following directives, either placed in the file
<code>/usr/local/apache/htdocs/secret/.htaccess</code>, or
placed in <code>httpd.conf</code> inside a <Directory
- /usr/local/apache/htdocs/secret> section.</p>
+ "/usr/local/apache/htdocs/secret"> section.</p>
<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
-AuthUserFile /usr/local/apache/passwd/passwords
+AuthUserFile "/usr/local/apache/passwd/passwords"
Require user rbowen</pre>
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
-AuthUserFile /usr/local/apache/passwd/passwords
-AuthGroupFile /usr/local/apache/passwd/groups
+AuthUserFile "/usr/local/apache/passwd/passwords"
+AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName</pre>
<p>To select a dbm file rather than a text file, for example:</p>
- <pre class="prettyprint lang-config"><Directory /www/docs/private>
+ <pre class="prettyprint lang-config"><Directory "/www/docs/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider dbm
- AuthDBMUserFile /www/passwords/passwd.dbm
+ AuthDBMUserFile "/www/passwords/passwd.dbm"
Require valid-user
</Directory></pre>
scheme that meets your needs. In the following example, both the
file and LDAP based authentication providers are being used.</p>
- <pre class="prettyprint lang-config"><Directory /www/docs/private>
+ <pre class="prettyprint lang-config"><Directory "/www/docs/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider file ldap
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
AuthLDAPURL ldap://ldaphost/o=yourorg
Require valid-user
</Directory></pre>
authorization methods can also be used. In this example both file group
authorization as well as LDAP group authorization is being used.</p>
- <pre class="prettyprint lang-config"><Directory /www/docs/private>
+ <pre class="prettyprint lang-config"><Directory "/www/docs/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
AuthLDAPURL ldap://ldaphost/o=yourorg
- AuthGroupFile /usr/local/apache/passwd/groups
+ AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName
Require ldap-group cn=mygroup,o=yourorg
</Directory></pre>
following directives, either placed in the file
<code>/usr/local/apache/htdocs/secret/.htaccess</code>, or
placed in <code>httpd.conf</code> inside a <Directory
- /usr/local/apache/htdocs/secret> section.</p>
+ "/usr/local/apache/htdocs/secret"> section.</p>
<highlight language="config">
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
-AuthUserFile /usr/local/apache/passwd/passwords
+AuthUserFile "/usr/local/apache/passwd/passwords"
Require user rbowen
</highlight>
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
-AuthUserFile /usr/local/apache/passwd/passwords
-AuthGroupFile /usr/local/apache/passwd/groups
+AuthUserFile "/usr/local/apache/passwd/passwords"
+AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName
</highlight>
<p>To select a dbm file rather than a text file, for example:</p>
<highlight language="config">
-<Directory /www/docs/private>
+<Directory "/www/docs/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider dbm
- AuthDBMUserFile /www/passwords/passwd.dbm
+ AuthDBMUserFile "/www/passwords/passwd.dbm"
Require valid-user
</Directory>
</highlight>
file and LDAP based authentication providers are being used.</p>
<highlight language="config">
-<Directory /www/docs/private>
+<Directory "/www/docs/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider file ldap
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
AuthLDAPURL ldap://ldaphost/o=yourorg
Require valid-user
</Directory>
authorization as well as LDAP group authorization is being used.</p>
<highlight language="config">
-<Directory /www/docs/private>
+<Directory "/www/docs/private">
AuthName "Private"
AuthType Basic
AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
AuthLDAPURL ldap://ldaphost/o=yourorg
- AuthGroupFile /usr/local/apache/passwd/groups
+ AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName
Require ldap-group cn=mygroup,o=yourorg
</Directory>
if you would rather call the file <code>.config</code> then you
can put the following in your server configuration file:</p>
- <pre class="prettyprint lang-config">AccessFileName .config</pre>
+ <pre class="prettyprint lang-config">AccessFileName ".config"</pre>
</div>
<p>Note that it is completely equivalent to put a <code>.htaccess</code>
file in a directory <code>/www/htdocs/example</code> containing a
directive, and to put that same directive in a Directory section
- <code><Directory /www/htdocs/example></code> in your main server
+ <code><Directory "/www/htdocs/example"></code> in your main server
configuration:</p>
<p><code>.htaccess</code> file in <code>/www/htdocs/example</code>:</p>
<div class="example"><h3>Contents of .htaccess file in
- <code>/www/htdocs/example</code></h3><pre class="prettyprint lang-config">AddType text/example .exm</pre>
+ <code>/www/htdocs/example</code></h3><pre class="prettyprint lang-config">AddType text/example ".exm"</pre>
</div>
<div class="example"><h3>Section from your <code>httpd.conf</code>
- file</h3><pre class="prettyprint lang-config"><Directory /www/htdocs/example>
- AddType text/example .exm
+ file</h3><pre class="prettyprint lang-config"><Directory "/www/htdocs/example">
+ AddType text/example ".exm"
</Directory></pre>
</div>
prevent script execution while allowing anything else to be set in
<code>.htaccess</code> you can use:</p>
- <pre class="prettyprint lang-config"><Directory /www/htdocs>
+ <pre class="prettyprint lang-config"><Directory "/www/htdocs">
AllowOverride All
</Directory>
-<Location />
+<Location "/">
Options +IncludesNoExec -ExecCGI<br />
</Location></pre>
<pre class="prettyprint lang-config">AuthType Basic
AuthName "Password Required"
-AuthUserFile /www/passwords/password.file
-AuthGroupFile /www/passwords/group.file
+AuthUserFile "/www/passwords/password.file"
+AuthGroupFile "/www/passwords/group.file"
Require group admins</pre>
<code>.htaccess</code> file in the desired directory:</p>
<pre class="prettyprint lang-config">Options +Includes
-AddType text/html shtml
+AddType text/html "shtml"
AddHandler server-parsed shtml</pre>
Consider the following examples:</p>
<pre class="prettyprint lang-config"># In httpd.conf
-RewriteRule ^/images/(.+)\.jpg /images/$1.png
+RewriteRule "^/images/(.+)\.jpg" "/images/$1.png"
# In .htaccess in root dir
-RewriteRule ^images/(.+)\.jpg images/$1.png
+RewriteRule "^images/(.+)\.jpg" "images/$1.png"
# In .htaccess in images/
-RewriteRule ^(.+)\.jpg $1.png</pre>
+RewriteRule "^(.+)\.jpg" "$1.png"</pre>
<p>In a <code>.htaccess</code> in your document directory, the leading
implemented with the following configuration:</p>
<pre class="prettyprint lang-config">Options +ExecCGI
-AddHandler cgi-script cgi pl</pre>
