developer/ 40755 0 0 0 11256637773 10116 5ustar 0 0 faq/ 40755 0 0 0 11256637773 6700 5ustar 0 0 howto/ 40755 0 0 0 11256637773 7271 5ustar 0 0 images/ 40755 0 0 0 11256637773 7376 5ustar 0 0 misc/ 40755 0 0 0 11256637773 7064 5ustar 0 0 mod/ 40755 0 0 0 11256637773 6710 5ustar 0 0 platform/ 40755 0 0 0 11256637773 7755 5ustar 0 0 programs/ 40755 0 0 0 11256637773 7763 5ustar 0 0 rewrite/ 40755 0 0 0 11256637773 7612 5ustar 0 0 ssl/ 40755 0 0 0 11256637773 6732 5ustar 0 0 style/ 40755 0 0 0 11256637773 7271 5ustar 0 0 style/_generated/ 40755 0 0 0 11256637773 11366 5ustar 0 0 style/css/ 40755 0 0 0 11256637627 10057 5ustar 0 0 style/lang/ 40755 0 0 0 11256637773 10212 5ustar 0 0 style/latex/ 40755 0 0 0 11256637773 10406 5ustar 0 0 style/xsl/ 40755 0 0 0 11256637773 10077 5ustar 0 0 style/xsl/util/ 40755 0 0 0 11256637773 11054 5ustar 0 0 vhosts/ 40755 0 0 0 11256637773 7457 5ustar 0 0 bind.html100644 0 0 22717 11256637772 10060 0ustar 0 0 Adresse IP et port d'écoute - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Adresse IP et port d'écoute

Configuration d'Apache pour l'écoute sur un port et une adresse IP spécifiques.

Voir aussi

top

Vue d'ensemble

Modules ApparentésDirectives Apparentées

Au démarrage d'Apache, un port et une adresse lui sont associés sur l'hôte local et le serveur se met en attente de l'arrivée d'une requête. Par défaut, le serveur écoute toutes les adresses de l'hôte local. Cependant, on peut lui préciser des ports spécifiques à écouter, ou lui dire de n'écouter que sur certaines adresses, ou une combinaison des deux. Tout ceci est souvent associé avec la fonctionnalité des hôtes virtuels qui détermine la manière dont Apache répond aux différents ports, noms d'hôtes et adresses IP.

La directive Listen enjoint le serveur de n'accepter des requêtes que sur les ports spécifiés ou une combinaison adresse/port. Si seul un numéro de port est spécifié dans la directive Listen, le serveur écoute ce port sur toutes les interfaces réseau. Si une adresse IP est spécifiée en plus du port, le serveur va écouter ce port sur l'interface réseau correspondante. On peut utiliser de multiples directives Listen pour spécifier plusieurs adresses et ports à écouter. Le serveur répondra alors aux requêtes sur ces ports et adresses spécifiés.

Par exemple, pour faire en sorte que le serveur accepte des connexions sur les ports 80 et 8000 sur toutes ses interfaces, utilisez :

Listen 80
Listen 8000

Pour faire en sorte que le serveur accepte des connexions sur le port 80 sur une interface, et sur le port 8000 sur une autre interface :

Listen 192.0.2.1:80
Listen 192.0.2.5:8000

Les adresses IPv6 doivent être entourêes de crochets, comme dans l'exemple suivant :

Listen [2001:db8::a00:20ff:fea7:ccea]:80

top

Remarques spécifiques à IPv6

Un nombre croissant de plateformes implémentent IPv6, et APR supporte IPv6 sur la plupart d'entre elles, ce qui permet à Apache d'allouer des points de connexion (sockets) IPv6 et de traiter des requêtes envoyées sur IPv6.

Les administrateurs d'Apache doivent se préoccuper de la possibilité pour un point de connexion IPv6 de traiter à la fois des connexions IPv4 et des connexions IPv6. Le traitement de connexions IPv4 avec un point de connexion IPv6 utilise des adresses IPv6 traduites en IPv4, qui sont autorisées par défaut sur la plupart des plateformes, mais sont interdites par défaut sous FreeBSD, NetBSD, et OpenBSD, afin de respecter la politique de sécurité du système sur ces plateformes. Mais même sur les systèmes où ces adresses sont interdites par défaut, un paramètre spécial du script configure permet de modifier ce comportement pour Apache.

En revanche, sur certaines plateformes comme Linux et Tru64, la seule manière de gérer à la fois IPv6 et IPv4 passe par l'utilisation d'adresses traduites. Si vous voulez qu'Apache gère des connexions IPv4 et IPv6 avec un minimum de points de connexion, ce qui nécessite l'utilisation d'adresses IPv6 traduites en IPv4, utilisez l'option --enable-v4-mapped du script configure.

L'option --enable-v4-mapped est utilisée par défaut sur toutes les plateformes sauf FreeBSD, NetBSD, et OpenBSD; votre Apache a donc probablement été construit avec cette option.

Si vous souhaitez qu'Apache ne gère que des connexions IPv4, sans se soucier de ce que vos plateforme et APR supportent, spécifiez une adresse IPv4 dans toutes les directives Listen, comme dans l'exemple suivant :

Listen 0.0.0.0:80
Listen 192.0.2.1:80

Si votre plateforme le supporte et si vous souhaitez qu'Apache gère des connexions IPv4 et IPv6 sur des points de connexion séparés (c'est à dire désactiver la traduction des adresses IPv6 au format IPv4), utilisez l'option --disable-v4-mapped du script configure. --disable-v4-mapped est utilisé par défaut sur FreeBSD, NetBSD, et OpenBSD.

top

Comment tout ceci fonctionne-t-il avec les hôtes virtuels

La directive Listen n'implémente pas les hôtes virtuels. Elle indique simplement au serveur principal sur quels adresses et ports il doit écouter. Si aucune directive <VirtualHost> n'est présente, le serveur se comportera de la même façon pour toutes les requêtes acceptées. En revanche, la directive <VirtualHost> peut être utilisée pour provoquer une réaction différente du serveur pour un ou plusieurs adresses/ports. Pour implémenter un hôte virtuel, on doit d'abord indiquer au serveur sur quels adresses et ports il doit écouter. Ensuite, une section <VirtualHost> doit être créée pour chaque couple adresse+port spécifié afin de définir le comportement de cet hôte virtuel. Notez que si la directive <VirtualHost> est définie pour une adresse et un port sur lesquels le serveur n'est pas censé écouter, cet hôte virtuel ne sera pas accessible.

caching.html100644 0 0 124757 11256637772 10567 0ustar 0 0 Guide de la mise en cache - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Guide de la mise en cache

Ce document complète la documentation de référence des modules mod_cache, mod_disk_cache, mod_mem_cache, mod_file_cache et du programme htcacheclean. Il décrit l'utilisation des fonctionnalités de mise en cache d'Apache pour accélérer les services web et proxy, tout en évitant les problèmes courants et les erreurs de configuration.

top

Introduction

Depuis la version 2.2 du serveur HTTP Apache, les modules mod_cache et mod_file_cache ne sont plus jugés expérimentaux et on considère qu'ils peuvent être utilisés en production. Ces architectures de mise en cache constituent un puissant concept d'accélération de la gestion HTTP, tant comme serveur web originel que comme mandataire.

Le module mod_cache et ses modules de soutien mod_mem_cache et mod_disk_cache permettent une mise en cache intelligente du point de vue HTTP. Le contenu proprement dit est stocké dans le cache, et mod_cache tente d'honorer tous les en-têtes HTTP et les options qui définissent la possibilité de mise en cache du contenu. Il gère non seulement le contenu local, mais aussi le contenu mandaté. mod_cache est conçu pour des configurations de mise en cache simples ou complexes, dans lesquels vous traitez de contenu mandaté, de contenu local dynamique ou avez besoin d'accélérer l'accès à des fichiers locaux qui sont modifiés au cours du temps.

Le module mod_file_cache quant à lui, constitue une forme de mise en cache plus basique, mais quelques fois intéressante. Plutôt que de gérer la complexité de s'assurer de manière active de la possibilité de mise en cache d'URLs, mod_file_cache fournit des méthodes pour la gestion et l'édition de fichiers en mémoire afin de maintenir un cache de fichiers dans l'état où ils étaient la dernière fois qu'Apache a démarré. En tant que tel, mod_file_cache a été conçu pour améliorer le temps d'accès à des fichiers locaux statiques qui ne sont modifiés que rarement.

