From: Daniel Gruno
Date: Fri, 4 May 2012 15:16:50 +0000 (+0000)
Subject: Backporting syntax highlighting and igalic's ssl changes for mod_r|s*.xml
X-Git-Tag: 2.4.3~480
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0684cee44e86064035d69079d01e0cd987b90831;p=apache

Backporting syntax highlighting and igalic's ssl changes for mod_r|s*.xml

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1334024 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ratelimit.xml b/docs/manual/mod/mod_ratelimit.xml index 0128def459..e386dd581d 100644 --- a/docs/manual/mod/mod_ratelimit.xml +++ b/docs/manual/mod/mod_ratelimit.xml @@ -38,12 +38,12 @@ The connection speed to be simulated is specified, in KiB/s, using the environme variable rate-limit.

Example Configuration -<Location /downloads>
- -SetOutputFilter RATE_LIMIT
-SetEnv rate-limit 400
-
+ +<Location /downloads> + SetOutputFilter RATE_LIMIT + SetEnv rate-limit 400 </Location> +
diff --git a/docs/manual/mod/mod_reflector.xml b/docs/manual/mod/mod_reflector.xml index 880170e8b7..17e5d2c813 100644 --- a/docs/manual/mod/mod_reflector.xml +++ b/docs/manual/mod/mod_reflector.xml @@ -43,23 +43,23 @@
Pass the request body through the DEFLATE filter to compress the body. This request requires a Content-Encoding request header containing "gzip" for the filter to return compressed data. - - <Location /compress>
- SetHandler reflector
- SetOutputFilter DEFLATE
- </Location> -
+ +<Location /compress> + SetHandler reflector + SetOutputFilter DEFLATE +</Location> +
Image downsampling service
Pass the request body through an image downsampling filter, and reflect the results to the caller. - - <Location /downsample>
- SetHandler reflector
- SetOutputFilter DOWNSAMPLE
- </Location> -
+ +<Location /downsample> + SetHandler reflector + SetOutputFilter DOWNSAMPLE +</Location> +
diff --git a/docs/manual/mod/mod_remoteip.xml b/docs/manual/mod/mod_remoteip.xml index cfe6d2380d..bb764d33eb 100644 --- a/docs/manual/mod/mod_remoteip.xml +++ b/docs/manual/mod/mod_remoteip.xml @@ -118,11 +118,15 @@ via the request headers. hosts presenting a RemoteIPHeader IP value.

Internal (Load Balancer) Example + RemoteIPHeader X-Client-IP + Proxy Example + RemoteIPHeader X-Forwarded-For + @@ -142,9 +146,11 @@ via the request headers. trusted when passed from these proxies.

Internal (Load Balancer) Example - RemoteIPHeader X-Client-IP
- RemoteIPTrustedProxy 10.0.2.0/24
- RemoteIPTrustedProxy gateway.localdomain + +RemoteIPHeader X-Client-IP +RemoteIPInternalProxy 10.0.2.0/24 +RemoteIPInternalProxy gateway.localdomain +
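Review bot: The added lines in this "Internal (Load Balancer) Example" change the directive itself, not only the markup: `RemoteIPTrustedProxy 10.0.2.0/24` and `RemoteIPTrustedProxy gateway.localdomain` become `RemoteIPInternalProxy 10.0.2.0/24` and `RemoteIPInternalProxy gateway.localdomain`. The log message only mentions syntax highlighting and the ssl changes, so name this correction there or move it into its own commit. Anyone checking their proxy trust configuration against the manual needs to be able to find when the documented directive changed.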
@@ -165,14 +171,18 @@ via the request headers. the RemoteIPInternalProxy directive.

Internal (Load Balancer) Example - RemoteIPHeader X-Client-IP
- RemoteIPTrustedProxyList conf/trusted-proxies.lst + +RemoteIPHeader X-Client-IP +RemoteIPInternalProxyList conf/trusted-proxies.lst +
conf/trusted-proxies.lst contents - # Our internally trusted proxies;
- 10.0.2.0/24 #Everyone in the testing group
- gateway.localdomain #The front end balancer +
+# Our internally trusted proxies;
+10.0.2.0/24         #Everyone in the testing group
+gateway.localdomain #The front end balancer
+         
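Review bot: The example now reads `RemoteIPInternalProxyList conf/trusted-proxies.lst`, and the later RemoteIPTrustedProxyList example in this same patch points at the identical `conf/trusted-proxies.lst`. Using one file name for both lists invites readers to share a single file between the internal and the trusted directive; give the internal example its own file name and update the "contents" caption to match. The last added line of the list block is a `+` followed only by spaces, which should be dropped so the rendered example does not end in a whitespace-only line.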
@@ -193,8 +203,10 @@ via the request headers. RemoteIPInternalProxy addresses are discarded.

Example - RemoteIPHeader X-Forwarded-For
- RemoteIPProxiesHeader X-Forwarded-By + +RemoteIPHeader X-Forwarded-For +RemoteIPProxiesHeader X-Forwarded-By +
@@ -216,9 +228,11 @@ via the request headers. RemoteIPHeader header's value.

Trusted (Load Balancer) Example - RemoteIPHeader X-Forwarded-For
- RemoteIPTrustedProxy 10.0.2.16/28
- RemoteIPTrustedProxy proxy.example.com + +RemoteIPHeader X-Forwarded-For +RemoteIPTrustedProxy 10.0.2.16/28 +RemoteIPTrustedProxy proxy.example.com +
@@ -235,12 +249,14 @@ via the request headers. to trust as presenting a valid RemoteIPHeader value of the useragent IP.

The '#' hash character designates a comment line, otherwise - each whitespace or newline seperated entry is processed identically to + each whitespace or newline separated entry is processed identically to the RemoteIPTrustedProxy directive.

Trusted (Load Balancer) Example - RemoteIPHeader X-Forwarded-For
- RemoteIPTrustedProxyList conf/trusted-proxies.lst + +RemoteIPHeader X-Forwarded-For +RemoteIPTrustedProxyList conf/trusted-proxies.lst +
conf/trusted-proxies.lst contents diff --git a/docs/manual/mod/mod_reqtimeout.xml b/docs/manual/mod/mod_reqtimeout.xml index 3707843081..cb5d5c89b2 100644 --- a/docs/manual/mod/mod_reqtimeout.xml +++ b/docs/manual/mod/mod_reqtimeout.xml @@ -37,21 +37,21 @@ Allow 10 seconds to receive the request including the headers and 30 seconds for receiving the request body: - + RequestReadTimeout header=10 body=30 - +
  • Allow at least 10 seconds to receive the request body. If the client sends data, increase the timeout by 1 second for every - 1000 bytes received, with no upper limit for the timeout (exept for + 1000 bytes received, with no upper limit for the timeout (except for the limit given indirectly by LimitRequestBody): - + RequestReadTimeout body=10,MinRate=1000 - +
  • @@ -60,9 +60,9 @@ 500 bytes received. But do not allow more than 30 seconds for the request including the headers: - + RequestReadTimeout header=10-30,MinRate=500 - +
  • @@ -70,9 +70,9 @@ If a common configuration is used for http and https virtual hosts, the timeouts should not be set too low: - + RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 - +
  • diff --git a/docs/manual/mod/mod_rewrite.xml b/docs/manual/mod/mod_rewrite.xml index 6dc853f500..7ba1eddd3f 100644 --- a/docs/manual/mod/mod_rewrite.xml +++ b/docs/manual/mod/mod_rewrite.xml @@ -69,7 +69,9 @@ URLs on the fly Example + LogLevel alert rewrite:trace3 + RewriteLog @@ -234,16 +236,16 @@ Apache HTTP Server 2.0.41 and later

    For example, you might define a RewriteMap as:

    - + RewriteMap examplemap txt:/path/to/file/map.txt - +

    You would then be able to use this map in a RewriteRule as follows:

    - + RewriteRule ^/ex/(.*) ${examplemap:$1} - +

    The following combinations for MapType and MapSource can be used:

    @@ -293,42 +295,38 @@ Apache HTTP Server 2.0.41 and later FileInfo -

    The RewriteBase directive explicitly - sets the base URL-path (not filesystem directory path!) for per-directory rewrites - that result in the substitution of a relative path. - When you use a RewriteRule - in a .htaccess file, mod_rewrite strips off - the local directory prefix before processing, then rewrites the rest of - the URL. When the rewrite is completed, mod_rewrite - automatically adds the local directory prefix (or the - RewriteBase when set) back on to the substitution - before handing it back to the core of the server as if it were the original - URL.

    - -

    This directive is required for per-directory rewrites whose context - is a directory made available via the Alias - directive, when the substitution uses a relative path.

    - -

    If your URL path does not exist verbatim on the filesystem, - or isn't directly under your DocumentRoot, - you must use RewriteBase in every - .htaccess file where you want to use RewriteRule directives.

    - -

    The example below demonstrates how to map - http://example.com/myapp/index.html to - /home/www/example/newsite.html, in a .htaccess file. This - assumes that the content available at - http://example.com/ is on disk at /home/www/example/

    - -
    -RewriteEngine On
    -# The URL-path used to get to this context, not the filesystem path
    -RewriteBase /myapp/
    -RewriteRule ^index\.html$  newsite.html
    -
    -
    +

    The RewriteBase directive specifies the + URL prefix to be used for per-directory (htaccess) + RewriteRule directives that substitute a relative + path.

    +

    This directive is required when you use a relative path + in a substitution in per-directory (htaccess) context unless either + of the following conditions are true:

    +
      +
    • The original request, and the substitution, are underneath the + DocumentRoot + (as opposed to reachable by other means, such as + Alias).
    • +
    • The filesystem path to the directory containing the + RewriteRule, suffixed by the relative + substitution is also valid as a URL path on the server + (this is rare).
    • +
    +

    In the example below, RewriteBase is necessary + to avoid rewriting to http://example.com/opt/myapp-1.2.3/welcome.html + since the resource was not relative to the document root. This + misconfiguration would normally cause the server to look for an "opt" + directory under the document root.

    + +DocumentRoot /var/www/example.com +Alias /myapp /opt/myapp-1.2.3 +<Directory /opt/myapp-1.2.3> + RewriteEngine On + RewriteBase /myapp/ + RewriteRule ^index\.html$ welcome.html +</Directory> +
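Review bot: The rewritten RewriteBase text drops the one warning readers most often need, that the value is a URL-path and not a filesystem path. The removed description said so explicitly ("not filesystem directory path!") and the removed example carried the comment `# The URL-path used to get to this context, not the filesystem path`; the new example has `Alias /myapp /opt/myapp-1.2.3` and `RewriteBase /myapp/` side by side with nothing saying which of the two paths RewriteBase must mirror. Keep that comment above `RewriteBase /myapp/`. Also, "unless either of the following conditions are true" should read "is true".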
    @@ -805,10 +803,10 @@ RewriteRule ^index\.html$ newsite.html to block unwanted hotlinking.

    - + RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"
    RewriteRule ^/images - [F] -
    +
  • You can also set special flags for @@ -834,14 +832,12 @@ RewriteRule ^index\.html$ newsite.html Use this to combine rule conditions with a local OR instead of the implicit AND. Typical example: - -
    +
     RewriteCond %{REMOTE_HOST}  ^host1  [OR]
     RewriteCond %{REMOTE_HOST}  ^host2  [OR]
     RewriteCond %{REMOTE_HOST}  ^host3
     RewriteRule ...some special stuff for any of these hosts...
    -
    -
    + Without this flag you would have to write the condition/rule pair three times. @@ -866,8 +862,7 @@ RewriteRule ...some special stuff for any of these hosts... ``User-Agent:'' header of the request, you can use the following:

    - -
    +
     RewriteCond  %{HTTP_USER_AGENT}  ^Mozilla
     RewriteRule  ^/$                 /homepage.max.html  [L]
     
    @@ -875,8 +870,7 @@ RewriteCond  %{HTTP_USER_AGENT}  ^Lynx
     RewriteRule  ^/$                 /homepage.min.html  [L]
     
     RewriteRule  ^/$                 /homepage.std.html  [L]
    -
    -
    +

    Explanation: If you use a browser which identifies itself as 'Mozilla' (including Netscape Navigator, Mozilla etc), then you @@ -911,10 +905,11 @@ RewriteRule ^/$ /homepage.std.html [L]

    Pattern is a perl compatible regular - expression. On the first RewriteRule it is applied to the (%-decoded) - URL-path of the request; - subsequent patterns are applied to the output of the last matched - RewriteRule.

    + expression. On the first RewriteRule, it is matched against + the (%-decoded) URL-path (or + file-path, depending + on the context) of the request. Subsequent patterns are matched against the + output of the last matching RewriteRule.

    <a id="what_is_matched" name="what_is_matched">What is matched?</a>

    In VirtualHost context, @@ -923,7 +918,7 @@ RewriteRule ^/$ /homepage.std.html [L]

    In Directory and htaccess context, the Pattern will initially be matched against the - filesystem path, after removing the prefix that lead the server + filesystem path, after removing the prefix that led the server to the current RewriteRule (e.g. "app1/index.html" or "index.html" depending on where the directives are defined).

    @@ -955,7 +950,7 @@ and automatically added after any relative (not starting with a slash or protocol name) substitution encounters the end of a rule set. See the RewriteBase directive for more information regarding what prefix will be added back to -relative substitions.
  • +relative substitutions.
  • If you wish to match against the full URL-path in a per-directory (htaccess) RewriteRule, use the %{REQUEST_URI} variable in @@ -1006,7 +1001,7 @@ cannot use $N in the substitution string! to be delivered to the client. Substitutions are only treated as a file-system path when the rule is configured in server (virtualhost) context and the first component of the - path in the substitution is exists in the file-system + path in the substitution exists in the file-system
    URL-path
    @@ -1045,7 +1040,7 @@ cannot use $N in the substitution string! -

    In addition to plain text, the Substition string can include

    +

    In addition to plain text, the Substitution string can include

    1. back-references ($N) to the RewriteRule @@ -1073,7 +1068,7 @@ cannot use $N in the substitution string!

      Rewrite rules are applied to the results of previous rewrite rules, in the order in which they are defined - in the config file. The URI or file path (see "What is matched?", above) is completely replaced by the Substitution and the rewriting process continues until all rules have been applied, diff --git a/docs/manual/mod/mod_sed.xml b/docs/manual/mod/mod_sed.xml index 1a0c991ec2..639a909d5e 100644 --- a/docs/manual/mod/mod_sed.xml +++ b/docs/manual/mod/mod_sed.xml @@ -62,33 +62,29 @@ the author's blog.

      Sample Configuration Adding an output filter - # In the following example, the sed filter will change the string
      - # "monday" to "MON" and the string "sunday" to SUN in html documents
      - # before sending to the client.
      - - <Directory "/var/www/docs/sed">
      - - AddOutputFilter Sed html
      - OutputSed "s/monday/MON/g"
      - OutputSed "s/sunday/SUN/g"
      -
      - </Directory>
      -
      + +# In the following example, the sed filter will change the string +# "monday" to "MON" and the string "sunday" to SUN in html documents +# before sending to the client. +<Directory "/var/www/docs/sed"> + AddOutputFilter Sed html + OutputSed "s/monday/MON/g" + OutputSed "s/sunday/SUN/g" +</Directory> +
      Adding an input filter - # In the following example, the sed filter will change the string
      - # "monday" to "MON" and the string "sunday" to SUN in the POST data
      - # sent to PHP.
      - - <Directory "/var/www/docs/sed">
      - - AddInputFilter Sed php
      - InputSed "s/monday/MON/g"
      - InputSed "s/sunday/SUN/g"
      -
      - </Directory>
      -
      + +# In the following example, the sed filter will change the string +# "monday" to "MON" and the string "sunday" to SUN in the POST data +# sent to PHP. +<Directory "/var/www/docs/sed"> + AddInputFilter Sed php + InputSed "s/monday/MON/g" + InputSed "s/sunday/SUN/g" +</Directory> +
      Sed Commands diff --git a/docs/manual/mod/mod_session.xml b/docs/manual/mod/mod_session.xml index 32c7c4fae6..963c0f0ccb 100644 --- a/docs/manual/mod/mod_session.xml +++ b/docs/manual/mod/mod_session.xml @@ -131,8 +131,10 @@ stored on the browser, in a cookie called session.

      Browser based session - Session On
      - SessionCookieName session path=/
      + +Session On +SessionCookieName session path=/ +

      The session is not useful unless it can be written to or read from. The @@ -141,9 +143,11 @@ X-Replace-Session.

      Writing to a session - Session On
      - SessionCookieName session path=/
      - SessionHeader X-Replace-Session
      + +Session On +SessionCookieName session path=/ +SessionHeader X-Replace-Session +

      The header should contain name value pairs expressed in the same format @@ -151,11 +155,13 @@ empty string has the effect of removing that key from the session.

      CGI to write to a session - #!/bin/bash
      - echo "Content-Type: text/plain"
      - echo "X-Replace-Session: key1=foo&key2=&key3=bar"
      - echo
      - env
      + +#!/bin/bash +echo "Content-Type: text/plain" +echo "X-Replace-Session: key1=foo&key2=&key3=bar" +echo +env +

      If configured, the session can be read back from the HTTP_SESSION @@ -164,10 +170,12 @@ SessionEnv directive.

      Read from a session - Session On
      - SessionEnv On
      - SessionCookieName session path=/
      - SessionHeader X-Replace-Session
      + +Session On +SessionEnv On +SessionCookieName session path=/ +SessionHeader X-Replace-Session +

      Once read, the CGI variable HTTP_SESSION should contain @@ -187,9 +195,11 @@ module.

      Browser based encrypted session - Session On
      - SessionCryptoPassphrase secret
      - SessionCookieName session path=/
      + +Session On +SessionCryptoPassphrase secret +SessionCookieName session path=/ +

      The session will be automatically decrypted on load, and encrypted on @@ -223,9 +233,11 @@ as in the example below.

      Setting cookie parameters - Session On
      - SessionCryptoPassphrase secret
      - SessionCookieName session path=/private;domain=example.com;httponly;secure;
      + +Session On +SessionCryptoPassphrase secret +SessionCookieName session path=/private;domain=example.com;httponly;secure; +

      In cases where the Apache server forms the frontend for backend origin servers, @@ -244,14 +256,16 @@ the session.

      Form based authentication - Session On
      - SessionCryptoPassphrase secret
      - SessionCookieName session path=/
      - AuthFormProvider file
      - AuthUserFile conf/passwd
      - AuthType form
      - AuthName realm
      - ...
      + +Session On +SessionCryptoPassphrase secret +SessionCookieName session path=/ +AuthFormProvider file +AuthUserFile conf/passwd +AuthType form +AuthName realm +#... +

      See the mod_auth_form module for documentation and complete diff --git a/docs/manual/mod/mod_session_cookie.xml b/docs/manual/mod/mod_session_cookie.xml index 5eadd4ffdb..39a86b531c 100644 --- a/docs/manual/mod/mod_session_cookie.xml +++ b/docs/manual/mod/mod_session_cookie.xml @@ -64,8 +64,10 @@ session, configure the session as follows:

      Browser based session - Session On
      - SessionCookieName session path=/
      + +Session On +SessionCookieName session path=/ +

      For more examples on how the session can be configured to be read @@ -100,8 +102,10 @@

      Cookie with attributes - Session On
      - SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;
      + +Session On +SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1; +
      @@ -130,8 +134,10 @@

      Cookie2 with attributes - Session On
      - SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
      + +Session On +SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1; +
      diff --git a/docs/manual/mod/mod_session_crypto.xml b/docs/manual/mod/mod_session_crypto.xml index 0edfd96fea..1277dc7554 100644 --- a/docs/manual/mod/mod_session_crypto.xml +++ b/docs/manual/mod/mod_session_crypto.xml @@ -60,9 +60,11 @@ session, configure the session as follows:

      Browser based encrypted session - Session On
      - SessionCookieName session path=/
      - SessionCryptoPassphrase secret + +Session On +SessionCookieName session path=/ +SessionCryptoPassphrase secret +

      The session will be encrypted with the given key. Different servers can @@ -95,19 +97,27 @@ which are specified as parameters with optional values after the driver name.

      NSS without a certificate database + SessionCryptoDriver nss + NSS with certificate database + SessionCryptoDriver nss dir=certs + NSS with certificate database and parameters + SessionCryptoDriver nss dir=certs key3=key3.db cert7=cert7.db secmod=secmod + NSS with paths containing spaces + SessionCryptoDriver nss "dir=My Certs" key3=key3.db cert7=cert7.db secmod=secmod +

      The NSS crypto driver might have already been configured by another @@ -117,7 +127,9 @@ To avoid this warning, use the noinit parameter as follows.

      NSS with certificate database + SessionCryptoDriver nss noinit +

      To prevent confusion, ensure that all modules requiring NSS are configured with @@ -127,7 +139,9 @@ the engine to be used for encryption.

      OpenSSL with engine support + SessionCryptoDriver openssl engine=name + diff --git a/docs/manual/mod/mod_session_dbd.xml b/docs/manual/mod/mod_session_dbd.xml index b1663ed66a..88cb809f3f 100644 --- a/docs/manual/mod/mod_session_dbd.xml +++ b/docs/manual/mod/mod_session_dbd.xml @@ -73,13 +73,15 @@ session. These queries are configured as per the example below.

      Sample DBD configuration - DBDriver pgsql
      - DBDParams "dbname=apachesession user=apache password=xxxxx host=localhost"
      - DBDPrepareSQL "delete from session where key = %s" deletesession
      - DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession
      - DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession
      - DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession
      - DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession
      + +DBDriver pgsql +DBDParams "dbname=apachesession user=apache password=xxxxx host=localhost" +DBDPrepareSQL "delete from session where key = %s" deletesession +DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession +DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession +DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession +DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession +
      @@ -95,8 +97,10 @@ called session, configure the session as follows:

      SQL based anonymous session - Session On
      - SessionDBDCookieName session path=/
      + +Session On +SessionDBDCookieName session path=/ +

      For more examples on how the session can be configured to be read @@ -126,8 +130,10 @@ userid, configure the session as follows:

      SQL based per user session - Session On
      - SessionDBDPerUser On
      + +Session On +SessionDBDPerUser On +
      @@ -167,8 +173,10 @@

      Cookie with attributes - Session On
      - SessionDBDCookieName session path=/private;domain=example.com;httponly;secure;version=1;
      + +Session On +SessionDBDCookieName session path=/private;domain=example.com;httponly;secure;version=1; +
      @@ -197,8 +205,10 @@

      Cookie2 with attributes - Session On
      - SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
      + +Session On +SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1; +
      diff --git a/docs/manual/mod/mod_setenvif.xml b/docs/manual/mod/mod_setenvif.xml index 9ff7ff404e..a41641794e 100644 --- a/docs/manual/mod/mod_setenvif.xml +++ b/docs/manual/mod/mod_setenvif.xml @@ -44,10 +44,10 @@ on characteristics of the request such as this example, which sets netscape if the browser is mozilla but not MSIE.

      - - BrowserMatch ^Mozilla netscape
      - BrowserMatch MSIE !netscape
      -
      + +BrowserMatch ^Mozilla netscape +BrowserMatch MSIE !netscape + Environment Variables in Apache HTTP Server @@ -69,17 +69,17 @@ on characteristics of the request sets environment variables conditional on the User-Agent HTTP request header. The following two lines have the same effect:

      - - BrowserMatchNoCase Robot is_a_robot
      - SetEnvIfNoCase User-Agent Robot is_a_robot
      -
      + +BrowserMatchNoCase Robot is_a_robot +SetEnvIfNoCase User-Agent Robot is_a_robot +

      Some additional examples:

      - - BrowserMatch ^Mozilla forms jpeg=yes browser=netscape
      - BrowserMatch "^Mozilla/[2-3]" tables agif frames javascript
      - BrowserMatch MSIE !javascript
      -
      + +BrowserMatch ^Mozilla forms jpeg=yes browser=netscape +BrowserMatch "^Mozilla/[2-3]" tables agif frames javascript +BrowserMatch MSIE !javascript + @@ -101,20 +101,20 @@ respect to case module="mod_setenvif">BrowserMatch directive. However, it provides for case-insensitive matching. For example:

      - - BrowserMatchNoCase mac platform=macintosh
      - BrowserMatchNoCase win platform=windows
      -
      + +BrowserMatchNoCase mac platform=macintosh +BrowserMatchNoCase win platform=windows +

      The BrowserMatch and BrowserMatchNoCase directives are special cases of the SetEnvIf and SetEnvIfNoCase directives. The following two lines have the same effect:

      - - BrowserMatchNoCase Robot is_a_robot
      - SetEnvIfNoCase User-Agent Robot is_a_robot
      -
      + +BrowserMatchNoCase Robot is_a_robot +SetEnvIfNoCase User-Agent Robot is_a_robot + @@ -211,18 +211,17 @@ of

      value and replace them by parenthesized subexpressions of regex.

      - -Example: - SetEnvIf Request_URI "\.gif$" object_is_image=gif
      - SetEnvIf Request_URI "\.jpg$" object_is_image=jpg
      - SetEnvIf Request_URI "\.xbm$" object_is_image=xbm
      - :
      - SetEnvIf Referer www\.mydomain\.example\.com intra_site_referral
      - :
      - SetEnvIf object_is_image xbm XBIT_PROCESSING=1
      - :
      - SetEnvIf ^TS ^[a-z] HAVE_TS
      -
      + +SetEnvIf Request_URI "\.gif$" object_is_image=gif +SetEnvIf Request_URI "\.jpg$" object_is_image=jpg +SetEnvIf Request_URI "\.xbm$" object_is_image=xbm + +SetEnvIf Referer www\.mydomain\.example\.com intra_site_referral + +SetEnvIf object_is_image xbm XBIT_PROCESSING=1 + +SetEnvIf ^TS ^[a-z] HAVE_TS +

      The first three will set the environment variable object_is_image if the request was for an image @@ -261,9 +260,9 @@ for additional examples. and applied env-variable in the same fashion as SetEnvIf.

      - + SetEnvIfExpr "tolower(req('X-Sendfile')) == 'd:\images\very_big.iso')" iso_delivered - +

      This would set the environment variable iso_delivered every time our application attempts to send it via X-Sendfile
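Review bot: The context line `SetEnvIfExpr "tolower(req('X-Sendfile')) == 'd:\images\very_big.iso')" iso_delivered` has an unmatched `)` between the closing single quote of the path and the closing double quote. The hunk only re-wraps the example, so the unbalanced expression is carried into the highlighted block unchanged; drop the stray parenthesis while this example is being touched, since readers copy these blocks verbatim.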

      @@ -271,9 +270,9 @@ for additional examples.

      A more useful example would be to set the variable rfc1918 if the remote IP address is a private address according to RFC 1918:

      - + SetEnvIfExpr "-R '10.0.0.0/8' || -R '172.16.0.0/12' || -R '192.168.0.0/16'" rfc1918 - + Expressions in Apache HTTP Server, @@ -301,9 +300,9 @@ without respect to case the SetEnvIf directive, and differs only in that the regular expression matching is performed in a case-insensitive manner. For example:

      - + SetEnvIfNoCase Host Example\.Org site=example - +

      This will cause the site environment variable to be set to "example" if the HTTP request header diff --git a/docs/manual/mod/mod_so.xml b/docs/manual/mod/mod_so.xml index cef79cb8da..045cab3395 100644 --- a/docs/manual/mod/mod_so.xml +++ b/docs/manual/mod/mod_so.xml @@ -144,7 +144,7 @@ Windows

      For example:

      - LoadFile libexec/libxmlparse.so + LoadFile libexec/libxmlparse.so @@ -167,9 +167,9 @@ of active modules href="module-dict.html#ModuleIdentifier">Module Identifier in the module documentation. Example:

      - + LoadModule status_module modules/mod_status.so - +

      loads the named module from the modules subdirectory of the ServerRoot.

      diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 21c79382fe..9a40a4d7c0 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -169,8 +169,9 @@ For backward compatibility there is additionally a special provided. Information about this function is provided in the Compatibility chapter.

      Example -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + @@ -214,9 +215,9 @@ string in mod_log_config.

      encrypted with SSL. This is similar to the SSLRequireSSL directive.

      - + Require ssl - + @@ -229,10 +230,10 @@ string in mod_log_config.

      The following example grants access if the user is authenticated either with a client certificate or by username and password.

      - + Require ssl-verify-client
      Require valid-user -
      + @@ -311,7 +312,9 @@ query can be done in two ways which can be configured by program is called only once per unique Pass Phrase.

    2. Example + SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter + @@ -365,16 +368,7 @@ The following source variants are available:

      can take a long time). Here using an existing /dev/urandom is better, because it never blocks and actually gives the amount of requested data. The drawback is just that the quality of the received data may not - be the best.

      -

      - On some platforms like FreeBSD one can even control how the entropy is - actually generated, i.e. by which system interrupts. More details one can - find under rndcontrol(8) on those platforms. Alternatively, when - your system lacks such a random device, you can use tool - like EGD - (Entropy Gathering Daemon) and run it's client program with the - exec:/path/to/program/ variant (see below) or use - egd:/path/to/egd-socket (see below).

      + be the best.

    3. exec:/path/to/program

      @@ -400,13 +394,15 @@ The following source variants are available:

      on your platform.

    4. Example -SSLRandomSeed startup builtin
      -SSLRandomSeed startup file:/dev/random
      -SSLRandomSeed startup file:/dev/urandom 1024
      -SSLRandomSeed startup exec:/usr/local/bin/truerand 16
      -SSLRandomSeed connect builtin
      -SSLRandomSeed connect file:/dev/random
      -SSLRandomSeed connect file:/dev/urandom 1024
      + +SSLRandomSeed startup builtin +SSLRandomSeed startup file:/dev/random +SSLRandomSeed startup file:/dev/urandom 1024 +SSLRandomSeed startup exec:/usr/local/bin/truerand 16 +SSLRandomSeed connect builtin +SSLRandomSeed connect file:/dev/random +SSLRandomSeed connect file:/dev/urandom 1024 +
      @@ -477,8 +473,10 @@ The following five storage types are currently supported:

      Examples -SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
      + +SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000) +

      The ssl-cache mutex is used to serialize access to @@ -503,7 +501,9 @@ global/inter-process SSL Session Cache and the OpenSSL internal memory cache. It can be set as low as 15 for testing, but should be set to higher values like 300 in real life.

      Example + SSLSessionCacheTimeout 600 + @@ -524,10 +524,12 @@ type="section">VirtualHost section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

      Example -<VirtualHost _default_:443>
      -SSLEngine on
      -...
      + +<VirtualHost _default_:443> +SSLEngine on +#... </VirtualHost> +

      In Apache 2.1 and later, SSLEngine can be set to optional. This enables support for @@ -608,7 +610,9 @@ The available (case-insensitive) protocols are:

      ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

      Example + SSLProtocol TLSv1 + @@ -716,28 +720,31 @@ prefixes are:

      -v'' command which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string depends on the version of the OpenSSL libraries used. Let's suppose it is -``ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'' which -means the following: first, remove from consideration any ciphers that do not -authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next, -use ciphers using RC4 and RSA. Next include the high, medium and then the low -security ciphers. Finally pull all SSLv2 and export ciphers to the -end of the list.

      +``RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'' which +means the following: Put RC4-SHA and AES128-SHA at +the beginning. We do this, because these ciphers offer a good compromise +between speed and security. Next, include high and medium security ciphers. +Finally, remove all ciphers which do not authenticate, i.e. for SSL the +Anonymous Diffie-Hellman ciphers, as well as all ciphers which use +MD5 as hash algorithm, because it has been proven insufficient.

      -$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
      -NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
      -NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
      -EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
      +$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
      +RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
      +AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
      +DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
       ...                     ...               ...     ...           ...
      -EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
      -EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
      -EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
      +SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
      +PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
      +KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
       

      The complete list of particular RSA & DH ciphers for SSL is given in Table 2.
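Review bot: the rewritten SSLCipherSuite paragraph justifies putting `RC4-SHA` and `AES128-SHA` first, but that ordering only decides the negotiated cipher when the server's preference is honoured. The SSLHonorCipherOrder text in this same file says the client's preference is used unless that directive is enabled, so the paragraph should point to `SSLHonorCipherOrder on`. Separately, the Example that closes this hunk still reads `SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW`, which does not carry the `!MD5` exclusion the new paragraph argues for; align it with the string being explained, and say which result "proven insufficient" refers to.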

      Example + SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW + @@ -795,7 +802,9 @@ Pass Phrase dialog is forced at startup time. This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based server certificate is used in parallel.

      Example + SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt + @@ -822,7 +831,9 @@ at startup time. This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based private key is used in parallel.

      Example + SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key + @@ -861,7 +872,9 @@ using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.

      Example + SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt + @@ -886,7 +899,9 @@ there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

      Example + SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/ + @@ -908,7 +923,9 @@ concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

      Example + SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt + @@ -953,7 +970,9 @@ specify an all-in-one file containing a concatenation of PEM-encoded CA certificates.

      Example + SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt + @@ -980,7 +999,9 @@ Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

      Example + SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/ + @@ -1005,7 +1026,9 @@ Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

      Example + SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/ + @@ -1028,7 +1051,9 @@ the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLCARevocationPath.

      Example + SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl + @@ -1065,7 +1090,9 @@ to succeed - otherwise it will fail with an

      Example + SSLCARevocationCheck chain + @@ -1109,7 +1136,9 @@ The following levels are available for level:

      optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

      Example + SSLVerifyClient require + @@ -1144,7 +1173,9 @@ certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), etc.

      Example + SSLVerifyDepth 10 + @@ -1250,10 +1281,12 @@ The available options are:

      Example -SSLOptions +FakeBasicAuth -StrictRequire
      -<Files ~ "\.(cgi|shtml)$">
      - SSLOptions +StdEnvVars -ExportCertData
      + +SSLOptions +FakeBasicAuth -StrictRequire +<Files ~ "\.(cgi|shtml)$"> + SSLOptions +StdEnvVars -ExportCertData <Files> +
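Review bot: the unchanged context line that ends this example reads `<Files>` rather than `</Files>`, so the section opened by `<Files ~ "\.(cgi|shtml)$">` is never closed and the snippet is not valid configuration as shown. Since the example is being converted into a single config block here, fix the closing tag in the same change.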
      @@ -1275,7 +1308,9 @@ host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL.

      Example + SSLRequireSSL + @@ -1366,12 +1401,14 @@ both parsed and executed each time the .htaccess file is encountered during request processing.

      Example -
      SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
      +
      +SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
                   and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."        \
                   and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}  \
                   and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5          \
                   and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
      -           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
      + or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +

      The PeerExtList(object-ID) function expects @@ -1383,7 +1420,9 @@ exactly against the value of an extension identified with this OID. extension must match).

      Example + SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6") + Notes on the PeerExtList function @@ -1405,7 +1444,6 @@ the left-hand-side expression.

      - Environment Variables in Apache HTTP Server, for additional examples. @@ -1441,7 +1479,9 @@ memory must be considered when changing this configuration setting.

      Example + SSLRenegBufferSize 262144 + @@ -1473,7 +1513,9 @@ version of OpenSSL.

      Example + SSLStrictSNIVHostCheck on + @@ -1498,7 +1540,9 @@ directory contains the appropriate symbolic links.

      Currently there is no support for encrypted private keys

      Example + SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/ + @@ -1525,7 +1569,9 @@ or additionally to SSLProxyMachineCertificatePath.

      Currently there is no support for encrypted private keys

      Example + SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem + @@ -1555,7 +1601,9 @@ trusted as if they were also in SSLProxyCACertificateFile.

      Example + SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem + @@ -1592,7 +1640,9 @@ The following levels are available for level:

      optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

      Example + SSLProxyVerify require + @@ -1619,7 +1669,9 @@ the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLProxyCACertificatePath), etc.

      Example + SSLProxyVerifyDepth 10 + @@ -1640,7 +1692,9 @@ is expired or not. If the check fails a 502 status code (Bad Gateway) is sent.

      Example + SSLProxyCheckPeerExpire on + @@ -1661,7 +1715,9 @@ compared against the hostname of the request URL. If both are not equal a 502 status code (Bad Gateway) is sent.

      Example + SSLProxyCheckPeerCN on + @@ -1682,10 +1738,12 @@ type="section">VirtualHost section to enable SSL/TLS for proxy usage in a particular virtual host. By default the SSL/TLS Protocol Engine is disabled for proxy image both for the main server and all configured virtual hosts.

      Example -<VirtualHost _default_:443>
      -SSLProxyEngine on
      -...
      + +<VirtualHost _default_:443> + SSLProxyEngine on + #... </VirtualHost> +
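Review bot: indentation inside the container differs between the two otherwise identical examples this patch converts in this file. Here the added lines are indented (`+ SSLProxyEngine on`, `+ #...`), while the SSLEngine hunk adds `+SSLEngine on` and `+#...` flush left. Pick one style, preferably the indented one used by the other converted `<Location>` examples.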
      @@ -1749,7 +1807,9 @@ there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

      Example + SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/ + @@ -1771,7 +1831,9 @@ concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLProxyCACertificatePath.

      Example + SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt + @@ -1796,7 +1858,9 @@ Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

      Example + SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/ + @@ -1819,7 +1883,9 @@ the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLProxyCARevocationPath.

      Example + SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl + @@ -1857,7 +1923,9 @@ to succeed - otherwise it will fail with an

      Example + SSLProxyCARevocationCheck chain + @@ -1885,7 +1953,9 @@ any of the SSL environment variables.

      href="#ssloptions">SSLOptions).

      Example + SSLUserName SSL_CLIENT_S_DN_CN + @@ -1903,7 +1973,9 @@ SSLUserName SSL_CLIENT_S_DN_CN the client's preference is used. If this directive is enabled, the server's preference will be used instead.

      Example + SSLHonorCipherOrder on + @@ -1927,8 +1999,10 @@ separate "-engine" releases of OpenSSL 0.9.6 must be used.

      "openssl engine".

      Example -# For a Broadcom accelerator:
      + +# For a Broadcom accelerator: SSLCryptoDevice ubsec +
      @@ -1954,10 +2028,12 @@ itself, or derived by configuration; see the directives.

      Example -SSLVerifyClient on
      -SSLOCSPEnable on
      -SSLOCSPDefaultResponder http://responder.example.com:8888/responder
      + +SSLVerifyClient on +SSLOCSPEnable on +SSLOCSPDefaultResponder http://responder.example.com:8888/responder SSLOCSPOverrideResponder on +
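Review bot: `SSLVerifyClient on` in the first added line is not one of the levels that directive accepts (none, optional, require, optional_no_ca); the SSLVerifyClient example converted earlier in this patch uses `require`. The line is being rewritten anyway, so change it to `SSLVerifyClient require` so that the OCSP example can be pasted as is.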
      @@ -2072,7 +2148,9 @@ in CVE-200 Example + SSLInsecureRenegotiation on +

      The SSL_SECURE_RENEG environment variable can be used diff --git a/docs/manual/mod/mod_status.xml b/docs/manual/mod/mod_status.xml index 20c7cc9049..12e94927b1 100644 --- a/docs/manual/mod/mod_status.xml +++ b/docs/manual/mod/mod_status.xml @@ -77,15 +77,12 @@ performance

      To enable status reports only for browsers from the example.com domain add this code to your httpd.conf configuration file

      - - <Location /server-status>
      - - SetHandler server-status
      -
      - Require host example.com
      -
      - </Location> -
      + +<Location /server-status> + SetHandler server-status + Require host example.com +</Location> +

      You can now access server statistics by using a Web browser to access the page diff --git a/docs/manual/mod/mod_substitute.xml b/docs/manual/mod/mod_substitute.xml index 0e0ab41e48..3c275decad 100644 --- a/docs/manual/mod/mod_substitute.xml +++ b/docs/manual/mod/mod_substitute.xml @@ -71,36 +71,36 @@ Example - <Location /> - - AddOutputFilterByType SUBSTITUTE text/html
      - Substitute s/foo/bar/ni
      -
      - </Location> + +<Location /> + AddOutputFilterByType SUBSTITUTE text/html + Substitute s/foo/bar/ni +</Location> +

      If either the pattern or the substitution contain a slash character then an alternative delimiter should be used:

      Example of using an alternate delimiter - <Location /> - - AddOutputFilterByType SUBSTITUTE text/html
      - Substitute "s|<BR */?>|<br />|i" -
      - </Location> + +<Location /> + AddOutputFilterByType SUBSTITUTE text/html + Substitute "s|<BR */?>|<br />|i" +</Location> +

      Backreferences can be used in the comparison and in the substitution, when regular expressions are used, as illustrated in the following example:

      Example of using backreferences and captures - <Location /> - - AddOutputFilterByType SUBSTITUTE text/html
      - # "foo=k,bar=k" -> "foo/bar=k"
      - Substitute "s|foo=(\w+),bar=\1|foo/bar=$1" -
      - </Location> + +<Location /> + AddOutputFilterByType SUBSTITUTE text/html + # "foo=k,bar=k" -> "foo/bar=k" + Substitute "s|foo=(\w+),bar=\1|foo/bar=$1" +</Location> +
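Review bot: the backreference example ends its expression without the closing delimiter, `Substitute "s|foo=(\w+),bar=\1|foo/bar=$1"`, whereas the other two examples in this hunk terminate theirs (`s/foo/bar/ni` and `s|<BR */?>|<br />|i`). Add the trailing `|` so that all three show the complete s/// form.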

      A common use scenario for mod_substitute is the @@ -113,10 +113,12 @@ those URLs into something that will work from the front end:

      Rewriting URLs embedded in proxied content - ProxyPass /blog/ http://internal.blog.example.com
      - ProxyPassReverse /blog/ http://internal.blog.example.com/
      -
      - Substitute "s|http://internal.blog.example.com/|http://www.example.com/blog/|i" + +ProxyPass /blog/ http://internal.blog.example.com +ProxyPassReverse /blog/ http://internal.blog.example.com/ + +Substitute "s|http://internal.blog.example.com/|http://www.example.com/blog/|i" +

      ProxyPassReverse diff --git a/docs/manual/mod/mod_suexec.xml b/docs/manual/mod/mod_suexec.xml index f2d3ce0d78..2a8232b25c 100644 --- a/docs/manual/mod/mod_suexec.xml +++ b/docs/manual/mod/mod_suexec.xml @@ -57,7 +57,9 @@ later. Example + SuexecUserGroup nobody nogroup +

      In Apache httpd 2.3.9 and later, startup will fail if this