#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://www.apache.org/docs/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /etc/httpd/conf/srm.conf and then /etc/httpd/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/httpd"

#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
LockFile /var/run/httpd.lock

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile /var/run/httpd.pid

#
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file will be created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
#
ScoreBoardFile logs/apache_runtime_status

#
# In the standard configuration, the server will process httpd.conf (this
# file, specified by the -f command line option), srm.conf, and access.conf
# in that order. The latter two files are now distributed empty, as it is
# recommended that all directives be kept in a single file for simplicity.
# The commented-out values below are the built-in defaults. You can have the
# server ignore these files altogether by using "/dev/null" (for Unix) or
# "nul" (for Win32) for the arguments to the directives.
#
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
#
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off.
# The default values are probably OK for most sites.
#
MinSpareServers 2
MaxSpareServers 20

#
# Number of servers to start initially --- should be a reasonable ballpark
# figure.
#
StartServers 2

#
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# the system with it as it spirals down...
#
MaxClients 150

#
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies. The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources. On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries. For these platforms, set to something like 10000
# or so; a setting of 0 means unlimited.
#
# NOTE: This value does not include keepalive requests after the initial
#       request per connection. For example, if a child process handles
#       an initial request and 10 subsequent "keptalive" requests, it
#       would only count as 1 request towards this limit.
#
MaxRequestsPerChild 1000

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
#Listen 3000
#Listen 12.34.56.78:80
Listen 80

#
# BindAddress: You can support virtual hosts with this option. This directive
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the <VirtualHost> and Listen directives.
#
#BindAddress *

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file README.DSO in the Apache 1.3 distribution for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.
#
# Note: The order in which modules are loaded is important. Don't change
# the order below without expert advice.
#
# Example:
# LoadModule foo_module modules/mod_foo.so

#LoadModule mmap_static_module modules/mod_mmap_static.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
<IfDefine HAVE_BANDWIDTH>
LoadModule bandwidth_module modules/mod_bandwidth.so
</IfDefine>
<IfDefine HAVE_THROTTLE>
LoadModule throttle_module modules/mod_throttle.so
</IfDefine>
LoadModule env_module modules/mod_env.so
LoadModule config_log_module modules/mod_log_config.so
LoadModule agent_log_module modules/mod_log_agent.so
LoadModule referer_log_module modules/mod_log_referer.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule includes_module modules/mod_include.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule asis_module modules/mod_asis.so
LoadModule imap_module modules/mod_imap.so
LoadModule action_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule anon_auth_module modules/mod_auth_anon.so
LoadModule db_auth_module modules/mod_auth_db.so
#LoadModule auth_any_module modules/mod_auth_any.so
#LoadModule dbm_auth_module modules/mod_auth_dbm.so
#LoadModule auth_ldap_module modules/mod_auth_ldap.so
#LoadModule mysql_auth_module modules/mod_auth_mysql.so
#LoadModule auth_pgsql_module modules/mod_auth_pgsql.so
#LoadModule digest_module modules/mod_digest.so
#LoadModule proxy_module modules/libproxy.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule example_module modules/mod_example.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
<IfDefine HAVE_PERL>
LoadModule perl_module modules/libperl.so
</IfDefine>
<IfDefine HAVE_PHP>
LoadModule php_module modules/mod_php.so
</IfDefine>
<IfDefine HAVE_PHP3>
LoadModule php3_module modules/libphp3.so
</IfDefine>
<IfDefine HAVE_PHP4>
LoadModule php4_module modules/libphp4.so
</IfDefine>
<IfDefine HAVE_DAV>
LoadModule dav_module modules/libdav.so
</IfDefine>
<IfDefine HAVE_ROAMING>
LoadModule roaming_module modules/mod_roaming.so
</IfDefine>
<IfDefine HAVE_SSL>
LoadModule ssl_module modules/libssl.so
</IfDefine>
<IfDefine HAVE_PUT>
LoadModule put_module modules/mod_put.so
</IfDefine>
<IfDefine HAVE_PYTHON>
LoadModule python_module modules/mod_python.so
</IfDefine>

# Reconstruction of the complete module list from all available modules
# (static and shared ones) to achieve correct module
# execution order.
# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
ClearModuleList
#AddModule mod_mmap_static.c
AddModule mod_vhost_alias.c
<IfDefine HAVE_BANDWIDTH>
AddModule mod_bandwidth.c
</IfDefine>
<IfDefine HAVE_THROTTLE>
AddModule mod_throttle.c
</IfDefine>
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
#AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
#AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c
#AddModule mod_auth_any.c
#AddModule mod_auth_dbm.c
#AddModule auth_ldap.c
#AddModule mod_auth_mysql.c
#AddModule mod_auth_pgsql.c
#AddModule mod_digest.c
#AddModule mod_proxy.c
#AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
#AddModule mod_usertrack.c
#AddModule mod_example.c
#AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine HAVE_PERL>
AddModule mod_perl.c
</IfDefine>
<IfDefine HAVE_PHP>
AddModule mod_php.c
</IfDefine>
<IfDefine HAVE_PHP3>
AddModule mod_php3.c
</IfDefine>
<IfDefine HAVE_PHP4>
AddModule mod_php4.c
</IfDefine>
<IfDefine HAVE_DAV>
AddModule mod_dav.c
</IfDefine>
<IfDefine HAVE_ROAMING>
AddModule mod_roaming.c
</IfDefine>
<IfDefine HAVE_SSL>
AddModule mod_ssl.c
</IfDefine>
<IfDefine HAVE_PUT>
AddModule mod_put.c
</IfDefine>
<IfDefine HAVE_PYTHON>
AddModule mod_python.c
</IfDefine>

#
# ExtendedStatus controls whether Apache
# will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On

### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# If your ServerType directive (set earlier in the 'Global Environment'
# section) is set to "inetd", the next few directives don't have any
# effect since their settings are defined by the inetd configuration.
# Skip ahead to the ServerAdmin directive.
#

#
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 80

##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine HAVE_SSL>
Listen 443
</IfDefine>

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group nobody on these systems!
#
User apache
Group apache

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents.
#
ServerAdmin root@abc.com

#
# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e., use
# "www" instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address (e.g., http://123.45.67.89/)
# anyway, and this will make redirections work in a sensible way.
#
# 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your
# machine always knows itself by this address. If you use Apache strictly for
# local testing and development, you may use 127.0.0.1 as the server name.
#
ServerName www.xyz.com

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/home/xyz/public_website_html"

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/home/xyz/public_website_html">

#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
    Options Indexes FollowSymLinks

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all
</Directory>

<Directory "/home/xyz/intranet_html">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from 66.12.216.238
    Allow from 66.12.233.174
</Directory>

<Directory "/home/abc/public_website_html">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig FileInfo Indexes Limit
    Order allow,deny
    Allow from all
</Directory>

<Directory "/home/abc/intranet_html">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from 66.12.233.174
</Directory>

#
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
#<IfModule mod_userdir.c>
#    UserDir public_html
#</IfModule>

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS PROPFIND>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS PROPFIND>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

#
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index. Separate multiple entries with spaces.
#
<IfModule mod_dir.c>
    DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.phtml index.cgi
</IfModule>

#
# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess files from being viewed by
# Web clients. Since .htaccess files often contain authorization
# information, access is disallowed for security reasons. Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files. If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

#
# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#
#CacheNegotiatedDocs

#
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName On

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
<IfModule mod_mime.c>
    TypesConfig /etc/mime.types
</IfModule>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
# mod_mime_magic is not part of the default server (you have to add
# it yourself with a LoadModule [see the DSO paragraph in the 'Global
# Environment' section], or recompile the server and include mod_mime_magic
# as part of the configuration), so it's enclosed in an <IfModule> container.
# This means that the MIMEMagicFile directive will only be processed if the
# module is part of the server.
#
<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error_log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
# CustomLog /var/log/httpd/access_log common
CustomLog logs/access_log combined

#
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent

#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog logs/access_log combined

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature EMail

# EBCDIC configuration:
# (only for mainframes using the EBCDIC codeset, currently one of:
# Fujitsu-Siemens' BS2000/OSD, IBM's OS/390 and IBM's TPF)!!
# The following default configuration assumes that "text files"
# are stored in EBCDIC (so that you can operate on them using the
# normal POSIX tools like grep and sort) while "binary files" are
# stored with identical octets as on an ASCII machine.
#
# The directives are evaluated in configuration file order, with
# the EBCDICConvert directives applied before EBCDICConvertByType.
#
# If you want to have ASCII HTML documents and EBCDIC HTML documents
# at the same time, you can use the file extension to force
# conversion off for the ASCII documents:
# > AddType text/html .ahtml
# > EBCDICConvert Off=InOut .ahtml
#
# EBCDICConvertByType On=InOut text/* message/* multipart/*
# EBCDICConvertByType On=In application/x-www-form-urlencoded
# EBCDICConvertByType On=InOut application/postscript model/vrml
# EBCDICConvertByType Off=InOut */*


#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
<IfModule mod_alias.c>

    #
    # Note that if you include a trailing / on fakename then the server will
    # require it to be present in the URL. So "/icons" isn't aliased in this
    # example, only "/icons/". If the fakename is slash-terminated, then the
    # realname must also be slash terminated, and if the fakename omits the
    # trailing slash, the realname must also omit it.
    #
    Alias /icons/ "/var/www/icons/"

    <Directory "/var/www/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    #ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

    #
    # "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have that configured.
    #
    #<Directory "/var/www/cgi-bin">
    #    AllowOverride None
    #    Options None
    #    Order allow,deny
    #    Allow from all
    #</Directory>

</IfModule>
# End of aliases.

#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#

#
# Directives controlling the display of server-generated directory listings.
#
<IfModule mod_autoindex.c>

    #
    # FancyIndexing is whether you want fancy directory indexing or standard
    #
    IndexOptions FancyIndexing NameWidth=* FoldersFirst TrackModified

    #
    # AddIcon* directives tell the server which icon to show for different
    # files or filename extensions. These are only displayed for
    # FancyIndexed directories.
    #
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*

    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^

    #
    # DefaultIcon is which icon to show for files which do not have an icon
    # explicitly set.
    #
    DefaultIcon /icons/unknown.gif

    #
    # AddDescription allows you to place a short description after a file in
    # server-generated indexes. These are only displayed for FancyIndexed
    # directories.
    # Format: AddDescription "description" filename
    #
    #AddDescription "GZIP compressed document" .gz
    #AddDescription "tar archive" .tar
    #AddDescription "GZIP compressed tar archive" .tgz

    #
    # ReadmeName is the name of the README file the server will look for by
    # default, and append to directory listings.
    #
    # HeaderName is the name of a file which should be prepended to
    # directory indexes.
    #
    # If MultiViews are amongst the Options in effect, the server will
    # first look for name.html and include it if found. If name.html
    # doesn't exist, the server will then look for name.txt and include
    # it as plaintext if found.
    #
    ReadmeName README
    HeaderName HEADER

    #
    # IndexIgnore is a set of filenames which directory indexing should ignore
    # and not include in the listing. Shell-style wildcarding is permitted.
    #
#   IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
    IndexIgnore .htaccess *~ *# HEADER* README* RCS CVS *,v *,t

</IfModule>
# End of indexing directives.

#
# Document types.
#
<IfModule mod_mime.c>

    #
    # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
    # information on the fly. Note: Not all browsers support this.
    # Despite the name similarity, the following Add* directives have nothing
    # to do with the FancyIndexing customization directives above.
    #
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz

    #
    # AddLanguage allows you to specify the language of a document. You can
    # then use content negotiation to give a browser a file in a language
    # it can understand.
    #
    # Note 1: The suffix does not have to be the same as the language
    # keyword --- those with documents in Polish (whose net-standard
    # language code is pl) may wish to use "AddLanguage pl .po" to
    # avoid the ambiguity with the common suffix for perl scripts.
    #
    # Note 2: The example entries below illustrate that in quite
    # some cases the two character 'Language' abbreviation is not
    # identical to the two character 'Country' code for its country,
    # E.g. 'Danmark/dk' versus 'Danish/da'.
    #
    # Note 3: In the case of 'ltz' we violate the RFC by using a three char
    # specifier. But there is 'work in progress' to fix this and get
    # the reference data for rfc1766 cleaned up.
    #
    # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
    # French (fr) - German (de) - Greek-Modern (el)
    # Italian (it) - Korean (kr) - Norwegian (no)
    # Portuguese (pt) - Luxembourgeois* (ltz)
    # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
    # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
    # Russian (ru)
    #
    AddLanguage da .dk
    AddLanguage nl .nl
    AddLanguage en .en
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage he .he
    AddCharset ISO-8859-8 .iso8859-8
    AddLanguage it .it
    AddLanguage ja .ja
    AddCharset ISO-2022-JP .jis
    AddLanguage kr .kr
    AddCharset ISO-2022-KR .iso-kr
    AddLanguage no .no
    AddLanguage pl .po
    AddCharset ISO-8859-2 .iso-pl
    AddLanguage pt .pt
    AddLanguage pt-br .pt-br
    AddLanguage ltz .lu
    AddLanguage ca .ca
    AddLanguage es .es
    AddLanguage sv .se
    AddLanguage cz .cz
    AddLanguage ru .ru
    AddLanguage zh-tw .tw
    AddLanguage tw .tw
    AddCharset Big5 .Big5 .big5
    AddCharset WINDOWS-1251 .cp-1251
    AddCharset CP866 .cp866
    AddCharset ISO-8859-5 .iso-ru
    AddCharset KOI8-R .koi8-r
    AddCharset UCS-2 .ucs2
    AddCharset UCS-4 .ucs4
    AddCharset UTF-8 .utf8

    # LanguagePriority allows you to give precedence to some languages
    # in case of a tie during content negotiation.
    #
    # Just list the languages in decreasing order of preference. We have
    # more or less alphabetized them here. You probably want to change this.
    #
    <IfModule mod_negotiation.c>
        LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
    </IfModule>

    #
    # AddType allows you to tweak mime.types without actually editing it, or to
    # make certain files to be certain types.
    #
    # For example, the PHP 3.x module (not part of the Apache distribution - see
    # http://www.php.net) will typically use:
    #
    <IfModule mod_php3.c>
        AddType application/x-httpd-php3 .php3
        AddType application/x-httpd-php3-source .phps
    </IfModule>
    #
    # And for PHP 4.x, use:
    #
    <IfModule mod_php4.c>
        AddType application/x-httpd-php .php .php4 .php3 .phtml
        AddType application/x-httpd-php-source .phps
    </IfModule>

    #
    # For PHP/FI (PHP2), use:
    #
    <IfModule mod_php.c>
        AddType application/x-httpd-php .phtml
    </IfModule>

    AddType application/x-tar .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers",
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action command (see below)
    #
    # If you want to use server side includes, or CGI outside
    # ScriptAliased directories, uncomment the following lines.
    #
    # To use CGI scripts:
    #
    #AddHandler cgi-script .cgi

    #
    # To use server-parsed HTML files
    #
    AddType text/html .shtml
    AddHandler server-parsed .shtml

    #
    # Uncomment the following line to enable Apache's send-asis HTTP file
    # feature
    #
    #AddHandler send-as-is asis

    #
    # If you wish to use server-parsed imagemap files, use
    #
    AddHandler imap-file map

    #
    # To enable type maps, you might want to use
    #
    #AddHandler type-map var

</IfModule>
# End of document types.

#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#

#
# MetaDir: specifies the name of the directory in which Apache can find
# meta information files. These files contain additional HTTP headers
# to include when sending the document
#
#MetaDir .web

#
# MetaSuffix: specifies the file name suffix for the file containing the
# meta information.
#
#MetaSuffix .meta

#
# Customizable error response (Apache style)
#  these come in three flavors
#
#    1) plain text
#ErrorDocument 500 "The server made a boo boo.
#  n.b. the single leading (") marks it as text, it does not get output
#
#    2) local redirects
#ErrorDocument 404 /missing.html
#  to redirect to local URL /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
#  N.B.: You can redirect to a script or a document using server-side-includes.
#
#    3) external redirects
#ErrorDocument 402 http://some.other_server.com/subscription_info.html
#  N.B.: Many of the environment variables associated with the original
#  request will *not* be available to such a script.

#
# Customize behaviour based on the browser
#
<IfModule mod_setenvif.c>

    #
    # The following directives modify normal HTTP response behavior.
    # The first directive disables keepalive for Netscape 2.x and browsers that
    # spoof it. There are known problems with these browser implementations.
    # The second directive is for Microsoft Internet Explorer 4.0b2
    # which has a broken HTTP/1.1 implementation and does not properly
    # support keepalive when it is used on 301 or 302 (redirect) responses.
    #
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

    #
    # The following directive disables HTTP/1.1 responses to browsers which
    # are in violation of the HTTP/1.0 spec by not being able to grok a
    # basic 1.1 response.
    #
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

</IfModule>
# End of browser customization directives

#
# If the perl module is installed, this will allow execution of mod_perl
# to compile your scripts to subroutines which it will execute directly,
# avoiding the costly compile process for most requests.
#
#<IfModule mod_perl.c>
#    Alias /perl /var/www/perl
#    <Directory /var/www/perl>
#        SetHandler perl-script
#        PerlHandler Apache::Registry
#        Options +ExecCGI
#    </Directory>
#</IfModule>

#
# Allow http put (such as Netscape Gold's publish feature)
# Use htpasswd to generate /etc/httpd/conf/passwd.
#
#<IfModule mod_put.c>
#    Alias /upload /tmp
#    <Directory /tmp>
#        EnablePut On
#        AuthType Basic
#        AuthName Temporary
#        AuthUserFile /etc/httpd/conf/passwd
#        EnableDelete Off
#        umask 007
#        <Limit PUT>
#            require valid-user
#        </Limit>
#    </Directory>
#</IfModule>

#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#
<Location /ob-server-status>
    SetHandler server-status
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from 66.12.216.238
    Allow from 66.12.233.174
</Location>

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your_domain.com" to match your domain to enable.
#
<Location /ob-server-info>
    SetHandler server-info
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from 66.12.216.238
    Allow from 66.12.233.174
</Location>

#
# Allow access to local system documentation from localhost
#
#Alias /doc/ /usr/share/doc/
#<Directory /usr/share/doc>
#    order deny,allow
#    deny from all
#    allow from localhost .localdomain
#    Options Indexes FollowSymLinks
#</Directory>

#
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#    ProxyRequests On

#    <Directory proxy:*>
#        Order deny,allow
#        Deny from all
#        Allow from .your_domain.com
#    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
#    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no caching without CacheRoot)
    #
#    CacheRoot "/var/cache/httpd"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a_domain.com another_domain.edu joes.garage_sale.com

#</IfModule>
# End of proxy directives.

### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
NameVirtualHost *

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

<VirtualHost *>
    ServerName wwww.xyz.com
    ErrorLog logs/www.xyz.com/error_log
    CustomLog logs/www.xyz.com/access_log combined
</VirtualHost>

# Redirect def123.com and *.def123.com to www.xyz.com.
<VirtualHost *>
    ServerName xyz.com
    ServerAlias def123.com *.def123.com
    ErrorLog logs/www.xyz.com/error_log
    CustomLog logs/www.xyz.com/access_log combined
    RedirectMatch permanent .* http://www.xyz.com/
</VirtualHost>

<VirtualHost *>
    ServerName ns-roaming.la.xyz.com
    RoamingAlias /roaming /home/roaming
    ErrorLog logs/ns-roaming.la.xyz.com/error_log
    CustomLog logs/ns-roaming.la.xyz.com/access_log combined
    <Location /roaming>
        AuthUserFile /var/lib/mod_roaming/roaming-htpasswd
        AuthType Basic
        AuthName "Roaming Access"
        <Limit GET PUT MOVE DELETE>
            require valid-user
        </Limit>
        Order allow,deny
        Allow from all
    </Location>
    RedirectMatch permanent .* http://www.xyz.com/
</VirtualHost>

<VirtualHost *>
    ServerName www-internal.la.xyz.com
    DocumentRoot "/home/xyz/intranet_html"
    ErrorLog logs/www-internal.la.xyz.com/error_log
    CustomLog logs/www-internal.la.xyz.com/access_log combined
</VirtualHost>

<VirtualHost *>
    ServerName www.abc.com
    DocumentRoot "/home/abc/public_website_html"
    ServerAdmin root@xyz.com
    ErrorLog logs/www.abc.com/error_log
    CustomLog logs/www.abc.com/access_log combined

    # Add a bandwidth rate limiter to 8 Kbytes/sec for objects larger
    # than 100 Kbytes.
    <IfModule mod_throttle.c>
        <Directory /home/abc/public_website_html>
            BandWidthModule On
            BandWidthPulse 500000
            LargeFileLimit 100 8192
        </Directory>
    </IfModule>
</VirtualHost>

# This is the statistics web site.
<VirtualHost *>
    ServerName www-internal.abc.com
    DocumentRoot "/home/abc/intranet_html"
    ErrorLog logs/www-internal.abc.com/error_log
    CustomLog logs/www-internal.abc.com/access_log combined
</VirtualHost>

# Redirect any abc.com hostnames to www.abc.com.
<VirtualHost *>
    ServerName abc.com
    ServerAlias abc.com *.abc.com
    ErrorLog logs/www.abc.com/error_log
    CustomLog logs/www.abc.com/access_log combined
    RedirectMatch permanent .* http://www.abc.com/
</VirtualHost>

#<VirtualHost _default_:*>
#</VirtualHost>

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine HAVE_SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCache shm:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file. Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog logs/ssl_engine_log
SSLLogLevel error

</IfModule>

<IfDefine HAVE_SSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#   General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName new.host.name
#ServerAdmin you@your.address
ErrorLog logs/error_log
TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate. If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase. Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' at
#   build time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /usr/share/ssl/certs/www.xyz.com.pem
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file. Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth. Types are
#   none, optional, require and optional_no_ca. Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives. The syntax is a
#   mixture between C and Perl. See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation. This means that
#     the standard Auth/DBMAuth methods can be used for access control. The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
#<Directory "/var/www/cgi-bin">
#    SSLOptions +StdEnvVars
#</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to work around
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>
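# Added example (not part of the original configuration file): a Python check of
# how mod_access evaluates the Order/Allow lines of the /ob-server-status block
# above, and which Allow entries reach beyond loopback and private ranges.
# The function names are this example's own; it evaluates only "all", IP and CIDR
# sources (host-name and partial-address sources are skipped), and the client
# addresses in the demo are constructed.

```python
import ipaddress
import re

# Copied from the page's /ob-server-status block, line numbers stripped.
SAMPLE_CONF = """
<Location /ob-server-status>
    SetHandler server-status
    Order allow,deny
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from 66.12.216.238
    Allow from 66.12.233.174
</Location>
"""


def parse_locations(conf_text):
    """Map each active <Location> path to its handler, Order and Allow/Deny lists."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives are inactive
            continue
        opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
        if opened:
            # mod_access falls back to "Order deny,allow" when no Order is given.
            current = {"handler": None, "order": "deny,allow", "allow": [], "deny": []}
            blocks[opened.group(1).strip('"')] = current
        elif re.match(r"</Location>", line, re.I):
            current = None
        elif current is not None:
            words = line.split()
            name = words[0].lower()
            if name == "sethandler" and len(words) > 1:
                current["handler"] = words[1]
            elif name == "order" and len(words) > 1:
                current["order"] = words[1].lower()
            elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
                current[name].extend(words[2:])
    return blocks


def _matches(client, sources):
    """True if client matches an 'all', IP or CIDR source in the list."""
    addr = ipaddress.ip_address(client)
    for src in sources:
        if src.lower() == "all":
            return True
        try:
            if addr in ipaddress.ip_network(src, strict=False):
                return True
        except ValueError:
            continue  # host name or partial address: needs DNS, not evaluated here
    return False


def is_allowed(block, client):
    """Apply mod_access ordering: deny,allow admits by default, allow,deny refuses."""
    allow_hit = _matches(client, block["allow"])
    deny_hit = _matches(client, block["deny"])
    if block["order"] == "deny,allow":
        return allow_hit or not deny_hit
    return allow_hit and not deny_hit  # allow,deny (and mutual-failure)


def non_private_sources(block):
    """Allow entries that are not confined to loopback or private address space."""
    flagged = []
    for src in block["allow"]:
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            flagged.append(src)  # "all" or a host name
            continue
        if not (net.is_private or net.is_loopback):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    status = parse_locations(SAMPLE_CONF)["/ob-server-status"]
    print("Allow entries outside private ranges:", non_private_sources(status))
    for ip in ("192.168.0.77", "203.0.113.9"):  # constructed client addresses
        print(ip, "allowed" if is_allowed(status, ip) else "denied")
```

# The same Allow list under "Order deny,allow" with no Deny lines admits every
# client, which is why the commented /usr/share/doc block pairs it with "deny from all".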