httpd-users mailing list archives

From "Greg Brooks" <gr...@west-third.com>
Subject [users@httpd] httpd.conf -- addition of SSI and other minor changes on FreeBSD breaks basic HTTP
Date Sun, 20 Apr 2003 23:21:11 GMT
::::OS: FreeBSD 4.8, fresh install:::

All,

This morning, I had a working (but not highly configured) apache SSL
setup; now it's busted. For the life of me, I can't figure out what I
did wrong, and I'm hoping someone on the list can lend me a clue.

Working behaviors included:
  -- Default apache index.html.en came up
  -- I could get to my webmail, which was aliased to
/mydomain/squirrelmail/


Broken behaviors include:
  -- No homepage
  -- No webmail

Config file is below. Only changes I (think) I made between working and
non-working states include:

-- Changing the alias from /squirrelmail/ to /web-mail/ without changing
the source that the alias pointed to.
-- trying to add server-side includes via
   AddType  text/html   .shtml
   AddHandler  server-parsed  .shtml
   Options +Includes (within a <Directory> block... ideally, I want
every directory within my webroot to be able to handle SSIs and I'm not
sure how to do this)
-- Trying to add a virtual domain (saint-theodore.org)

Conf. file below... as I said, any help MUCH appreciated.

Greg
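
Added example, not part of the original post: a small Python check, run over constructed lines modelled on the configuration in this message, that flags section tags with no closing `>`, unbalanced containers, and `Options` lines that turn on full `Includes` (which also permits the SSI `exec` element) rather than `IncludesNoExec`. The function name `lint` and both sample strings are assumptions made for the illustration; the second sample shows SSI enabled for the whole document root through the `<Directory>` block that already covers it.

```python
import re

# Constructed sample modelled on the posted httpd.conf (Apache 1.3 syntax).
SAMPLE_CONF = '''\
<Directory "/usr/local/www/data">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>

<Directory "/usr/local/www/data/bmadmind"
Options +Includes
</Directory>

<IfModule mod_mime.c>
    AddHandler  server-parsed  .shtml
    AddType  text/html  .shtml
</IfModule>
'''

# Constructed alternative: SSI without "exec" for the document root; Options set
# in a <Directory> block also apply to its subdirectories unless overridden.
HARDENED_CONF = '''\
<Directory "/usr/local/www/data">
    Options Indexes FollowSymLinks MultiViews IncludesNoExec
    AllowOverride None
</Directory>

<IfModule mod_mime.c>
    AddHandler  server-parsed  .shtml
    AddType  text/html  .shtml
</IfModule>
'''

OPEN_RE = re.compile(r'^<([A-Za-z]+)\b')
CLOSE_RE = re.compile(r'^</([A-Za-z]+)>$')


def lint(conf_text):
    """Return a list of (line_number, message) findings for one config text."""
    findings = []
    stack = []  # (lower-cased container name, line number) of open sections
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue

        closer = CLOSE_RE.match(line)
        if closer:
            name = closer.group(1).lower()
            if stack and stack[-1][0] == name:
                stack.pop()
            else:
                findings.append((num, f'</{closer.group(1)}> does not match an open section'))
            continue

        opener = OPEN_RE.match(line)
        if opener:
            if not line.endswith('>'):
                findings.append((num, f'<{opener.group(1)} ...> is missing its closing ">"'))
            # Track it anyway so the matching close tag still balances.
            stack.append((opener.group(1).lower(), num))
            continue

        words = line.split()
        if words[0].lower() == 'options':
            for opt in words[1:]:
                # "Includes" or "+Includes" enables SSI with exec; "-Includes" does not.
                if opt.lstrip('+').lower() == 'includes':
                    findings.append(
                        (num, 'Options Includes also permits the SSI "exec" element; '
                              'IncludesNoExec does not'))

    for name, num in stack:
        findings.append((num, f'<{name}> opened here is never closed'))
    return findings


if __name__ == '__main__':
    for label, text in (('sample', SAMPLE_CONF), ('hardened', HARDENED_CONF)):
        print(label)
        for num, message in lint(text) or [(0, 'no findings')]:
            print(f'  line {num}: {message}')
```

On a real host, `apachectl configtest` is the authoritative syntax check; this sketch only covers the two points above.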



* * * * 
##
## httpd.conf -- Apache HTTP server configuration file
##

### Section 1: Global Environment
#
ServerType standalone
ServerRoot "/usr/local"
PidFile /var/run/httpd.pid
ScoreBoardFile /var/run/httpd.scoreboard

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5

MaxClients 150
MaxRequestsPerChild 0

#Listen 3000
#Listen 12.34.56.78:80

#BindAddress *

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file http://httpd.apache.org/docs/dso.html for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.
#
# Note: The order in which modules are loaded is important.  Don't change
# the order below without expert advice.
#
# Example:
# LoadModule foo_module libexec/mod_foo.so
LoadModule vhost_alias_module libexec/apache/mod_vhost_alias.so
LoadModule env_module         libexec/apache/mod_env.so
LoadModule define_module      libexec/apache/mod_define.so
LoadModule config_log_module  libexec/apache/mod_log_config.so
LoadModule mime_magic_module  libexec/apache/mod_mime_magic.so
LoadModule mime_module        libexec/apache/mod_mime.so
LoadModule negotiation_module libexec/apache/mod_negotiation.so
LoadModule status_module      libexec/apache/mod_status.so
LoadModule info_module        libexec/apache/mod_info.so
LoadModule includes_module    libexec/apache/mod_include.so
LoadModule autoindex_module   libexec/apache/mod_autoindex.so
LoadModule dir_module         libexec/apache/mod_dir.so
LoadModule cgi_module         libexec/apache/mod_cgi.so
LoadModule asis_module        libexec/apache/mod_asis.so
LoadModule imap_module        libexec/apache/mod_imap.so
LoadModule action_module      libexec/apache/mod_actions.so
LoadModule speling_module     libexec/apache/mod_speling.so
LoadModule userdir_module     libexec/apache/mod_userdir.so
LoadModule alias_module       libexec/apache/mod_alias.so
LoadModule rewrite_module     libexec/apache/mod_rewrite.so
LoadModule access_module      libexec/apache/mod_access.so
LoadModule auth_module        libexec/apache/mod_auth.so
LoadModule anon_auth_module   libexec/apache/mod_auth_anon.so
LoadModule dbm_auth_module    libexec/apache/mod_auth_dbm.so
LoadModule digest_module      libexec/apache/mod_digest.so
LoadModule proxy_module       libexec/apache/libproxy.so
LoadModule cern_meta_module   libexec/apache/mod_cern_meta.so
LoadModule expires_module     libexec/apache/mod_expires.so
LoadModule headers_module     libexec/apache/mod_headers.so
LoadModule usertrack_module   libexec/apache/mod_usertrack.so
LoadModule unique_id_module   libexec/apache/mod_unique_id.so
LoadModule setenvif_module    libexec/apache/mod_setenvif.so
<IfDefine SSL>
LoadModule ssl_module         libexec/apache/libssl.so
LoadModule php4_module        libexec/apache/libphp4.so
</IfDefine>

#  Reconstruction of the complete module list from all available modules
#  (static and shared ones) to achieve correct module execution order.
#  [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
ClearModuleList
AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_define.c
AddModule mod_log_config.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_dbm.c
AddModule mod_digest.c
AddModule mod_proxy.c
AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_perl.c
AddModule mod_php4.c

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On

### Section 2: 'Main' server configuration
#
Port 80

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

User www
Group www

ServerAdmin gregb@west-third.com

#ServerName www.west-third.com

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/data"

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of 
# permissions.  
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/usr/local/www/data">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>

<Directory "/usr/local/www/data/bmadmind"
Options +Includes
</Directory>
#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS PROPFIND>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS PROPFIND>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

#
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index.  Separate multiple entries with spaces.
#
<IfModule mod_dir.c>
    DirectoryIndex index.html index.php index.shtml
</IfModule>

#
# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

#
# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#
#CacheNegotiatedDocs

#
# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name.  With this setting off, Apache will
# use the hostname:port that the client supplied, when possible.  This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName On

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
<IfModule mod_mime.c>
    TypesConfig /usr/local/etc/apache/mime.types
</IfModule>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
# mod_mime_magic is not part of the default server (you have to add
# it yourself with a LoadModule [see the DSO paragraph in the 'Global
# Environment' section], or recompile the server and include mod_mime_magic
# as part of the configuration), so it's enclosed in an <IfModule> container.
# This means that the MIMEMagicFile directive will only be processed if the
# module is part of the server.
#
<IfModule mod_mime_magic.c>
    MIMEMagicFile /usr/local/etc/apache/magic
</IfModule>

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog /var/log/apache/access.log combined

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature On

# EBCDIC configuration:
# (only for mainframes using the EBCDIC codeset, currently one of:
# Fujitsu-Siemens' BS2000/OSD, IBM's OS/390 and IBM's TPF)!!
# The following default configuration assumes that "text files"
# are stored in EBCDIC (so that you can operate on them using the
# normal POSIX tools like grep and sort) while "binary files" are
# stored with identical octets as on an ASCII machine.
#
# The directives are evaluated in configuration file order, with
# the EBCDICConvert directives applied before EBCDICConvertByType.
#
# If you want to have ASCII HTML documents and EBCDIC HTML documents
# at the same time, you can use the file extension to force
# conversion off for the ASCII documents:
# > AddType       text/html .ahtml
# > EBCDICConvert Off=InOut .ahtml
#
# EBCDICConvertByType  On=InOut text/* message/* multipart/*
# EBCDICConvertByType  On=In    application/x-www-form-urlencoded
# EBCDICConvertByType  On=InOut application/postscript model/vrml
# EBCDICConvertByType Off=InOut */*


#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
<IfModule mod_alias.c>

    #
    # Note that if you include a trailing / on fakename then the server will
    # require it to be present in the URL.  So "/icons" isn't aliased in this
    # example, only "/icons/".  If the fakename is slash-terminated, then the
    # realname must also be slash terminated, and if the fakename omits the
    # trailing slash, the realname must also omit it.
    #
    Alias /icons/ "/usr/local/www/icons/"

    Alias /web-mail/ "/usr/local/squirrelmail/"

    <Directory "/usr/local/www/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # This Alias will project the on-line documentation tree under /manual/
    # even if you change the DocumentRoot. Comment it if you don't want to
    # provide access to the on-line documentation.
    #
    Alias /manual/ "/usr/local/share/doc/apache/"

    <Directory "/usr/local/share/doc/apache">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"

    #
    # "/usr/local/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have that configured.
    #
    <Directory "/usr/local/www/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

</IfModule>
# End of aliases.

#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#

#
# Directives controlling the display of server-generated directory listings.
#
<IfModule mod_autoindex.c>

    #
    # FancyIndexing is whether you want fancy directory indexing or standard
    #
    IndexOptions FancyIndexing

    #
    # AddIcon* directives tell the server which icon to show for different
    # files or filename extensions.  These are only displayed for
    # FancyIndexed directories.
    #
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*

    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^

    #
    # DefaultIcon is which icon to show for files which do not have an icon
    # explicitly set.
    #
    DefaultIcon /icons/unknown.gif

    #
    # AddDescription allows you to place a short description after a file in
    # server-generated indexes.  These are only displayed for FancyIndexed
    # directories.
    # Format: AddDescription "description" filename
    #
    #AddDescription "GZIP compressed document" .gz
    #AddDescription "tar archive" .tar
    #AddDescription "GZIP compressed tar archive" .tgz

    #
    # ReadmeName is the name of the README file the server will look for by
    # default, and append to directory listings.
    #
    # HeaderName is the name of a file which should be prepended to
    # directory indexes. 
    #
    # If MultiViews are amongst the Options in effect, the server will
    # first look for name.html and include it if found.  If name.html
    # doesn't exist, the server will then look for name.txt and include
    # it as plaintext if found.
    #
    ReadmeName README
    HeaderName HEADER

    #
    # IndexIgnore is a set of filenames which directory indexing should ignore
    # and not include in the listing.  Shell-style wildcarding is permitted.
    #
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

</IfModule>
# End of indexing directives.

#
# Document types.
#
<IfModule mod_mime.c>

    #
    # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
    # information on the fly. Note: Not all browsers support this.
    # Despite the name similarity, the following Add* directives have nothing
    # to do with the FancyIndexing customization directives above.
    #
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz

    #
    # AddLanguage allows you to specify the language of a document. You can
    # then use content negotiation to give a browser a file in a language
    # it can understand.  
    #
    # Note 1: The suffix does not have to be the same as the language 
    # keyword --- those with documents in Polish (whose net-standard 
    # language code is pl) may wish to use "AddLanguage pl .po" to 
    # avoid the ambiguity with the common suffix for perl scripts.
    #
    # Note 2: The example entries below illustrate that in quite
    # some cases the two character 'Language' abbreviation is not
    # identical to the two character 'Country' code for its country,
    # E.g. 'Danmark/dk' versus 'Danish/da'.
    #
    # Note 3: In the case of 'ltz' we violate the RFC by using a three char
    # specifier. But there is 'work in progress' to fix this and get 
    # the reference data for rfc1766 cleaned up.
    #
    # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
    # French (fr) - German (de) - Greek-Modern (el)
    # Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn)
    # Portugese (pt) - Luxembourgeois* (ltz)
    # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
    # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
    # Russian (ru)
    #
    AddLanguage da .dk
    AddLanguage nl .nl
    AddLanguage en .en
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage he .he
    AddCharset ISO-8859-8 .iso8859-8
    AddLanguage it .it
    AddLanguage ja .ja
    AddCharset ISO-2022-JP .jis
    AddLanguage kr .kr
    AddCharset ISO-2022-KR .iso-kr
    AddLanguage nn .nn
    AddLanguage no .no
    AddLanguage pl .po
    AddCharset ISO-8859-2 .iso-pl
    AddLanguage pt .pt
    AddLanguage pt-br .pt-br
    AddLanguage ltz .lu
    AddLanguage ca .ca
    AddLanguage es .es
    AddLanguage sv .sv
    AddLanguage cz .cz
    AddLanguage ru .ru
    AddLanguage zh-tw .tw
    AddLanguage tw .tw
    AddCharset Big5         .Big5    .big5
    AddCharset WINDOWS-1251 .cp-1251
    AddCharset CP866        .cp866
    AddCharset ISO-8859-5   .iso-ru
    AddCharset KOI8-R       .koi8-r
    AddCharset UCS-2        .ucs2
    AddCharset UCS-4        .ucs4
    AddCharset UTF-8        .utf8

    # LanguagePriority allows you to give precedence to some languages
    # in case of a tie during content negotiation.
    #
    # Just list the languages in decreasing order of preference. We have
    # more or less alphabetized them here. You probably want to change this.
    #
    <IfModule mod_negotiation.c>
        LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
    </IfModule>

    #
    # AddType allows you to tweak mime.types without actually editing it, or to
    # make certain files to be certain types.
    #
    AddType application/x-tar .tgz
    AddType image/x-icon .ico

    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    AddHandler  server-parsed  .shtml
    AddType  text/html  .shtml 

    #
    # AddHandler allows you to map certain file extensions to "handlers",
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action command (see below)
    #
    # If you want to use server side includes, or CGI outside
    # ScriptAliased directories, uncomment the following lines.
    #
    # To use CGI scripts:
    #
    #AddHandler cgi-script .cgi

    #
    # To use server-parsed HTML files
    #
    #AddType text/html .shtml
    #AddHandler server-parsed .shtml

    #
    # Uncomment the following line to enable Apache's send-asis HTTP file
    # feature
    #
    #AddHandler send-as-is asis

    #
    # If you wish to use server-parsed imagemap files, use
    #
    #AddHandler imap-file map

    #
    # To enable type maps, you might want to use
    #
    #AddHandler type-map var

</IfModule>
# End of document types.

#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#

#
# MetaDir: specifies the name of the directory in which Apache can find
# meta information files. These files contain additional HTTP headers
# to include when sending the document
#
#MetaDir .web

#
# MetaSuffix: specifies the file name suffix for the file containing the
# meta information.
#
#MetaSuffix .meta

#
# Customizable error response (Apache style)
#  these come in three flavors
#
#    1) plain text
#ErrorDocument 500 "The server made a boo boo.
#  n.b.  the single leading (") marks it as text, it does not get output
#
#    2) local redirects
#ErrorDocument 404 /missing.html
#  to redirect to local URL /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
#  N.B.: You can redirect to a script or a document using server-side-includes.
#
#    3) external redirects
#ErrorDocument 402 http://some.other-server.com/subscription_info.html
#  N.B.: Many of the environment variables associated with the original
#  request will *not* be available to such a script.

#
# Customize behaviour based on the browser
#
<IfModule mod_setenvif.c>

    #
    # The following directives modify normal HTTP response behavior.
    # The first directive disables keepalive for Netscape 2.x and browsers that
    # spoof it. There are known problems with these browser implementations.
    # The second directive is for Microsoft Internet Explorer 4.0b2
    # which has a broken HTTP/1.1 implementation and does not properly
    # support keepalive when it is used on 301 or 302 (redirect) responses.
    #
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

    #
    # The following directive disables HTTP/1.1 responses to browsers which
    # are in violation of the HTTP/1.0 spec by not being able to grok a
    # basic 1.1 response.
    #
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

</IfModule>
# End of browser customization directives

#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .your-domain.com
#</Location>

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-info>
#    SetHandler server-info
#    Order deny,allow
#    Deny from all
#    Allow from .your-domain.com
#</Location>

#
# There have been reports of people trying to abuse an old bug from pre-1.1
# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#    ProxyRequests On

#    <Directory proxy:*>
#        Order deny,allow
#        Deny from all
#        Allow from .your-domain.com
#    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
#    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "/usr/local/www/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a-domain.com another-domain.edu joes.garage-sale.com

#</IfModule>
# End of proxy directives.

### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
#NameVirtualHost *

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

#<VirtualHost _default_:*>
#</VirtualHost>

NameVirtualHost *

<VirtualHost *>
ServerName www.saint-theodore.org
DocumentRoot /saint-theodore
</VirtualHost>

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:/var/run/ssl_scache(512000)
#SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  file:/var/run/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      /var/log/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/usr/local/www/data"
ServerName new.host.name
ServerAdmin you@your.address

Alias /web-mail/ "/usr/local/squirrelmail/"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
#SSLCertificateFile /usr/local/etc/apache/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /usr/local/etc/apache/ssl.crt
#SSLCACertificateFile /usr/local/etc/apache/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /usr/local/etc/apache/ssl.crl
#SSLCARevocationFile /usr/local/etc/apache/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  

</IfDefine>






---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
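
The SSLCipherSuite value in the config above is easier to judge token by token, because in OpenSSL cipher-string syntax a leading `+` only reorders suites and never adds them. The sketch below is an added example, not part of the original message or of mod_ssl: it models the `!`, `-` and `+` operators described in ciphers(1) over a small assumed table of weak classes (`GROUPS` and `audit` are names chosen here) and reports which of those classes a string still permits. Keywords outside the table, such as HIGH, MEDIUM, RC4 and RSA, are not modelled.

```python
import re

# The SSLCipherSuite value from the posted httpd.conf.
PAGE_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

# Weak classes tracked by this sketch (an assumption of the example, far from
# a full cipher database). Each keyword expands to the classes it covers.
EXPORT = {"EXPORT40", "EXPORT56"}
GROUPS = {
    "ALL": {"ADH", "LOW", "SSLv2"} | EXPORT,   # ciphers(1): ALL leaves out eNULL
    "EXP": EXPORT, "EXPORT": EXPORT,
    "NULL": {"eNULL"},
}
for name in ("eNULL", "ADH", "LOW", "SSLv2", "EXPORT40", "EXPORT56"):
    GROUPS[name] = {name}


def audit(suite):
    """Return the tracked weak classes a cipher string leaves enabled."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", suite.strip()):
        if not token or token.startswith("@"):    # e.g. @STRENGTH only sorts
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")        # A+B means "A and B"
        classes = set().union(*(GROUPS.get(p, set()) for p in parts))
        if op == "!":                             # permanent delete
            if len(parts) == 1:                   # a combination removes only
                killed |= classes                 # part of a class: keep it
                enabled -= classes
        elif op == "-":                           # delete, may be re-added
            if len(parts) == 1:
                enabled -= classes
        elif op == "":                            # plain keyword: add
            enabled |= classes - killed
        # op == "+" moves suites already present to the end and adds nothing
    return enabled


if __name__ == "__main__":
    print(sorted(audit(PAGE_SUITE)))
```

In this model the posted string still permits the LOW, SSLv2 and 40-bit export classes, since `!EXPORT56` removes only the 56-bit export suites, while the trailing `+eNULL` enables nothing.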