Etant donné que mod_file_cache constitue une implémentation de mise en cache relativement simple, mises à part les sections spécifiques sur les directives CacheFile et MMapFile, les explications fournies dans ce guide concernent l'architecture de mise en cache du module mod_cache.

Pour tirer parti efficacement de ce document, les bases de HTTP doivent vous être familières, et vous devez avoir lu les sections Mise en correspondance des URLs avec le système de fichiers et Négociation sur le contenu du guide de l'utilisateur.

top

Vue d'ensemble de la mise en cache

Modules ApparentésDirectives Apparentées

mod_cache peut faire intervenir deux phases principales pendant la durée de vie d'une requête. En premier lieu, mod_cache est un module de mise en correspondance d'URLs, ce qui signifie que si une URL a été mise en cache, et que la version du cache de cette URL n'est pas arrivée à expiration, la requête sera traitée directement par mod_cache.

Ceci entraîne que toutes autres actions qui se dérouleraient normalement au cours du processus de traitement d'une requête -- par exemple un traitement effectué par mod_proxy, ou mod_rewrite -- ne seront pas effectuées. Mais c'est justement l'intérêt de la mise en cache préalable du contenu.

Si l'URL ne se trouve pas dans le cache, mod_cache va ajouter un filtre au traitement de la requête. Une fois le contenu de la réponse HTTP trouvé par Apache de manière classique, le filtre sera exécuté en même temps que le contenu sera transmis au client. S'il est déterminé que le contenu peut être mis en cache, il sera sauvegardé dans le cache pour une utilisation future.

Si l'URL se trouve dans le cache, mais est arrivée à expiration, le filtre est quand-même ajouté, mais mod_cache va créer une requête conditionnelle en arrière-plan, pour déterminer si la version du cache est encore à jour. Si la version du cache est encore à jour, ses meta-informations seront mises à jour et la requête sera servie à partir du cache. Si la version du contenu n'est plus à jour, elle sera supprimée et le filtre va sauvegarder le contenu mis à jour dans le cache au moment où il sera servi.

Amélioration du taux de présence dans le cache

Lors de la mise en cache de contenu généré localement, le positionnement de la directive UseCanonicalName à On peut améliorer de manière spectaculaire le taux de présence dans le cache. Ceci est du au fait que le nom d'hôte de l'hôte virtuel qui sert le contenu constitue une partie de la clé de cache. Avec UseCanonicalName positionnée à On, les hôtes virtuels possédant plusieurs noms de serveur ou alias ne généreront pas d'entités de cache différentes, et le contenu sera mis en cache en faisant référence au nom d'hôte canonique.

Les documents mis en cache ne seront servis qu'en réponse à des requêtes de type URL, car la mise en cache est effectuée lors de la phase de traduction de l'URL en nom de fichier. En général, cela n'a que peu d'effet, à moins que vous n'utilisiez les Inclusions Côté Serveur (SSI);

<!-- L'inclusion suivante peut être mise en cache -->
<!--#include virtual="/footer.html" -->

<!-- L'inclusion suivante ne peut pas être mise en cache -->
<!--#include file="/path/to/footer.html" -->

Si vous utilisez les SSI, et voulez bénéficier de la vitesse de service depuis le cache, vous devez utiliser des inclusions de type virtual.

Périodes d'expiration

La période d'expiration par défaut pour les entités du cache est d'une heure; elle peut cependant être facilement modifiée à l'aide de la directive CacheDefaultExpire. Cette valeur par défaut n'est utilisée que lorsque la source originale du contenu ne précise pas de période d'expiration ou d'heure de dernière modification.

Si une réponse ne contient pas d'en-tête Expires mais inclut un en-tête Last-Modified, mod_cache peut déduire une période d'expiration en se basant sur la valeur de la directive CacheLastModifiedFactor.

La période d'expiration des contenus locaux peut être ajustée finement en utilisant le module mod_expires.

On peut aussi contrôler la période d'expiration maximale en utilisant la directive CacheMaxExpire.

Guide succinct des requêtes conditionnelles

Lorsqu'un contenu est arrivé à expiration dans le cache et fait l'objet d'une nouvelle demande d'accès, plutôt que traiter directement la requête originale, Apache préfère utiliser une requête conditionnelle.

HTTP propose toute une panoplie d'en-têtes qui permettent à un client, ou au cache de distinguer les différentes versions d'un même contenu. Par exemple, si une ressource a été servie avec un en-tête "Etag:", il est possible de créer une requête conditionnelle contenant un en-tête "If-None-Match:". Si une ressource a été servie avec un en-tête "Last-Modified:", il est possible de créer une requête conditionnelle contenant un en-tête "If-Modified-Since:", etc....

Lorsqu'une telle requête conditionnelle est créée, la reponse diffère selon que le contenu satisfait ou non aux conditions. Si une requête est créée avec un en-tête "If-Modified-Since:", et le contenu n'a pas été modifié depuis le moment indiqué dans la requête, alors un laconique "304 Not Modified" est retourné.

Si le contenu a été modifié, il est servi comme si la requête n'avait pas été conditionnelle à l'origine.

Les bénéfices des requêtes conditionnelles pour ce qui concerne la mise en cache sont de deux sortes. Premièrement, quand une telle requête est envoyée au processus en arrière-plan, il sera aisé de déterminer si le contenu que devra servir le processus en arrière-plan correspond au contenu stocké dans le cache, sans être obligé de transmettre la totalité de la ressource.

Deuxièmement, les requêtes conditionnelles sont en général moins coûteuses en ressources pour le processus en arrière-plan. Pour ce qui est des fichiers statiques, l'action type est un appel à stat() ou un appel système similaire, pour déterminer si la taille du fichier ou sa date de modification ont changé. Ainsi, même si Apache met en cache le contenu local, un contenu arrivé à expiration pourra être servi plus rapidement depuis le cache s'il n'a pas été modifié, parce que la lecture depuis le cache est plus rapide que la lecture depuis le processus en arrière-plan (à comparer à la différence de vitesse entre la lecture depuis un cache en mémoire et la lecture depuis un disque).

Que peut-on mettre en cache ?

Comme mentionné plus haut, les deux styles de mise en cache d'Apache fonctionnent différemment; la mise en cache de mod_file_cache conserve les contenus des fichiers tels qu'ils étaient au démarrage d'Apache. Quand une requête pour un fichier mis en cache par ce module est envoyée, elle est interceptée et le fichier mis en cache est servi.

La mise en cache de mod_cache, quant à elle, est plus complexe. Lors du traitement d'une requête, le module de mise en cache déterminera si le contenu peut être mis en cache, s'il ne l'a pas déjà été auparavant. Les conditions qui permettent de déterminer la possibilité de mise en cache d'une réponse sont :

  1. La mise en cache doit être activée pour cette URL. Voir les directives CacheEnable et CacheDisable.
  2. La reponse doit avoir un code de statut HTTP de 200, 203, 300, 301 ou 410.
  3. La requête doit être de type HTTP GET.
  4. Si la requête contient un en-tête "Authorization:", la réponse ne sera pas mise en cache.
  5. Si la réponse contient un en-tête "Authorization:", elle doit aussi contenir une option "s-maxage", "must-revalidate" ou "public" dans l'en-tête "Cache-Control:".
  6. Si l'URL contenait une requête sous forme de chaîne de caractères (provenant par exemple d'une méthode GET de formulaire HTML), elle ne sera pas mise en cache à moins que la réponse ne contienne un en-tête "Expires:", comme précisé dans la RFC2616 section 13.9.
  7. Si la réponse a un statut de 200 (OK), elle doit aussi contenir au moins un des en-têtes "Etag", "Last-Modified" ou "Expires", à moins que la directive CacheIgnoreNoLastMod ne précise d'autres contraintes.
  8. Si la réponse contient l'option "private" dans un en-tête "Cache-Control:", elle ne sera pas mise en cache à moins que la directive CacheStorePrivate ne précise d'autres contraintes.
  9. De même, si la réponse contient l'option "no-store" dans un en-tête "Cache-Control:", elle ne sera pas mise en cache à moins que la directive CacheStoreNoStore n'ait été utilisée.
  10. Une réponse ne sera pas mise en cache si elle comporte un en-tête "Vary:" contenant le caractère "*" qui correspond à toute chaîne de caractères.

Qu'est ce qui ne doit pas être mis en cache ?

