From af77363fb6f133c726935a44a9afb435f4d8957b Mon Sep 17 00:00:00 2001 From: Daniel Gruno Date: Fri, 4 May 2012 14:59:59 +0000 Subject: [PATCH] Backporting syntax highlighting for core.xml, mod_a*.xml git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1334008 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/core.xml | 837 ++++++++++++-------------- docs/manual/mod/mod_access_compat.xml | 120 ++-- docs/manual/mod/mod_actions.xml | 47 +- docs/manual/mod/mod_alias.xml | 122 ++-- docs/manual/mod/mod_allowmethods.xml | 20 +- docs/manual/mod/mod_asis.xml | 2 +- docs/manual/mod/mod_auth_basic.xml | 22 +- docs/manual/mod/mod_auth_digest.xml | 36 +- docs/manual/mod/mod_auth_form.xml | 140 +++-- docs/manual/mod/mod_authn_anon.xml | 36 +- docs/manual/mod/mod_authn_core.xml | 131 ++-- docs/manual/mod/mod_authn_dbd.xml | 21 +- docs/manual/mod/mod_authn_socache.xml | 30 +- docs/manual/mod/mod_authnz_ldap.xml | 150 ++--- docs/manual/mod/mod_authz_core.xml | 235 ++++---- docs/manual/mod/mod_authz_dbd.xml | 36 +- docs/manual/mod/mod_authz_dbm.xml | 8 +- docs/manual/mod/mod_authz_host.xml | 44 +- docs/manual/mod/mod_authz_owner.xml | 50 +- docs/manual/mod/mod_autoindex.xml | 142 ++--- 20 files changed, 1036 insertions(+), 1193 deletions(-) diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index 852e62174a..41f5fcb800 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -48,7 +48,9 @@ On Windows from Apache httpd 2.3.3 and later.

Using none for an argument will disable any accept filters for that protocol. This is useful for protocols that require a server send data first, such as ftp: or nntp:

- AcceptFilter nntp none + + AcceptFilter nntp none +

The default protocol names are https for port 443 and http for all other ports. To specify another protocol @@ -57,10 +59,10 @@ On Windows from Apache httpd 2.3.3 and later. directive.

The default values on FreeBSD are:

- - AcceptFilter http httpready
- AcceptFilter https dataready - + +AcceptFilter http httpready +AcceptFilter https dataready +

The httpready accept filter buffers entire HTTP requests at the kernel level. Once an entire request is received, the kernel then @@ -71,10 +73,10 @@ On Windows from Apache httpd 2.3.3 and later. accf_data(9) filter is used.

The default values on Linux are:

- - AcceptFilter http data
- AcceptFilter https data - + +AcceptFilter http data +AcceptFilter https data +

Linux's TCP_DEFER_ACCEPT does not support buffering http requests. Any value besides none will enable @@ -84,10 +86,10 @@ On Windows from Apache httpd 2.3.3 and later. tcp(7) man page.

The default values on Windows are:

- - AcceptFilter http data
- AcceptFilter https data - + +AcceptFilter http data +AcceptFilter https data +

Window's mpm_winnt interprets the AcceptFilter to toggle the AcceptEx() API, and does not support http protocol buffering. There are two values @@ -107,7 +109,7 @@ On Windows from Apache httpd 2.3.3 and later. filters.

-Protocol +Protocol @@ -170,15 +172,13 @@ On Windows from Apache httpd 2.3.3 and later. the request, so you can use the following configuration to enable such a script:

- - <Files "mypaths.shtml">
- - Options +Includes
- SetOutputFilter INCLUDES
- AcceptPathInfo On
- - </Files> - + +<Files "mypaths.shtml"> + Options +Includes + SetOutputFilter INCLUDES + AcceptPathInfo On +</Files> + @@ -198,9 +198,7 @@ On Windows from Apache httpd 2.3.3 and later. configuration files are enabled for that directory. For example:

- - AccessFileName .acl - + AccessFileName .acl

before returning the document /usr/local/web/index.html, the server will read @@ -208,13 +206,11 @@ On Windows from Apache httpd 2.3.3 and later. /usr/local/.acl and /usr/local/web/.acl for directives, unless they have been disabled with

- - <Directory />
- - AllowOverride None
- - </Directory> - + +<Directory /> + AllowOverride None +</Directory> + AllowOverride Configuration Files @@ -247,9 +243,7 @@ content-type is text/plain or text/html charset values for use in Internet media types (MIME types). For example:

- - AddDefaultCharset utf-8 - + AddDefaultCharset utf-8

AddDefaultCharset should only be used when all of the text resources to which it applies are known to be in that @@ -460,9 +454,7 @@ NoDecode option available in 2.3.12 and later.

Example:

- - AllowOverride AuthConfig Indexes - + AllowOverride AuthConfig Indexes

In the example above all directives that are neither in the group AuthConfig nor Indexes cause an internal @@ -514,10 +506,10 @@ NoDecode option available in 2.3.12 and later.

Example:

- - AllowOverride None
- AllowOverrideList Redirect RedirectMatch - + +AllowOverride None +AllowOverrideList Redirect RedirectMatch +

In the example above only the Redirect and RedirectMatch directives are allowed. All others will @@ -525,10 +517,10 @@ NoDecode option available in 2.3.12 and later.

Example:

- - AllowOverride AuthConfig
- AllowOverrideList CookieTracking CookieName - + +AllowOverride AuthConfig +AllowOverrideList CookieTracking CookieName +

In the example above AllowOverride grants permission to the AuthConfig @@ -617,9 +609,10 @@ headers (shared memory, locks, etc.). If set as a relative path, the full path will be relative to ServerRoot

- Example - DefaultRuntimeDir scratch/ - +

Example

+ +DefaultRuntimeDir scratch/ +

The default location of DefaultRuntimeDir may be modified by changing the DEFAULT_REL_RUNTIMEDIR #define @@ -655,9 +648,7 @@ which no other media type configuration could be found. of configuration files, it may be specified with the value none, meaning no default media type. For example:

- - DefaultType None - + DefaultType None

DefaultType None is only available in httpd-2.2.7 and later.

@@ -692,15 +683,15 @@ which no other media type configuration could be found. the ${VAR} syntax. The variable is always globally defined and not limited to the scope of the surrounding config section.

- - <IfDefine TEST>
-   Define servername test.example.com
- </IfDefine>
- <IfDefine !TEST>
-   Define servername www.example.com
-   Define SSL
- </IfDefine>
- + +<IfDefine TEST> + Define servername test.example.com +</IfDefine> +<IfDefine !TEST> + Define servername www.example.com + Define SSL +</IfDefine> +

Variable names may not contain colon ":" characters, to avoid clashes with RewriteMap's syntax.

@@ -732,13 +723,11 @@ named file-system directory, sub-directories, and their contents. /home/user/public_html, but <Directory /home/*/public_html> will match. Example:

- - <Directory /usr/local/httpd/htdocs>
- - Options Indexes FollowSymLinks
- - </Directory> - + +<Directory "/usr/local/httpd/htdocs"> + Options Indexes FollowSymLinks +</Directory> +

Be careful with the directory-path arguments: @@ -753,9 +742,11 @@ named file-system directory, sub-directories, and their contents. expressions can also be used, with the addition of the ~ character. For example:

- - <Directory ~ "^/www/.*/[0-9]{3}"> - + +<Directory ~ "^/www/.*/[0-9]{3}"> + +</Directory> +

would match directories in /www/ that consisted of three numbers.

@@ -768,19 +759,15 @@ named file-system directory, sub-directories, and their contents. href="#accessfilename">.htaccess files. For example, with

- - <Directory />
- - AllowOverride None
- - </Directory>
-
- <Directory /home>
- - AllowOverride FileInfo
- - </Directory> - + +<Directory /> + AllowOverride None +</Directory> + +<Directory "/home"> + AllowOverride FileInfo +</Directory> +

for access to the document /home/web/dir/doc.html the steps are:

@@ -802,13 +789,11 @@ named file-system directory, sub-directories, and their contents. expressions are tested in the order they appeared in the configuration file. For example, with

- - <Directory ~ abc$>
- - # ... directives here ...
- - </Directory> - + +<Directory ~ "abc$"> + # ... directives here ... +</Directory> +

the regular expression section won't be considered until after all normal Directorys and @@ -823,13 +808,11 @@ named file-system directory, sub-directories, and their contents. recommended that you change this with a block such as

- - <Directory />
- - Require all denied
- - </Directory> - + +<Directory /> + Require all denied +</Directory> +

and then override this for directories you want accessible. See the regular expression. For example:

- - <DirectoryMatch "^/www/(.+/)?[0-9]{3}"> - + +<DirectoryMatch "^/www/(.+/)?[0-9]{3}"> + # ... +</DirectoryMatch> +

would match directories in /www/ that consisted of three numbers.

@@ -911,9 +896,7 @@ from the web path from the requested URL to the document root to make the path to the document. Example:

- - DocumentRoot /usr/web - + DocumentRoot "/usr/web"

then an access to http://my.example.com/index.html refers to @@ -948,14 +931,14 @@ satisfied by a request at runtime in the same scope has not been applied. For example: In

- - <If "-z req('Host')">
- ...
- </If>
- <Else>
- ...
- </Else>
- + +<If "-z req('Host')"> + # ... +</If> +<Else> + # ... +</Else> +

The If would match HTTP/1.0 requests without a Host: header and the @@ -993,17 +976,17 @@ satisfied ElseIf section in the same scope has not been applied. For example: In

- - <If "-R '10.1.0.0/16'">
- ...
- </If>
- <ElseIf "-R '10.0.0.0/8'">
- ...
- </ElseIf>
- <Else>
- ...
- </Else>
- + +<If "-R '10.1.0.0/16'"> + #... +</If> +<ElseIf "-R '10.0.0.0/8'"> + #... +</ElseIf> +<Else> + #... +</Else> +

The ElseIf would match if the remote address of a request belongs to the subnet 10.0.0.0/8 but @@ -1058,20 +1041,16 @@ for a complete reference and more examples.

For server configurations that are vulnerable to these problems, you should disable memory-mapping of delivered files by specifying:

- - EnableMMAP Off - + EnableMMAP Off

For NFS mounted files, this feature may be disabled explicitly for the offending files by specifying:

- - <Directory "/path-to-nfs-files"> - - EnableMMAP Off - - </Directory> - + +<Directory "/path-to-nfs-files"> + EnableMMAP Off +</Directory> + @@ -1118,20 +1097,16 @@ version 2.3.9.

For server configurations that are not vulnerable to these problems, you may enable this feature by specifying:

- - EnableSendfile On - + EnableSendfile On

For network mounted files, this feature may be disabled explicitly for the offending files by specifying:

- - <Directory "/path-to-nfs-files"> - - EnableSendfile Off - - </Directory> - + +<Directory "/path-to-nfs-files"> + EnableSendfile Off +</Directory> +

Please note that the per-directory and .htaccess configuration of EnableSendfile is not supported by mod_cache_disk. @@ -1156,24 +1131,25 @@ version 2.3.9. configuration parsing. The typical use is for reporting required modules which are missing from the configuration.