+AddHandler cgi-script "cgi" "pl"</pre>
<p>Alternately, if you wish to have all files in the given directory be
if you would rather call the file <code>.config</code> then you
can put the following in your server configuration file:</p>
- <highlight language="config">AccessFileName .config</highlight>
+ <highlight language="config">
+AccessFileName ".config"
+ </highlight>
</note>
<p>In general, <code>.htaccess</code> files use the same syntax as
<p>Note that it is completely equivalent to put a <code>.htaccess</code>
file in a directory <code>/www/htdocs/example</code> containing a
directive, and to put that same directive in a Directory section
- <code><Directory /www/htdocs/example></code> in your main server
+ <code><Directory "/www/htdocs/example"></code> in your main server
configuration:</p>
<p><code>.htaccess</code> file in <code>/www/htdocs/example</code>:</p>
<example><title>Contents of .htaccess file in
<code>/www/htdocs/example</code></title>
- <highlight language="config">AddType text/example .exm</highlight>
+ <highlight language="config">
+AddType text/example ".exm"
+ </highlight>
</example>
<example><title>Section from your <code>httpd.conf</code>
file</title>
<highlight language="config">
-<Directory /www/htdocs/example>
- AddType text/example .exm
+<Directory "/www/htdocs/example">
+ AddType text/example ".exm"
</Directory>
</highlight>
</example>
by setting the <directive module="core">AllowOverride</directive>
directive to <code>none</code>:</p>
- <highlight language="config">AllowOverride None</highlight>
+ <highlight language="config">
+AllowOverride None
+ </highlight>
</section>
<section id="how"><title>How directives are applied</title>
<p>In the directory <code>/www/htdocs/example1</code> we have a
<code>.htaccess</code> file containing the following:</p>
- <highlight language="config">Options +ExecCGI</highlight>
+ <highlight language="config">
+Options +ExecCGI
+ </highlight>
<p>(Note: you must have "<code>AllowOverride Options</code>" in effect
to permit the use of the "<directive
<p>In the directory <code>/www/htdocs/example1/example2</code> we have
a <code>.htaccess</code> file containing:</p>
- <highlight language="config">Options Includes</highlight>
+ <highlight language="config">
+Options Includes
+ </highlight>
<p>Because of this second <code>.htaccess</code> file, in the directory
<code>/www/htdocs/example1/example2</code>, CGI execution is not
<code>.htaccess</code> you can use:</p>
<highlight language="config">
-<Directory /www/htdocs>
+<Directory "/www/htdocs">
AllowOverride All
</Directory>
-<Location />
+<Location "/">
Options +IncludesNoExec -ExecCGI<br />
</Location>
</highlight>
<highlight language="config">
AuthType Basic
AuthName "Password Required"
-AuthUserFile /www/passwords/password.file
-AuthGroupFile /www/passwords/group.file
+AuthUserFile "/www/passwords/password.file"
+AuthGroupFile "/www/passwords/group.file"
Require group admins
</highlight>
<highlight language="config">
Options +Includes
-AddType text/html shtml
+AddType text/html "shtml"
AddHandler server-parsed shtml
</highlight>
<highlight language="config">
# In httpd.conf
-RewriteRule ^/images/(.+)\.jpg /images/$1.png
+RewriteRule "^/images/(.+)\.jpg" "/images/$1.png"
# In .htaccess in root dir
-RewriteRule ^images/(.+)\.jpg images/$1.png
+RewriteRule "^images/(.+)\.jpg" "images/$1.png"
# In .htaccess in images/
-RewriteRule ^(.+)\.jpg $1.png
+RewriteRule "^(.+)\.jpg" "$1.png"
</highlight>
<p>In a <code>.htaccess</code> in your document directory, the leading
<highlight language="config">
Options +ExecCGI
-AddHandler cgi-script cgi pl
+AddHandler cgi-script "cgi" "pl"
</highlight>
<p>Alternately, if you wish to have all files in the given directory be
<p>In this example, we pass a fixed username and password to a
backend server.</p>
- <div class="example"><h3>Fixed Example</h3><pre class="prettyprint lang-config"><Location /demo>
+ <div class="example"><h3>Fixed Example</h3><pre class="prettyprint lang-config"><Location "/demo">
AuthBasicFake demo demopass
</Location></pre>
</div>
directive. Like the FakeBasicAuth option, the password is set to the
fixed string "password".</p>
- <div class="example"><h3>Certificate Example</h3><pre class="prettyprint lang-config"><Location /secure>
- AuthBasicFake %{SSL_CLIENT_S_DN_Email}
+ <div class="example"><h3>Certificate Example</h3><pre class="prettyprint lang-config"><Location "/secure">
+ AuthBasicFake "%{SSL_CLIENT_S_DN_Email}"
</Location></pre>
</div>
backend server. This can be used to gate into legacy systems that do
not support client certificates.</p>
- <div class="example"><h3>Password Example</h3><pre class="prettyprint lang-config"><Location /secure>
- AuthBasicFake %{SSL_CLIENT_S_DN_Email} %{sha1:passphrase-%{SSL_CLIENT_S_DN_Email}}
+ <div class="example"><h3>Password Example</h3><pre class="prettyprint lang-config"><Location "/secure">
+ AuthBasicFake "%{SSL_CLIENT_S_DN_Email}" "%{sha1:passphrase-%{SSL_CLIENT_S_DN_Email}}"
</Location></pre>
</div>
- <div class="example"><h3>Exclusion Example</h3><pre class="prettyprint lang-config"><Location /public>
+ <div class="example"><h3>Exclusion Example</h3><pre class="prettyprint lang-config"><Location "/public">
AuthBasicFake off
</Location></pre>
</div>
The default <code>file</code> provider is implemented
by the <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> module. Make sure
that the chosen provider module is present in the server.</p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location /secure>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location "/secure">
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
- AuthDBMUserFile /www/etc/dbmpasswd
+ AuthDBMUserFile "/www/etc/dbmpasswd"
Require valid-user
</Location></pre>
</div>
that the chosen provider module is present in the server.</p>
<example><title>Example</title>
<highlight language="config">
-<Location /secure>
+<Location "/secure">
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
- AuthDBMUserFile /www/etc/dbmpasswd
+ AuthDBMUserFile "/www/etc/dbmpasswd"
Require valid-user
</Location>
</highlight>
<example><title>Fixed Example</title>
<highlight language="config">
-<Location /demo>
+<Location "/demo">
AuthBasicFake demo demopass
</Location>
</highlight>
<example><title>Certificate Example</title>
<highlight language="config">
-<Location /secure>
- AuthBasicFake %{SSL_CLIENT_S_DN_Email}
+<Location "/secure">
+ AuthBasicFake "%{SSL_CLIENT_S_DN_Email}"
</Location>
</highlight>
</example>
<example><title>Password Example</title>
<highlight language="config">
-<Location /secure>
- AuthBasicFake %{SSL_CLIENT_S_DN_Email} %{sha1:passphrase-%{SSL_CLIENT_S_DN_Email}}
+<Location "/secure">