En bref, tout contenu qui varie beaucoup avec le temps, ou en fonction de particularités de la requête qui ne sont pas couvertes par la négociation HTTP, ne doit pas être mis en cache.

Un contenu dynamique qui varie en fonction de l'adresse IP du demandeur, ou qui est modifié toutes les 5 minutes, ne devra en général pas être mis en cache.

Si par contre le contenu servi diffère en fonction de la valeur de divers en-têtes HTTP, il se peut que l'on puisse le mettre en cache intelligemment en utilisant un en-tête "Vary".

Contenu variable et/ou négocié

Si mod_cache reçoit une réponse contenant un en-tête "Vary", lorsqu'un contenu a été demandé par un processus d'arrière-plan, il va s'efforcer de la traiter intelligemment. Si possible, mod_cache va détecter les en-têtes attribués dans la réponse "Vary" à l'occasion des futures demandes, et servir une réponse correcte à partir du cache.

Si par exemple, une réponse est reçue avec l'en-tête Vary suivant,

Vary: negotiate,accept-language,accept-charset

mod_cache ne servira aux demandeurs que le contenu mis en cache qui correspond au contenu des en-têtes accept-language et accept-charset de la requête originale.

top

Considérations sur la sécurité

Autorisation et contrôle d'accès

Utiliser mod_cache revient sensiblement à la même chose qu'avoir un mandataire inverse intégré (reverse-proxy). Les requêtes seront servies par le module de mise en cache sauf si ce dernier détermine qu'un processus d'arrière-plan doit être appelé. La mise en cache de ressources locales modifie considérablement le modèle de sécurité d'Apache.

Comme le parcours de la hiérarchie d'un système de fichiers pour examiner le contenu d'éventuels fichiers .htaccess serait une opération très coûteuse en ressources, annulant partiellement de ce fait l'intérêt de la mise en cache (accélérer le traitement des requêtes), mod_cache ne se préoccupe pas de savoir s'il a l'autorisation de servir une entité mise en cache. En d'autres termes, si mod_cache a mis en cache un certain contenu, ce dernier sera servi à partir du cache tant qu'il ne sera pas arrivé à expiration.

Si par exemple, votre configuration autorise l'accès à une ressource en fonction de l'adresse IP, vous devez vous assurer que ce contenu n'est pas mis en cache. Ceci est possible en utilisant la directive CacheDisable, ou le module mod_expires. Livré à lui-même, mod_cache - pratiquement comme un mandataire inverse - mettrait en cache le contenu lors de son service, et le servirait ensuite à tout client, vers n'importe quelle adresse IP.

Piratages locaux

Etant donné que les requêtes des utilisateurs finaux peuvent être servies depuis le cache, ce dernier est une cible potentielle pour ceux qui veulent défigurer un contenu ou interférer avec lui. Il est important de garder à l'esprit que l'utilisateur sous lequel tourne Apache doit toujours avoir l'accès en écriture dans le cache. Ceci est en contraste total avec la recommandation usuelle d'interdire à l'utilisateur sous lequel tourne Apache l'accès en écriture à tout contenu.

Si l'utilisateur sous lequel tourne Apache est compromis, par exemple à cause d'une faille de sécurité dans un processus CGI, il est possible que le cache fasse l'objet d'une attaque. Il est relativement aisé d'insérer ou de modifier une entité dans le cache en utilisant le module mod_disk_cache.

Cela représente un risque relativement élévé par rapport aux autres types d'attaques qu'il est possible de mener sous l'utilisateur apache. Si vous utilisez mod_disk_cache, vous devez garder ceci à l'esprit : effectuez toujours les mises à jour d'Apache quand des correctifs de sécurité sont annoncés et exécutez les processus CGI sous un utilisateur autre qu'apache en utilisant suEXEC dans la mesure du possible.

Empoisonnement du cache (Cache Poisoning)

Si vous utilisez Apache comme serveur mandataire avec mise en cache, vous vous exposez aussi à un éventuel "Empoisonnement du cache" (Cache poisoning). L'empoisonnement du cache est un terme général pour désigner les attaques au cours desquelles l'attaquant fait en sorte que le serveur mandataire renvoie un contenu incorrect (et souvent indésirable) en provenance du serveur d'arrière plan.

Par exemple, si les serveur DNS qu'utilise votre système où tourne Apache sont vulnérables à l'empoisonnement du cache des DNS, un attaquant pourra contrôler vers où Apache se connecte lorsqu'il demande un contenu depuis le serveur d'origine. Un autre exemple est constitué par les attaques ainsi nommées "Dissimulation de requêtes HTTP" (HTTP request-smuggling).

Ce document n'est pas le bon endroit pour une discussion approfondie à propos de la Dissimulation de requêtes HTTP (utilisez plutôt votre moteur de recherche favori); il est cependant important de savoir qu'il est possible d'élaborer une série de requêtes, et d'exploiter une vulnérabilité d'un serveur web d'origine de telle façon que l'attaquant puisse contrôler entièrement le contenu renvoyé par le mandataire.

top

Mise en cache de la gestion de fichier

Modules ApparentésDirectives Apparentées

Le fait d'ouvrir un fichier peut en lui-même introduire un délai, en particulier dans les systèmes de fichiers répartis sur le réseau. Apache peut s'affranchir de ce délai en maintenant un cache des descripteurs de fichiers ouverts pour ce qui concerne les fichiers souvent accédés. Apache propose actuellement deux implémentations différentes de mise en cache de la gestion de fichier.

Directive CacheFile

La forme la plus élémentaire de mise en cache que propose Apache est fournie par le module mod_file_cache. Plutôt que de mettre en cache le contenu des fichiers, ce cache maintient une table des descripteurs de fichiers ouverts. Les fichiers à mettre en cache de cette manière sont spécifiés dans le fichier de configuration en utilisant la directive CacheFile.

La directive CacheFile demande à Apache d'ouvrir le fichier lors de son démarrage et de réutiliser le descripteur de fichier élaboré à cette occasion pour tous les accès ultérieurs à ce fichier.

CacheFile /usr/local/apache2/htdocs/index.html

Si vous avez l'intention de mettre en cache un grand nombre de fichiers de cette manière, vous devez vous assurer que le nombre maximum de fichiers ouverts par votre système d'exploitation est correctement défini.

Bien que l'utilisation de la directive CacheFile n'entraîne pas la mise en cache du contenu du fichier, cela ne signifie pas qu'en cas de modification du fichier pendant l'exécution d'Apache, ces changements seront pris en compte. Le fichier sera toujours servi dans l'état où il était quand Apache a démarré.

Si le fichier est supprimé pendant l'exécution d'Apache, ce dernier continuera à maintenir un descripteur de fichier ouvert et à servir le fichier dans l'état où il était quand Apache a démarré. Cela signifie aussi habituellement que malgré le fait que le fichier ait été supprimé, et ne soit plus accessible par le système de fichiers, l'espace libéré ne sera restitué qu'à l'arrêt d'Apache quand le descripteur de fichier sera fermé.

Directive CacheEnable

Le module mod_mem_cache propose aussi son propre schéma de mise en cache de la gestion de fichier, qui peut être activé à l'aide de la directive CacheEnable.

CacheEnable fd /

A l'instar de tout ce qui concerne le module mod_cache, ce mode de mise en cache de la gestion de fichier est intelligent, et les descripteurs ne seront plus maintenus lorsque le contenu mis en cache sera arrivé à expiration.

top

Mise en cache en mémoire

Modules ApparentésDirectives Apparentées

Servir un contenu directement depuis la mémoire système est universellement reconnu comme la méthode la plus rapide. Lire des fichiers depuis un contrôleur de disque ou pire, depuis un réseau distant est plus lent de plusieurs ordres de grandeur. Les contrôleurs de disque réalisent en général des opérations mécaniques, et l'accès au réseau est limité par la bande passante dont vous disposez. Par contre, les temps d'accès à la mémoire sont de l'ordre de la nano-seconde.

Cependant la mémoire système n'est pas bon marché; à capacité égale, c'est de loin le type de stockage le plus coûteux et il est important de s'assurer qu'elle est utilisée efficacement. Le fait de mettre en cache des fichiers en mémoire diminue d'autant la quantité de mémoire système disponible. Comme nous le verrons plus loin, ce n'est pas un problème en soi dans le cas de la mise en cache par l'intermédiaire du système d'exploitation, mais si l'on utilise la mise en cache en mémoire propre à Apache, il faut prendre garde à ne pas allouer trop de mémoire au cache. Sinon le système sera contraint d'utiliser le swap, ce qui dégradera sensiblement les performances.

