin(.*) /usr/local/apache/cgi-bin$1
- </example>
+ </highlight>
<p>As for AliasMatch, the full range of <glossary ref="rexex">regular
expression</glossary> power is available.
For example, it is possible to construct an alias with case-insensitive
matching of the URL-path:</p>
- <example>
+ <highlight language="config">
ScriptAliasMatch (?i)^/cgi-bin(.*) /usr/local/apache/cgi-bin$1
- </example>
+ </highlight>
<p>The considerations related to the difference between
<directive module="mod_alias">Alias</directive> and
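Review bot: The unchanged line between the two ScriptAliasMatch blocks reads <glossary ref="rexex">, whereas the AliasMatch section earlier in this patch uses <glossary ref="regex"> for the same link. Since this hunk rewrites the examples on both sides of it, correct the ref to regex in the same change.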
<p>This module makes it easy to restrict what HTTP methods can
used on an server. The most common configuration would be:</p>
-<example><title>Example</title>
-<Location /><br />
-<indent>
- AllowMethods GET POST OPTIONS<br />
-</indent>
+<highlight language="config">
+<Location />
+ AllowMethods GET POST OPTIONS
</Location>
-</example>
+</highlight>
</summary>
equivalent. The <code>reset</code> keyword can be used
turn off <module>mod_allowmethods</module> in a deeper nested context:</p>
-<example><title>Example</title>
-<Location /svn><br />
-<indent>
- AllowMethods reset<br />
-</indent>
+<highlight language="config">
+<Location /svn>
+ AllowMethods reset
</Location>
-</example>
+</highlight>
<note><title>Caution</title>
<p>The TRACE method can not be denied by this module,
<p>In the server configuration file, associate files with the
<code>send-as-is</code> handler <em>e.g.</em></p>
- <example>AddHandler send-as-is asis</example>
+ <highlight language="config">AddHandler send-as-is asis</highlight>
<p>The contents of any file with a <code>.asis</code> extension
will then be sent by Apache httpd to the client with almost no
The default <code>file</code> provider is implemented
by the <module>mod_authn_file</module> module. Make sure
that the chosen provider module is present in the server.</p>
-
<example><title>Example</title>
- <Location /secure><br />
- <indent>
- AuthType basic<br />
- AuthName "private area"<br />
- AuthBasicProvider dbm<br />
- AuthDBMType SDBM<br />
- AuthDBMUserFile /www/etc/dbmpasswd<br />
- Require valid-user<br />
- </indent>
- </Location>
+ <highlight language="config">
+<Location /secure>
+ AuthType basic
+ AuthName "private area"
+ AuthBasicProvider dbm
+ AuthDBMType SDBM
+ AuthDBMUserFile /www/etc/dbmpasswd
+ Require valid-user
+</Location>
+ </highlight>
</example>
-
<p> Providers are queried in order until a provider finds a match
for the requested username, at which point this sole provider will
attempt to check the password. A failure to verify the password does
<program>htdigest</program> tool.</p>
<example><title>Example:</title>
- <Location /private/><br />
- <indent>
- AuthType Digest<br />
- AuthName "private area"<br />
- AuthDigestDomain /private/ http://mirror.my.dom/private2/<br />
- <br />
- AuthDigestProvider file<br />
- AuthUserFile /web/auth/.digest_pw<br />
- Require valid-user<br />
- </indent>
- </Location>
+ <highlight language="config">
+<Location /private/>
+ AuthType Digest
+ AuthName "private area"
+ AuthDigestDomain /private/ http://mirror.my.dom/private2/
+
+ AuthDigestProvider file
+ AuthUserFile /web/auth/.digest_pw
+ Require valid-user
+</Location>
+ </highlight>
</example>
<note><title>Note</title>
method would look similar to the following.</p>
<example><title>Using Digest Authentication with MSIE:</title>
- BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
+ <highlight language="config">
+ BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
+ </highlight>
</example>
<p>This workaround is not necessary for MSIE 7, though enabling it does
express your value as KBytes or MBytes. For example, the following
directives are all equivalent:</p>
- <example>
- AuthDigestShmemSize 1048576<br />
- AuthDigestShmemSize 1024K<br />
- AuthDigestShmemSize 1M
- </example>
+<highlight language="config">
+AuthDigestShmemSize 1048576
+AuthDigestShmemSize 1024K
+AuthDigestShmemSize 1M
+ </highlight>
</usage>
</directivesynopsis>
the user will be redirected to the form login page.</p>
<example><title>Basic example</title>
- AuthFormProvider file<br />
- AuthUserFile conf/passwd<br />
- AuthType form<br />
- AuthName realm<br />
- AuthFormLoginRequiredLocation http://example.com/login.html<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
+ <highlight language="config">
+AuthFormProvider file
+AuthUserFile conf/passwd
+AuthType form
+AuthName realm
+AuthFormLoginRequiredLocation http://example.com/login.html
+Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret
+ </highlight>
</example>
<p>The directive <directive module="mod_authn_core">AuthType</directive> will enable
Apache httpd as follows:</p>
<example><title>Form login handler example</title>
- <Location /dologin.html>
- <indent>
- SetHandler form-login-handler<br />
- AuthFormLoginRequiredLocation http://example.com/login.html<br />
- AuthFormLoginSuccessLocation http://example.com/success.html<br />
- AuthFormProvider file<br />
- AuthUserFile conf/passwd<br />
- AuthType form<br />
- AuthName realm<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
- </indent>
- </Location>
+ <highlight language="config">
+<Location /dologin.html>
+ SetHandler form-login-handler
+ AuthFormLoginRequiredLocation http://example.com/login.html
+ AuthFormLoginSuccessLocation http://example.com/success.html
+ AuthFormProvider file
+ AuthUserFile conf/passwd
+ AuthType form
+ AuthName realm
+ Session On
+ SessionCookieName session path=/
+ SessionCryptoPassphrase secret
+</Location>
+ </highlight>
</example>
<p>The URLs specified by the
containing the login form, as follows:</p>
<example><title>Basic inline example</title>
- AuthFormProvider file<br />
- <strong>ErrorDocument 401 /login.shtml</strong><br />
- AuthUserFile conf/passwd<br />
- AuthType form<br />
- AuthName realm<br />
- AuthFormLoginRequiredLocation http://example.com/login.html<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
+ <highlight language="config">
+AuthFormProvider file
+ErrorDocument 401 /login.shtml
+AuthUserFile conf/passwd
+AuthType form
+AuthName realm
+AuthFormLoginRequiredLocation http://example.com/login.html
+Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret
+ </highlight>
</example>
<p>The error document page should contain a login form with an empty action property,
technology.</p>
<example><title>CGI example</title>
- AuthFormProvider file<br />
- <strong>ErrorDocument 401 /cgi-bin/login.cgi</strong><br />
- ...<br />
+ <highlight language="config">
+ AuthFormProvider file
+ <strong>ErrorDocument 401 /cgi-bin/login.cgi</strong>
+ ...
+ </highlight>
</example>
</section>
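Review bot: In the CGI example the added lines keep <strong>ErrorDocument 401 /cgi-bin/login.cgi</strong> and a bare ... inside <highlight language="config">, and all three lines carry a leading space. The "Basic inline example" hunk just before this one drops the <strong> markup from the same kind of ErrorDocument line, and the Location /secure and Location /logout hunks turn the elision into #..., so do the same here: a plain ErrorDocument 401 /cgi-bin/login.cgi line, #... for the elision, and no leading space.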
give the user the option to log in again.</p>
<example><title>Basic logout example</title>
- SetHandler form-logout-handler<br />
- AuthName realm<br />
- AuthFormLogoutLocation http://example.com/loggedout.html<br />
- Session On<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
+ <highlight language="config">
+SetHandler form-logout-handler
+AuthName realm
+AuthFormLogoutLocation http://example.com/loggedout.html
+Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret
+ </highlight>
</example>
<p>Note that logging a user out does not delete the session; it merely removes
</p>
<example><title>Basic session expiry example</title>
- SetHandler form-logout-handler<br />
- AuthFormLogoutLocation http://example.com/loggedout.html<br />
- Session On<br />
- SessionMaxAge 1<br />
- SessionCookieName session path=/<br />
- SessionCryptoPassphrase secret<br />
+ <highlight language="config">
+SetHandler form-logout-handler
+AuthFormLogoutLocation http://example.com/loggedout.html
+Session On
+SessionMaxAge 1
+SessionCookieName session path=/
+SessionCryptoPassphrase secret
+ </highlight>
</example>
</section>
that the chosen provider module is present in the server.</p>
<example><title>Example</title>
- <Location /secure><br />
- <indent>
- AuthType form<br />
- AuthName "private area"<br />
- AuthFormProvider dbm<br />
- AuthDBMType SDBM<br />
- AuthDBMUserFile /www/etc/dbmpasswd<br />
- Require valid-user<br />
- ...<br />
- </indent>
- </Location>
+ <highlight language="config">
+<Location /secure>
+ AuthType form
+ AuthName "private area"
+ AuthFormProvider dbm
+ AuthDBMType SDBM
+ AuthDBMUserFile /www/etc/dbmpasswd
+ Require valid-user
+ #...
+</Location>
+ </highlight>
</example>
<p>Providers are implemented by <module>mod_authn_dbm</module>,
the page specified by this directive will be shown to the end user. For example:</p>
<example><title>Example</title>
- <Location /logout><br />
- <indent>
- SetHandler form-logout-handler<br />
- AuthFormLogoutLocation http://example.com/loggedout.html<br />
- Session on<br />
- ...
- </indent>
- </Location>
+ <highlight language="config">
+<Location /logout>
+ SetHandler form-logout-handler
+ AuthFormLogoutLocation http://example.com/loggedout.html
+ Session on
+ #...
+</Location>
+ </highlight>
</example>
<p>An attempt to access the URI <var>/logout/</var> will result in the user being logged
</ul>
<example><title>Example</title>
- <Directory /var/www/html/private>
- <indent>
- AuthName "Use 'anonymous' & Email address for guest entry"<br />
- AuthType Basic<br />
- AuthBasicProvider file anon<br />
- AuthUserFile /path/to/your/.htpasswd<br />
- <br />
- Anonymous_NoUserID off<br />
- Anonymous_MustGiveEmail on<br />
- Anonymous_VerifyEmail on<br />
- Anonymous_LogEmail on<br />
- Anonymous anonymous guest www test welcome<br />
- <br />
- Require valid-user<br />
- </indent>
- </Directory>
+ <highlight language="config">
+<Directory /var/www/html/private>
+ AuthName "Use 'anonymous' & Email address for guest entry"
+ AuthType Basic
+ AuthBasicProvider file anon
+ AuthUserFile /path/to/your/.htpasswd
+
+ Anonymous_NoUserID off
+ Anonymous_MustGiveEmail on
+ Anonymous_VerifyEmail on
+ Anonymous_LogEmail on
+ Anonymous anonymous guest www test welcome
+
+ Require valid-user
+</Directory>
+ </highlight>
</example>
</section>
files.</p>
<example><title>Checking multiple text password files</title>
-
- # Check here first<br />
- <AuthnProviderAlias file file1><br />
- <indent>
- AuthUserFile /www/conf/passwords1<br />
- </indent>
- </AuthnProviderAlias><br />
- <br />
- # Then check here<br />
- <AuthnProviderAlias file file2> <br />
- <indent>
- AuthUserFile /www/conf/passwords2<br />
- </indent>
- </AuthnProviderAlias><br />
- <br />
- <Directory /var/web/pages/secure><br />
- <indent>
- AuthBasicProvider file1 file2<br />
- <br />
- AuthType Basic<br />
- AuthName "Protected Area"<br />
- Require valid-user<br />
- </indent>
- </Directory><br />
+ <highlight language="config">
+# Check here first
+<AuthnProviderAlias file file1>
+ AuthUserFile /www/conf/passwords1
+</AuthnProviderAlias>
+
+# Then check here
+<AuthnProviderAlias file file2>
+ AuthUserFile /www/conf/passwords2
+</AuthnProviderAlias>
+
+<Directory /var/web/pages/secure>
+ AuthBasicProvider file1 file2
+
+ AuthType Basic
+ AuthName "Protected Area"
+ Require valid-user
+</Directory>
+ </highlight>
</example>
<p>The example below creates two different ldap authentication
hosts:</p>
<example><title>Checking multiple LDAP servers</title>
- <AuthnProviderAlias ldap ldap-alias1><br />
- <indent>
- AuthLDAPBindDN cn=youruser,o=ctx<br />
- AuthLDAPBindPassword yourpassword<br />
- AuthLDAPURL ldap://ldap.host/o=ctx<br />
- </indent>
- </AuthnProviderAlias><br /><br />
- <AuthnProviderAlias ldap ldap-other-alias><br />
- <indent>
- AuthLDAPBindDN cn=yourotheruser,o=dev<br />
- AuthLDAPBindPassword yourotherpassword<br />
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
- </indent>
- </AuthnProviderAlias><br /><br />
-
- Alias /secure /webpages/secure<br />
- <Directory /webpages/secure><br />
- <indent>
- Order deny,allow<br />
- Allow from all<br /><br />
-
- AuthBasicProvider ldap-other-alias ldap-alias1<br /><br />
-
- AuthType Basic<br />
- AuthName LDAP_Protected_Place<br />
- Require valid-user<br />
- </indent>
- </Directory><br />
+ <highlight language="config">
+<AuthnProviderAlias ldap ldap-alias1>
+ AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindPassword yourpassword
+ AuthLDAPURL ldap://ldap.host/o=ctx
+ </AuthnProviderAlias>
+ <AuthnProviderAlias ldap ldap-other-alias>
+ AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindPassword yourotherpassword
+ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+</AuthnProviderAlias>
+
+Alias /secure /webpages/secure
+<Directory /webpages/secure>
+ Order deny,allow
+ Allow from all
+
+ AuthBasicProvider ldap-other-alias ldap-alias1
+
+ AuthType Basic
+ AuthName LDAP_Protected_Place
+ Require valid-user
+</Directory>
+ </highlight>
</example>
</section>
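Review bot: The closing </AuthnProviderAlias> of ldap-alias1 and the opening <AuthnProviderAlias ldap ldap-other-alias> are added with a leading space, and the blank line that the removed <br /><br /> put between the two alias sections is gone. The "Checking multiple text password files" hunk before this one keeps both sections at column 0 with an empty line between them; match that here so the two provider blocks read as separate sections.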
<p>For example:</p>
- <example>
+ <highlight language="config">
AuthName "Top Secret"
- </example>
+ </highlight>
<p>The string provided for the <code>AuthName</code> is what will
appear in the password dialog provided by most browsers.</p>
in the following example, clients may access the
<code>/www/docs/public</code> directory without authenticating:</p>
- <example>
- <Directory /www/docs>
- <indent>
- AuthType Basic<br />
- AuthName Documents<br />
- AuthBasicProvider file<br />
- AuthUserFile /usr/local/apache/passwd/passwords<br />
- Require valid-user
- </indent>
- </Directory><br />
- <br />
- <Directory /www/docs/public>
- <indent>
- AuthType None<br />
- Require all granted
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /www/docs>
+ AuthType Basic
+ AuthName Documents
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache/passwd/passwords
+ Require valid-user
+</Directory>
+
+<Directory /www/docs/public>
+ AuthType None
+ Require all granted
+</Directory>
+ </highlight>
<note>When disabling authentication, note that clients which have
already authenticated against another portion of the server's document
<title>Configuration Example</title>
<p>This simple example shows use of this module in the context of
the Authentication and DBD frameworks.</p>
-<example><pre>
+<highlight language="config"><pre>
# mod_dbd configuration
# UPDATED to include authentication cacheing
DBDriver pgsql
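Review bot: <highlight language="config"><pre> keeps the old <pre> wrapper inside the new element, here and in the AuthDBDUserPWQuery, AuthDBDUserRealmQuery and socache examples further down. The other converted blocks in this patch put the directives directly inside <highlight>, so drop <pre> and </pre> in these four places, or state in the commit message why the nesting is wanted.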
AuthDBDUserPWQuery \
"SELECT password FROM authn WHERE user = %s"
</Directory>
-</pre></example>
+</pre></highlight>
</section>
<section id="exposed">
will be passed as a single string parameter when the SQL query is
executed. It may be referenced within the query statement using
a <code>%s</code> format specifier.</p>
- <example><title>Example</title><pre>
+ <highlight language="config"><pre>
AuthDBDUserPWQuery \
"SELECT password FROM authn WHERE user = %s"
-</pre></example>
+</pre></highlight>
<p>The first column value of the first row returned by the query
statement should be a string containing the encrypted password.
Subsequent rows will be ignored. If no rows are returned, the user
The user's ID and the realm, in that order, will be passed as string
parameters when the SQL query is executed. They may be referenced
within the query statement using <code>%s</code> format specifiers.</p>
- <example><title>Example</title><pre>
+ <highlight language="config"><pre>
AuthDBDUserRealmQuery \
"SELECT password FROM authn WHERE user = %s AND realm = %s"
-</pre></example>
+</pre></highlight>
<p>The first column value of the first row returned by the query
statement should be a string containing the encrypted password.
Subsequent rows will be ignored. If no rows are returned, the user
</ol>
<p>A simple usage example to accelerate <module>mod_authn_dbd</module>
using dbm as a cache engine:</p>
- <example><pre>
- <Directory /usr/www/myhost/private>
- AuthType Basic
- AuthName "Cached Authentication Example"
- AuthBasicProvider socache dbd
- AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
- AuthnCacheProvideFor dbd
- AuthnCacheContext dbd-authn-example
- AuthnCacheSOCache dbm
- Require valid-user
- </Directory>
- </pre></example>
+ <highlight language="config"><pre>
+<Directory /usr/www/myhost/private>
+ AuthType Basic
+ AuthName "Cached Authentication Example"
+ AuthBasicProvider socache dbd
+ AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
+ AuthnCacheProvideFor dbd
+ AuthnCacheContext dbd-authn-example
+ AuthnCacheSOCache dbm
+ Require valid-user
+</Directory>
+ </pre></highlight>
</section>
<section id="dev"><title>Cacheing with custom modules</title>
<p>For example, to cache credentials found by <module>mod_authn_dbd</module>
or by a custom provider <var>myprovider</var>, but leave those looked
up by lightweight providers like file or dbm lookup alone:</p>
- <example>
+ <highlight language="config">
AuthnCacheProvideFor dbd myprovider
- </example>
+ </highlight>
</usage>
</directivesynopsis>
<code>ldap://ldap/o=Example?cn</code> (i.e., <code>cn</code> is
used for searches), the following Require directives could be used
to restrict access:</p>
-<example>
-Require ldap-user "Barbara Jenson"<br />
-Require ldap-user "Fred User"<br />
-Require ldap-user "Joe Manager"<br />
-</example>
+<highlight language="config">
+Require ldap-user "Barbara Jenson"
+Require ldap-user "Fred User"
+Require ldap-user "Joe Manager"
+</highlight>
<p>Because of the way that <module>mod_authnz_ldap</module> handles this
directive, Barbara Jenson could sign on as <em>Barbara
<p>If the <code>uid</code> attribute was used instead of the
<code>cn</code> attribute in the URL above, the above three lines
could be condensed to</p>
-<example>Require ldap-user bjenson fuser jmanager</example>
+<highlight language="config">Require ldap-user bjenson fuser jmanager</highlight>
</section>
<section id="reqgroup"><title>Require ldap-group</title>
group. Note: Do not surround the group name with quotes.
For example, assume that the following entry existed in
the LDAP directory:</p>
-<example>
-dn: cn=Administrators, o=Example<br />
-objectClass: groupOfUniqueNames<br />
-uniqueMember: cn=Barbara Jenson, o=Example<br />
-uniqueMember: cn=Fred User, o=Example<br />
-</example>
+<highlight language="config">
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+</highlight>
<p>The following directive would grant access to both Fred and
Barbara:</p>
-<example>Require ldap-group cn=Administrators, o=Example</example>
+<highlight language="config">Require ldap-group cn=Administrators, o=Example</highlight>
<p>Members can also be found within sub-groups of a specified LDAP group
if <directive module="mod_authnz_ldap">AuthLDAPMaxSubGroupDepth</directive>
is set to a value greater than 0. For example, assume the following entries
exist in the LDAP directory:</p>
-<example>
-dn: cn=Employees, o=Example<br />
-objectClass: groupOfUniqueNames<br />
-uniqueMember: cn=Managers, o=Example<br />
-uniqueMember: cn=Administrators, o=Example<br />
-uniqueMember: cn=Users, o=Example<br />
-<br />
-dn: cn=Managers, o=Example<br />
-objectClass: groupOfUniqueNames<br />
-uniqueMember: cn=Bob Ellis, o=Example<br />
-uniqueMember: cn=Tom Jackson, o=Example<br />
-<br />
-dn: cn=Administrators, o=Example<br />
-objectClass: groupOfUniqueNames<br />
-uniqueMember: cn=Barbara Jenson, o=Example<br />
-uniqueMember: cn=Fred User, o=Example<br />
-<br />
-dn: cn=Users, o=Example<br />
-objectClass: groupOfUniqueNames<br />
-uniqueMember: cn=Allan Jefferson, o=Example<br />
-uniqueMember: cn=Paul Tilley, o=Example<br />
-uniqueMember: cn=Temporary Employees, o=Example<br />
-<br />
-dn: cn=Temporary Employees, o=Example<br />
-objectClass: groupOfUniqueNames<br />
-uniqueMember: cn=Jim Swenson, o=Example<br />
-uniqueMember: cn=Elliot Rhodes, o=Example<br />
-</example>
+<highlight language="config">
+dn: cn=Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Managers, o=Example
+uniqueMember: cn=Administrators, o=Example
+uniqueMember: cn=Users, o=Example
+
+dn: cn=Managers, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Bob Ellis, o=Example
+uniqueMember: cn=Tom Jackson, o=Example
+
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+
+dn: cn=Users, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Allan Jefferson, o=Example
+uniqueMember: cn=Paul Tilley, o=Example
+uniqueMember: cn=Temporary Employees, o=Example
+
+dn: cn=Temporary Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Jim Swenson, o=Example
+uniqueMember: cn=Elliot Rhodes, o=Example
+</highlight>
<p>The following directives would allow access for Bob Ellis, Tom Jackson,
Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not
allow access for Jim Swenson, or Elliot Rhodes (since they are at a
sub-group depth of 2):</p>
-<example>
-Require ldap-group cn=Employees, o-Example<br />
-AuthLDAPSubGroupDepth 1<br />
-</example>
+<highlight language="config">
+Require ldap-group cn=Employees, o-Example
+AuthLDAPSubGroupDepth 1
+</highlight>
<p>Behavior of this directive is modified by the <directive
module="mod_authnz_ldap">AuthLDAPGroupAttribute</directive>, <directive
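Review bot: the added line `Require ldap-group cn=Employees, o-Example` carries over the `o-Example` typo from the removed lines. Every other DN in this section is written `o=Example`, so this conversion is the moment to fix it. The next added line uses `AuthLDAPSubGroupDepth 1`, while the paragraph that introduces the nested-group example names the directive `AuthLDAPMaxSubGroupDepth`; one of the two spellings is wrong, and readers will copy the highlighted one. The paragraph directly above the block also writes "Barbara Jensen" where the directory entries say "Barbara Jenson".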
<p>The following directive would grant access to a specific
DN:</p>
-<example>Require ldap-dn cn=Barbara Jenson, o=Example</example>
+<highlight language="config">Require ldap-dn cn=Barbara Jenson, o=Example</highlight>
<p>Behavior of this directive is modified by the <directive
module="mod_authnz_ldap">AuthLDAPCompareDNOnServer</directive>
<p>The following directive would grant access to anyone with
the attribute employeeType = active</p>
- <example>Require ldap-attribute employeeType=active</example>
+ <highlight language="config">Require ldap-attribute employeeType=active</highlight>
<p>Multiple attribute/value pairs can be specified on the same line
separated by spaces or they can be specified in multiple
<p>The following directive would grant access to anyone with
the city attribute equal to "San Jose" or status equal to "Active"</p>
- <example>Require ldap-attribute city="San Jose" status=active</example>
+ <highlight language="config">Require ldap-attribute city="San Jose" status=active</highlight>
</section>
<p>The following directive would grant access to anyone having a cell phone
and is in the marketing department</p>
- <example>Require ldap-filter &(cell=*)(department=marketing)</example>
+ <highlight language="config">Require ldap-filter &(cell=*)(department=marketing)</highlight>
<p>The difference between the <code>Require ldap-filter</code> directive and the
<code>Require ldap-attribute</code> directive is that <code>ldap-filter</code>
<li>
Grant access to anyone who exists in the LDAP directory,
using their UID for searches.
-<example>
-AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"<br />
+<highlight language="config">
+AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
Require valid-user
-</example>
+</highlight>
</li>
<li>
The next example is the same as above; but with the fields
that have useful defaults omitted. Also, note the use of a
redundant LDAP server.
-<example>AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"<br />
+<highlight language="config">AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
Require valid-user
-</example>
+</highlight>
</li>
<li>
this approach is not recommended: it's a better idea to
choose an attribute that is guaranteed unique in your
directory, such as <code>uid</code>.
-<example>
-AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"<br />
+<highlight language="config">
+AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
Require valid-user
-</example>
+</highlight>
</li>
<li>
Grant access to anybody in the Administrators group. The
users must authenticate using their UID.
-<example>
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid<br />
+<highlight language="config">
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid
Require ldap-group cn=Administrators, o=Example
-</example>
+</highlight>
</li>
<li>
of <code>qpagePagerID</code>. The example will grant access
only to people (authenticated via their UID) who have
alphanumeric pagers:
-<example>
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)<br />
+<highlight language="config">
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
Require valid-user
-</example>
+</highlight>
</li>
<li>
a pager, plus grant access to Joe Manager, who doesn't
have a pager, but does need to access the same
resource:</p>
-<example>
-AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))<br />
+<highlight language="config">
+AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
Require valid-user
-</example>
+</highlight>
<p>This last may look confusing at first, so it helps to
evaluate what the search filter will look like based on who
subtree search for the attribute <em>userPrincipalName</em>, with
an empty search root, like so:</p>
-<example>
-AuthLDAPBindDN apache@example.com<br />
-AuthLDAPBindPassword password<br />
+<highlight language="config">
+AuthLDAPBindDN apache@example.com
+AuthLDAPBindPassword password
AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub
-</example>
+</highlight>
<p>Users will need to enter their User Principal Name as a login, in
the form <em>somebody@nz.example.com</em>.</p>
authentication to it is a matter of adding the following
directives to <em>every</em> <code>.htaccess</code> file
that gets created in the web</p>
-<example><pre>
+<highlight language="config"><pre>
AuthLDAPURL "the url"
AuthGroupFile <em>mygroupfile</em>
Require group <em>mygroupfile</em>
-</pre></example>
+</pre></highlight>
<section id="howitworks"><title>How It Works</title>
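Review bot: the new opening line `<highlight language="config"><pre>` keeps the `<pre>` wrapper, and the body still contains `<em>mygroupfile</em>`, so block and inline markup are now nested inside a highlighted config listing. Other converted blocks in this patch drop `<pre>`. If `<highlight>` content is rendered verbatim, the `<em>` tags will appear as literal text in the listing. Suggest dropping `<pre>` and writing the placeholders as plain text, or leaving this block as `<example>` because it is a template rather than copyable config.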
<directive module="mod_authnz_ldap">AuthLDAPBindDN</directive>.
</p>
- <example> AuthLDAPInitialBindPattern (.+) $1@example.com </example>
- <example> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</example>
+ <highlight language="config"> AuthLDAPInitialBindPattern (.+) $1@example.com </highlight>
+ <highlight language="config"> AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com</highlight>
<note><title>Not available with authorization-only</title>
This directive can only be used if this module authenticates the user, and
to use. The syntax of the URL is</p>
<example>ldap://host:port/basedn?attribute?scope?filter</example>
<p>If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:</p>
-<example>AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."</example>
+<highlight language="config">AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."</highlight>
<p><em><strong>Caveat: </strong>If you specify multiple servers, you need to enclose the entire URL string in quotes;
otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." </em>
You can of course use search parameters on each of these.</p>
multiple ldap hosts:
</p>
- <example><title>Example</title>
- <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx><br />
- <indent>
- AuthLDAPBindDN cn=youruser,o=ctx<br />
- AuthLDAPBindPassword yourpassword<br />
- AuthLDAPURL ldap://ldap.host/o=ctx<br />
- </indent>
- </AuthzProviderAlias><br /><br />
- <AuthzProviderAlias ldap-group ldap-group-alias2
- cn=my-other-group,o=dev><br />
- <indent>
- AuthLDAPBindDN cn=yourotheruser,o=dev<br />
- AuthLDAPBindPassword yourotherpassword<br />
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
- </indent>
- </AuthzProviderAlias><br /><br />
-
- Alias /secure /webpages/secure<br />
- <Directory /webpages/secure><br />
- <indent>
- Require all granted<br /><br />
-
- AuthBasicProvider file<br /><br />
-
- AuthType Basic<br />
- AuthName LDAP_Protected_Place<br /><br />
-
- #implied OR operation<br />
- Require ldap-group-alias1<br />
- Require ldap-group-alias2<br />
- </indent> </Directory><br />
- </example>
+ <highlight language="config">
+<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
+ AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindPassword yourpassword
+ AuthLDAPURL ldap://ldap.host/o=ctx
+</AuthzProviderAlias>
+
+<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
+ AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindPassword yourotherpassword
+ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+</AuthzProviderAlias>
+
+Alias /secure /webpages/secure
+<Directory /webpages/secure>
+ Require all granted
+
+ AuthBasicProvider file
+
+ AuthType Basic
+ AuthName LDAP_Protected_Place
+
+ #implied OR operation
+ Require ldap-group-alias1
+ Require ldap-group-alias2
+</Directory>
+ </highlight>
</section>
</section>
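Review bot: the converted `<Directory /webpages/secure>` block keeps `Require all granted` alongside `Require ldap-group-alias1` and `Require ldap-group-alias2`, and its own comment says the Require lines form an implied OR. Under an OR, `Require all granted` authorizes every request, so the two LDAP group aliases never restrict anything in a realm named LDAP_Protected_Place. This predates the patch, but since the block is being rewritten as copyable config, suggest removing `Require all granted` so the example does not teach an open configuration.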
not belong to either the <code>temps</code> group or the
LDAP group <code>Temporary Employees</code>.</p>
- <example>
- <Directory /www/mydocs>
- <indent>
+ <highlight language="config">
+<Directory /www/mydocs>
+ <RequireAll>
+ <RequireAny>
+ Require user superadmin
<RequireAll>
- <indent>
+ Require group admins
+ Require ldap-group cn=Administrators,o=Airius
<RequireAny>
- <indent>
- Require user superadmin<br />
- <RequireAll>
- <indent>
- Require group admins<br />
- Require ldap-group cn=Administrators,o=Airius<br />
- <RequireAny>
- <indent>
- Require group sales<br />
- Require ldap-attribute dept="sales"
- </indent>
- </RequireAny>
- </indent>
- </RequireAll>
- </indent>
- </RequireAny><br />
- <RequireNone>
- <indent>
- Require group temps<br />
- Require ldap-group cn=Temporary Employees,o=Airius
- </indent>
- </RequireNone>
- </indent>
+ Require group sales
+ Require ldap-attribute dept="sales"
+ </RequireAny>
</RequireAll>
- </indent>
- </Directory>
- </example>
+ </RequireAny>
+ <RequireNone>
+ Require group temps
+ Require ldap-group cn=Temporary Employees,o=Airius
+ </RequireNone>
+ </RequireAll>
+</Directory>
+ </highlight>
</section>
<section id="requiredirectives"><title>The Require Directives</title>
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
- <example><title>Example:</title>
- SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
- <Directory /docroot><br />
- <indent>
- Require env let_me_in<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
+<Directory /docroot>
+ Require env let_me_in
+</Directory>
+ </highlight>
<p>In this case, browsers with a user-agent string beginning
with <code>KnockKnock/2.0</code> will be allowed access, and all
'granted' or 'denied'. The following examples will grant or deny
access to all requests.</p>
- <example>
- Require all granted<br />
- </example>
+ <highlight language="config">
+ Require all granted
+ </highlight>
- <example>
- Require all denied<br />
- </example>
+ <highlight language="config">
+ Require all denied
+ </highlight>
</section>
<p>The following example will only allow GET, HEAD, POST, and OPTIONS
requests:</p>
- <example>
- Require method GET POST OPTIONS<br />
- </example>
+ <highlight language="config">
+ Require method GET POST OPTIONS
+ </highlight>
<p>The following example will allow GET, HEAD, POST, and OPTIONS
requests without authentication, and require a valid user for all other
methods:</p>
- <example>
- <RequireAny><br />
- Require method GET POST OPTIONS<br />
- Require valid-user<br />
- </RequireAny><br />
- </example>
+ <highlight language="config">
+<RequireAny>
+ Require method GET POST OPTIONS
+ Require valid-user
+</RequireAny>
+ </highlight>
</section>
<p>The <code>expr</code> provider allows to base authorization
decisions on arbitrary expressions.</p>
- <example>
- Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17 <br />
- </example>
+ <highlight language="config">
+ Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17
+ </highlight>
<p>The syntax is described in the <a href="../expr.html">ap_expr</a>
documentation.</p>
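Review bot: `Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17` is carried over unchanged, but now that it is presented as copyable config it should be checked against the ap_expr documentation linked in the next sentence. In ap_expr, `>=` and `<=` are string comparisons and the integer operators are `-ge` and `-le`, so this line does not compare the hour numerically. Suggest `%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17`.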
and <directive module="mod_authz_groupfile">AuthGroupFile</directive> (to
define users and groups) in order to work correctly. Example:</p>
- <example>
- AuthType Basic<br />
- AuthName "Restricted Resource"<br />
- AuthBasicProvider file<br />
- AuthUserFile /web/users<br />
- AuthGroupFile /web/groups<br />
- Require group admin
- </example>
+ <highlight language="config">
+AuthType Basic
+AuthName "Restricted Resource"
+AuthBasicProvider file
+AuthUserFile /web/users
+AuthGroupFile /web/groups
+Require group admin
+ </highlight>
<p>Access controls which are applied in this way are effective for
<strong>all</strong> methods. <strong>This is what is normally
and <code>beta</code> groups are authorized, except for those who
are also in the <code>reject</code> group.</p>
- <example>
- <Directory /www/docs>
- <indent>
- <RequireAll>
- <indent>
- Require group alpha beta<br />
- Require not group reject
- </indent>
- </RequireAll>
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /www/docs>
+ <RequireAll>
+ Require group alpha beta
+ Require not group reject
+ </RequireAll>
+</Directory>
+ </highlight>
<p>When multiple <directive>Require</directive> directives are
used in a single
preceding sections. Thus only users belong to the group
<code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</note>
- <example>
- <Directory /www/docs>
- <indent>
- AuthType Basic<br />
- AuthName Documents<br />
- AuthBasicProvider file<br />
- AuthUserFile /usr/local/apache/passwd/passwords<br />
- Require group alpha
- </indent>
- </Directory><br />
- <br />
- <Directory /www/docs/ab>
- <indent>
- AuthMerging Or<br />
- Require group beta
- </indent>
- </Directory><br />
- <br />
- <Directory /www/docs/ab/gamma>
- <indent>
- Require group gamma
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /www/docs>
+ AuthType Basic
+ AuthName Documents
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache/passwd/passwords
+ Require group alpha
+</Directory>
+
+<Directory /www/docs/ab>
+ AuthMerging Or
+ Require group beta
+</Directory>
+
+<Directory /www/docs/ab/gamma>
+ Require group gamma
+</Directory>
+ </highlight>
</usage>
</directivesynopsis>
</section>
<section id="example">
-<title>Configuration Example</title>
-<example><pre>
+<title>Configuration example</title>
+<highlight language="config"><pre>
# mod_dbd configuration
DBDriver pgsql
DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
"UPDATE authn SET login = 'false' WHERE user = %s"
</Files>
</Directory>
-</pre></example>
+</pre></highlight>
</section>
<directivesynopsis>
The first column value of each row returned by the query statement
should be a string containing a group name. Zero, one, or more rows
may be returned.
- <example><title>Example</title><pre>
+ <highlight language="config">
Require dbd-group
AuthzDBDQuery \
"SELECT group FROM groups WHERE user = %s"
-</pre></example>
+</highlight>
</li>
<li>When used with a <code>Require dbd-login</code> or
<code>Require dbd-logout</code> directive, it will never deny access,
but will instead execute a SQL statement designed to log the user
in or out. The user must already be authenticated with
<module>mod_authn_dbd</module>.
- <example><title>Example</title><pre>
+ <highlight language="config"><pre>
Require dbd-login
AuthzDBDQuery \
"UPDATE authn SET login = 'true' WHERE user = %s"
-</pre></example>
+</pre></highlight>
</li>
</ul>
<p>In all cases, the user's ID will be passed as a single string
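Review bot: the two AuthzDBDQuery examples are converted inconsistently. The `Require dbd-group` block becomes a bare `<highlight language="config">` with `<pre>` removed, while the `Require dbd-login` block becomes `<highlight language="config"><pre>` and closes with `</pre></highlight>`. Pick one form; dropping `<pre>` matches most of the patch. Both blocks also lose `<title>Example</title>` with no replacement, whereas the AddIcon and ReadmeName conversions keep the title as a config comment, so one convention should be chosen and applied throughout.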
specific to the user. The user's ID will be passed as a single string
parameter when the SQL query is executed. It may be referenced within
the query statement using a <code>%s</code> format specifier.</p>
- <example><title>Example</title><pre>
+ <highlight language="config">
AuthzDBDRedirectQuery \
"SELECT userpage FROM userpages WHERE user = %s"
-</pre></example>
+</highlight>
<p>The first column value of the first row returned by the query
statement should be a string containing a URL to which to redirect
the client. Subsequent rows will be ignored. If no rows are returned,
accomplished by first setting the group and password files to
point to the same DBM:</p>
- <example>
- AuthDBMGroupFile /www/userbase<br />
- AuthDBMUserFile /www/userbase
- </example>
+ <highlight language="config">
+AuthDBMGroupFile /www/userbase
+AuthDBMUserFile /www/userbase
+ </highlight>
<p>The key for the single DBM is the username. The value consists
of</p>
<p>A full IP address:</p>
- <example>
- Require ip 10.1.2.3<br />
- Require ip 192.168.1.104 192.168.1.205
- </example>
+ <highlight language="config">
+Require ip 10.1.2.3
+Require ip 192.168.1.104 192.168.1.205
+ </highlight>
<p>An IP address of a host allowed access</p>
<p>A partial IP address:</p>
- <example>
- Require ip 10.1<br />
- Require ip 10 172.20 192.168.2
- </example>
+ <highlight language="config">
+Require ip 10.1
+Require ip 10 172.20 192.168.2
+ </highlight>
<p>The first 1 to 3 bytes of an IP address, for subnet
restriction.</p>
<p>A network/netmask pair:</p>
- <example>
+ <highlight language="config">
Require ip 10.1.0.0/255.255.0.0
- </example>
+ </highlight>
<p>A network a.b.c.d, and a netmask w.x.y.z. For more
fine-grained subnet restriction.</p>
<p>A network/nnn CIDR specification:</p>
- <example>
+ <highlight language="config">
Require ip 10.1.0.0/16
- </example>
+ </highlight>
<p>Similar to the previous case, except the netmask consists of
nnn high-order 1 bits.</p>
<p>IPv6 addresses and IPv6 subnets can be specified as shown
below:</p>
- <example>
- Require ip 2001:db8::a00:20ff:fea7:ccea<br />
- Require ip 2001:db8::a00:20ff:fea7:ccea/10
- </example>
+ <highlight language="config">
+Require ip 2001:db8::a00:20ff:fea7:ccea
+Require ip 2001:db8::a00:20ff:fea7:ccea/10
+ </highlight>
</section>
<p>A (partial) domain-name</p>
- <example>
- Require host example.org<br />
- Require host .net example.edu
- </example>
+ <highlight language="config">
+Require host example.org
+Require host .net example.edu
+ </highlight>
<p>Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
<p>This allows a convenient way to match connections that originate from
the local host:</p>
- <example>
+ <highlight language="config">
Require local
- </example>
+ </highlight>
</section>
</section>
files in <code>/home/smith/public_html/private</code> unless they
were owned by <code>jones</code> instead of <code>smith</code>.</p>
- <example>
- <Directory /home/*/public_html/private><br />
- <indent>
- AuthType Basic<br />
- AuthName MyPrivateFiles<br />
- AuthBasicProvider dbm<br />
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
- Require file-owner<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /home/*/public_html/private>
+ AuthType Basic
+ AuthName MyPrivateFiles
+ AuthBasicProvider dbm
+ AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ Require file-owner
+</Directory>
+ </highlight>
</section>
<section id="examples.file-group"><title>Require file-group</title>
authorized to access the <code>project-foo</code> directories of
each other.</p>
- <example>
- <Directory /home/*/public_html/project-foo><br />
- <indent>
- AuthType Basic<br />
- AuthName "Project Foo Files"<br />
- AuthBasicProvider dbm<br />
- <br />
- # combined user/group database<br />
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
- AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all<br />
- <br />
- Satisfy All<br />
- Require file-group<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /home/*/public_html/project-foo>
+ AuthType Basic
+ AuthName "Project Foo Files"
+ AuthBasicProvider dbm
+
+ # combined user/group database
+ AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
+
+ Satisfy All
+ Require file-group
+</Directory>
+ </highlight>
</section>
</section>
is displayed if the client is image-incapable, has image loading
disabled, or fails to retrieve the icon.</p>
- <example><title>Examples</title>
- AddAlt "PDF file" *.pdf<br />
- AddAlt Compressed *.gz *.zip *.Z
- </example>
+ <highlight language="config">
+AddAlt "PDF file" *.pdf
+AddAlt Compressed *.gz *.zip *.Z
+ </highlight>
</usage>
</directivesynopsis>
This alternate text is displayed if the client is image-incapable,
has image loading disabled, or fails to retrieve the icon.</p>
- <example><title>Example</title>
+ <highlight language="config">
AddAltByEncoding gzip x-gzip
- </example>
+ </highlight>
</usage>
</directivesynopsis>
This alternate text is displayed if the client is image-incapable,
has image loading disabled, or fails to retrieve the icon.</p>
- <example><title>Example</title>
+ <highlight language="config">
AddAltByType 'plain text' text/plain
- </example>
+ </highlight>
</usage>
</directivesynopsis>
expression or full filename for files to describe.
<var>String</var> is enclosed in double quotes (<code>"</code>).</p>
- <example><title>Example</title>
- AddDescription "The planet Mars" mars.gif <br/>
- AddDescription "My friend Marshall" friends/mars.gif
- </example>
+ <highlight language="config">
+AddDescription "The planet Mars" mars.gif
+AddDescription "My friend Marshall" friends/mars.gif
+ </highlight>
<p>The typical, default description field is 23 bytes wide. 6
more bytes are added by the <code><a href="#indexoptions.suppressicon"
is unnecessary if you're using <code>IndexOptions
HTMLTable</code>.</p>
- <example><title>Examples</title>
- AddIcon (IMG,/icons/image.png) .gif .jpg .png<br />
- AddIcon /icons/dir.png ^^DIRECTORY^^<br />
- AddIcon /icons/backup.png *~
- </example>
+ <highlight language="config">
+#Examples
+AddIcon (IMG,/icons/image.png) .gif .jpg .png
+AddIcon /icons/dir.png ^^DIRECTORY^^
+AddIcon /icons/backup.png *~
+ </highlight>
<p><directive module="mod_autoindex">AddIconByType</directive>
should be used in preference to <directive>AddIcon</directive>,
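Review bot: the AddIcon block turns the old `<title>Examples</title>` into a `#Examples` comment line inside the listing. The AddAlt and AddDescription conversions in the same file simply drop their titles, and the ReadmeName conversion spells its comment `# Example 1` with a space after the `#`. Suggest dropping the comment here, or applying one convention (including the space) to every converted block that had a title.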
<p><var>MIME-encoding</var> is a valid content-encoding, such as
<code>x-compress</code>.</p>
- <example><title>Example</title>
+ <highlight language="config">
AddIconByEncoding /icons/compress.png x-compress
- </example>
+ </highlight>
</usage>
</directivesynopsis>
<p><var>MIME-type</var> is a wildcard expression matching
required the mime types.</p>
- <example><title>Example</title>
+ <highlight language="config">
AddIconByType (IMG,/icons/image.png) image/*
- </example>
+ </highlight>
</usage>
</directivesynopsis>
<var>Url-path</var> is a (%-escaped) relative URL to the icon,
or a fully qualified remote URL.</p>
- <example><title>Example</title>
+ <highlight language="config">
DefaultIcon /icon/unknown.png
- </example>
+ </highlight>
</usage>
</directivesynopsis>
of the file that will be inserted at the top of the index
listing. <var>Filename</var> is the name of the file to include.</p>
- <example><title>Example</title>
+ <highlight language="config">
HeaderName HEADER.html
- </example>
+ </highlight>
<note>
<p>Both HeaderName and <directive
with a slash, it will be taken to be relative to the <directive
module="core">DocumentRoot</directive>.</p>
- <example><title>Example</title>
+ <highlight language="config">
HeaderName /include/HEADER.html
- </example>
+ </highlight>
<p><var>Filename</var> must resolve to a document with a major
content type of <code>text/*</code> (<em>e.g.</em>,
actual file type (as opposed to its output) is marked as
<code>text/html</code> such as with a directive like:</p>
- <example>
+ <highlight language="config">
AddType text/html .cgi
- </example>
+ </highlight>
<p><a href="../content-negotiation.html">Content negotiation</a>
will be performed if <directive module="core">Options</directive>
files. By default, the list contains <code>.</code> (the current
directory).</p>
- <example>
+ <highlight language="config">
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
- </example>
+ </highlight>
<note><title>Regular Expressions</title>
<p>This directive does not currently work in configuration sections
any files ignored by <directive>IndexIgnore</directive> otherwise
inherited from other configuration sections. </p>
- <example>
- <Directory /var/www>
- IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t
- </Directory>
- <Directory /var/www/backups>
- IndexIgnoreReset ON
- IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /var/www>
+ IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t
+</Directory>
+<Directory /var/www/backups>
+ IndexIgnoreReset ON
+ IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t
+</Directory>
+ </highlight>
<note type="warning"><p> Review the default configuration for a list of
patterns that you might want to explicitly ignore after using this
(It depends on whether the underlying file system
uses Unicode filenames or not.)
- <example><title>Example:</title>
+ <highlight language="config">
IndexOptions Charset=UTF-8
- </example>
+ </highlight>
</dd>
<dt><a name="indexoptions.descriptionwidth"
specify the MIME content-type of the generated page. The default
is <var>text/html</var>.
- <example><title>Example:</title>
+ <highlight language="config">
IndexOptions Type=text/plain
- </example>
+ </highlight>
</dd>
<dt><a name="indexoptions.versionsort"
<li>Multiple <directive>IndexOptions</directive> directives for a
single directory are now merged together. The result of:
- <example>
- <Directory /foo>
- <indent>
- IndexOptions HTMLTable<br />
- IndexOptions SuppressColumnsorting
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+<Directory /foo>
+ IndexOptions HTMLTable
+ IndexOptions SuppressColumnsorting
+</Directory>
+ </highlight>
<p>will be the equivalent of</p>
- <example>
+ <highlight language="config">
IndexOptions HTMLTable SuppressColumnsorting
- </example>
+ </highlight>
</li>
<li>The addition of the incremental syntax (<em>i.e.</em>, prefixing
clears all inherited options and any incremental settings encountered
so far. Consider the following example:</p>
- <example>
- IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing<br />
- IndexOptions +SuppressSize
- </example>
+ <highlight language="config">
+IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing<br />
+IndexOptions +SuppressSize
+ </highlight>
<p>The net effect is equivalent to <code>IndexOptions FancyIndexing
+SuppressSize</code>, because the unprefixed <code>FancyIndexing</code>
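Review bot: the first added line still ends in `<br />`: `IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing<br />`. The tag was a line break in the old `<example>` markup; inside `<highlight>` it becomes part of the listing, so anyone copying the example gets stray `<br />` text on the directive line. Remove the trailing `<br />`, as was done for the other converted lines.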
<p>The <directive>IndexStyleSheet</directive> directive sets the name of
the file that will be used as the CSS for the index listing.
</p>
- <example>
- <title>Example</title>
+ <highlight language="config">
IndexStyleSheet "/css/style.css"
- </example>
+ </highlight>
<p>Using this directive in conjunction with <code>IndexOptions
HTMLTable</code> adds a number of CSS classes to the resulting HTML.
<p>The <directive>IndexHeadInsert</directive> directive specifies a
string to insert in the <var><head></var> section of the HTML
generated for the index page.</p>
- <example>
- <title>Example</title>
+ <highlight language="config">
IndexHeadInsert "<link rel=\"sitemap\" href=\"/sitemap.html\">"
- </example>
+ </highlight>
</usage>
</directivesynopsis>
relative to the <directive module="core">DocumentRoot</directive>.
</p>
- <example><title>Example 1</title>
- ReadmeName FOOTER.html
- </example>
+ <highlight language="config">
+# Example 1
+ReadmeName FOOTER.html
+ </highlight>
- <example><title>Example 2</title>
- ReadmeName /include/FOOTER.html
- </example>
+ <highlight language="config">
+# Example 2
+ReadmeName /include/FOOTER.html
+ </highlight>
<p>See also <directive module="mod_autoindex"
>HeaderName</directive>, where this behavior is described in greater
<p>A typical configuration of the process-thread controls in
the <module>worker</module> MPM could look as follows:</p>
- <example>
- ServerLimit 16<br />
- StartServers 2<br />
- MaxRequestWorkers 150<br />
- MinSpareThreads 25<br />
- MaxSpareThreads 75<br />
- ThreadsPerChild 25
- </example>
+ <highlight language="config">
+ServerLimit 16
+StartServers 2
+MaxRequestWorkers 150
+MinSpareThreads 25
+MaxSpareThreads 75
+ThreadsPerChild 25
+ </highlight>
<p>While the parent process is usually started as <code>root</code>
under Unix in order to bind to port 80, the child processes and threads