- Example - # ensure that mod_include is loaded
- <IfModule !include_module>
- Error mod_include is required by mod_foo. Load it with LoadModule.
- </IfModule>
-
- # ensure that exactly one of SSL,NOSSL is defined
- <IfDefine SSL>
- <IfDefine NOSSL>
- Error Both SSL and NOSSL are defined. Define only one of them.
- </IfDefine>
- </IfDefine>
- <IfDefine !SSL>
- <IfDefine !NOSSL>
- Error Either SSL or NOSSL must be defined.
- </IfDefine>
- </IfDefine>
- + +# Example +# ensure that mod_include is loaded +<IfModule !include_module> + Error "mod_include is required by mod_foo. Load it with LoadModule." +</IfModule> + +# ensure that exactly one of SSL,NOSSL is defined +<IfDefine SSL> +<IfDefine NOSSL> + Error "Both SSL and NOSSL are defined. Define only one of them." +</IfDefine> +</IfDefine> +<IfDefine !SSL> +<IfDefine !NOSSL> + Error "Either SSL or NOSSL must be defined." +</IfDefine> +</IfDefine> + @@ -1215,13 +1191,13 @@ in case of an error full URL which the client can resolve. Alternatively, a message can be provided to be displayed by the browser. Examples:

- - ErrorDocument 500 http://foo.example.com/cgi-bin/tester
- ErrorDocument 404 /cgi-bin/bad_urls.pl
- ErrorDocument 401 /subscription_info.html
- ErrorDocument 403 "Sorry can't allow you access today"
- ErrorDocument 403 Forbidden! - + +ErrorDocument 500 http://foo.example.com/cgi-bin/tester +ErrorDocument 404 /cgi-bin/bad_urls.pl +ErrorDocument 401 /subscription_info.html +ErrorDocument 403 "Sorry can't allow you access today" +ErrorDocument 403 Forbidden! +

Additionally, the special value default can be used to specify Apache httpd's simple hardcoded message. While not required @@ -1229,14 +1205,13 @@ in case of an error Apache httpd's simple hardcoded message for configurations that would otherwise inherit an existing ErrorDocument.

- - ErrorDocument 404 /cgi-bin/bad_urls.pl

- <Directory /web/docs>
- - ErrorDocument 404 default
- - </Directory> - + +ErrorDocument 404 /cgi-bin/bad_urls.pl + +<Directory /web/docs> + ErrorDocument 404 default +</Directory> +

Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as @@ -1264,7 +1239,7 @@ in case of an error href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294807" >Q294807.

-

Although most error messages can be overriden, there are certain +

Although most error messages can be overridden, there are certain circumstances where the internal messages are used regardless of the setting of ErrorDocument. In particular, if a malformed request is detected, normal request processing @@ -1296,17 +1271,13 @@ in case of an error the file-path is not absolute then it is assumed to be relative to the ServerRoot.

- Example - ErrorLog /var/log/httpd/error_log - + ErrorLog "/var/log/httpd/error_log"

If the file-path begins with a pipe character "|" then it is assumed to be a command to spawn to handle the error log.

- Example - ErrorLog "|/usr/local/bin/httpd_errors" - + ErrorLog "|/usr/local/bin/httpd_errors"

See the notes on piped logs for more information.

@@ -1320,9 +1291,7 @@ in case of an error in individual virtual hosts, the final facility specified affects the entire server.

- Example - ErrorLog syslog:user - + ErrorLog syslog:user

SECURITY: See the security tips @@ -1353,9 +1322,10 @@ in case of an error supplementary information is logged in the error log in addition to the actual log message.

- Simple example - ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M" - + +#Simple example +ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M" +

Specifying connection or request as first parameter allows to specify additional formats, causing additional @@ -1369,11 +1339,11 @@ in case of an error example, the Referer header is only present if the log message is associated to a request and the log message happens at a time when the Referer header has already been read from the client. If no output is - produced, the default behavior is to delete everything from the preceeding + produced, the default behavior is to delete everything from the preceding space character to the next space character. This means the log line is implicitly divided into fields on non-whitespace to whitespace transitions. If a format string item does not produce output, the whole field is - ommitted. For example, if the remote address %a in the log + omitted. For example, if the remote address %a in the log format [%t] [%l] [%a] %M  is not available, the surrounding brackets are not logged either. Space characters can be escaped with a backslash to prevent them from delimiting a field. The combination '% ' @@ -1385,7 +1355,7 @@ in case of an error respective item does not produce any output. In once-per-connection/request formats, it is also possible to use the + (plus) modifier. If an item with the plus modifier does not produce any output, the whole line is - ommitted.

+ omitted.

A number as modifier can be used to assign a log severity level to a format item. The item will only be logged if the severity of the log @@ -1519,32 +1489,33 @@ in case of an error with error log lines. If mod_unique_id is loaded, its unique id will be used as log ID for requests.

- Example (default format) - ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] - %M% ,\ referer\ %{Referer}i" - + +#Example (default format) +ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i" +

This would result in error messages such as:

- + [Thu May 12 08:28:57.652118 2011] [core:error] [pid 8777:tid 4326490112] [client ::1:58619] File does not exist: /usr/local/apache2/htdocs/favicon.ico -

Notice that, as discussed above, some fields are ommitted +

Notice that, as discussed above, some fields are omitted entirely because they are not defined.

- Example (similar to the 2.2.x format) - ErrorLogFormat "[%t] [%l] %7F: %E: [client\ %a] - %M% ,\ referer\ %{Referer}i" - + +#Example (similar to the 2.2.x format) +ErrorLogFormat "[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i" + - Advanced example with request/connection log IDs - ErrorLogFormat "[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M"
- ErrorLogFormat request "[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T"
- ErrorLogFormat request "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'"
- ErrorLogFormat request "[%{uc}t] [R:%L] Referer:'%+{Referer}i'"
- ErrorLogFormat connection "[%{uc}t] [C:%{c}L] local\ %a remote\ %A"
- + +#Advanced example with request/connection log IDs +ErrorLogFormat "[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M" +ErrorLogFormat request "[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T" +ErrorLogFormat request "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'" +ErrorLogFormat request "[%{uc}t] [R:%L] Referer:'%+{Referer}i'" +ErrorLogFormat connection "[%{uc}t] [C:%{c}L] local\ %a remote\ %A" + ErrorLog @@ -1619,7 +1590,7 @@ earlier.
The number of bytes in the file will be included
All
All available fields will be used. This is equivalent to: - FileETag INode MTime Size
+ FileETag INode MTime Size
None
If a document is file-based, no ETag field will be included in the response
@@ -1690,9 +1661,11 @@ filenames can also be used, with the addition of the ~ character. For example:

- - <Files ~ "\.(gif|jpe?g|png)$"> - + +<Files ~ "\.(gif|jpe?g|png)$"> + #... +</Files> +

would match most common Internet graphics formats. FilesMatch is preferred, @@ -1728,9 +1701,11 @@ filenames does. However, it accepts a regular expression. For example:

- - <FilesMatch "\.(gif|jpe?g|png)$"> - + +<FilesMatch "\.(gif|jpe?g|png)$"> + # ... +</FilesMatch> +

would match most common Internet graphics formats.

@@ -1761,9 +1736,7 @@ media type in the HTTP Content-Type header field GIF files, but did not want to label them all with .gif, you might want to use:

- - ForceType image/gif - + ForceType image/gif

Note that this directive overrides other indirect media type associations defined in mime.types or via the @@ -1773,21 +1746,17 @@ media type in the HTTP Content-Type header field ForceType settings by using the value of None:

- - # force all files to be image/gif:
- <Location /images>
- - ForceType image/gif
- - </Location>
-
- # but normal mime-type associations here:
- <Location /images/mixed>
- - ForceType None
- - </Location> - + +# force all files to be image/gif: +<Location /images> + ForceType image/gif +</Location> + +# but normal mime-type associations here: +<Location /images/mixed> + ForceType None +</Location> +

This directive primarily overrides the content types generated for static files served out of the filesystem. For resources other than @@ -1804,7 +1773,7 @@ media type in the HTTP Content-Type header field -

When the server has been compiled with gprof profiling suppport, +

When the server has been compiled with gprof profiling support, GprofDir causes gmon.out files to be written to the specified directory when the process exits. If the argument ends with a percent symbol ('%'), subdirectories are created @@ -1877,9 +1846,7 @@ satisfied by a request at runtime directives if and only if the expression evaluates to true. For example:

- - <If "-z req('Host')"> - + <If "-z req('Host')">

would match HTTP/1.0 requests without a Host: header. Expressions may contain various shell-like operators for string @@ -1888,9 +1855,7 @@ satisfied by a request at runtime and others (-n, -z, -f, ...). It is also possible to use regular expressions,

- - <If "%{QUERY_STRING} =~ /(delete|commit)=.*?elem/"> - + <If "%{QUERY_STRING} =~ /(delete|commit)=.*?elem/">

shell-like pattern matches and many other operations. These operations can be done on request headers (req), environment variables @@ -1955,32 +1920,22 @@ if a test is true at startup nest-able, which can be used to implement simple multiple-parameter tests. Example:

- - httpd -DReverseProxy -DUseCache -DMemCache ...
-
- # httpd.conf
- <IfDefine ReverseProxy>
- - LoadModule proxy_module modules/mod_proxy.so
- LoadModule proxy_http_module modules/mod_proxy_http.so
- <IfDefine UseCache>
- - LoadModule cache_module modules/mod_cache.so
- <IfDefine MemCache>
- - LoadModule mem_cache_module modules/mod_mem_cache.so
- - </IfDefine>
- <IfDefine !MemCache>
- - LoadModule cache_disk_module modules/mod_cache_disk.so
- - </IfDefine> - - </IfDefine> - - </IfDefine> - + httpd -DReverseProxy -DUseCache -DMemCache ... + +<IfDefine ReverseProxy> + LoadModule proxy_module modules/mod_proxy.so + LoadModule proxy_http_module modules/mod_proxy_http.so + <IfDefine UseCache> + LoadModule cache_module modules/mod_cache.so + <IfDefine MemCache> + LoadModule mem_cache_module modules/mod_mem_cache.so + </IfDefine> + <IfDefine !MemCache> + LoadModule cache_disk_module modules/mod_cache_disk.so + </IfDefine> + </IfDefine> +</IfDefine> + @@ -2077,33 +2032,29 @@ wildcard matching available in 2.3.6 and later

Examples:

- - Include /usr/local/apache2/conf/ssl.conf
- Include /usr/local/apache2/conf/vhosts/*.conf - + +Include /usr/local/apache2/conf/ssl.conf +Include /usr/local/apache2/conf/vhosts/*.conf +

Or, providing paths relative to your ServerRoot directory:

- - Include conf/ssl.conf
- Include conf/vhosts/*.conf - + +Include conf/ssl.conf +Include conf/vhosts/*.conf +

Wildcards may be included in the directory or file portion of the path. This example will fail if there is no subdirectory in conf/vhosts that contains at least one *.conf file:

- - Include conf/vhosts/*/*.conf - + Include conf/vhosts/*/*.conf

Alternatively, the following command will just be ignored in case of missing files or directories:

- - IncludeOptional conf/vhosts/*/*.conf - + IncludeOptional conf/vhosts/*/*.conf @@ -2226,13 +2177,11 @@ methods only to the methods POST, PUT, and DELETE, leaving all other methods unprotected:

- - <Limit POST PUT DELETE>
- - Require valid-user
- - </Limit> - + +<Limit POST PUT DELETE> + Require valid-user +</Limit> +

The method names listed can be one or more of: GET, POST, PUT, DELETE, @@ -2272,18 +2221,14 @@ methods Require group editors directive will be ignored in all cases:

- - <LimitExcept GET> - - Require valid-user - - </LimitExcept>
- <Limit POST> - - Require group editors - - </Limit> - + +<LimitExcept GET> + Require valid-user +</LimitExcept> +<Limit POST> + Require group editors +</Limit> + @@ -2310,13 +2255,11 @@ except the named ones

For example:

- - <LimitExcept POST GET>
- - Require valid-user
- - </LimitExcept> - + +<LimitExcept POST GET> + Require valid-user +</LimitExcept> + @@ -2350,9 +2293,7 @@ subrequests determines, how deep subrequests may be nested. If you specify only one number, it will be assigned to both limits.

- Example - LimitInternalRecursion 5 - + LimitInternalRecursion 5 @@ -2395,9 +2336,7 @@ from the client location, and wish to limit the size of the uploaded file to 100K, you might use the following directive:

- - LimitRequestBody 102400 - + LimitRequestBody 102400

For a full description of how this directive is interpreted by proxy requests, see the mod_proxy documentation.

@@ -2440,9 +2379,7 @@ will be accepted from the client

For example:

- - LimitRequestFields 50 - + LimitRequestFields 50 Warning

When name-based virtual hosting is used, the value for this @@ -2481,9 +2418,7 @@ client

For example:

- - LimitRequestFieldSize 4094 - + LimitRequestFieldSize 4094 Under normal conditions, the value should not be changed from the default. Also, you can't set this higher than 8190 without @@ -2525,9 +2460,7 @@ from the client

For example:

- - LimitRequestLine 4094 - + LimitRequestLine 4094 Under normal conditions, the value should not be changed from the default. Also, you can't set this higher than 8190 without @@ -2557,9 +2490,7 @@ from the client

Example:

- - LimitXMLRequestBody 0 - + LimitXMLRequestBody 0 @@ -2610,19 +2541,21 @@ URLs /private1, /private1/ and /private1/file.txt will have the enclosed directives applied, but /private1other would not.

- - <Location /private1> - ... - + +<Location /private1> + # ... +</Location> +

In the example below, where a trailing slash is used, requests to /private2/ and /private2/file.txt will have the enclosed directives applied, but /private2 and /private2other would not.

- - <Location /private2/> - ... - + +<Location /private2/> + # ... +</Location> + When to use <directive type="section">Location</directive> @@ -2651,9 +2584,11 @@ URLs can also be used, with the addition of the ~ character. For example:

- - <Location ~ "/(extra|special)/data"> - + +<Location ~ "/(extra|special)/data"> + #... +</Location> +

would match URLs that contained the substring /extra/data or /special/data. The directive directive. For example, to enable status requests, but allow them only from browsers at example.com, you might use:

- - <Location /status>
- - SetHandler server-status
- Require host example.com
- - </Location> - + +<Location /status> + SetHandler server-status + Require host example.com +</Location> + Note about / (slash)

The slash character has special meaning depending on where in a @@ -2722,9 +2655,11 @@ matching URLs it takes a regular expression as an argument instead of a simple string. For example:

- - <LocationMatch "/(extra|special)/data"> - + +<LocationMatch "/(extra|special)/data"> + # ... +</LocationMatch> +

would match URLs that contained the substring /extra/data or /special/data.

@@ -2901,9 +2836,7 @@ matching URLs

For example:

- - LogLevel notice - + LogLevel notice Note

When logging to a regular file messages of the level @@ -2920,20 +2853,20 @@ matching URLs as module specification. This means the following three specifications are equivalent:

- - LogLevel info ssl:warn
- LogLevel info mod_ssl.c:warn
- LogLevel info ssl_module:warn
- + +LogLevel info ssl:warn +LogLevel info mod_ssl.c:warn +LogLevel info ssl_module:warn +

It is also possible to change the level per directory:

- - LogLevel info
- <Directory /usr/local/apache/htdocs/app>
-   LogLevel debug
- </Files> - + +LogLevel info +<Directory "/usr/local/apache/htdocs/app"> + LogLevel debug +</Directory> + Per directory loglevel configuration only affects messages that are @@ -2963,9 +2896,7 @@ connection

For example:

- - MaxKeepAliveRequests 500 - + MaxKeepAliveRequests 500 @@ -3288,10 +3219,10 @@ or specified mutexes /var/httpd/locks. The mutex mechanism for all other mutexes will be changed from the compiled-in default to sysvsem.

- - Mutex sysvsem default
- Mutex fcntl:/var/httpd/locks mpm-accept - + +Mutex sysvsem default +Mutex fcntl:/var/httpd/locks mpm-accept + @@ -3439,38 +3370,30 @@ directory

For example, without any + and - symbols:

- - <Directory /web/docs>
- - Options Indexes FollowSymLinks
- - </Directory>
-
- <Directory /web/docs/spec>
- - Options Includes
- - </Directory> - + +<Directory "/web/docs"> + Options Indexes FollowSymLinks +</Directory> + +<Directory "/web/docs/spec"> + Options Includes +</Directory> +

then only Includes will be set for the /web/docs/spec directory. However if the second Options directive uses the + and - symbols:

- - <Directory /web/docs>
- - Options Indexes FollowSymLinks
- - </Directory>
-
- <Directory /web/docs/spec>
- - Options +Includes -Indexes
- - </Directory> - + +<Directory "/web/docs"> + Options Indexes FollowSymLinks +</Directory> + +<Directory "/web/docs/spec"> + Options +Includes -Indexes +</Directory> +

then the options FollowSymLinks and Includes are set for the /web/docs/spec @@ -3505,13 +3428,11 @@ On Windows from Apache 2.3.3 and later.

For example, if you are running https on a non-standard port, specify the protocol explicitly:

- - Protocol https - + Protocol https

You can also specify the protocol using the Listen directive.

-AcceptFilter +AcceptFilter Listen @@ -3643,15 +3564,11 @@ later by the shebang line (first line, starting with #!) in the script. On Win32 systems this line usually looks like:

- - #!C:/Perl/bin/perl.exe - + #!C:/Perl/bin/perl.exe

or, if perl is in the PATH, simply:

- - #!perl - + #!perl

Setting ScriptInterpreterSource Registry will cause the Windows Registry tree HKEY_CLASSES_ROOT to be @@ -3747,9 +3664,7 @@ messages sent to the client

It may be worth setting up a dedicated address for this, e.g.

- - ServerAdmin www-admin@foo.example.com - + ServerAdmin www-admin@foo.example.com

as users do not always mention that they are talking about the server!

@@ -3768,18 +3683,18 @@ to name-virtual hosts href="../vhosts/name-based.html">name-based virtual hosts. The ServerAlias may include wildcards, if appropriate.

- - <VirtualHost *:80>
- ServerName server.example.com
- ServerAlias server server2.example.com server2
- ServerAlias *.example.com
- UseCanonicalName Off
- # ...
- </VirtualHost> - + +<VirtualHost *:80> + ServerName server.example.com + ServerAlias server server2.example.com server2 + ServerAlias *.example.com + UseCanonicalName Off + # ... +</VirtualHost> +

Name-based virtual hosts for the best-matching set of virtualhosts are processsed + type="section" module="core">virtualhosts are processed in the order they appear in the configuration. The first matching ServerName or ServerAlias is used, with no different precedence for wildcards @@ -3814,9 +3729,7 @@ itself and you wish the web server to be so identified, the following directive should be used:

- - ServerName www.example.com - + ServerName www.example.com

The ServerName directive may appear anywhere within the definition of a server. However, @@ -3908,9 +3821,7 @@ is accessed by an incompatible browser module="mod_so">LoadModule, for example) are taken as relative to this directory.

- Example - ServerRoot /home/httpd - + ServerRoot "/home/httpd"

The default location of ServerRoot may be modified by using the --prefix argument to @@ -3980,7 +3891,7 @@ header

ServerTokens Full (or not specified)
-
Server sends (e.g.): Server: Apache/2.4.1 +
Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod[uctOnly]
@@ -4001,11 +3912,11 @@ header
ServerTokens Min[imal]
Server sends (e.g.): Server: - Apache/2.4.1
+ Apache/2.4.2
ServerTokens OS
-
Server sends (e.g.): Server: Apache/2.4.1 +
Server sends (e.g.): Server: Apache/2.4.2 (Unix)
@@ -4050,22 +3961,18 @@ handler of extension, you might put the following into an .htaccess file in that directory:

- - SetHandler imap-file - + SetHandler imap-file

Another example: if you wanted to have the server display a status report whenever a URL of http://servername/status was called, you might put the following into httpd.conf:

- - <Location /status>
- - SetHandler server-status
- - </Location> - + +<Location "/status"> + SetHandler server-status +</Location> +

You can override an earlier defined SetHandler directive by using the value None.

@@ -4127,13 +4034,11 @@ server in the /www/data/ directory for server-side includes.

- - <Directory /www/data/>
- - SetOutputFilter INCLUDES
- - </Directory> - + +<Directory "/www/data/"> + SetOutputFilter INCLUDES +</Directory> +

If more than one filter is specified, they must be separated by semicolons in the order in which they should process the @@ -4264,8 +4169,8 @@ port authentication enabled, this will cause the user to have to authenticate twice (once for www and once again for www.example.com -- see the - FAQ on this subject for more information). But if + href="http://wiki.apache.org/httpd/FAQ#Why_does_Apache_ask_for_my_password_twice_before_serving_a_file.3F"> + the FAQ on this subject for more information). But if UseCanonicalName is set Off, then Apache httpd will redirect to http://www/splat/.