+ AuthBasicFake "%{SSL_CLIENT_S_DN_Email}" "%{sha1:passphrase-%{SSL_CLIENT_S_DN_Email}}"
</Location>
</highlight>
</example>
<example><title>Exclusion Example</title>
<highlight language="config">
-<Location /public>
+<Location "/public">
AuthBasicFake off
</Location>
</highlight>
<p>Appropriate user (text) files can be created using the
<code class="program"><a href="../programs/htdigest.html">htdigest</a></code> tool.</p>
- <div class="example"><h3>Example:</h3><pre class="prettyprint lang-config"><Location /private/>
+ <div class="example"><h3>Example:</h3><pre class="prettyprint lang-config"><Location "/private/">
AuthType Digest
AuthName "private area"
- AuthDigestDomain /private/ http://mirror.my.dom/private2/
+ AuthDigestDomain "/private/" "http://mirror.my.dom/private2/"
AuthDigestProvider file
- AuthUserFile /web/auth/.digest_pw
+ AuthUserFile "/web/auth/.digest_pw"
Require valid-user
</Location></pre>
</div>
<example><title>Example:</title>
<highlight language="config">
-<Location /private/>
+<Location "/private/">
AuthType Digest
AuthName "private area"
- AuthDigestDomain /private/ http://mirror.my.dom/private2/
+ AuthDigestDomain "/private/" "http://mirror.my.dom/private2/"
AuthDigestProvider file
- AuthUserFile /web/auth/.digest_pw
+ AuthUserFile "/web/auth/.digest_pw"
Require valid-user
</Location>
</highlight>
the user will be redirected to the form login page.</p>
<div class="example"><h3>Basic example</h3><pre class="prettyprint lang-config">AuthFormProvider file
-AuthUserFile conf/passwd
+AuthUserFile "conf/passwd"
AuthType form
AuthName realm
-AuthFormLoginRequiredLocation http://example.com/login.html
+AuthFormLoginRequiredLocation "http://example.com/login.html"
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret</pre>
The action of the form should point at this handler, which is configured within
Apache httpd as follows:</p>
- <div class="example"><h3>Form login handler example</h3><pre class="prettyprint lang-config"><Location /dologin.html>
+ <div class="example"><h3>Form login handler example</h3><pre class="prettyprint lang-config"><Location "/dologin.html">
SetHandler form-login-handler
- AuthFormLoginRequiredLocation http://example.com/login.html
- AuthFormLoginSuccessLocation http://example.com/success.html
+ AuthFormLoginRequiredLocation "http://example.com/login.html"
+ AuthFormLoginSuccessLocation "http://example.com/success.html"
AuthFormProvider file
- AuthUserFile conf/passwd
+ AuthUserFile "conf/passwd"
AuthType form
AuthName realm
Session On
containing the login form, as follows:</p>
<div class="example"><h3>Basic inline example</h3><pre class="prettyprint lang-config">AuthFormProvider file
-ErrorDocument 401 /login.shtml
-AuthUserFile conf/passwd
+ErrorDocument 401 "/login.shtml"
+AuthUserFile "conf/passwd"
AuthType form
AuthName realm
-AuthFormLoginRequiredLocation http://example.com/login.html
+AuthFormLoginRequiredLocation "http://example.com/login.html"
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret</pre>
technology.</p>
<div class="example"><h3>CGI example</h3><pre class="prettyprint lang-config"> AuthFormProvider file
- ErrorDocument 401 /cgi-bin/login.cgi
+ ErrorDocument 401 "/cgi-bin/login.cgi"
...</pre>
</div>
<div class="example"><h3>Basic logout example</h3><pre class="prettyprint lang-config">SetHandler form-logout-handler
AuthName realm
-AuthFormLogoutLocation http://example.com/loggedout.html
+AuthFormLogoutLocation "http://example.com/loggedout.html"
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret</pre>
</p>
<div class="example"><h3>Basic session expiry example</h3><pre class="prettyprint lang-config">SetHandler form-logout-handler
-AuthFormLogoutLocation http://example.com/loggedout.html
+AuthFormLogoutLocation "http://example.com/loggedout.html"
Session On
SessionMaxAge 1
SessionCookieName session path=/
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location /logout>
SetHandler form-logout-handler
- AuthFormLogoutLocation http://example.com/loggedout.html
+ AuthFormLogoutLocation "http://example.com/loggedout.html"
Session on
#...
</Location></pre>
AuthName "private area"
AuthFormProvider dbm
AuthDBMType SDBM
- AuthDBMUserFile /www/etc/dbmpasswd
+ AuthDBMUserFile "/www/etc/dbmpasswd"
Require valid-user
#...
</Location></pre>
<example><title>Basic example</title>
<highlight language="config">
AuthFormProvider file
-AuthUserFile conf/passwd
+AuthUserFile "conf/passwd"
AuthType form
AuthName realm
-AuthFormLoginRequiredLocation http://example.com/login.html
+AuthFormLoginRequiredLocation "http://example.com/login.html"
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
<example><title>Form login handler example</title>
<highlight language="config">
-<Location /dologin.html>
+<Location "/dologin.html">
SetHandler form-login-handler
- AuthFormLoginRequiredLocation http://example.com/login.html
- AuthFormLoginSuccessLocation http://example.com/success.html
+ AuthFormLoginRequiredLocation "http://example.com/login.html"
+ AuthFormLoginSuccessLocation "http://example.com/success.html"
AuthFormProvider file
- AuthUserFile conf/passwd
+ AuthUserFile "conf/passwd"
AuthType form
AuthName realm
Session On
<example><title>Basic inline example</title>
<highlight language="config">
AuthFormProvider file
-ErrorDocument 401 /login.shtml
-AuthUserFile conf/passwd
+ErrorDocument 401 "/login.shtml"
+AuthUserFile "conf/passwd"
AuthType form
AuthName realm
-AuthFormLoginRequiredLocation http://example.com/login.html
+AuthFormLoginRequiredLocation "http://example.com/login.html"
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
<example><title>CGI example</title>
<highlight language="config">
AuthFormProvider file
- ErrorDocument 401 /cgi-bin/login.cgi
+ ErrorDocument 401 "/cgi-bin/login.cgi"
...
</highlight>
</example>
<highlight language="config">
SetHandler form-logout-handler
AuthName realm
-AuthFormLogoutLocation http://example.com/loggedout.html
+AuthFormLogoutLocation "http://example.com/loggedout.html"
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
<example><title>Basic session expiry example</title>
<highlight language="config">
SetHandler form-logout-handler
-AuthFormLogoutLocation http://example.com/loggedout.html
+AuthFormLogoutLocation "http://example.com/loggedout.html"
Session On
SessionMaxAge 1
SessionCookieName session path=/
AuthName "private area"
AuthFormProvider dbm
AuthDBMType SDBM
- AuthDBMUserFile /www/etc/dbmpasswd
+ AuthDBMUserFile "/www/etc/dbmpasswd"
Require valid-user
#...
</Location>
<highlight language="config">
<Location /logout>
SetHandler form-logout-handler
- AuthFormLogoutLocation http://example.com/loggedout.html
+ AuthFormLogoutLocation "http://example.com/loggedout.html"
Session on
#...