Mise en cache par l'intermédiaire du système d'exploitation

Dans la plupart des systèmes d'exploitation modernes, c'est le noyau qui gère directement la mise en cache en mémoire des données relatives aux fichiers. C'est une fonctionnalité puissante, et les systèmes d'exploitation s'en acquittent fort bien pour la plus grande partie. Considérons par exemple, dans le cas de Linux, la différence entre le temps nécessaire à la première lecture d'un fichier et le temps nécessaire à sa deuxième lecture;

colm@coroebus:~$ time cat testfile > /dev/null
real    0m0.065s
user    0m0.000s
sys     0m0.001s
colm@coroebus:~$ time cat testfile > /dev/null
real    0m0.003s
user    0m0.003s
sys     0m0.000s

Même pour ce petit fichier, il y a une grande différence entre les temps nécessaires pour lire le fichier. Ceci est du au fait que le noyau a mis en cache le contenu du fichier en mémoire.

Du fait de toujours pouvoir disposer de mémoire système, vous pouvez être assuré qu'il y aura de plus en plus de contenus de fichiers stockés dans ce cache. Ceci peut s'avérer une méthode de mise en cache en mémoire très efficace, et ne nécessite aucune configuration supplémentaire d'Apache.

De plus, comme le système d'exploitation sait si des fichiers ont été supprimés ou modifiés, il peut effacer automatiquement des contenus de fichiers du cache lorsque cela s'avère nécessaire. Ceci constitue un gros avantage par rapport à la mise en cache en mémoire d'Apache qui n'a aucune possibilité de savoir si un fichier a été modifié.

En dépit des performances et des avantages de la mise en cache automatique par le système d'exploitation, la mise en cache en mémoire peut être effectuée plus efficacement par Apache dans certaines circonstances.

En premier lieu, un système d'exploitation ne peut mettre en cache que les fichiers dont il a connaissance. Si vous exécutez Apache en tant que serveur mandataire, les fichiers que vous mettez en cache ne sont pas stockés en local mais sur un serveur distant. Si vous voulez tout de même bénéficier de la vitesse incomparable procurée par la mise en cache en mémoire, la mise en cache propre à Apache sera nécessaire.

Mise en cache à l'aide de la directive MMapFile

La directive MMapFile fournie par le module mod_file_cache vous permet de demander à Apache de charger un contenu de fichier statique en mémoire lors de son démarrage (à l'aide de l'appel système mmap). Apache utilisera le contenu chargé en mémoire pour satisfaire ultérieurement toutes les demandes d'accès à ce fichier.

MMapFile /usr/local/apache2/htdocs/index.html

Comme dans le cas de la directive CacheFile, toute modification du fichier ne sera plus prise en compte par Apache une fois ce dernier démarré.

La directive MMapFile ne gardant pas la trace de la quantité de mémoire qu'elle alloue, vous devez prendre garde de ne pas en abuser. Chaque processus enfant d'Apache utilisant sa propre réplique de la mémoire allouée, il est donc d'une importance critique de s'assurer que les fichiers chargés ne sont pas d'une taille trop importante afin d'épargner au système l'utilisation du swap.

Mise en cache à l'aide du module mod_mem_cache

Le module mod_mem_cache propose une mise en cache en mémoire intelligente du point de vue du protocole HTTP. Il utilise aussi directement le "tas" de la mémoire, ce qui signifie que même si MMap n'est pas supporté par votre système, mod_mem_cache pourra quand-même effectuer la mise en cache.

La mise en cache selon cette méthode est activée comme suit :

# Activation de la mise en cache en mémoire
CacheEnable mem /

# Limite la taille du cache à 1 Mégaoctet
MCacheSize 1024
top

Mise en cache sur disque

Modules ApparentésDirectives Apparentées

Le module mod_disk_cache fournit un mécanisme de mise en cache sur disque au module mod_cache. Comme dans le cas du module mod_mem_cache, cette mise en cache est intelligente et le contenu ne sera servi qu'à partir du cache tant qu'il sera considéré comme valide.

Typiquement, le module sera configuré comme suit :

CacheRoot   /var/cache/apache/
CacheEnable disk /
CacheDirLevels 2
CacheDirLength 1

Il est important de savoir que, les fichiers mis en cache étant stockés localement, la mise en cache par l'intermédiaire du système d'exploitation sera en général aussi appliquée à leurs accès. Si bien que même si les fichiers sont stockés sur disque, s'il font l'objet d'accès fréquents, il est probable que le système d'exploitation s'appliquera à ce qu'ils soient servis à partir de la mémoire.

Comprendre le stockage dans le cache

Pour stocker des entités dans le cache, le module mod_disk_cache crée une empreinte (hash) de 22 caractères de l'URL qui a fait l'objet d'une requête. Cette empreinte comprend le nom d'hôte, le protocole, le port, le chemin et tout argument de type CGI associé à l'URL, afin d'être sur que plusieurs URLs n'interfèrent pas entre elles.

Chaque position de l'empreinte peut contenir un caractère choisi parmi 64 caractères différents, il y a donc 64^22 possibilités pour une empreinte. Par exemple, une URL peut posséder l'empreinte xyTGxSMO2b68mBCykqkp1w. Cette empreinte est utilisée pour préfixer les noms de fichiers spécifiques à cette URL à l'intérieur du cache; cependant, elle est tout d'abord placée dans les répertoires du cache selon les directives CacheDirLevels et CacheDirLength.

La directive CacheDirLevels définit le nombre de niveaux de sous-répertoires, et CacheDirLength le nombre de caractères composant le nom des sous-répertoires. Dans l'exemple donné plus haut, l'empreinte se trouvera à : /var/cache/apache/x/y/TGxSMO2b68mBCykqkp1w.

Cette technique a pour but principal de réduire le nombre de sous-répertoires ou de fichiers contenus dans un répertoire particulier, car le fonctionnement de la plupart des systèmes de fichiers est ralenti quand ce nombre augmente. Avec la valeur "1" pour la directive CacheDirLength, il peut y avoir au plus 64 sous-répertoires à un niveau quelconque. Avec la valeur "2", il peut y en avoir 64 * 64, etc... A moins d'avoir une bonne raison pour ne pas le faire, l'utilisation de la valeur "1" pour la directive CacheDirLength est recommandée.

Le paramétrage de la directive CacheDirLevels dépend du nombre de fichiers que vous pensez stocker dans le cache. Avec une valeur de "2" comme dans l'exemple donné plus haut, 4096 sous-répertoires peuvent être créés au total. Avec 1 million de fichiers dans le cache, cela équivaut à environ 245 URLs mises en cache dans chaque répertoire.

Chaque URL nécessite au moins deux fichiers dans le cache. Ce sont en général un fichier ".header", qui contient des meta-informations à propos de l'URL, comme la date de son arrivée à expiration, et un fichier ".data" qui est la copie exacte du contenu à servir.

Dans le cas d'un contenu négocié via l'en-tête "Vary", un répertoire ".vary" sera créé pour l'URL en question. Ce répertoire contiendra de multiples fichiers ".data" correspondant aux différents contenus négociés.

Maintenance du cache sur disque

Bien que le module mod_disk_cache supprime un contenu du cache lorsqu'il est arrivé à expiration, il ne maintient aucune information à propos de la taille totale du cache ou de l'espace restant disponible.

Par contre l'utilitaire htcacheclean fourni avec Apache vous permet, comme son nom l'indique, de nettoyer le cache périodiquement. Déterminer la fréquence à laquelle lancer htcacheclean et la taille souhaitée pour le cache est une tâche relativement complexe et il vous faudra de nombreux essais et erreurs pour arriver à sélectionner des valeurs optimales.

htcacheclean opère selon deux modes. Il peut s'exécuter comme démon résident, ou être lancé périodiquement par cron. htcacheclean peut mettre une heure ou plus pour traiter de très grands caches (plusieurs dizaines de Gigaoctets) et si vous l'exécutez à partir de cron, il vous est conseillé de déterminer la durée typique d'un traitement, afin d'éviter d'exécuter plusieurs instances à la fois.


Figure 1: Croissance typique du cache / séquence de nettoyage.