@@ -4374,34 +4279,30 @@ hostname or IP address - Example - <VirtualHost 10.1.2.3:80>
- - ServerAdmin webmaster@host.example.com
- DocumentRoot /www/docs/host.example.com
- ServerName host.example.com
- ErrorLog logs/host.example.com-error_log
- TransferLog logs/host.example.com-access_log
- - </VirtualHost> - + +<VirtualHost 10.1.2.3:80> + ServerAdmin webmaster@host.example.com + DocumentRoot /www/docs/host.example.com + ServerName host.example.com + ErrorLog logs/host.example.com-error_log + TransferLog logs/host.example.com-access_log +</VirtualHost> +

IPv6 addresses must be specified in square brackets because the optional port number could not be determined otherwise. An IPv6 example is shown below:

- - <VirtualHost [2001:db8::a00:20ff:fea7:ccea]:80>
- - ServerAdmin webmaster@host.example.com
- DocumentRoot /www/docs/host.example.com
- ServerName host.example.com
- ErrorLog logs/host.example.com-error_log
- TransferLog logs/host.example.com-access_log
- - </VirtualHost> - + +<VirtualHost [2001:db8::a00:20ff:fea7:ccea]:80> + ServerAdmin webmaster@host.example.com + DocumentRoot /www/docs/host.example.com + ServerName host.example.com + ErrorLog logs/host.example.com-error_log + TransferLog logs/host.example.com-access_log +</VirtualHost> +

Each Virtual Host must correspond to a different IP address, different port number or a different host name for the server, diff --git a/docs/manual/mod/mod_access_compat.xml b/docs/manual/mod/mod_access_compat.xml index 4611412483..cf974c73ef 100644 --- a/docs/manual/mod/mod_access_compat.xml +++ b/docs/manual/mod/mod_access_compat.xml @@ -113,10 +113,10 @@ server

A (partial) domain-name
- Example: - Allow from example.org
- Allow from .net example.edu - + +Allow from example.org +Allow from .net example.edu +

Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.example.org but it will not @@ -133,37 +133,37 @@ server

A full IP address
- Example: - Allow from 10.1.2.3
- Allow from 192.168.1.104 192.168.1.205 - + +Allow from 10.1.2.3 +Allow from 192.168.1.104 192.168.1.205 +

An IP address of a host allowed access

A partial IP address
- Example: - Allow from 10.1
- Allow from 10 172.20 192.168.2 - + +Allow from 10.1 +Allow from 10 172.20 192.168.2 +

The first 1 to 3 bytes of an IP address, for subnet restriction.

A network/netmask pair
- Example: + Allow from 10.1.0.0/255.255.0.0 - +

A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

A network/nnn CIDR specification
- Example: + Allow from 10.1.0.0/16 - +

Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

@@ -174,10 +174,10 @@ server

IPv6 addresses and IPv6 subnets can be specified as shown below:

- - Allow from 2001:db8::a00:20ff:fea7:ccea
- Allow from 2001:db8::a00:20ff:fea7:ccea/10 - + +Allow from 2001:db8::a00:20ff:fea7:ccea +Allow from 2001:db8::a00:20ff:fea7:ccea/10 +

The third format of the arguments to the Allow directive allows access to the server @@ -196,16 +196,14 @@ server User-Agent (browser type), Referer, or other HTTP request header fields.

- Example: - SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
- <Directory /docroot>
- - Order Deny,Allow
- Deny from all
- Allow from env=let_me_in
- - </Directory> - + +SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in +<Directory /docroot> + Order Deny,Allow + Deny from all + Allow from env=let_me_in +</Directory> +

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all @@ -341,11 +339,11 @@ evaluated.

In the following example, all hosts in the example.org domain are allowed access; all other hosts are denied access.

- - Order Deny,Allow
- Deny from all
- Allow from example.org - + +Order Deny,Allow +Deny from all +Allow from example.org +

In the next example, all hosts in the example.org domain are allowed access, except for the hosts which are in the @@ -354,11 +352,11 @@ evaluated. state is to Deny access to the server.

- - Order Allow,Deny
- Allow from example.org
- Deny from foo.example.org - + +Order Allow,Deny +Allow from example.org +Deny from foo.example.org +

On the other hand, if the Order in the last example is changed to Deny,Allow, all hosts will @@ -377,13 +375,11 @@ evaluated. directives because of its effect on the default access state. For example,

- - <Directory /www>
- - Order Allow,Deny
- - </Directory> - + +<Directory /www> + Order Allow,Deny +</Directory> +

will Deny all access to the /www directory because the default access state is set to @@ -448,27 +444,27 @@ later people outside of your network provide a password, you could use a configuration similar to the following:

- - Require valid-user
- Allow from 192.168.1
- Satisfy Any - + +Require valid-user +Allow from 192.168.1 +Satisfy Any +

Another frequent use of the Satisfy directive is to relax access restrictions for a subdirectory:

- - <Directory /var/www/private>
- Require valid-user
- </Directory>
-
- <Directory /var/www/private/public>
- Allow from all
- Satisfy Any
- </Directory> - + +<Directory /var/www/private> + Require valid-user +</Directory> + +<Directory /var/www/private/public> + Allow from all + Satisfy Any +</Directory> +

In the above example, authentication will be required for the /var/www/private directory, but will not be required diff --git a/docs/manual/mod/mod_actions.xml b/docs/manual/mod/mod_actions.xml index 110ded6554..465a8eeb10 100644 --- a/docs/manual/mod/mod_actions.xml +++ b/docs/manual/mod/mod_actions.xml @@ -74,21 +74,24 @@ introduced in Apache 2.1 is passed using the REDIRECT_HANDLER variable.

Example: MIME type - # Requests for files of a particular MIME content type:
- Action image/gif /cgi-bin/images.cgi
-
+ +# Requests for files of a particular MIME content type: +Action image/gif /cgi-bin/images.cgi +

In this example, requests for files with a MIME content type of image/gif will be handled by the specified cgi script /cgi-bin/images.cgi.

- Example: File extension - # Files of a particular file extension
- AddHandler my-file-type .xyz
- Action my-file-type /cgi-bin/program.cgi
+ + Example: File extension + +# Files of a particular file extension +AddHandler my-file-type .xyz +Action my-file-type /cgi-bin/program.cgi + -

In this example, requests for files with a file extension of .xyz are handled by the specified cgi script /cgi-bin/program.cgi.

@@ -98,14 +101,12 @@ introduced in Apache 2.1 if you want to use the Action directive in virtual locations.

- Example - <Location /news>
- - SetHandler news-handler
- Action news-handler /cgi-bin/news.cgi virtual
- - </Location> - + +<Location /news> + SetHandler news-handler + Action news-handler /cgi-bin/news.cgi virtual +</Location> + AddHandler @@ -145,13 +146,13 @@ method. (e.g., foo.html?hi). Otherwise, the request will proceed normally.

- Examples - # All GET requests go here
- Script GET /cgi-bin/search
-
- # A CGI PUT handler
- Script PUT /~bob/put.cgi
- + +# All GET requests go here +Script GET /cgi-bin/search + +# A CGI PUT handler +Script PUT /~bob/put.cgi + diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml index d32c72eff7..b5ccc668ee 100644 --- a/docs/manual/mod/mod_alias.xml +++ b/docs/manual/mod/mod_alias.xml @@ -79,10 +79,10 @@ href="../urlmapping.html">Mapping URLs to the filesystem all the directives to have an effect. For example, the following configuration will work as expected:

- - Alias /foo/bar /baz
- Alias /foo /gaq - + +Alias /foo/bar /baz +Alias /foo /gaq +

But if the above two directives were reversed in order, the /foo Alias @@ -110,9 +110,9 @@ href="../urlmapping.html">Mapping URLs to the filesystem URL-path is case-sensitive, even on case-insensitive file systems.

- Example: + Alias /image /ftp/pub/image - +

A request for http://example.com/image/foo.gif would cause the server to return the file /ftp/pub/image/foo.gif. Only @@ -146,14 +146,12 @@ href="../urlmapping.html">Mapping URLs to the filesystem module="core">DocumentRoot, you may need to explicitly permit access to the target directory.

- Example: - Alias /image /ftp/pub/image
- <Directory /ftp/pub/image>
- - Require all granted
- - </Directory> - + +Alias /image /ftp/pub/image +<Directory /ftp/pub/image> + Require all granted +</Directory> + @@ -178,18 +176,18 @@ expressions example, to activate the /icons directory, one might use:

- + AliasMatch ^/icons(.*) /usr/local/apache/icons$1 - +

The full range of regular expression power is available. For example, it is possible to construct an alias with case-insensitive matching of the URL-path:

- + AliasMatch (?i)^/image(.*) /ftp/pub/image$1 - +

One subtle difference between Alias @@ -212,22 +210,22 @@ expressions

For example, suppose you want to replace this with AliasMatch:

- + Alias /image/ /ftp/pub/image/ - +

This is NOT equivalent - don't do this! This will send all requests that have /image/ anywhere in them to /ftp/pub/image/:

- + AliasMatch /image/ /ftp/pub/image/ - +

This is what you need to get the same effect:

- + AliasMatch ^/image/(.*)$ /ftp/pub/image/$1 - +

Of course, there's no point in using AliasMatch @@ -236,10 +234,10 @@ expressions you do more complicated things. For example, you could serve different kinds of files from different directories:

- + AliasMatch ^/image/(.*)\.jpg$ /files/jpg.images/$1.jpg
AliasMatch ^/image/(.*)\.gif$ /files/gif.images/$1.gif - + @@ -271,13 +269,13 @@ a different URL URL. Additional path information beyond the matched URL-Path will be appended to the target URL.

- Example: - # Redirect to a URL on a different host
- Redirect /service http://foo2.example.com/service
-
- # Redirect to a URL on the same host
- Redirect /one /two - + +# Redirect to a URL on a different host +Redirect /service http://foo2.example.com/service + +# Redirect to a URL on the same host +Redirect /one /two +

If the client requests http://example.com/service/foo.txt, it will be told to access @@ -335,10 +333,10 @@ a different URL HTTP status code, known to the Apache HTTP Server (see the function send_error_response in http_protocol.c).

- Example: - Redirect permanent /one http://example.com/two
- Redirect 303 /three http://example.com/other - + +Redirect permanent /one http://example.com/two +Redirect 303 /three http://example.com/other + @@ -364,9 +362,9 @@ of the current URL example, to redirect all GIF files to like-named JPEG files on another server, one might use:

- + RedirectMatch (.*)\.gif$ http://other.example.com$1.jpg - +

The considerations related to the difference between Alias and @@ -432,29 +430,27 @@ target as a CGI script to scripts beginning with the second argument, which is a full pathname in the local filesystem.