</Location>
(<code class="directive"><a href="#anonymous_logemail">Anonymous_LogEmail</a></code>)</li>
</ul>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Directory /var/www/html/private>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Directory "/var/www/html/private">
AuthName "Use 'anonymous' & Email address for guest entry"
AuthType Basic
AuthBasicProvider file anon
- AuthUserFile /path/to/your/.htpasswd
+ AuthUserFile "/path/to/your/.htpasswd"
Anonymous_NoUserID off
Anonymous_MustGiveEmail on
<example><title>Example</title>
<highlight language="config">
-<Directory /var/www/html/private>
+<Directory "/var/www/html/private">
AuthName "Use 'anonymous' & Email address for guest entry"
AuthType Basic
AuthBasicProvider file anon
- AuthUserFile /path/to/your/.htpasswd
+ AuthUserFile "/path/to/your/.htpasswd"
Anonymous_NoUserID off
Anonymous_MustGiveEmail on
<div class="example"><h3>Checking multiple text password files</h3><pre class="prettyprint lang-config"># Check here first
<AuthnProviderAlias file file1>
- AuthUserFile /www/conf/passwords1
+ AuthUserFile "/www/conf/passwords1"
</AuthnProviderAlias>
# Then check here
<AuthnProviderAlias file file2>
- AuthUserFile /www/conf/passwords2
+ AuthUserFile "/www/conf/passwords2"
</AuthnProviderAlias>
-<Directory /var/web/pages/secure>
+<Directory "/var/web/pages/secure">
AuthBasicProvider file1 file2
AuthType Basic
hosts:</p>
<div class="example"><h3>Checking multiple LDAP servers</h3><pre class="prettyprint lang-config"><AuthnProviderAlias ldap ldap-alias1>
- AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindDN "cn=youruser,o=ctx"
AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
+ AuthLDAPURL "ldap://ldap.host/o=ctx"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>
- AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindDN "cn=yourotheruser,o=dev"
AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+ AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
</AuthnProviderAlias>
-Alias /secure /webpages/secure
-<Directory /webpages/secure>
+Alias "/secure" "/webpages/secure"
+<Directory "/webpages/secure">
Order deny,allow
Allow from all
in the following example, clients may access the
<code>/www/docs/public</code> directory without authenticating:</p>
- <pre class="prettyprint lang-config"><Directory /www/docs>
+ <pre class="prettyprint lang-config"><Directory "/www/docs">
AuthType Basic
AuthName Documents
AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
Require valid-user
</Directory>
-<Directory /www/docs/public>
+<Directory "/www/docs/public">
AuthType None
Require all granted
</Directory></pre>
<highlight language="config">
# Check here first
<AuthnProviderAlias file file1>
- AuthUserFile /www/conf/passwords1
+ AuthUserFile "/www/conf/passwords1"
</AuthnProviderAlias>
# Then check here
<AuthnProviderAlias file file2>
- AuthUserFile /www/conf/passwords2
+ AuthUserFile "/www/conf/passwords2"
</AuthnProviderAlias>
-<Directory /var/web/pages/secure>
+<Directory "/var/web/pages/secure">
AuthBasicProvider file1 file2
AuthType Basic
<example><title>Checking multiple LDAP servers</title>
<highlight language="config">
<AuthnProviderAlias ldap ldap-alias1>
- AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindDN "cn=youruser,o=ctx"
AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
+ AuthLDAPURL "ldap://ldap.host/o=ctx"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>
- AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindDN "cn=yourotheruser,o=dev"
AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+ AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
</AuthnProviderAlias>
-Alias /secure /webpages/secure
-<Directory /webpages/secure>
+Alias "/secure" "/webpages/secure"
+<Directory "/webpages/secure">
Order deny,allow
Allow from all
<code>/www/docs/public</code> directory without authenticating:</p>
<highlight language="config">
-<Directory /www/docs>
+<Directory "/www/docs">
AuthType Basic
AuthName Documents
AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
Require valid-user
</Directory>
-<Directory /www/docs/public>
+<Directory "/www/docs/public">
AuthType None
Require all granted
</Directory>
<p>The following directive would grant access to anyone with
the attribute employeeType = active</p>
- <pre class="prettyprint lang-config">Require ldap-attribute employeeType=active</pre>
+ <pre class="prettyprint lang-config">Require ldap-attribute "employeeType=active"</pre>
<p>Multiple attribute/value pairs can be specified on the same line
<p>The following directive would grant access to anyone with
the city attribute equal to "San Jose" or status equal to "Active"</p>
- <pre class="prettyprint lang-config">Require ldap-attribute city="San Jose" status=active</pre>
+ <pre class="prettyprint lang-config">Require ldap-attribute city="San Jose" "status=active"</pre>
<p>The following directive would grant access to anyone having a cell phone
and is in the marketing department</p>
- <pre class="prettyprint lang-config">Require ldap-filter &(cell=*)(department=marketing)</pre>
+ <pre class="prettyprint lang-config">Require ldap-filter "&(cell=*)(department=marketing)"</pre>
<p>The difference between the <code>Require ldap-filter</code> directive and the
must be taken to ensure that LDAP filters are escaped correctly to guard against
LDAP injection. The ldap function can be used for this purpose.</p>
-<pre class="prettyprint lang-config"><LocationMatch ^/dav/(?<SITENAME>[^/]+)/>
- Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
+<pre class="prettyprint lang-config"><LocationMatch "^/dav/(?<SITENAME>[^/]+)/">
+ Require ldap-filter "(memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)"
</LocationMatch></pre>
<p>The following directive would grant access to URLs that match the given objects in the
LDAP server:</p>
-<pre class="prettyprint lang-config"><LocationMatch ^/dav/(?<SITENAME>[^/]+)/>
-Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)
+<pre class="prettyprint lang-config"><LocationMatch "^/dav/(?<SITENAME>[^/]+)/">
+Require ldap-search "(cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)"
</LocationMatch></pre>
<p>If the <code>uid</code> attribute was used instead of the
<code>cn</code> attribute in the URL above, the above three lines
could be condensed to</p>
-<highlight language="config">Require ldap-user bjenson fuser jmanager</highlight>
+<highlight language="config">
+Require ldap-user bjenson fuser jmanager
+</highlight>
</section>
<section id="reqgroup"><title>Require ldap-group</title>
<p>The following directive would grant access to both Fred and
Barbara:</p>
-<highlight language="config">Require ldap-group cn=Administrators, o=Example</highlight>
+<highlight language="config">
+Require ldap-group cn=Administrators, o=Example
+</highlight>
<p>Members can also be found within sub-groups of a specified LDAP group
if <directive module="mod_authnz_ldap">AuthLDAPMaxSubGroupDepth</directive>
<p>The following directive would grant access to a specific
DN:</p>
-<highlight language="config">Require ldap-dn cn=Barbara Jenson, o=Example</highlight>
+<highlight language="config">
+Require ldap-dn cn=Barbara Jenson, o=Example
+</highlight>
<p>Behavior of this directive is modified by the <directive
module="mod_authnz_ldap">AuthLDAPCompareDNOnServer</directive>
<p>The following directive would grant access to anyone with
the attribute employeeType = active</p>
- <highlight language="config">Require ldap-attribute employeeType=active</highlight>
+ <highlight language="config">
+Require ldap-attribute "employeeType=active"
+</highlight>
<p>Multiple attribute/value pairs can be specified on the same line
separated by spaces or they can be specified in multiple
