Return-Path:
Available in versions 2.2 and later Available in versions after 2.0.54 When Apache issues a redirect in response to a client request,
the response includes some actual text to be displayed in case
Modified: httpd/httpd/branches/2.2.x/docs/manual/faq/all_in_one.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/faq/all_in_one.xml?rev=290427&r1=290426&r2=290427&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/faq/all_in_one.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/faq/all_in_one.xml Tue Sep 20 04:57:56 2005
@@ -32,10 +32,10 @@
web site, at <http://httpd.apache.org/docs-2.1/faq/>. Since Apache 2.0 is quite new, we don't yet know what the Frequently
- Asked Questions will be. While this section fills up, you should also
- consult the Apache 1.3
- FAQ to see if your question is answered there. If you don't find the answer to your question in the below
+ sections, please also consult the Apache 1.3
+ FAQ to see if your question is answered there.
A Permission denied
error in the
+ error_log
, accompanied by a Forbidden
+ message to the client usually indicates a problem with your
+ filesystem permissions, rather than a problem in the Apache HTTP
+ Server configuration files. Check to make sure that the
+ chmod
+ +x
).
Recent releases of Fedora Core and other Linux distributions
+ using SELinux have additional access restrictions beyond those
+ used by the basic filesystem. Violations of these restrictions
+ will also result in a Permission denied
message. See
+ the Fedora
+ SELinux FAQ and Apache
+ SELinux Policy Document.
Since Apache 2.0 is quite new, we don't yet know what the - Frequently Asked Questions will be. While this section fills up, - you should also consult the Apache 1.3 FAQ to see - if your question is answered there.
+If you don't find the answer to your question in the below + sections, please also consult the Apache 1.3 + FAQ to see if your question is answered there.
&categories; Modified: httpd/httpd/branches/2.2.x/docs/manual/install.xml URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/install.xml?rev=290427&r1=290426&r2=290427&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/docs/manual/install.xml (original) +++ httpd/httpd/branches/2.2.x/docs/manual/install.xml Tue Sep 20 04:57:56 2005 @@ -152,14 +152,15 @@--with-perl
- option (see below) to make sure the correct one is selected
- by --with-perl
option (see below) to make sure the
+ correct one is used by The Redirect directive maps an old URL into a new one. The - new URL is returned to the client which attempts to fetch it - again with the new address. URL-path a (%-decoded) - path; any requests for documents beginning with this path will - be returned a redirect error to a new (%-encoded) URL beginning - with URL.
+The Redirect directive maps an old URL into a new one by asking + the client to refetch the resource at the new location.
+ +The old URL-path is a (%-decoded) path beginning with + a slash. A relative path is not allowed. The new URL + should be an absolute URL beginning with a scheme and hostname, + but a URL-path beginning with a slash may also be used, in which + case the scheme and hostname of the current server will be + added.
+ +Then any request beginning with URL-Path will return a + redirect request to the client at the location of the target + URL. Additional path information beyond the matched + URL-Path will be appended to the target URL.
If the client requests http://myserver/service/foo.txt, it - will be told to access http://foo2.bar.com/service/foo.txt +
If the client requests http://example.com/service/foo.txt, it + will be told to access http://foo2.example.com/service/foo.txt instead.
Redirect directives take precedence over
Alias and ScriptAlias directives, irrespective of their ordering in
-the configuration file. Also, URL-path must be a fully
-qualified URL, not a relative path, even when used with .htaccess files or
-inside of
If no status argument is given, the redirect will
be "temporary" (HTTP status 302). This indicates to the client
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml?rev=290427&r1=290426&r2=290427&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml Tue Sep 20 04:57:56 2005
@@ -86,8 +86,8 @@
<IfModule mod_cache.c>
- # If you want to use mod_disk_cache instead of mod_mem_cache,
- # uncomment the line above and comment out the LoadModule line below.
+ # If you want to use mod_disk_cache instead of mod_mem_cache,
+ # uncomment the line above and comment out the LoadModule line below.