- Example: + ScriptAlias /cgi-bin/ /web/cgi-bin/ - +

A request for http://example.com/cgi-bin/foo would cause the server to run the script /web/cgi-bin/foo. This configuration is essentially equivalent to:

- - Alias /cgi-bin/ /web/cgi-bin/
- <Location /cgi-bin >
- - SetHandler cgi-script
- Options +ExecCGI
- - </Location> - + +Alias /cgi-bin/ /web/cgi-bin/ +<Location /cgi-bin > + SetHandler cgi-script + Options +ExecCGI +</Location> +

ScriptAlias can also be used in conjunction with a script or handler you have. For example:

- + ScriptAlias /cgi-bin/ /web/cgi-handler.pl - +

In this scenario all files requested in /cgi-bin/ will be handled by the file you have configured, this allows you to use your own custom @@ -473,14 +469,12 @@ target as a CGI script module="core" type="section">Directory, SetHandler, and Options as in: - - <Directory /usr/local/apache2/htdocs/cgi-bin >
- - SetHandler cgi-script
- Options ExecCGI
- - </Directory> - + +<Directory /usr/local/apache2/htdocs/cgi-bin > + SetHandler cgi-script + Options ExecCGI +</Directory> + This is necessary since multiple URL-paths can map to the same filesystem location, potentially bypassing the ScriptAlias and revealing the source code @@ -511,18 +505,18 @@ and designates the target as a CGI script example, to activate the standard /cgi-bin, one might use:

- + ScriptAliasMatch ^/cgi-bin(.*) /usr/local/apache/cgi-bin$1 - +

As for AliasMatch, the full range of regular expression power is available. For example, it is possible to construct an alias with case-insensitive matching of the URL-path:

- + ScriptAliasMatch (?i)^/cgi-bin(.*) /usr/local/apache/cgi-bin$1 - +

The considerations related to the difference between Alias and diff --git a/docs/manual/mod/mod_allowmethods.xml b/docs/manual/mod/mod_allowmethods.xml index e9fcca004d..d743b657c3 100644 --- a/docs/manual/mod/mod_allowmethods.xml +++ b/docs/manual/mod/mod_allowmethods.xml @@ -42,13 +42,11 @@ in order for it to rebuild correctly.

This module makes it easy to restrict what HTTP methods can used on an server. The most common configuration would be:

-Example -<Location />
- - AllowMethods GET POST OPTIONS
- + +<Location /> + AllowMethods GET POST OPTIONS </Location> - + @@ -68,13 +66,11 @@ RFC given in upper case. The GET and HEAD methods are treated as equivalent. The reset keyword can be used turn off mod_allowmethods in a deeper nested context:

-Example -<Location /svn>
- - AllowMethods reset
- + +<Location /svn> + AllowMethods reset </Location> - + Caution

The TRACE method can not be denied by this module, diff --git a/docs/manual/mod/mod_asis.xml b/docs/manual/mod/mod_asis.xml index 4da3831def..d42f8da662 100644 --- a/docs/manual/mod/mod_asis.xml +++ b/docs/manual/mod/mod_asis.xml @@ -51,7 +51,7 @@ HTTP headers

In the server configuration file, associate files with the send-as-is handler e.g.

- AddHandler send-as-is asis + AddHandler send-as-is asis

The contents of any file with a .asis extension will then be sent by Apache httpd to the client with almost no diff --git a/docs/manual/mod/mod_auth_basic.xml b/docs/manual/mod/mod_auth_basic.xml index b60ac91b03..b414b8fa4c 100644 --- a/docs/manual/mod/mod_auth_basic.xml +++ b/docs/manual/mod/mod_auth_basic.xml @@ -59,20 +59,18 @@ The default file provider is implemented by the mod_authn_file module. Make sure that the chosen provider module is present in the server.

- Example - <Location /secure>
- - AuthType basic
- AuthName "private area"
- AuthBasicProvider dbm
- AuthDBMType SDBM
- AuthDBMUserFile /www/etc/dbmpasswd
- Require valid-user
- - </Location> + +<Location /secure> + AuthType basic + AuthName "private area" + AuthBasicProvider dbm + AuthDBMType SDBM + AuthDBMUserFile /www/etc/dbmpasswd + Require valid-user +</Location> + -

Providers are queried in order until a provider finds a match for the requested username, at which point this sole provider will attempt to check the password. A failure to verify the password does diff --git a/docs/manual/mod/mod_auth_digest.xml b/docs/manual/mod/mod_auth_digest.xml index 8dad0c1dcc..1f1ba060d4 100644 --- a/docs/manual/mod/mod_auth_digest.xml +++ b/docs/manual/mod/mod_auth_digest.xml @@ -56,17 +56,17 @@ htdigest tool.

Example: - <Location /private/>
- - AuthType Digest
- AuthName "private area"
- AuthDigestDomain /private/ http://mirror.my.dom/private2/
-
- AuthDigestProvider file
- AuthUserFile /web/auth/.digest_pw
- Require valid-user
- - </Location> + +<Location /private/> + AuthType Digest + AuthName "private area" + AuthDigestDomain /private/ http://mirror.my.dom/private2/ + + AuthDigestProvider file + AuthUserFile /web/auth/.digest_pw + Require valid-user +</Location> + Note @@ -113,7 +113,9 @@ method would look similar to the following.

Using Digest Authentication with MSIE: - BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On + + BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On +

This workaround is not necessary for MSIE 7, though enabling it does @@ -335,11 +337,11 @@ of clients express your value as KBytes or MBytes. For example, the following directives are all equivalent:

- - AuthDigestShmemSize 1048576
- AuthDigestShmemSize 1024K
- AuthDigestShmemSize 1M - + +AuthDigestShmemSize 1048576 +AuthDigestShmemSize 1024K +AuthDigestShmemSize 1M + diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml index 84d8483111..6817de517a 100644 --- a/docs/manual/mod/mod_auth_form.xml +++ b/docs/manual/mod/mod_auth_form.xml @@ -74,14 +74,16 @@ the user will be redirected to the form login page.

Basic example - AuthFormProvider file
- AuthUserFile conf/passwd
- AuthType form
- AuthName realm
- AuthFormLoginRequiredLocation http://example.com/login.html
- Session On
- SessionCookieName session path=/
- SessionCryptoPassphrase secret
+ +AuthFormProvider file +AuthUserFile conf/passwd +AuthType form +AuthName realm +AuthFormLoginRequiredLocation http://example.com/login.html +Session On +SessionCookieName session path=/ +SessionCryptoPassphrase secret +

The directive AuthType will enable @@ -128,20 +130,20 @@ Apache httpd as follows:

Form login handler example - <Location /dologin.html> - - SetHandler form-login-handler
- AuthFormLoginRequiredLocation http://example.com/login.html
- AuthFormLoginSuccessLocation http://example.com/success.html
- AuthFormProvider file
- AuthUserFile conf/passwd
- AuthType form
- AuthName realm
- Session On
- SessionCookieName session path=/
- SessionCryptoPassphrase secret
- - </Location> + +<Location /dologin.html> + SetHandler form-login-handler + AuthFormLoginRequiredLocation http://example.com/login.html + AuthFormLoginSuccessLocation http://example.com/success.html + AuthFormProvider file + AuthUserFile conf/passwd + AuthType form + AuthName realm + Session On + SessionCookieName session path=/ + SessionCryptoPassphrase secret +</Location> +

The URLs specified by the @@ -195,15 +197,17 @@ containing the login form, as follows:

Basic inline example - AuthFormProvider file
- ErrorDocument 401 /login.shtml
- AuthUserFile conf/passwd
- AuthType form
- AuthName realm
- AuthFormLoginRequiredLocation http://example.com/login.html
- Session On
- SessionCookieName session path=/
- SessionCryptoPassphrase secret
+ +AuthFormProvider file +ErrorDocument 401 /login.shtml +AuthUserFile conf/passwd +AuthType form +AuthName realm +AuthFormLoginRequiredLocation http://example.com/login.html +Session On +SessionCookieName session path=/ +SessionCryptoPassphrase secret +

The error document page should contain a login form with an empty action property, @@ -272,9 +276,11 @@ technology.

CGI example - AuthFormProvider file
- ErrorDocument 401 /cgi-bin/login.cgi
- ...
+ + AuthFormProvider file + ErrorDocument 401 /cgi-bin/login.cgi + ... + @@ -293,12 +299,14 @@ give the user the option to log in again.

Basic logout example - SetHandler form-logout-handler
- AuthName realm
- AuthFormLogoutLocation http://example.com/loggedout.html
- Session On
- SessionCookieName session path=/
- SessionCryptoPassphrase secret
+ +SetHandler form-logout-handler +AuthName realm +AuthFormLogoutLocation http://example.com/loggedout.html +Session On +SessionCookieName session path=/ +SessionCryptoPassphrase secret +

Note that logging a user out does not delete the session; it merely removes @@ -310,12 +318,14 @@

Basic session expiry example - SetHandler form-logout-handler
- AuthFormLogoutLocation http://example.com/loggedout.html
- Session On
- SessionMaxAge 1
- SessionCookieName session path=/
- SessionCryptoPassphrase secret
+ +SetHandler form-logout-handler +AuthFormLogoutLocation http://example.com/loggedout.html +Session On +SessionMaxAge 1 +SessionCookieName session path=/ +SessionCryptoPassphrase secret + @@ -345,17 +355,17 @@ that the chosen provider module is present in the server.

Example - <Location /secure>
- - AuthType form
- AuthName "private area"
- AuthFormProvider dbm
- AuthDBMType SDBM
- AuthDBMUserFile /www/etc/dbmpasswd
- Require valid-user
- ...
- - </Location> + +<Location /secure> + AuthType form + AuthName "private area" + AuthFormProvider dbm + AuthDBMType SDBM + AuthDBMUserFile /www/etc/dbmpasswd + Require valid-user + #... +</Location> +

Providers are implemented by mod_authn_dbm, @@ -614,14 +624,14 @@ lower level modules the page specified by this directive will be shown to the end user. For example:

Example - <Location /logout>
- - SetHandler form-logout-handler
- AuthFormLogoutLocation http://example.com/loggedout.html
- Session on
- ... - - </Location> + +<Location /logout> + SetHandler form-logout-handler + AuthFormLogoutLocation http://example.com/loggedout.html + Session on + #... +</Location> +

An attempt to access the URI /logout/ will result in the user being logged diff --git a/docs/manual/mod/mod_authn_anon.xml b/docs/manual/mod/mod_authn_anon.xml index 57696d7b2c..47abb94dd3 100644 --- a/docs/manual/mod/mod_authn_anon.xml +++ b/docs/manual/mod/mod_authn_anon.xml @@ -81,24 +81,22 @@ Example - <Directory /var/www/html/private> - - AuthName "Use 'anonymous' & Email address for guest entry"
- AuthType Basic
- AuthBasicProvider file anon
- AuthUserFile /path/to/your/.htpasswd
-
- Anonymous_NoUserID off
- Anonymous_MustGiveEmail on
- Anonymous_VerifyEmail on
- Anonymous_LogEmail on
- Anonymous anonymous guest www test welcome
-
- Require all granted
-
- Require valid-user
- - </Directory> + +<Directory /var/www/html/private> + AuthName "Use 'anonymous' & Email address for guest entry" + AuthType Basic + AuthBasicProvider file anon + AuthUserFile /path/to/your/.htpasswd + + Anonymous_NoUserID off + Anonymous_MustGiveEmail on + Anonymous_VerifyEmail on + Anonymous_LogEmail on + Anonymous anonymous guest www test welcome + + Require valid-user +</Directory> + @@ -124,7 +122,9 @@ password verification userIDs.