<p>The following directive would grant access to anyone with
the city attribute equal to "San Jose" or status equal to "Active"</p>
- <highlight language="config">Require ldap-attribute city="San Jose" status=active</highlight>
+ <highlight language="config">
+Require ldap-attribute city="San Jose" "status=active"
+</highlight>
</section>
<p>The following directive would grant access to anyone having a cell phone
and is in the marketing department</p>
- <highlight language="config">Require ldap-filter &(cell=*)(department=marketing)</highlight>
+ <highlight language="config">
+Require ldap-filter "&(cell=*)(department=marketing)"
+</highlight>
<p>The difference between the <code>Require ldap-filter</code> directive and the
<code>Require ldap-attribute</code> directive is that <code>ldap-filter</code>
LDAP injection. The ldap function can be used for this purpose.</p>
<highlight language="config">
-<LocationMatch ^/dav/(?<SITENAME>[^/]+)/>
- Require ldap-filter (memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)
+<LocationMatch "^/dav/(?<SITENAME>[^/]+)/">
+ Require ldap-filter "(memberOf=cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}},ou=Websites,o=Example)"
</LocationMatch>
</highlight>
LDAP server:</p>
<highlight language="config">
-<LocationMatch ^/dav/(?<SITENAME>[^/]+)/>
-Require ldap-search (cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)
+<LocationMatch "^/dav/(?<SITENAME>[^/]+)/">
+Require ldap-search "(cn=%{ldap:%{unescape:%{env:MATCH_SITENAME}} Website)"
</LocationMatch>
</highlight>
not belong to either the <code>temps</code> group or the
LDAP group <code>Temporary Employees</code>.</p>
- <pre class="prettyprint lang-config"><Directory /www/mydocs>
+ <pre class="prettyprint lang-config"><Directory "/www/mydocs">
<RequireAll>
<RequireAny>
Require user superadmin
<RequireAll>
Require group admins
- Require ldap-group cn=Administrators,o=Airius
+ Require ldap-group "cn=Administrators,o=Airius"
<RequireAny>
Require group sales
Require ldap-attribute dept="sales"
</RequireAny>
<RequireNone>
Require group temps
- Require ldap-group cn=Temporary Employees,o=Airius
+ Require ldap-group "cn=Temporary Employees,o=Airius"
</RequireNone>
</RequireAll>
</Directory></pre>
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
- <pre class="prettyprint lang-config">SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
-<Directory /docroot>
+ <pre class="prettyprint lang-config">SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
+<Directory "/docroot">
Require env let_me_in
</Directory></pre>
multiple ldap hosts:
</p>
- <pre class="prettyprint lang-config"><AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
- AuthLDAPBindDN cn=youruser,o=ctx
+ <pre class="prettyprint lang-config"><AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
+ AuthLDAPBindDN "cn=youruser,o=ctx"
AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
+ AuthLDAPURL "ldap://ldap.host/o=ctx"
</AuthzProviderAlias>
-<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
- AuthLDAPBindDN cn=yourotheruser,o=dev
+<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
+ AuthLDAPBindDN "cn=yourotheruser,o=dev"
AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+ AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
</AuthzProviderAlias>
-Alias /secure /webpages/secure
-<Directory /webpages/secure>
+Alias "/secure" "/webpages/secure"
+<Directory "/webpages/secure">
Require all granted
AuthBasicProvider file
preceding sections. Thus only users belong to the group
<code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</div>
- <pre class="prettyprint lang-config"><Directory /www/docs>
+ <pre class="prettyprint lang-config"><Directory "/www/docs">
AuthType Basic
AuthName Documents
AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
Require group alpha
</Directory>
-<Directory /www/docs/ab>
+<Directory "/www/docs/ab">
AuthMerging Or
Require group beta
</Directory>
-<Directory /www/docs/ab/gamma>
+<Directory "/www/docs/ab/gamma">
Require group gamma
</Directory></pre>
<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
-AuthUserFile /web/users
-AuthGroupFile /web/groups
+AuthUserFile "/web/users"
+AuthGroupFile "/web/groups"
Require group admin</pre>
and <code>beta</code> groups are authorized, except for those who
are also in the <code>reject</code> group.</p>
- <pre class="prettyprint lang-config"><Directory /www/docs>
+ <pre class="prettyprint lang-config"><Directory "/www/docs">
<RequireAll>
Require group alpha beta
Require not group reject
LDAP group <code>Temporary Employees</code>.</p>
<highlight language="config">
-<Directory /www/mydocs>
+<Directory "/www/mydocs">
<RequireAll>
<RequireAny>
Require user superadmin
<RequireAll>
Require group admins
- Require ldap-group cn=Administrators,o=Airius
+ Require ldap-group "cn=Administrators,o=Airius"
<RequireAny>
Require group sales
Require ldap-attribute dept="sales"
</RequireAny>
<RequireNone>
Require group temps
- Require ldap-group cn=Temporary Employees,o=Airius
+ Require ldap-group "cn=Temporary Employees,o=Airius"
</RequireNone>
</RequireAll>
</Directory>
other HTTP request header fields.</p>
<highlight language="config">
-SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
-<Directory /docroot>
+SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
+<Directory "/docroot">
Require env let_me_in
</Directory>
</highlight>
</p>
<highlight language="config">
-<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
- AuthLDAPBindDN cn=youruser,o=ctx
+<AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
+ AuthLDAPBindDN "cn=youruser,o=ctx"
AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
+ AuthLDAPURL "ldap://ldap.host/o=ctx"
</AuthzProviderAlias>
-<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
- AuthLDAPBindDN cn=yourotheruser,o=dev
+<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
+ AuthLDAPBindDN "cn=yourotheruser,o=dev"
AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+ AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
</AuthzProviderAlias>
-Alias /secure /webpages/secure
-<Directory /webpages/secure>
+Alias "/secure" "/webpages/secure"
+<Directory "/webpages/secure">
Require all granted
AuthBasicProvider file
AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
-AuthUserFile /web/users
-AuthGroupFile /web/groups
+AuthUserFile "/web/users"
+AuthGroupFile "/web/groups"
Require group admin
</highlight>
are also in the <code>reject</code> group.</p>
<highlight language="config">
-<Directory /www/docs>
+<Directory "/www/docs">
<RequireAll>
Require group alpha beta
Require not group reject
<code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</note>
<highlight language="config">
-<Directory /www/docs>
+<Directory "/www/docs">
AuthType Basic
AuthName Documents
AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
+ AuthUserFile "/usr/local/apache/passwd/passwords"
Require group alpha
</Directory>
-<Directory /www/docs/ab>
+<Directory "/www/docs/ab">
AuthMerging Or
Require group beta
</Directory>
-<Directory /www/docs/ab/gamma>
+<Directory "/www/docs/ab/gamma">
Require group gamma
</Directory>
</highlight>
<div class="section">
<h2><a name="examples" id="examples">Example usage</a></h2>
-<p><em>Note that using mod_authz_dbm requires you to require <code>dbm-group</code>
+<p><em>Note that using mod_authz_dbm requires you to require <code>dbm-group</code>
instead of <code>group</code>:</em>
</p>
<pre class="prettyprint lang-config"><Directory "/foo/bar">
- AuthType Basic
+ AuthType Basic
AuthName "Secure Area"
- AuthBasicProvider dbm
- AuthDBMUserFile site/data/users
- AuthDBMGroupFile site/data/users
- Require dbm-group admin
+ AuthBasicProvider dbm
+ AuthDBMUserFile "site/data/users"