Comme mod_disk_cache ne tient pas compte de l'espace utilisé dans le cache, vous devez vous assurer que htcacheclean est configuré de façon à laisser suffisamment d'"espace de croissance" à la suite d'un nettoyage.

configuring.html100644 0 0 30562 11256637772 11453 0ustar 0 0 Fichiers de configuration - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Fichiers de configuration

Ce document décrit les fichiers utilisés pour configurer le Serveur HTTP Apache.

top

Fichiers de configuration principaux

Modules ApparentésDirectives Apparentées

La configuration d'Apache est effectuée en plaçant des directives dans des fichiers de configuration au format texte. Le fichier de configuration principal se nomme en général httpd.conf. La localisation de ce fichier est définie à la compilation, mais peut être redéfinie à l'aide de l'option de ligne de commande -f. En outre, d'autres fichiers de configuration peuvent être ajoutés à l'aide de la directive Include, et des caractères de remplacement peuvent être utilisés pour inclure de nombreux fichiers de configuration. Des directives de tous types peuvent être placées dans chacun de ces fichiers de configuration. Les modifications dans les fichiers de configuration principaux ne sont prises en compte par Apache que lorsque le serveur est démarré ou redémarré.

Le serveur lit aussi un fichier contenant les types de document mime; ce fichier est défini par la directive TypesConfig, et se nomme mime.types par défaut.

top

Syntaxe des fichiers de configuration

Les fichiers de configuration d'Apache contiennent une directive par ligne. On peut utiliser l'anti-slash "\" comme dernier caractère d'une ligne pour indiquer que la directive continue à la ligne suivante. Il ne doit y avoir aucun caractère ni espace entre l'anti-slash et la fin de la ligne.

Les directives dans les fichiers de configuration ne sont pas sensibles à la casse, mais leurs arguments le sont souvent. Les lignes qui débutent par le caractère "#" sont interprétées comme des commentaires, et sont ignorées. Les commentaires ne doivent pas être inclus dans une ligne après une directive de configuration. Les lignes vides et les espaces précédant une directive sont ignorés; vous pouvez par conséquent indenter les directives afin d'améliorer la lisibilité.

Vous pouvez vérifier l'absence d'erreurs de syntaxe dans vos fichiers de configuration sans démarrer le serveur à l'aide de la commande apachectl configtest ou de l'option de ligne de commande -t.

top

Modules

Modules ApparentésDirectives Apparentées

Apache est un serveur modulaire. Ceci implique que seules les fonctionnalités les plus courantes sont incluses dans le serveur de base. Les fonctionnalités étendues sont fournies à l'aide de modules qui peuvent être chargés dans Apache. Par défaut, un jeu de modules de base est inclus dans le serveur à la compilation. Si le serveur est compilé de façon à utiliser les modules chargés dynamiquement, alors les modules peuvent être compilés séparément et chargés à n'importe quel moment à l'aide de la directive LoadModule. Dans le cas contraire, Apache doit être recompilé pour ajouter ou supprimer des modules. Les directives de configuration peuvent être incluses de manière conditionnelle selon la présence ou l'absence d'un module particulier en les plaçant dans un bloc <IfModule>.

Pour voir quels modules ont été compilés avec le serveur, vous pouvez utiliser l'option de ligne de commande -l.

top

Portée des directives

Modules ApparentésDirectives Apparentées

Les directives placées dans les fichiers de configuration principaux s'appliquent au serveur dans son ensemble. Si vous souhaitez modifier la configuration d'une partie du serveur seulement, vous pouvez limiter la portée de vos directives en les plaçant dans une section <Directory>, <DirectoryMatch>, <Files>, <FilesMatch>, <Location>, ou <LocationMatch>. Ces sections limitent le champ d'application des directives qu'elles contiennent à des URls ou des portions du système de fichiers particulières. Elles peuvent aussi être imbriquées, ce qui permet une configuration très fine.

Apache peut servir simultanément de nombreux sites web au travers des Hôtes Virtuels. La portée des directives peut ainsi être limitée en les plaçant dans des sections <VirtualHost>, afin qu'elles ne s'appliquent qu'aux requêtes pour un site web particulier.

Bien que la plupart des directives puissent être placées dans chacune de ces sections, certaines d'entre elles n'ont aucun sens dans certains contextes. Par exemple, les directives qui contrôlent la création des processus n'ont de sens que dans le contexte du serveur principal. Pour déterminer quelles directives peuvent être placées dans quelles sections, consultez le Contexte de la directive. Pour plus d'informations, nous fournissons des détails dans Comment fonctionnent les sections Directory, Location et Files.

top

Fichiers .htaccess

Modules ApparentésDirectives Apparentées

Apache permet la gestion décentralisée de la configuration via des fichiers spéciaux placés dans l'arborescence du site web. Ces fichiers spéciaux se nomment en général .htaccess, mais tout autre nom peut être spécifié à l'aide de la directive AccessFileName. Les directives placées dans les fichiers .htaccess s'appliquent au répertoire dans lequel vous avez placé le fichier, ainsi qu'à tous ses sous-répertoires. La syntaxe des fichiers .htaccess est la même que celle des fichiers de configuration principaux. Comme les fichiers .htaccess sont lus à chaque requête, les modifications de ces fichiers prennent effet immédiatement.

Pour déterminer quelles directives peuvent être placées dans les fichiers .htaccess, consultez le Contexte de la directive. L'administrateur du serveur peut contrôler quelles directives peuvent être placées dans les fichiers .htaccess en définissant la directive AllowOverride dans les fichiers de configuration principaux.

Pour plus d'informations sur les fichiers .htaccess, se référer au tutoriel .htaccess.

content-negotiation.html100644 0 0 103752 11256637772 13153 0ustar 0 0 Négociation de contenu - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Négociation de contenu

Apache supporte la négociation de contenu telle qu'elle est décrite dans la spécification HTTP/1.1. Il peut choisir la meilleure représentation d'une ressource en fonction des préférences du navigateur pour ce qui concerne le type de media, les langages, le jeu de caractères et son encodage. Il implémente aussi quelques fonctionnalités pour traiter de manière plus intelligente les requêtes en provenance de navigateurs qui envoient des informations de négociation incomplètes.

La négociation de contenu est assurée par le module mod_negotiation qui est compilé par défaut dans le serveur.

top

À propos de la négociation de contenu

Une ressource peut être disponible selon différentes représentations. Par exemple, elle peut être disponible en différents langages ou pour différents types de média, ou une combinaison des deux. Pour faire le meilleur choix, on peut fournir à l'utilisateur une page d'index, et le laisser choisir. Cependant, le serveur peut souvent faire ce choix automatiquement. Ceci est possible car les navigateurs peuvent envoyer des informations sur les représentations qu'ils préfèrent à l'intérieur de chaque requête. Par exemple, un navigateur peut indiquer qu'il préfère voir les informations en français, mais qu'en cas d'impossibilité l'anglais peut convenir. Les navigateurs indiquent leurs préférences à l'aide d'en-têtes dans la requête. Pour ne demander que des représentations en français, le navigateur peut utiliser l'en-tête :

Accept-Language: fr

Notez qu'il ne sera tenu compte de cette préférence que s'il existe un choix de représentations et que ces dernières varient en fonction du langage.

À titre d'exemple d'une requête plus complexe, ce navigateur a été configuré pour accepter le français et l'anglais, avec une préférence pour le français, et accepter différents types de média, avec une préférence pour HTML par rapport au texte plat (plain text) ou autres types de fichiers texte, et avec une préférence pour GIF ou JPEG par rapport à tout autre type de média, mais autorisant tout autre type de média en dernier ressort :

Accept-Language: fr; q=1.0, en; q=0.5
Accept: text/html; q=1.0, text/*; q=0.8, image/gif; q=0.6, image/jpeg; q=0.6, image/*; q=0.5, */*; q=0.1

Apache supporte la négociation de contenu "server driven" (telle qu'elle est définie dans la spécification HTTP/1.1), où c'est le serveur qui décide quelle est la meilleure représentation à retourner pour la ressource demandée. Il supporte entièrement les en-têtes de requête Accept, Accept-Language, Accept-Charset et Accept-Encoding. Apache supporte aussi la négociation de contenu transparente, qui est un protocole de négociation expérimental défini dans les RFC 2295 et 2296. Il ne supporte pas la négociation de fonctionnalité (feature negotiation) telle qu'elle est définie dans ces RFCs.