Example: + Anonymous anonymous "Not Registered" "I don't know" +

This would allow the user to enter without password diff --git a/docs/manual/mod/mod_authn_core.xml b/docs/manual/mod/mod_authn_core.xml index 0edbfc915b..fe629d64be 100644 --- a/docs/manual/mod/mod_authn_core.xml +++ b/docs/manual/mod/mod_authn_core.xml @@ -54,30 +54,25 @@ files.

Checking multiple text password files - - # Check here first
- <AuthnProviderAlias file file1>
- - AuthUserFile /www/conf/passwords1
- - </AuthnProviderAlias>
-
- # Then check here
- <AuthnProviderAlias file file2>
- - AuthUserFile /www/conf/passwords2
- - </AuthnProviderAlias>
-
- <Directory /var/web/pages/secure>
- - AuthBasicProvider file1 file2
-
- AuthType Basic
- AuthName "Protected Area"
- Require valid-user
- - </Directory>
+ +# Check here first +<AuthnProviderAlias file file1> + AuthUserFile /www/conf/passwords1 +</AuthnProviderAlias> + +# Then check here +<AuthnProviderAlias file file2> + AuthUserFile /www/conf/passwords2 +</AuthnProviderAlias> + +<Directory /var/web/pages/secure> + AuthBasicProvider file1 file2 + + AuthType Basic + AuthName "Protected Area" + Require valid-user +</Directory> +

The example below creates two different ldap authentication @@ -86,34 +81,30 @@ hosts:

Checking multiple LDAP servers - <AuthnProviderAlias ldap ldap-alias1>
- - AuthLDAPBindDN cn=youruser,o=ctx
- AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
- - </AuthnProviderAlias>

- <AuthnProviderAlias ldap ldap-other-alias>
- - AuthLDAPBindDN cn=yourotheruser,o=dev
- AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
- - </AuthnProviderAlias>

- - Alias /secure /webpages/secure
- <Directory /webpages/secure>
- - Order deny,allow
- Allow from all

- - AuthBasicProvider ldap-other-alias ldap-alias1

- - AuthType Basic
- AuthName LDAP_Protected_Place
- Require valid-user
- - </Directory>
+ +<AuthnProviderAlias ldap ldap-alias1> + AuthLDAPBindDN cn=youruser,o=ctx + AuthLDAPBindPassword yourpassword + AuthLDAPURL ldap://ldap.host/o=ctx + </AuthnProviderAlias> + <AuthnProviderAlias ldap ldap-other-alias> + AuthLDAPBindDN cn=yourotheruser,o=dev + AuthLDAPBindPassword yourotherpassword + AuthLDAPURL ldap://other.ldap.host/o=dev?cn +</AuthnProviderAlias> + +Alias /secure /webpages/secure +<Directory /webpages/secure> + Order deny,allow + Allow from all + + AuthBasicProvider ldap-other-alias ldap-alias1 + + AuthType Basic + AuthName LDAP_Protected_Place + Require valid-user +</Directory> + @@ -144,9 +135,9 @@ authentication

For example:

- + AuthName "Top Secret" - +

The string provided for the AuthName is what will appear in the password dialog provided by most browsers.

@@ -189,24 +180,20 @@ authentication in the following example, clients may access the /www/docs/public directory without authenticating:

- - <Directory /www/docs> - - AuthType Basic
- AuthName Documents
- AuthBasicProvider file
- AuthUserFile /usr/local/apache/passwd/passwords
- Require valid-user - - </Directory>
-
- <Directory /www/docs/public> - - AuthType None
- Require all granted - - </Directory> - + +<Directory /www/docs> + AuthType Basic + AuthName Documents + AuthBasicProvider file + AuthUserFile /usr/local/apache/passwd/passwords + Require valid-user +</Directory> + +<Directory /www/docs/public> + AuthType None + Require all granted +</Directory> + When disabling authentication, note that clients which have already authenticated against another portion of the server's document diff --git a/docs/manual/mod/mod_authn_dbd.xml b/docs/manual/mod/mod_authn_dbd.xml index 03e3af18ce..d176f2e2aa 100644 --- a/docs/manual/mod/mod_authn_dbd.xml +++ b/docs/manual/mod/mod_authn_dbd.xml @@ -72,7 +72,7 @@ to cache credentials and take most of the load off the database.

Configuration Example

This simple example shows use of this module in the context of the Authentication and DBD frameworks.

-
+
 # mod_dbd configuration
 # UPDATED to include authentication cacheing
 DBDriver pgsql
@@ -100,10 +100,9 @@ DBDExptime 300
   Require valid-user
 
   # mod_authn_dbd SQL query to authenticate a user
-  AuthDBDUserPWQuery \
-    "SELECT password FROM authn WHERE user = %s"
+  AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
 </Directory>
-
 +
@@ -136,10 +135,9 @@ configuration required in some web applications. will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a %s format specifier.

- Example
-AuthDBDUserPWQuery \
-  "SELECT password FROM authn WHERE user = %s"
-
 + +AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s" +

The first column value of the first row returned by the query statement should be a string containing the encrypted password. Subsequent rows will be ignored. If no rows are returned, the user @@ -171,10 +169,9 @@ AuthDBDUserPWQuery \ The user's ID and the realm, in that order, will be passed as string parameters when the SQL query is executed. They may be referenced within the query statement using %s format specifiers.

- Example
-AuthDBDUserRealmQuery \
-  "SELECT password FROM authn WHERE user = %s AND realm = %s"
-
 + +AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s" +

The first column value of the first row returned by the query statement should be a string containing the encrypted password. Subsequent rows will be ignored. If no rows are returned, the user diff --git a/docs/manual/mod/mod_authn_socache.xml b/docs/manual/mod/mod_authn_socache.xml index 9331dda6b5..97cdeca380 100644 --- a/docs/manual/mod/mod_authn_socache.xml +++ b/docs/manual/mod/mod_authn_socache.xml @@ -69,18 +69,18 @@ the load on backends

A simple usage example to accelerate mod_authn_dbd using dbm as a cache engine:

- 
-    <Directory /usr/www/myhost/private>
-        AuthType Basic
-        AuthName "Cached Authentication Example"
-        AuthBasicProvider socache dbd
-        AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
-        AuthnCacheProvideFor dbd
-        AuthnCacheContext dbd-authn-example
-        AuthnCacheSOCache dbm
-        Require valid-user
-    </Directory>
-
+ +<Directory /usr/www/myhost/private> + AuthType Basic + AuthName "Cached Authentication Example" + AuthBasicProvider socache dbd + AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s" + AuthnCacheProvideFor dbd + AuthnCacheContext dbd-authn-example + AuthnCacheSOCache dbm + Require valid-user +</Directory> +
Cacheing with custom modules @@ -142,9 +142,9 @@ the load on backends

For example, to cache credentials found by mod_authn_dbd or by a custom provider myprovider, but leave those looked up by lightweight providers like file or dbm lookup alone:

- - AuthnCacheProvideFor dbd myprovider - + +AuthnCacheProvideFor dbd myprovider + diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index 425f740c4c..af655eae1b 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -340,11 +340,11 @@ for HTTP Basic authentication. ldap://ldap/o=Example?cn (i.e., cn is used for searches), the following Require directives could be used to restrict access:

- -Require ldap-user "Barbara Jenson"
-Require ldap-user "Fred User"
-Require ldap-user "Joe Manager"
- + +Require ldap-user "Barbara Jenson" +Require ldap-user "Fred User" +Require ldap-user "Joe Manager" +

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara @@ -356,7 +356,7 @@ Require ldap-user "Joe Manager"

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

-Require ldap-user bjenson fuser jmanager +Require ldap-user bjenson fuser jmanager
Require ldap-group @@ -366,58 +366,58 @@ Require ldap-user "Joe Manager"
group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

- -dn: cn=Administrators, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
- +
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+

The following directive would grant access to both Fred and Barbara:

-Require ldap-group cn=Administrators, o=Example +Require ldap-group cn=Administrators, o=Example

Members can also be found within sub-groups of a specified LDAP group if AuthLDAPMaxSubGroupDepth is set to a value greater than 0. For example, assume the following entries exist in the LDAP directory:

- -dn: cn=Employees, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Managers, o=Example
-uniqueMember: cn=Administrators, o=Example
-uniqueMember: cn=Users, o=Example
-
-dn: cn=Managers, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Bob Ellis, o=Example
-uniqueMember: cn=Tom Jackson, o=Example
-
-dn: cn=Administrators, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Barbara Jenson, o=Example
-uniqueMember: cn=Fred User, o=Example
-
-dn: cn=Users, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Allan Jefferson, o=Example
-uniqueMember: cn=Paul Tilley, o=Example
-uniqueMember: cn=Temporary Employees, o=Example
-
-dn: cn=Temporary Employees, o=Example
-objectClass: groupOfUniqueNames
-uniqueMember: cn=Jim Swenson, o=Example
-uniqueMember: cn=Elliot Rhodes, o=Example
- +
+dn: cn=Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Managers, o=Example
+uniqueMember: cn=Administrators, o=Example
+uniqueMember: cn=Users, o=Example
+
+dn: cn=Managers, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Bob Ellis, o=Example
+uniqueMember: cn=Tom Jackson, o=Example
+
+dn: cn=Administrators, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Barbara Jenson, o=Example
+uniqueMember: cn=Fred User, o=Example
+
+dn: cn=Users, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Allan Jefferson, o=Example
+uniqueMember: cn=Paul Tilley, o=Example
+uniqueMember: cn=Temporary Employees, o=Example
+
+dn: cn=Temporary Employees, o=Example
+objectClass: groupOfUniqueNames
+uniqueMember: cn=Jim Swenson, o=Example
+uniqueMember: cn=Elliot Rhodes, o=Example
+

The following directives would allow access for Bob Ellis, Tom Jackson, Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not allow access for Jim Swenson, or Elliot Rhodes (since they are at a sub-group depth of 2):

- -Require ldap-group cn=Employees, o-Example
-AuthLDAPSubGroupDepth 1
- + +Require ldap-group cn=Employees, o-Example +AuthLDAPSubGroupDepth 1 +

Behavior of this directive is modified by the AuthLDAPGroupAttribute,

The following directive would grant access to a specific DN:

-Require ldap-dn cn=Barbara Jenson, o=Example +Require ldap-dn cn=Barbara Jenson, o=Example

Behavior of this directive is modified by the AuthLDAPCompareDNOnServer @@ -457,7 +457,7 @@ AuthLDAPSubGroupDepth 1

The following directive would grant access to anyone with the attribute employeeType = active

- Require ldap-attribute employeeType=active + Require ldap-attribute employeeType=active

Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple @@ -470,7 +470,7 @@ AuthLDAPSubGroupDepth 1