+ AuthDBMGroupFile "site/data/users"
+ Require dbm-group admin
</Directory></pre>
</div>
accomplished by first setting the group and password files to
point to the same DBM:</p>
- <pre class="prettyprint lang-config">AuthDBMGroupFile /www/userbase
-AuthDBMUserFile /www/userbase</pre>
+ <pre class="prettyprint lang-config">AuthDBMGroupFile "/www/userbase"
+AuthDBMUserFile "/www/userbase"</pre>
<p>The key for the single DBM is the username. The value consists
<section id="examples">
<title>Example usage</title>
-<p><em>Note that using mod_authz_dbm requires you to require <code>dbm-group</code>
+<p><em>Note that using mod_authz_dbm requires you to require <code>dbm-group</code>
instead of <code>group</code>:</em>
</p>
<highlight language="config">
<Directory "/foo/bar">
- AuthType Basic
+ AuthType Basic
AuthName "Secure Area"
- AuthBasicProvider dbm
- AuthDBMUserFile site/data/users
- AuthDBMGroupFile site/data/users
- Require dbm-group admin
+ AuthBasicProvider dbm
+ AuthDBMUserFile "site/data/users"
+ AuthDBMGroupFile "site/data/users"
+ Require dbm-group admin
</Directory>
</highlight>
</section>
point to the same DBM:</p>
<highlight language="config">
-AuthDBMGroupFile /www/userbase
-AuthDBMUserFile /www/userbase
+AuthDBMGroupFile "/www/userbase"
+AuthDBMUserFile "/www/userbase"
</highlight>
<p>The key for the single DBM is the username. The value consists
files in <code>/home/smith/public_html/private</code> unless they
were owned by <code>jones</code> instead of <code>smith</code>.</p>
- <pre class="prettyprint lang-config"><Directory /home/*/public_html/private>
+ <pre class="prettyprint lang-config"><Directory "/home/*/public_html/private">
AuthType Basic
- AuthName MyPrivateFiles
+ AuthName "MyPrivateFiles"
AuthBasicProvider dbm
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ AuthDBMUserFile "/usr/local/apache2/etc/.htdbm-all"
Require file-owner
</Directory></pre>
authorized to access the <code>project-foo</code> directories of
each other.</p>
- <pre class="prettyprint lang-config"><Directory /home/*/public_html/project-foo>
+ <pre class="prettyprint lang-config"><Directory "/home/*/public_html/project-foo">
AuthType Basic
AuthName "Project Foo Files"
AuthBasicProvider dbm
-
+
# combined user/group database
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
- AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
-
+ AuthDBMUserFile "/usr/local/apache2/etc/.htdbm-all"
+ AuthDBMGroupFile "/usr/local/apache2/etc/.htdbm-all"
+
Satisfy All
Require file-group
</Directory></pre>
were owned by <code>jones</code> instead of <code>smith</code>.</p>
<highlight language="config">
-<Directory /home/*/public_html/private>
+<Directory "/home/*/public_html/private">
AuthType Basic
- AuthName MyPrivateFiles
+ AuthName "MyPrivateFiles"
AuthBasicProvider dbm
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ AuthDBMUserFile "/usr/local/apache2/etc/.htdbm-all"
Require file-owner
</Directory>
</highlight>
each other.</p>
<highlight language="config">
-<Directory /home/*/public_html/project-foo>
+<Directory "/home/*/public_html/project-foo">
AuthType Basic
AuthName "Project Foo Files"
AuthBasicProvider dbm
-
+
# combined user/group database
- AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
- AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
-
+ AuthDBMUserFile "/usr/local/apache2/etc/.htdbm-all"
+ AuthDBMGroupFile "/usr/local/apache2/etc/.htdbm-all"
+
Satisfy All
Require file-group
</Directory>
file using the <code class="directive"><a href="../mod/mod_dav_fs.html#davlockdb">DavLockDB</a></code>
directive:</p>
- <pre class="prettyprint lang-config">DavLockDB /usr/local/apache2/var/DavLock</pre>
+ <pre class="prettyprint lang-config">DavLockDB "/usr/local/apache2/var/DavLock"</pre>
<p>The directory containing the lock database file must be
directive. The "normal" <code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code> directive has no effect on DAV
requests.</p>
- <div class="example"><h3>Full Example</h3><pre class="prettyprint lang-config">DavLockDB /usr/local/apache2/var/DavLock
+ <div class="example"><h3>Full Example</h3><pre class="prettyprint lang-config">DavLockDB "/usr/local/apache2/var/DavLock"
-<Directory /usr/local/apache2/htdocs/foo>
+<Directory "/usr/local/apache2/htdocs/foo">
Require all granted
Dav On
AuthType Basic
- AuthName DAV
- AuthUserFile user.passwd
+ AuthName "DAV"
+ AuthUserFile "user.passwd"
<LimitExcept GET POST OPTIONS>
Require user admin
will run the script, and one of which will allow it to be
downloaded and manipulated with DAV.</p>
-<pre class="prettyprint lang-config">Alias /phparea /home/gstein/php_files
-Alias /php-source /home/gstein/php_files
-<Location /php-source>
+<pre class="prettyprint lang-config">Alias "/phparea" "/home/gstein/php_files"
+Alias "/php-source" "/home/gstein/php_files"
+<Location "/php-source">
Dav On
ForceType text/plain
</Location></pre>
<p>Use the <code class="directive">Dav</code> directive to enable the
WebDAV HTTP methods for the given container:</p>
- <pre class="prettyprint lang-config"><Location /foo>
+ <pre class="prettyprint lang-config"><Location "/foo">
Dav On
</Location></pre>
(like 600 seconds) to reduce the chance of the client losing
the lock due to network latency.</p>
- <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location /MSWord>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><Location "/MSWord">
DavMinTimeout 600
</Location></pre>
</div>
<p>To enable <module>mod_dav</module>, add the following to a
container in your <code>httpd.conf</code> file:</p>
- <highlight language="config">Dav On</highlight>
+ <highlight language="config">
+Dav On
+ </highlight>
<p>This enables the DAV file system provider, which is implemented
by the <module>mod_dav_fs</module> module. Therefore, that module
directive:</p>
<highlight language="config">
- DavLockDB /usr/local/apache2/var/DavLock
+ DavLockDB "/usr/local/apache2/var/DavLock"
</highlight>
<p>The directory containing the lock database file must be
writable by the <directive module="mod_unixd">User</directive>
- and <directive module="mod_unixd" >Group</directive> under which
+ and <directive module="mod_unixd">Group</directive> under which
Apache is running.</p>
<p>You may wish to add a <directive module="core" type="section"
<example><title>Full Example</title>
<highlight language="config">
-DavLockDB /usr/local/apache2/var/DavLock
+DavLockDB "/usr/local/apache2/var/DavLock"
-<Directory /usr/local/apache2/htdocs/foo>
+<Directory "/usr/local/apache2/htdocs/foo">
Require all granted
Dav On
AuthType Basic
- AuthName DAV
- AuthUserFile user.passwd
+ AuthName "DAV"
+ AuthUserFile "user.passwd"
<LimitExcept GET POST OPTIONS>
Require user admin
downloaded and manipulated with DAV.</p>
<highlight language="config">
-Alias /phparea /home/gstein/php_files
-Alias /php-source /home/gstein/php_files
-<Location /php-source>
+Alias "/phparea" "/home/gstein/php_files"
+Alias "/php-source" "/home/gstein/php_files"
+<Location "/php-source">
Dav On
ForceType text/plain
</Location>
WebDAV HTTP methods for the given container:</p>
<highlight language="config">
-<Location /foo>
+<Location "/foo">
Dav On
</Location>
</highlight>
<example><title>Example</title>
<highlight language="config">
-<Location /MSWord>
+<Location "/MSWord">
DavMinTimeout 600
</Location>
</highlight>
SessionCryptoPassphrase secret
SessionCookieName session path=/
AuthFormProvider file
-AuthUserFile conf/passwd
+AuthUserFile "conf/passwd"
AuthType form
-AuthName realm
+AuthName "realm"
#...</pre>
</div>
SessionCryptoPassphrase secret
SessionCookieName session path=/
AuthFormProvider file
-AuthUserFile conf/passwd
+AuthUserFile "conf/passwd"
AuthType form
-AuthName realm
+AuthName "realm"
#...