Une ressource est une entité conceptuelle identifiée par une URI (RFC 2396). Un serveur HTTP comme Apache propose l'accès à des représentations de la ressource à l'intérieur de son espace de nommage, chaque représentation étant composée d'une séquence d'octets avec la définition d'un type de media, d'un jeu de caractères, d'un encodage, etc... A un instant donné, chaque ressource peut être associée avec zéro, une ou plusieurs représentations. Si plusieurs représentations sont disponibles, la ressource est qualifiée de négociable et chacune de ses représentations se nomme variante. Les différences entre les variantes disponibles d'une ressource négociable constituent les dimensions de la négociation.

top

La négociation avec Apache

Afin de négocier une ressource, on doit fournir au serveur des informations à propos de chacune des variantes. Il y a deux manières d'accomplir ceci :

Utilisation d'un fichier de correspondances de types (type-map)

Une liste de correspondances de types est un document associé au gestionnaire type-map (ou, dans un souci de compatibilité ascendante avec des configurations d'Apache plus anciennes, le type MIME application/x-type-map). Notez que pour utiliser cette fonctionnalité, vous devez, dans le fichier de configuration, définir un gestionnaire qui associe un suffixe de fichier à une type-map; ce qui se fait simplement en ajoutant

AddHandler type-map .var

dans le fichier de configuration du serveur.

Les fichiers de correspondances de types doivent posséder le même nom que la ressource qu'ils décrivent, et comporter une entrée pour chaque variante disponible; chaque entrée consiste en une ligne contiguë d'en-têtes au format HTTP. les entrées sont séparées par des lignes vides. Les lignes vides à l'intérieur d'une entrée sont interdites. Par convention, le fichier de correspondances débute par une entrée concernant l'entité considérée dans son ensemble (bien que ce ne soit pas obligatoire, et ignoré si présent). Un exemple de fichier de correspondance est fourni ci-dessous. Ce fichier doit être nommé foo.var, car il décrit une ressource nommée foo.

URI: foo

URI: foo.en.html
Content-type: text/html
Content-language: en

URI: foo.fr.de.html
Content-type: text/html;charset=iso-8859-2
Content-language: fr, de

Notez aussi qu'un fichier de correspondances de types prend le pas sur les extensions de noms de fichiers, même si les Multivues sont activées. Si les variantes sont de qualités différentes, on doit l'indiquer à l'aide du paramètre "qs" à la suite du type de média, comme pour cette image (disponible aux formats JPEG, GIF, ou ASCII-art) :

URI: foo

URI: foo.jpeg
Content-type: image/jpeg; qs=0.8

URI: foo.gif
Content-type: image/gif; qs=0.5

URI: foo.txt
Content-type: text/plain; qs=0.01

Les valeurs de qs peuvent varier de 0.000 à 1.000. Notez que toute variante possédant une valeur de qs de 0.000 ne sera jamais choisie. Les variantes qui n'ont pas de paramètre qs défini se voient attribuer une valeur de 1.0. Le paramètre qs indique la qualité relative de la variante comparée à celle des autres variantes disponibles, sans tenir compte des capacités du client. Par exemple, un fichier JPEG possède en général une qualité supérieure à celle d'un fichier ASCII s'il représente une photographie. Cependant, si la ressource représentée est à un ASCII art original, la représentation ASCII sera de meilleure qualité que la représentation JPEG. Ainsi une valeur de qs est associée à une variante en fonction de la nature de la ressource qu'elle représente.

La liste complète des en-têtes reconnus est disponible dans la documentation de la directive typemap (module mod_negotiation).

Multivues (option Multiviews)

MultiViews est une option qui s'applique à un répertoire, ce qui signifie qu'elle peut être activée à l'aide d'une directive Options à l'intérieur d'une section <Directory>, <Location> ou <Files> dans httpd.conf, ou (si AllowOverride est correctement positionnée) dans des fichiers .htaccess. Notez que Options All n'active pas MultiViews; vous devez activer cette option en la nommant explicitement.

L'effet de MultiViews est le suivant : si le serveur reçoit une requête pour /tel/répertoire/foo, si MultiViews est activée pour /tel/répertoire, et si /tel/répertoire/foo n'existe pas, le serveur parcourt le répertoire à la recherche de fichiers nommés foo.*, et génère une correspondance de types (type map) qui liste tous ces fichiers, en leur associant les mêmes types de média et encodages de contenu qu'ils auraient eu si le client avait demandé l'accès à l'un d'entre eux par son nom. Il choisit ensuite ce qui correspond le mieux aux besoins du client.

MultiViews peut aussi s'appliquer à la recherche du fichier nommé par la directive DirectoryIndex, si le serveur tente d'indexer un répertoire. Si les fichiers de configuration spécifient

DirectoryIndex index

le serveur va choisir entre index.html et index.html3 si les deux fichiers sont présents. Si aucun n'est présent, mais index.cgi existe, le serveur l'exécutera.

Si, parcequ'elle n'est pas reconnue par mod_mime, l'extension d'un des fichiers du répertoire ne permet pas de déterminer son jeu de caractères, son type de contenu, son langage, ou son encodage, alors le résultat dépendra de la définition de la directive MultiViewsMatch. Cette directive détermine si les gestionnaires (handlers), les filtres, et autres types d'extensions peuvent participer à la négociation MultiVues.

top

Les méthodes de négociation

Une fois obtenue la liste des variantes pour une ressource donnée, Apache dispose de deux méthodes pour choisir la meilleure variante à retourner, s'il y a lieu, soit à partir d'un fichier de correspondances de types, soit en se basant sur les noms de fichiers du répertoire. Il n'est pas nécessaire de connaître en détails comment la négociation fonctionne réellement pour pouvoir utiliser les fonctionnalités de négociation de contenu d'Apache. La suite de ce document explique cependant les méthodes utilisées pour ceux ou celles qui sont intéressés(ées).

Il existe deux méthodes de négociation :

  1. La négociation effectuée par le serveur selon l'algorithme d'Apache est normalement utilisée. l'algorithme d'Apache est expliqué plus en détails ci-dessous. Quand cet algorithme est utilisé, Apache peut parfois "bricoler" le facteur de qualité (qs) d'une dimension particulière afin d'obtenir un meilleur résultat. La manière dont Apache peut modifier les facteurs de qualité est expliquée plus en détails ci-dessous.
  2. La négociation de contenu transparente est utilisée quand le navigateur le demande explicitement selon le mécanisme défini dans la RFC 2295. Cette méthode de négociation donne au navigateur le contrôle total du choix de la meilleure variante; le résultat dépend cependant de la spécificité des algorithmes utilisés par le navigateur. Au cours du processus de négociation transparente, le navigateur peut demander à Apache d'exécuter l'"algorithme de sélection de variante à distance" défini dans la RFC 2296.

Les dimensions de la négociation

Dimension Notes
Type de média Le navigateur affiche ses préférences à l'aide du champ d'en-tête Accept. Chaque type de média peut se voir associé un facteur de qualité. La description de la variante peut aussi avoir un facteur de qualité (le paramètre "qs").
Langage Le navigateur affiche ses préférences à l'aide du champ d'en-tête Accept-Language. Chaque langue peut se voir associée un facteur de qualité. Les variantes peuvent être associées avec zéro, un ou plusieurs langages.
Encoding Le navigateur affiche ses préférences à l'aide du champ d'en-tête Accept-Encoding. Chaque encodage peut se voir associé un facteur de qualité.
Charset Le navigateur affiche ses préférences à l'aide du champ d'en-tête Accept-Charset. Chaque jeu de caractères peut se voir associé un facteur de qualité. Les variantes peuvent préciser un jeu de caractères comme paramètre du type de média.