<IfModule mod_disk_cache.c>
@@ -107,6 +107,9 @@
MCacheMaxObjectSize 2048
+
+ # When acting as a proxy, don't cache the list of security updates
+ CacheDisable http://security.update.server/update-list/
CacheEnable disk /
+
+
When acting as a forward proxy server, url-string can + also be used to specify remote sites and proxy protocols which + caching should be enabled for.
+ +It is up to dbd user modules to use the prepared statements - and document what statements can be specified in httpd.conf.
+ and document what statements can be specified in httpd.conf, + or to provide their own directives and useap_dbd_prepare
.
%{format}P
pid
and tid
.
+ request. Valid formats are pid
, tid
,
+ and hextid
. hextid
requires APR 1.2.0 or
+ higher.
%q
Enabled via lbmethod=byrequests
, the idea behind this
scheduler is that we distribute the requests among the
@@ -237,7 +237,7 @@
are selected with 3 b interspersed.
Enabled via
-This directive sets the Certificate verification level for the remote server
-Authentication. Notice that this directive can be used both in per-server and
-per-directory context. In per-server context it applies to the remote server
-authentication process used in the standard SSL handshake when a connection is
-established. In per-directory context it forces a SSL renegotation with the
-reconfigured remote server verification level after the HTTP request was read but
-before the HTTP response is sent. When a proxy is configured to forward requests to a remote SSL
+server, this directive can be used to configure certificate
+verification of the remote server. Notice that this directive can be
+used both in per-server and per-directory context. In per-server
+context it applies to the remote server authentication process used in
+the standard SSL handshake when a connection is established by the
+proxy. In per-directory context it forces a SSL renegotation with the
+reconfigured remote server verification level after the HTTP request
+was read but before the HTTP response is sent. Note that even when certificate verification is enabled,
+
The following levels are available for level: The Setting this value to zero means that the server will wait
+ indefinitely until all remaining requests have been fully served. The server will set the TCP receive buffer size to the number of
+ bytes specified. If set to the value of The server will set the TCP buffer size to the number of bytes
+ The server will set the TCP send buffer size to the number of bytes
specified. Very useful to increase past standard OS defaults on
high speed high latency (i.e., 100ms or so, such as
transcontinental fast pipes). If set to the value of lbmethod=bytraffic
, the idea behind this
scheduler is very similar to the Request Counting method, with
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=290427&r1=290426&r2=290427&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Tue Sep 20 04:57:56 2005
@@ -1390,14 +1390,29 @@
commonName
(hostname) attribute of the server certificate
+matches the hostname used to connect to the server. In other words,
+the proxy does not guarantee that the SSL connection to the backend
+server is "secure" beyond the fact that the certificate is signed by
+one of the CAs configured using the
+
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml?rev=290427&r1=290426&r2=290427&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml Tue Sep 20 04:57:56 2005
@@ -157,6 +157,27 @@
0
, the server will use the
+ OS default.0
, the server will use the
- OS deault.
mod_disk_cache
setups.
+ prefork
and worker
MPMs now
+ allow httpd
to be shutdown gracefully via the
+ graceful-stop
+ signal. The GracefulShutdownTimeout
directive
+ has been added to specify an optional timeout, after which
+ httpd
will terminate regardless of the status
+ of any requests being served.mod_proxy_balancer
module provides
load balancing services for mod_proxy
.