</highlight>
</example>
<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
- SSLCertificateFile /path/to/www.example.com.cert
- SSLCertificateKeyFile /path/to/www.example.com.key
+ SSLCertificateFile "/path/to/www.example.com.cert"
+ SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost></pre>
<pre class="prettyprint lang-config"># be liberal in general
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
-<Location /strong/area>
+<Location "/strong/area">
# but https://hostname/strong/area/ and below
# requires strong ciphers
SSLCipherSuite HIGH:!aNULL:!MD5
<p>Because the client can obtain the certificate revocation status from
the server, without requiring an extra connection from the client to the
Certificate Authority, OCSP Stapling is the preferred way for the
-revocation status to be obtained. Other benefits of eliminating the
+revocation status to be obtained. Other benefits of eliminating the
communication between clients and the Certificate Authority are that the
client browsing history is not exposed to the Certificate Authority and
obtaining status is more reliable by not depending on potentially heavily
<p>These directives are placed at global scope (i.e., not within a virtual
host definition) wherever other global SSL configuration directives are
-placed, such as in <code>conf/extra/httpd-ssl.conf</code> for normal
+placed, such as in <code>conf/extra/httpd-ssl.conf</code> for normal
open source builds of httpd, <code>/etc/apache2/mods-enabled/ssl.conf</code>
for the Ubuntu or Debian-bundled httpd, etc.</p>
<code class="module"><a href="../mod/mod_socache_shmcb.html">mod_socache_shmcb</a></code> (from the <code>shmcb</code> prefix on the
directive's argument). This module is usually enabled already for
<code class="directive">SSLSessionCache</code> or on behalf of some module other than
-<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. If you enabled an SSL session cache using a
+<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. If you enabled an SSL session cache using a
mechanism other than <code class="module"><a href="../mod/mod_socache_shmcb.html">mod_socache_shmcb</a></code>, use that alternative
mechanism for <code class="directive">SSLStaplingCache</code> as well. For example:</p>
<pre>$ openssl s_client -connect www.example.com:443 -status -servername www.example.com
...
-OCSP response:
+OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
...</pre>
<p>The following sections highlight the most common situations which require
-further modification to the configuration. Refer also to the
+further modification to the configuration. Refer also to the
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> reference manual.</p>
<h3>If more than a few SSL certificates are used for the server</h3>
<p>OCSP responses are stored in the SSL stapling cache. While the responses
-are typically a few hundred to a few thousand bytes in size, mod_ssl
-supports OCSP responses up to around 10K bytes in size. With more than a
-few certificates, the stapling cache size (32768 bytes in the example above)
+are typically a few hundred to a few thousand bytes in size, mod_ssl
+supports OCSP responses up to around 10K bytes in size. With more than a
+few certificates, the stapling cache size (32768 bytes in the example above)
may need to be increased. Error message AH01929 will be logged in case of
an error storing a response.</p>
<h3>If the certificate does not point to an OCSP responder, or if a
different address must be used</h3>
-<p>Refer to the
+<p>Refer to the
<code class="directive"><a href="../mod/mod_ssl.html#sslstaplingforceurl">SSLStaplingForceURL</a></code> directive.</p>
<p>You can confirm that a server certificate points to an OCSP responder
<pre>AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!</pre>
<p>In order to support OCSP Stapling when a particular server certificate is
-used, the certificate chain for that certificate must be configured. If it
+used, the certificate chain for that certificate must be configured. If it
was not configured as part of enabling SSL, the AH02217 error will be issued
when stapling is enabled, and an OCSP response will not be provided for clients
using the certificate.</p>
# signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
-SSLCACertificateFile conf/ssl.crt/ca.crt</pre>
+SSLCACertificateFile "conf/ssl.crt/ca.crt"</pre>
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>:</p>
<pre class="prettyprint lang-config">SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
-<Location /secure/area>
+<Location "/secure/area">
SSLVerifyClient require
SSLVerifyDepth 1
</Location></pre>
clients allowed, as follows:</p>
<pre class="prettyprint lang-config">SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
+SSLCACertificatePath "conf/ssl.crt"
-<Directory /usr/local/apache2/htdocs/secure/area>
+<Directory "/usr/local/apache2/htdocs/secure/area">
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
AuthName "Snake Oil Authentication"
AuthType Basic
AuthBasicProvider file
- AuthUserFile /usr/local/apache2/conf/httpd.passwd
+ AuthUserFile "/usr/local/apache2/conf/httpd.passwd"
Require valid-user
</Directory></pre>
<pre class="prettyprint lang-config">SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
+SSLCACertificatePath "conf/ssl.crt"
-<Directory /usr/local/apache2/htdocs/secure/area>
+<Directory "/usr/local/apache2/htdocs/secure/area">
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
This configuration should remain outside of your HTTPS virtual host, so
that it applies to both HTTPS and HTTP.</p>
- <pre class="prettyprint lang-config">SSLCACertificateFile conf/ssl.crt/company-ca.crt
+ <pre class="prettyprint lang-config">SSLCACertificateFile "conf/ssl.crt/company-ca.crt"
-<Directory /usr/local/apache2/htdocs>
+<Directory "/usr/local/apache2/htdocs">
# Outside the subarea only Intranet access is granted
Require ip 192.168.1.0/24
</Directory>
-<Directory /usr/local/apache2/htdocs/subarea>
+<Directory "/usr/local/apache2/htdocs/subarea">
# Inside the subarea any Intranet access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
-
+
# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as alternative to basic auth.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
+
# Force clients from the Internet to use HTTPS
RewriteEngine on
- RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
- RewriteCond %{HTTPS} !=on
- RewriteRule . - [F]
-
+ RewriteCond "%{REMOTE_ADDR}" "!^192\.168\.1\.[0-9]+$"
+ RewriteCond "%{HTTPS}" "!=on"
+ RewriteRule "." "-" [F]
+
# Allow Network Access and/or Basic Auth
Satisfy any
-
+
# Network Access Control
Require ip 192.168.1.0/24
-