L'algorithme de négociation d'Apache

Apache peut utiliser l'algorithme suivant pour choisir la "meilleure" variante (s'il y en a une) à retourner au navigateur. Cet algorithme n'est pas configurable. Il fonctionne comme suit :

  1. En premier lieu, pour chaque dimension de la négociation, consulter le champ d'en-tête Accept* approprié et assigner une qualité à chaque variante. Si l'en-tête Accept* pour toute dimension implique que la variante n'est pas acceptable, éliminer cette dernière. S'il ne reste plus de variante, aller à l'étape 4.
  2. Choisir la "meilleure" variante par élimination. Chacun des tests suivants est effectué dans cet ordre. Toute variante non sélectionnée à l'issue d'un test est éliminée. Après chaque test, s'il reste une seule variante, choisir cette dernière comme celle qui correspond le mieux puis aller à l'étape 3. S'il reste plusieurs variantes, passer au test suivant.
    1. Multiplier le facteur de qualité de l'en-tête Accept par le facteur de qualité "qs" pour le type de média de ces variantes, et choisir la variante qui possède la valeur la plus importante.
    2. Sélectionner les variantes qui possèdent le facteur de qualité de langage le plus haut.
    3. Sélectionner les variantes dont le langage correspond le mieux, en se basant sur l'ordre des langages de l'en-tête Accept-Language (s'il existe), ou de la directive LanguagePriority (si elle existe).
    4. Sélectionner les variantes possédant le paramètre de média "level" le plus élevé (utilisé pour préciser la version des types de média text/html).
    5. Sélectionner les variantes possédant le paramètre de média "charset" (jeu de caractères) qui correspond le mieux, en se basant sur la ligne d'en-tête Accept-Charset . Le jeu de caractères ISO-8859-1 est acceptable sauf s'il est explicitement exclus. Les variantes avec un type de média text/* mais non explicitement associées avec un jeu de caractères particulier sont supposées être en ISO-8859-1.
    6. Sélectionner les variantes dont le paramètre de média "charset" associé n'est pas ISO-8859-1. S'il n'en existe pas, sélectionner toutes les variantes.
    7. Sélectionner les variantes avec le meilleur encodage. S'il existe des variantes avec un encodage acceptable pour le client, sélectionner celles-ci. Sinon, s'il existe des variantes encodées et des variantes non encodées, ne sélectionner que les variantes non encodées. Si toutes les variantes sont encodées ou si aucune ne l'est, sélectionner toutes les variantes.
    8. Sélectionner les variantes dont le contenu a la longueur la plus courte.
    9. Sélectionner la première des variantes restantes. Il s'agira soit de la première variante listée dans le fichier de correspondances de types, soit, quand les variantes sont lues depuis le répertoire, la première par ordre alphabétique quand elles sont triées selon le code ASCII.
  3. L'algorithme a maintenant sélectionné une variante considérée comme la "meilleure", il la retourne donc au client en guise de réponse. L'en-tête HTTP Vary de la réponse est renseigné de façon à indiquer les dimensions de la négociation (les navigateurs et les caches peuvent utiliser cette information lors de la mise en cache de la ressource). Travail terminé.
  4. Le passage par cette étape signifie qu'aucune variante n'a été sélectionnée (parce qu'aucune n'est acceptable pour le client HTTP). Envoyer une réponse avec un code de statut 406 (qui signifie "Aucune représentation acceptable") et un corps comportant un document HTML qui affiche les variantes disponibles. Renseigner aussi l'en-tête HTTP Vary de façon à indiquer les dimensions de la variante.
top

Ajustement des valeurs de qualité

Parfois Apache modifie les valeurs de qualité par rapport à celles qui découleraient d'une stricte interprétation de l'algorithme de négociation d'Apache ci-dessus, ceci pour améliorer les résultats de l'algorithme pour les navigateurs qui envoient des informations incomplètes ou inappropriées. Certains des navigateurs les plus populaires envoient des informations dans l'en-tête Accept qui, sans ce traitement, provoqueraient la sélection d'une variante inappropriée dans de nombreux cas. Quand un navigateur envoie des informations complètes et correctes ces ajustements ne sont pas effectués.

Types de média et caractères génériques

L'en-tête de requête Accept: indique les types de média souhaités. Il peut aussi contenir des types de média avec caractères génériques, comme "image/*" ou "*/*" où * correspond à n'importe quelle chaîne de caractères. Ainsi une requête contenant :

Accept: image/*, */*

indiquerait que tout type de média est acceptable, avec une préférence pour les types commençant par "image/". Certains navigateurs ajoutent par défaut des types de média avec caractères génériques aux types explicitement nommés qu'ils peuvent gérer. Par exemple :

Accept: text/html, text/plain, image/gif, image/jpeg, */*

Ceci indique que les types explicitement listés sont préférés, mais qu'une représentation avec un type différent de ces derniers conviendra aussi. Les valeurs de qualités explicites, afin de préciser ce que veut vraiment le navigateur, s'utilisent comme suit :

Accept: text/html, text/plain, image/gif, image/jpeg, */*; q=0.01

Les types explicites n'ont pas de facteur de qualité, la valeur par défaut de leur préférence est donc de 1.0 (la plus haute). Le type avec caractères génériques */* se voit attribuer une préférence basse de 0.01, si bien que les types autres que ceux explicitement listés ne seront retournés que s'il n'existe pas de variante correspondant à un type explicitement listé.

Si l'en-tête Accept: ne contient pas aucun facteur de qualité, Apache positionne la valeur de qualité de "*/*", si present, à 0.01 pour simuler l'effet désiré. Il positionne aussi la valeur de qualité des types avec caractères génériques au format "type/*" à 0.02 (ils sont donc préférés à ceux correspondant à "*/*"). Si un type de média dans l'en-tête Accept: contient un facteur de qualité, ces valeurs spéciales ne seront pas appliquées, de façon à ce que les requêtes de navigateurs qui envoient les informations explicites à prendre en compte fonctionnent comme souhaité.

Exceptions dans la négociation du langage

A partir de la version 2.0 d'Apache, certaines exceptions ont été ajoutées à l'algorithme de négociation afin de ménager une issue de secours quand la négociation ne trouve aucun langage correspondant.

Quand un client demande une page sur votre serveur, si ce dernier ne parvient pas à trouver une page dont la langue corresponde à l'en-tête Accept-language envoyé par le navigateur, il enverra au client une réponse "Aucune variante acceptable" ou "Plusieurs choix possibles". Pour éviter ces messages d'erreur, il est possible de configurer Apache de façon à ce que, dans ces cas, il ignore l'en-tête Accept-language et fournisse tout de même un document, même s'il ne correspond pas exactement à la demande explicite du client. La directive ForceLanguagePriority peut être utilisée pour éviter ces messages d'erreur et leur substituer une page dont le langage sera déterminé en fonction du contenu de la directive LanguagePriority.

Le serveur va aussi essayer d'étendre sa recherche de correspondance aux sous-ensembles de langages quand aucune correspondance exacte ne peut être trouvée. Par exemple, si un client demande des documents possédant le langage en-GB, c'est à dire anglais britannique, le standard HTTP/1.1 n'autorise normalement pas le serveur à faire correspondre cette demande à un document dont le langage est simplement en. (Notez qu'inclure en-GB et non en dans l'en-tête Accept-Language constitue une quasi-erreur de configuration, car il est très peu probable qu'un lecteur qui comprend l'anglais britannique, ne comprenne pas l'anglais en général. Malheureusement, de nombreux clients ont réellement des configurations par défaut de ce type.) Cependant, si aucune autre correspondance de langage n'est possible, et que le serveur est sur le point de retourner une erreur "Aucune variable acceptable" ou de choisir le langage défini par la directive LanguagePriority, le serveur ignorera la spécification du sous-ensemble de langage et associera la demande en en-GB à des documents en en. Implicitement, Apache ajoute le langage parent à la liste de langues acceptées par le client avec une valeur de qualité très basse. Notez cependant que si le client demande "en-GB; q=0.9, fr; q=0.8", et le serveur dispose de documents estampillés "en" et "fr", alors c'est le document "fr" qui sera retourné, tout ceci dans un souci de compatibilité avec la spécification HTTP/1.1 et afin de fonctionner efficacement avec les clients correctement configurés.

Pour supporter les techniques avancées (comme les cookies ou les chemins d'URL spéciaux) afin de déterminer le langage préféré de l'utilisateur, le module mod_negotiation reconnaît la variable d'environnement prefer-language depuis la version 2.0.47 d'Apache. Si elle est définie et contient un symbole de langage approprié, mod_negotiation va essayer de sélectionner une variante correspondante. S'il n'existe pas de telle variante, le processus normal de négociation sera lancé.