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

- Require ldap-attribute city="San Jose" status=active + Require ldap-attribute city="San Jose" status=active
@@ -484,7 +484,7 @@ AuthLDAPSubGroupDepth 1

The following directive would grant access to anyone having a cell phone and is in the marketing department

- Require ldap-filter &(cell=*)(department=marketing) + Require ldap-filter &(cell=*)(department=marketing)

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter @@ -504,19 +504,19 @@ AuthLDAPSubGroupDepth 1

  • Grant access to anyone who exists in the LDAP directory, using their UID for searches. - -AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)"
    + +AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid?sub?(objectClass=*)" Require valid-user -     +
  • The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server. -AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example"
    +AuthLDAPURL "ldap://ldap1.example.com ldap2.example.com/ou=People, o=Example" Require valid-user -     +
  • @@ -528,19 +528,19 @@ Require valid-user this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as uid. - -AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn"
    + +AuthLDAPURL "ldap://ldap.example.com/ou=People, o=Example?cn" Require valid-user -     +
  • Grant access to anybody in the Administrators group. The users must authenticate using their UID. - -AuthLDAPURL ldap://ldap.example.com/o=Example?uid
    + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid Require ldap-group cn=Administrators, o=Example -     +
  • @@ -549,10 +549,10 @@ Require ldap-group cn=Administrators, o=Example of qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers: - -AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*)
    + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(qpagePagerID=*) Require valid-user -     +
  • @@ -565,10 +565,10 @@ Require valid-user a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:

    - -AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager))
    + +AuthLDAPURL ldap://ldap.example.com/o=Example?uid??(|(qpagePagerID=*)(uid=jmanager)) Require valid-user -     +

    This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who @@ -663,11 +663,11 @@ Require valid-user subtree search for the attribute userPrincipalName, with an empty search root, like so:

    - -AuthLDAPBindDN apache@example.com
    -AuthLDAPBindPassword password
    + +AuthLDAPBindDN apache@example.com +AuthLDAPBindPassword password AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub -     +

    Users will need to enter their User Principal Name as a login, in the form somebody@nz.example.com.

    @@ -690,11 +690,11 @@ AuthLDAPURL ldap://10.0.0.1:3268/?userPrincipalName?sub authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web

    -
    +
 AuthLDAPURL            "the url"
 AuthGroupFile mygroupfile
 Require group mygroupfile
-
     +
    How It Works @@ -864,8 +864,8 @@ to perform a DN lookup AuthLDAPBindDN.

    - AuthLDAPInitialBindPattern (.+) $1@example.com - AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com + AuthLDAPInitialBindPattern (.+) $1@example.com + AuthLDAPInitialBindPattern (.+) cn=$1,dc=example,dc=com Not available with authorization-only This directive can only be used if this module authenticates the user, and @@ -1215,7 +1215,7 @@ objects that are groups during sub-group processing. to use. The syntax of the URL is

    ldap://host:port/basedn?attribute?scope?filter

    If you want to specify more than one LDAP URL that Apache should try in turn, the syntax is:

    -AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..." +AuthLDAPUrl "ldap://ldap1.example.com ldap2.example.com/dc=..."

    Caveat: If you specify multiple servers, you need to enclose the entire URL string in quotes; otherwise you will get an error: "AuthLDAPURL takes one argument, URL to define LDAP connection.." You can of course use search parameters on each of these.

    diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml index 5e17bd090b..07f6262d05 100644 --- a/docs/manual/mod/mod_authz_core.xml +++ b/docs/manual/mod/mod_authz_core.xml @@ -58,38 +58,33 @@ multiple ldap hosts:

    - Example - <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
    - - AuthLDAPBindDN cn=youruser,o=ctx
    - AuthLDAPBindPassword yourpassword
    - AuthLDAPURL ldap://ldap.host/o=ctx
    -     - </AuthzProviderAlias>

    - <AuthzProviderAlias ldap-group ldap-group-alias2 - cn=my-other-group,o=dev>
    - - AuthLDAPBindDN cn=yourotheruser,o=dev
    - AuthLDAPBindPassword yourotherpassword
    - AuthLDAPURL ldap://other.ldap.host/o=dev?cn
    -     - </AuthzProviderAlias>

    - - Alias /secure /webpages/secure
    - <Directory /webpages/secure>
    - - Require all granted

    - - AuthBasicProvider file

    - - AuthType Basic
    - AuthName LDAP_Protected_Place

    - - #implied OR operation
    - Require ldap-group-alias1
    - Require ldap-group-alias2
    -     </Directory>
    -     + +<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx> + AuthLDAPBindDN cn=youruser,o=ctx + AuthLDAPBindPassword yourpassword + AuthLDAPURL ldap://ldap.host/o=ctx +</AuthzProviderAlias> + +<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev> + AuthLDAPBindDN cn=yourotheruser,o=dev + AuthLDAPBindPassword yourotherpassword + AuthLDAPURL ldap://other.ldap.host/o=dev?cn +</AuthzProviderAlias> + +Alias /secure /webpages/secure +<Directory /webpages/secure> + Require all granted + + AuthBasicProvider file + + AuthType Basic + AuthName LDAP_Protected_Place + + #implied OR operation + Require ldap-group-alias1 + Require ldap-group-alias2 +</Directory> +
    @@ -115,39 +110,27 @@ not belong to either the temps group or the LDAP group Temporary Employees.

    - - <Directory /www/mydocs> - + +<Directory /www/mydocs> + <RequireAll> + <RequireAny> + Require user superadmin <RequireAll> - + Require group admins + Require ldap-group cn=Administrators,o=Airius <RequireAny> - - Require user superadmin
    - <RequireAll> - - Require group admins
    - Require ldap-group cn=Administrators,o=Airius
    - <RequireAny> - - Require group sales
    - Require ldap-attribute dept="sales" -     - </RequireAny> -     - </RequireAll> -     - </RequireAny>
    - <RequireNone> - - Require group temps
    - Require ldap-group cn=Temporary Employees,o=Airius -     - </RequireNone> -     + Require group sales + Require ldap-attribute dept="sales" + </RequireAny> </RequireAll> -     - </Directory> -     + </RequireAny> + <RequireNone> + Require group temps + Require ldap-group cn=Temporary Employees,o=Airius + </RequireNone> + </RequireAll> +</Directory> +
    The Require Directives @@ -171,14 +154,12 @@ User-Agent (browser type), Referer, or other HTTP request header fields.

    - Example: - SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
    - <Directory /docroot>
    - - Require env let_me_in
    -     - </Directory> -     + +SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in +<Directory /docroot> + Require env let_me_in +</Directory> +

    In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all @@ -194,13 +175,13 @@ 'granted' or 'denied'. The following examples will grant or deny access to all requests.

    - - Require all granted
    -     + + Require all granted + - - Require all denied
    -     + + Require all denied +
    @@ -214,20 +195,20 @@

    The following example will only allow GET, HEAD, POST, and OPTIONS requests:

    - - Require method GET POST OPTIONS
    -     + + Require method GET POST OPTIONS +

    The following example will allow GET, HEAD, POST, and OPTIONS requests without authentication, and require a valid user for all other methods:

    - - <RequireAny>
    -  Require method GET POST OPTIONS
    -  Require valid-user
    - </RequireAny>
    -     + +<RequireAny> +  Require method GET POST OPTIONS +  Require valid-user +</RequireAny> + @@ -236,9 +217,9 @@

    The expr provider allows to base authorization decisions on arbitrary expressions.

    - - Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17
    -     + + Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17 +

    The syntax is described in the ap_expr documentation.

    @@ -321,14 +302,14 @@ an authorization provider. and AuthGroupFile (to define users and groups) in order to work correctly. Example:

    - - AuthType Basic
    - AuthName "Restricted Resource"
    - AuthBasicProvider file
    - AuthUserFile /web/users
    - AuthGroupFile /web/groups
    - Require group admin -     + +AuthType Basic +AuthName "Restricted Resource" +AuthBasicProvider file +AuthUserFile /web/users +AuthGroupFile /web/groups +Require group admin +

    Access controls which are applied in this way are effective for all methods. This is what is normally @@ -350,18 +331,14 @@ an authorization provider. and beta groups are authorized, except for those who are also in the reject group.

    - - <Directory /www/docs> - - <RequireAll> - - Require group alpha beta
    - Require not group reject -     - </RequireAll> -     - </Directory> -     + +<Directory /www/docs> + <RequireAll> + Require group alpha beta + Require not group reject + </RequireAll> +</Directory> +

    When multiple Require directives are used in a single @@ -540,30 +517,24 @@ sections. preceding sections. Thus only users belong to the group gamma may access /www/docs/ab/gamma. - - <Directory /www/docs> - - AuthType Basic
    - AuthName Documents
    - AuthBasicProvider file
    - AuthUserFile /usr/local/apache/passwd/passwords
    - Require group alpha -     - </Directory>
    -
    - <Directory /www/docs/ab> - - AuthMerging Or
    - Require group beta -     - </Directory>
    -
    - <Directory /www/docs/ab/gamma> - - Require group gamma - - </Directory> -     + +<Directory /www/docs> + AuthType Basic + AuthName Documents + AuthBasicProvider file + AuthUserFile /usr/local/apache/passwd/passwords + Require group alpha +</Directory> + +<Directory /www/docs/ab> + AuthMerging Or + Require group beta +</Directory> + +<Directory /www/docs/ab/gamma> + Require group gamma +</Directory> + diff --git a/docs/manual/mod/mod_authz_dbd.xml b/docs/manual/mod/mod_authz_dbd.xml index df51339ff3..8b57120ea1 100644 --- a/docs/manual/mod/mod_authz_dbd.xml +++ b/docs/manual/mod/mod_authz_dbd.xml @@ -80,8 +80,8 @@ to implement functions that start and end client-side sessions.

    -Configuration Example -
    +Configuration example
+
 # mod_dbd configuration
 DBDriver pgsql
 DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
@@ -115,13 +115,11 @@ DBDExptime 300
 
   <Files login.html>
     # don't require user to already be logged in!
-    AuthDBDUserPWQuery \
-      "SELECT password FROM authn WHERE user = %s"
+    AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
 
     # dbd-login action executes a statement to log user in
     Require dbd-login
-    AuthzDBDQuery \
-      "UPDATE authn SET login = 'true' WHERE user = %s"
+    AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"
 
     # return user to referring page (if any) after
     # successful login
@@ -131,11 +129,10 @@ DBDExptime 300
   <Files logout.html>
     # dbd-logout action executes a statement to log user out
     Require dbd-logout
-    AuthzDBDQuery \
-      "UPDATE authn SET login = 'false' WHERE user = %s"
+    AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"
   </Files>
 </Directory>
-
     +
    @@ -157,22 +154,20 @@ DBDExptime 300 The first column value of each row returned by the query statement should be a string containing a group name. Zero, one, or more rows may be returned. - Example
    +    
 Require dbd-group
-AuthzDBDQuery \
-  "SELECT group FROM groups WHERE user = %s"
-
     +AuthzDBDQuery "SELECT group FROM groups WHERE user = %s" +
  • When used with a Require dbd-login or Require dbd-logout directive, it will never deny access, but will instead execute a SQL statement designed to log the user in or out. The user must already be authenticated with mod_authn_dbd. - Example
    +    
 Require dbd-login
-AuthzDBDQuery \
-  "UPDATE authn SET login = 'true' WHERE user = %s"
-
     +AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s" +

    • In all cases, the user's ID will be passed as a single string @@ -193,10 +188,9 @@ AuthzDBDQuery \ specific to the user. The user's ID will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a %s format specifier.