+
# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
AuthBasicProvider file
- AuthUserFile conf/protected.passwd
+ AuthUserFile "conf/protected.passwd"
Require valid-user
</Directory></pre>
<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
- SSLCertificateFile /path/to/www.example.com.cert
- SSLCertificateKeyFile /path/to/www.example.com.key
+ SSLCertificateFile "/path/to/www.example.com.cert"
+ SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
</highlight>
# be liberal in general
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
-<Location /strong/area>
+<Location "/strong/area">
# but https://hostname/strong/area/ and below
# requires strong ciphers
SSLCipherSuite HIGH:!aNULL:!MD5
<p>Because the client can obtain the certificate revocation status from
the server, without requiring an extra connection from the client to the
Certificate Authority, OCSP Stapling is the preferred way for the
-revocation status to be obtained. Other benefits of eliminating the
+revocation status to be obtained. Other benefits of eliminating the
communication between clients and the Certificate Authority are that the
client browsing history is not exposed to the Certificate Authority and
obtaining status is more reliable by not depending on potentially heavily
<p>These directives are placed at global scope (i.e., not within a virtual
host definition) wherever other global SSL configuration directives are
-placed, such as in <code>conf/extra/httpd-ssl.conf</code> for normal
+placed, such as in <code>conf/extra/httpd-ssl.conf</code> for normal
open source builds of httpd, <code>/etc/apache2/mods-enabled/ssl.conf</code>
for the Ubuntu or Debian-bundled httpd, etc.</p>
<module>mod_socache_shmcb</module> (from the <code>shmcb</code> prefix on the
directive's argument). This module is usually enabled already for
<directive>SSLSessionCache</directive> or on behalf of some module other than
-<module>mod_ssl</module>. If you enabled an SSL session cache using a
+<module>mod_ssl</module>. If you enabled an SSL session cache using a
mechanism other than <module>mod_socache_shmcb</module>, use that alternative
mechanism for <directive>SSLStaplingCache</directive> as well. For example:</p>
<pre>
$ openssl s_client -connect www.example.com:443 -status -servername www.example.com
...
-OCSP response:
+OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
</pre>
<p>The following sections highlight the most common situations which require
-further modification to the configuration. Refer also to the
+further modification to the configuration. Refer also to the
<module>mod_ssl</module> reference manual.</p>
<section>
<title>If more than a few SSL certificates are used for the server</title>
<p>OCSP responses are stored in the SSL stapling cache. While the responses
-are typically a few hundred to a few thousand bytes in size, mod_ssl
-supports OCSP responses up to around 10K bytes in size. With more than a
-few certificates, the stapling cache size (32768 bytes in the example above)
+are typically a few hundred to a few thousand bytes in size, mod_ssl
+supports OCSP responses up to around 10K bytes in size. With more than a
+few certificates, the stapling cache size (32768 bytes in the example above)
may need to be increased. Error message AH01929 will be logged in case of
an error storing a response.</p>
</section>
<section>
<title>If the certificate does not point to an OCSP responder, or if a
different address must be used</title>
-<p>Refer to the
+<p>Refer to the
<directive module="mod_ssl">SSLStaplingForceURL</directive> directive.</p>
<p>You can confirm that a server certificate points to an OCSP responder
AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
</pre>
<p>In order to support OCSP Stapling when a particular server certificate is
-used, the certificate chain for that certificate must be configured. If it
+used, the certificate chain for that certificate must be configured. If it
was not configured as part of enabling SSL, the AH02217 error will be issued
when stapling is enabled, and an OCSP response will not be provided for clients
using the certificate.</p>
# signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
-SSLCACertificateFile conf/ssl.crt/ca.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
</highlight>
</section>
<highlight language="config">
SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
-<Location /secure/area>
+<Location "/secure/area">
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
<highlight language="config">
SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
+SSLCACertificatePath "conf/ssl.crt"
-<Directory /usr/local/apache2/htdocs/secure/area>
+<Directory "/usr/local/apache2/htdocs/secure/area">
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
AuthName "Snake Oil Authentication"
AuthType Basic
AuthBasicProvider file
- AuthUserFile /usr/local/apache2/conf/httpd.passwd
+ AuthUserFile "/usr/local/apache2/conf/httpd.passwd"
Require valid-user
</Directory>
</highlight>
<highlight language="config">
SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
+SSLCACertificateFile "conf/ssl.crt/ca.crt"
+SSLCACertificatePath "conf/ssl.crt"
-<Directory /usr/local/apache2/htdocs/secure/area>
+<Directory "/usr/local/apache2/htdocs/secure/area">
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
that it applies to both HTTPS and HTTP.</p>
<highlight language="config">
-SSLCACertificateFile conf/ssl.crt/company-ca.crt
+SSLCACertificateFile "conf/ssl.crt/company-ca.crt"
-<Directory /usr/local/apache2/htdocs>
+<Directory "/usr/local/apache2/htdocs">
# Outside the subarea only Intranet access is granted
Require ip 192.168.1.0/24
</Directory>
-<Directory /usr/local/apache2/htdocs/subarea>
+<Directory "/usr/local/apache2/htdocs/subarea">
# Inside the subarea any Intranet access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
-
+
# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as alternative to basic auth.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
+
# Force clients from the Internet to use HTTPS
RewriteEngine on
- RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
- RewriteCond %{HTTPS} !=on
- RewriteRule . - [F]
-
+ RewriteCond "%{REMOTE_ADDR}" "!^192\.168\.1\.[0-9]+$"
+ RewriteCond "%{HTTPS}" "!=on"
+ RewriteRule "." "-" [F]
+
# Allow Network Access and/or Basic Auth
Satisfy any
-
+
# Network Access Control
Require ip 192.168.1.0/24
-
+
# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
AuthBasicProvider file
- AuthUserFile conf/protected.passwd
+ AuthUserFile "conf/protected.passwd"
Require valid-user
</Directory>
</highlight>
</section>
</manualpage>
-
projects / apache / commitdiff