Modified: httpd/httpd/branches/2.2.x/docs/manual/new_features_2_2.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/new_features_2_2.xml?rev=290427&r1=290426&r2=290427&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/new_features_2_2.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/new_features_2_2.xml Tue Sep 20 04:57:56 2005
@@ -48,6 +48,17 @@
has been introduced to cleanup graceful-stop
+ signal. The apachectl -k graceful
.graceful-stop
apachectl -k graceful-stop
.configtest
conf/httpd.conf
.-k start|restart|graceful|stop
-k start|restart|graceful|stop|graceful-stop
httpd
to start, restart, or stop. See Stopping Apache for more information.The presented content is mainly derived, with permission by the author, +
The presented content is mainly derived, with the author's permission, from the article Introducing -SSL and Certificates using SSLeay from Frederick J. Hirsch, of The +href="http://home.comcast.net/~fjhirsch/Papers/wwwj/">Introducing +SSL and Certificates using SSLeay by Frederick J. Hirsch, of The Open Group Research Institute, which was published in Web Security: A Matter of Trust, World Wide Web Journal, Volume 2, Issue 3, Summer 1997. @@ -73,10 +73,10 @@ money. Alice would like the message to be private, since it will include information such as her account number and transfer amount. One solution is to use a cryptographic algorithm, a technique that would - transform her message into an encrypted form, unreadable except by - those it is intended for. Once in this form, the message may only be - interpreted through the use of a secret key. Without the key the - message is useless: good cryptographic algorithms make it so difficult + transform her message into an encrypted form, unreadable until it is + decrypted. Once in this form, the message can only be + decrypted by using a secret key. Without the key the message is useless: + good cryptographic algorithms make it so difficult for intruders to decode the original text that it isn't worth their effort.
@@ -87,11 +87,12 @@Anyone may encrypt a message using the public key, but only the +
Anyone can encrypt a message using the public key, but only the owner of the private key will be able to read it. In this way, Alice - may send private messages to the owner of a key-pair (the bank), by + can send private messages to the owner of a key-pair (the bank), by encrypting it using their public key. Only the bank will be able to decrypt it.
A summary such as this is called a message digest, one-way -function or hash function. Message digests are used to create -short, fixed-length representations of longer, variable-length messages. -Digest algorithms are designed to produce unique digests for different -messages. Message digests are designed to make it too difficult to determine -the message from the digest, and also impossible to find two different -messages which create the same digest -- thus eliminating the possibility of -substituting one message for another while maintaining the same digest.
-Another challenge that Alice faces is finding a way to send the digest to the -bank securely; when this is achieved, the integrity of the associated message -is assured. One way to do this is to include the digest in a digital -signature.
+ function or hash function. Message digests are used to create + a short, fixed-length representation of a longer, variable-length message. + Digest algorithms are designed to produce a unique digests for each + message. Message digests are designed to make it impractically difficult + to determine the message from the digest, and (in theory) impossible to + find two different messages which create the same digest -- thus + eliminating the possibility of substituting one message for another while + maintaining the same digest. + +Another challenge that Alice faces is finding a way to send the digest + to the bank securely; if the digest is not sent securely, its integrity may + be compromised, and with it, the possibility for the bank to determine the + integrity of the original message. Only if the digest is sent securely can + the integrity of the associated message be determined.
+ +One way to send the digest securely is to include it in a digital + signature.
When Alice sends a message to the bank, the bank needs to ensure that the -message is really from her, so an intruder does not request a transaction +message is really from her, so an intruder cannot request a transaction involving her account. A digital signature, created by Alice and included with the message, serves this purpose.
Digital signatures are created by encrypting a digest of the message, and other information (such as a sequence number) with the sender's -private key. Though anyone may decrypt the signature using the public -key, only the signer knows the private key. This means that only they may +private key. Though anyone can decrypt the signature using the public +key, only the sender knows the private key. This means that only they can have signed it. Including the digest in the signature means the signature is only good for that message; it also ensures the integrity of the message since no one can change the digest and still sign it.
@@ -160,13 +168,13 @@Although Alice could have sent a private message to the bank, signed it, and ensured the integrity of the message, she still needs to be sure that she is really communicating with the bank. This means that she needs -to be sure that the public key she is using corresponds to the bank's -private key. Similarly, the bank also needs to verify that the message -signature really corresponds to Alice's signature.
+to be sure that the public key she is using is part of the bank's key-pair, +and not an intruder's. Similarly, the bank needs to verify that the message +signature really was signed by the private key that belongs to Alice.If each party has a certificate which validates the other's identity, -confirms the public key, and is signed by a trusted agency, then they both -will be assured that they are communicating with whom they think they are. +confirms the public key, and is signed by a trusted agency, then both +can be assured that they are communicating with whom they think they are. Such a trusted agency is called a Certificate Authority, and certificates are used for authentication.