    - Example
    -AuthzDBDRedirectQuery \
-  "SELECT userpage FROM userpages WHERE user = %s"
-
     + +AuthzDBDRedirectQuery "SELECT userpage FROM userpages WHERE user = %s" +

    The first column value of the first row returned by the query statement should be a string containing a URL to which to redirect the client. Subsequent rows will be ignored. If no rows are returned, diff --git a/docs/manual/mod/mod_authz_dbm.xml b/docs/manual/mod/mod_authz_dbm.xml index 5c589bfeb3..5b4768f66a 100644 --- a/docs/manual/mod/mod_authz_dbm.xml +++ b/docs/manual/mod/mod_authz_dbm.xml @@ -75,10 +75,10 @@ of user groups for authorization accomplished by first setting the group and password files to point to the same DBM:

    - - AuthDBMGroupFile /www/userbase
    - AuthDBMUserFile /www/userbase -     + +AuthDBMGroupFile /www/userbase +AuthDBMUserFile /www/userbase +

    The key for the single DBM is the username. The value consists of

    diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml index 09993d17ea..30bef02669 100644 --- a/docs/manual/mod/mod_authz_host.xml +++ b/docs/manual/mod/mod_authz_host.xml @@ -75,35 +75,35 @@ address)

    A full IP address:

    - - Require ip 10.1.2.3
    - Require ip 192.168.1.104 192.168.1.205 -     + +Require ip 10.1.2.3 +Require ip 192.168.1.104 192.168.1.205 +

    An IP address of a host allowed access

    A partial IP address:

    - - Require ip 10.1
    - Require ip 10 172.20 192.168.2 -     + +Require ip 10.1 +Require ip 10 172.20 192.168.2 +

    The first 1 to 3 bytes of an IP address, for subnet restriction.

    A network/netmask pair:

    - + Require ip 10.1.0.0/255.255.0.0 - +

    A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

    A network/nnn CIDR specification:

    - + Require ip 10.1.0.0/16 - +

    Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

    @@ -113,10 +113,10 @@ address)

    IPv6 addresses and IPv6 subnets can be specified as shown below:

    - - Require ip 2001:db8::a00:20ff:fea7:ccea
    - Require ip 2001:db8::a00:20ff:fea7:ccea/10 -     + +Require ip 2001:db8::a00:20ff:fea7:ccea +Require ip 2001:db8::a00:20ff:fea7:ccea/10 + @@ -130,10 +130,10 @@ address)

    A (partial) domain-name

    - - Require host example.org
    - Require host .net example.edu -     + +Require host example.org +Require host .net example.edu +

    Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above @@ -164,9 +164,9 @@ address)

    This allows a convenient way to match connections that originate from the local host:

    - + Require local - + diff --git a/docs/manual/mod/mod_authz_owner.xml b/docs/manual/mod/mod_authz_owner.xml index f1f52c3eb5..475cc7d9f5 100644 --- a/docs/manual/mod/mod_authz_owner.xml +++ b/docs/manual/mod/mod_authz_owner.xml @@ -85,17 +85,15 @@ files in /home/smith/public_html/private unless they were owned by jones instead of smith.

    - - <Directory /home/*/public_html/private>
    - - AuthType Basic
    - AuthName MyPrivateFiles
    - AuthBasicProvider dbm
    - AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
    - Require file-owner
    -     - </Directory> -     + +<Directory /home/*/public_html/private> + AuthType Basic + AuthName MyPrivateFiles + AuthBasicProvider dbm + AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all + Require file-owner +</Directory> +
    Require file-group @@ -111,22 +109,20 @@ authorized to access the project-foo directories of each other.

    - - <Directory /home/*/public_html/project-foo>
    - - AuthType Basic
    - AuthName "Project Foo Files"
    - AuthBasicProvider dbm
    -
    - # combined user/group database
    - AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
    - AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
    -
    - Satisfy All
    - Require file-group
    -     - </Directory> -     + +<Directory /home/*/public_html/project-foo> + AuthType Basic + AuthName "Project Foo Files" + AuthBasicProvider dbm + + # combined user/group database + AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all + AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all + + Satisfy All + Require file-group +</Directory> +
    diff --git a/docs/manual/mod/mod_autoindex.xml b/docs/manual/mod/mod_autoindex.xml index fe61a94bab..474b4ee86c 100644 --- a/docs/manual/mod/mod_autoindex.xml +++ b/docs/manual/mod/mod_autoindex.xml @@ -69,7 +69,8 @@ same header repeatedly toggles between ascending and descending order. These column header links are suppressed with the IndexOptions directive's - SuppressColumnSorting option.

    + SuppressColumnSorting + option.

    Note that when the display is sorted by "Size", it's the actual size of the files that's used, not the @@ -201,10 +202,10 @@ icon selected by filename is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

    - Examples - AddAlt "PDF file" *.pdf
    - AddAlt Compressed *.gz *.zip *.Z -     + +AddAlt "PDF file" *.pdf +AddAlt Compressed *.gz *.zip *.Z + @@ -229,9 +230,9 @@ selected by MIME-encoding This alternate text is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

    - Example + AddAltByEncoding gzip x-gzip - + @@ -256,9 +257,9 @@ icon selected by MIME content-type This alternate text is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

    - Example + AddAltByType 'plain text' text/plain - + @@ -279,10 +280,10 @@ icon selected by MIME content-type expression or full filename for files to describe. String is enclosed in double quotes (").

    - Example - AddDescription "The planet Mars" mars.gif
    - AddDescription "My friend Marshall" friends/mars.gif -     + +AddDescription "The planet Mars" mars.gif +AddDescription "My friend Marshall" friends/mars.gif +

    The typical, default description field is 23 bytes wide. 6 more bytes are added by the is unnecessary if you're using IndexOptions HTMLTable.

    - Examples - AddIcon (IMG,/icons/image.png) .gif .jpg .png
    - AddIcon /icons/dir.png ^^DIRECTORY^^
    - AddIcon /icons/backup.png *~ -     + +#Examples +AddIcon (IMG,/icons/image.png) .gif .jpg .png +AddIcon /icons/dir.png ^^DIRECTORY^^ +AddIcon /icons/backup.png *~ +

    AddIconByType should be used in preference to AddIcon, @@ -388,9 +390,9 @@ content-encoding

    MIME-encoding is a valid content-encoding, such as x-compress.

    - Example + AddIconByEncoding /icons/compress.png x-compress - + @@ -418,9 +420,9 @@ content-type

    MIME-type is a wildcard expression matching required the mime types.

    - Example + AddIconByType (IMG,/icons/image.png) image/* - + @@ -441,9 +443,9 @@ configured Url-path is a (%-escaped) relative URL to the icon, or a fully qualified remote URL.

    - Example + DefaultIcon /icon/unknown.png - + @@ -462,9 +464,9 @@ of the index listing of the file that will be inserted at the top of the index listing. Filename is the name of the file to include.

    - Example + HeaderName HEADER.html - +

    Both HeaderName and with a slash, it will be taken to be relative to the DocumentRoot.

    - Example + HeaderName /include/HEADER.html - +

    Filename must resolve to a document with a major content type of text/* (e.g., @@ -485,9 +487,9 @@ of the index listing actual file type (as opposed to its output) is marked as text/html such as with a directive like:

    - + AddType text/html .cgi - +

    Content negotiation will be performed if Options @@ -530,9 +532,9 @@ a directory files. By default, the list contains . (the current directory).

    - + IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - + Regular Expressions

    This directive does not currently work in configuration sections @@ -560,15 +562,15 @@ a directory any files ignored by IndexIgnore otherwise inherited from other configuration sections.

    - - <Directory /var/www> - IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t - </Directory> - <Directory /var/www/backups> - IndexIgnoreReset ON - IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t - </Directory> - + +<Directory /var/www> + IndexIgnore *.bak .??* *~ *# HEADER* README* RCS CVS *,v *,t +</Directory> +<Directory /var/www/backups> + IndexIgnoreReset ON + IndexIgnore .??* *# HEADER* README* RCS CVS *,v *,t +</Directory> +

    Review the default configuration for a list of patterns that you might want to explicitly ignore after using this @@ -620,9 +622,9 @@ indexing (It depends on whether the underlying file system uses Unicode filenames or not.) - Example: + IndexOptions Charset=UTF-8 - +

    specify the MIME content-type of the generated page. The default is text/html. - Example: + IndexOptions Type=text/plain - +
  • Multiple IndexOptions directives for a single directory are now merged together. The result of: - - <Directory /foo> - - IndexOptions HTMLTable
    - IndexOptions SuppressColumnsorting -     - </Directory> -     + +<Directory /foo> + IndexOptions HTMLTable + IndexOptions SuppressColumnsorting +</Directory> +

    will be the equivalent of

    - + IndexOptions HTMLTable SuppressColumnsorting - +
  • The addition of the incremental syntax (i.e., prefixing @@ -945,10 +945,10 @@ indexing clears all inherited options and any incremental settings encountered so far. Consider the following example:

    - - IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
    - IndexOptions +SuppressSize -     + +IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
    +IndexOptions +SuppressSize +

    The net effect is equivalent to IndexOptions FancyIndexing +SuppressSize, because the unprefixed FancyIndexing @@ -1014,10 +1014,9 @@ Name|Date|Size|Description

    The IndexStyleSheet directive sets the name of the file that will be used as the CSS for the index listing.

    - - Example + IndexStyleSheet "/css/style.css" - +

    Using this directive in conjunction with IndexOptions HTMLTable adds a number of CSS classes to the resulting HTML. @@ -1053,10 +1052,9 @@ Name|Date|Size|Description

    The IndexHeadInsert directive specifies a string to insert in the <head> section of the HTML generated for the index page.

    - - Example + IndexHeadInsert "<link rel=\"sitemap\" href=\"/sitemap.html\">" - + @@ -1079,13 +1077,15 @@ of the index listing relative to the DocumentRoot.

    - Example 1 - ReadmeName FOOTER.html - + +# Example 1 +ReadmeName FOOTER.html + - Example 2 - ReadmeName /include/FOOTER.html - + +# Example 2 +ReadmeName /include/FOOTER.html +

    See also HeaderName, where this behavior is described in greater -- 2.50.1