@@ -248,9 +256,9 @@A Certificate Authority may define a policy specifying which
distinguished field names are optional, and which are required. It
may also place requirements upon the field contents, as may users of
- certificates. As an example, a Netscape browser requires that the
- Common Name for a certificate representing a server has a name which
- matches a wildcard pattern for the domain name of that server, such
+ certificates. For example, a Netscape browser requires that the
+ Common Name for a certificate representing a server matches a wildcard
+ pattern for the domain name of that server, such
as *.snakeoil.com
.
The binary format of a certificate is defined using the ASN.1 @@ -261,10 +269,9 @@ Rules (DER), which are based on the more general Basic Encoding Rules (BER). For those transmissions which cannot handle binary, the binary form may be translated into an ASCII form by using Base64 encoding - [MIME]. This encoded version is called PEM encoded - (the name comes from "Privacy Enhanced Mail"), when placed between - begin and end delimiter lines as illustrated in the following - example.
+ [MIME]. When placed between begin and end delimiter + lines (as below), this encoded version is called a PEM ("Privacy Enhanced + Mail") encoded certificate.The second method of signaling the -k
command line options: stop
,
- restart
, and graceful
,
+ restart
, graceful
and graceful-stop
,
as described below. These are arguments to the
USR1
to
- be used for a graceful restart, an alternative signal may be used (such
- as WINCH
). The command apachectl graceful
- will send the right signal for your platform.This code is designed to always respect the process control
directive of the MPMs, so the number of processes and threads
available to serve clients will be maintained at the appropriate
@@ -119,9 +114,10 @@
been created, then create enough to pick up the slack. Hence the
code tries to maintain both the number of children appropriate for
the current load on the server, and respect your wishes with the
-
Users of the
Users of USR1
is sent. The code was
written to both minimize the time in which the server is unable
@@ -185,29 +181,76 @@
error. See above for a method of avoiding this.
apachectl -k graceful-stop
The WINCH
or graceful-stop
signal causes
+ the parent process to advise the children to exit after
+ their current request (or to exit immediately if they're not
+ serving anything). The parent will then remove its TERM
signal
+ to force them to exit.
A TERM
signal will immediately terminate the
+ parent process and all children when in the "graceful" state. However
+ as the apachectl
or httpd
to send this signal,
The graceful-stop
signal allows you to run multiple
+ identically configured instances of
Care has been taken to ensure that on-disk files
+ such as the
You should also be wary of other potential race conditions, such as
+ using
Prior to Apache 1.2b9 there were several race - conditions involving the restart and die signals (a simple - description of race condition is: a time-sensitive problem, as - in if something happens at just the wrong time it won't behave - as expected). For those architectures that have the "right" + conditions involving the restart and die signals (a simply put, + a race condition is a time-sensitive problem - if something happens + at just the wrong time or things happen in the wrong order, + undesired behaviour will result. If the same thing happens at the right + time, all will be well). For those architectures that have the "right" feature set we have eliminated as many as we can. But it should - be noted that there still do exist race conditions on certain + be noted that race conditions do still exist on certain architectures.
-Architectures that use an on disk
Architectures that use an on-disk HUP
) or "long lost
child came home!" (after USR1
). The former is a fatal
error, while the latter just causes the server to lose a
- scoreboard slot. So it might be advisable to use graceful
+ scoreboard slot. So it may be advisable to use graceful
restarts, with an occasional hard restart. These problems are very
difficult to work around, but fortunately most architectures do
not require a scoreboard file. See the
All architectures have a small race condition in each child
involving the second and subsequent requests on a persistent
Modified: httpd/httpd/branches/2.2.x/docs/manual/vhosts/details.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/vhosts/details.xml?rev=290427&r1=290426&r2=290427&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/vhosts/details.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/vhosts/details.xml Tue Sep 20 04:57:56 2005
@@ -191,6 +191,7 @@