Exemple

SetEnvIf Cookie "language=(.+)" prefer-language=$1 Header append Vary cookie

top

Extensions à la négociation de contenu transparente

Apache étend le protocole de négociation de contenu transparente (RFC 2295) comme suit. Un nouvel élément {encodage ..} est utilisé dans les listes de variantes pour marquer celles qui ne sont disponibles qu'avec un encodage de contenu spécifique. L'implémentation de l'algorithme RVSA/1.0 (RFC 2296) est étendue à la reconnaissance de variantes encodées dans la liste, et à leur utilisation en tant que variantes candidates à partir du moment où leur encodage satisfait au contenu de l'en-tête de requête Accept-Encoding. L'implémentation RVSA/1.0 n'arrondit pas les facteurs de qualité calculés à 5 décimales avant d'avoir choisi la meilleure variante.

top

Remarques à propos des liens hypertextes et des conventions de nommage

Si vous utilisez la négociation de langage, vous avez le choix entre différentes conventions de nommage, car les fichiers peuvent posséder plusieurs extensions, et l'ordre dans lequel ces dernières apparaissent est en général sans rapport (voir la documentation sur le module mod_mime pour plus de détails).

Un fichier type possède une extension liée au type MIME (par exemple, html), mais parfois aussi une extension liée à l'encodage (par exemple, gz), et bien sûr une extension liée au langage (par exemple, en) quand plusieurs variantes de langage sont disponibles pour ce fichier.

Exemples :

Ci-dessous d'autres exemples de noms de fichiers avec des liens hypertextes valides et invalides :

Nom fichier lien valide Lien invalide
foo.html.en foo
foo.html		 -
foo.en.html foo foo.html
foo.html.en.gz foo
foo.html		 foo.gz
foo.html.gz
foo.en.html.gz foo foo.html
foo.html.gz
foo.gz
foo.gz.html.en foo
foo.gz
foo.gz.html		 foo.html
foo.html.gz.en foo
foo.html
foo.html.gz		 foo.gz

En regardant la table ci-dessus, vous remarquerez qu'il est toujours possible d'utiliser le nom de fichier sans extension dans un lien (par exemple, foo). L'avantage est de pouvoir dissimuler le type réel du fichier associé à un document et de pouvoir le modifier ultérieurement, par exemple, de html à shtml ou cgi sans avoir à mettre à jour aucun lien.

Si vous souhaitez continuer à utiliser un type MIME dans vos liens (par exemple foo.html), l'extension liée au langage (y compris une extension liée à l'encodage s'il en existe une) doit se trouver à droite de l'extension liée au type MIME (par exemple, foo.html.en).

top

Remarque sur la mise en cache

Quand un cache stocke une représentation, il l'associe avec l'URL de la requête. Lorsque cette URL est à nouveau demandée, le cache peut utiliser la représentation stockée. Cependant, si la ressource est négociable au niveau du serveur, il se peut que seule la première variante demandée soit mise en cache et de ce fait, la correspondance positive du cache peut entraîner une réponse inappropriée. Pour éviter ceci, Apache marque par défaut toutes les réponses qui sont retournées après une négociation de contenu comme "non-cachables" par les clients HTTP/1.0. Apache supporte aussi les fonctionnalités du protocole HTTP/1.1 afin de permettre la mise en cache des réponses négociées.

Pour les requêtes en provenance d'un client compatible HTTP/1.0 (un navigateur ou un cache), la directive CacheNegotiatedDocs peut être utilisée pour permettre la mise en cache des réponses qui ont fait l'objet d'une négociation. Cette directive peut intervenir dans la configuration au niveau du serveur ou de l'hôte virtuel, et n'accepte aucun argument. Elle n'a aucun effet sur les requêtes en provenance de clients HTTP/1.1.

Pour les clients HTTP/1.1, Apache envoie un en-tête de réponse HTTP Vary afin d'indiquer les dimensions de la négociation pour cette réponse. Les caches peuvent utiliser cette information afin de déterminer si une requête peut être servie à partir de la copie locale. Pour inciter un cache à utiliser la copie locale sans tenir compte des dimensions de la négociation, définissez la variable d'environnement force-no-vary.

custom-error.html100644 0 0 20536 11256637772 11602 0ustar 0 0 Custom Error Responses - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

Custom Error Responses

Additional functionality allows webmasters to configure the response of Apache to some error or problem.

Customizable responses can be defined to be activated in the event of a server detected error or problem.

If a script crashes and produces a "500 Server Error" response, then this response can be replaced with either some friendlier text or by a redirection to another URL (local or external).

top

Behavior

Old Behavior

NCSA httpd 1.3 would return some boring old error/problem message which would often be meaningless to the user, and would provide no means of logging the symptoms which caused it.

New Behavior

The server can be asked to:

  1. Display some other text, instead of the NCSA hard coded messages, or
  2. redirect to a local URL, or
  3. redirect to an external URL.

Redirecting to another URL can be useful, but only if some information can be passed which can then be used to explain and/or log the error/problem more clearly.

To achieve this, Apache will define new CGI-like environment variables:

REDIRECT_HTTP_ACCEPT=*/*, image/gif, image/x-xbitmap, image/jpeg
REDIRECT_HTTP_USER_AGENT=Mozilla/1.1b2 (X11; I; HP-UX A.09.05 9000/712)
REDIRECT_PATH=.:/bin:/usr/local/bin:/etc
REDIRECT_QUERY_STRING=
REDIRECT_REMOTE_ADDR=121.345.78.123
REDIRECT_REMOTE_HOST=ooh.ahhh.com
REDIRECT_SERVER_NAME=crash.bang.edu
REDIRECT_SERVER_PORT=80
REDIRECT_SERVER_SOFTWARE=Apache/0.8.15
REDIRECT_URL=/cgi-bin/buggy.pl

Note the REDIRECT_ prefix.

At least REDIRECT_URL and REDIRECT_QUERY_STRING will be passed to the new URL (assuming it's a cgi-script or a cgi-include). The other variables will exist only if they existed prior to the error/problem. None of these will be set if your ErrorDocument is an external redirect (anything starting with a scheme name like http:, even if it refers to the same host as the server).

top

Configuration

Use of ErrorDocument is enabled for .htaccess files when the AllowOverride is set accordingly.

Here are some examples...

ErrorDocument 500 /cgi-bin/crash-recover
ErrorDocument 500 "Sorry, our script crashed. Oh dear"
ErrorDocument 500 http://xxx/
ErrorDocument 404 /Lame_excuses/not_found.html
ErrorDocument 401 /Subscription/how_to_subscribe.html

The syntax is,

ErrorDocument <3-digit-code> <action>

where the action can be,

  1. Text to be displayed. Wrap the text with quotes (").
  2. An external URL to redirect to.
  3. A local URL to redirect to.
top

Custom Error Responses and Redirects

Apache's behavior to redirected URLs has been modified so that additional environment variables are available to a script/server-include.

Old behavior

Standard CGI vars were made available to a script which has been redirected to. No indication of where the redirection came from was provided.

New behavior

A new batch of environment variables will be initialized for use by a script which has been redirected to. Each new variable will have the prefix REDIRECT_. REDIRECT_ environment variables are created from the CGI environment variables which existed prior to the redirect, they are renamed with a REDIRECT_ prefix, i.e., HTTP_USER_AGENT becomes REDIRECT_HTTP_USER_AGENT. In addition to these new variables, Apache will define REDIRECT_URL and REDIRECT_STATUS to help the script trace its origin. Both the original URL and the URL being redirected to can be logged in the access log.

If the ErrorDocument specifies a local redirect to a CGI script, the script should include a "Status:" header field in its output in order to ensure the propagation all the way back to the client of the error condition that caused it to be invoked. For instance, a Perl ErrorDocument script might include the following:

...
print "Content-type: text/html\n";
printf "Status: %s Condition Intercepted\n", $ENV{"REDIRECT_STATUS"};
...

If the script is dedicated to handling a particular error condition, such as 404 Not Found, it can use the specific code and error text instead.

Note that the script must emit an appropriate Status: header (such as 302 Found), if the response contains a Location: header (in order to issue a client side redirect). Otherwise the Location: header may have no effect.

developer/API.html100644 0 0 172304 11256637772 11560 0ustar 0 0 Apache 1.3 API notes - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Apache 1.3 API notes

Warning

This document has not been updated to take into account changes made in the 2.0 version of the Apache HTTP Server. Some of the information may still be relevant, but please use it with care.

These are some notes on the Apache API and the data structures you have to deal with, etc. They are not yet nearly complete, but hopefully, they will help you get your bearings. Keep in mind that the API is still subject to change as we gain experience with it. (See the TODO file for what might be coming). However, it will be easy to adapt modules to any changes that are made. (We have more modules to adapt than you do).

A few notes on general pedagogical style here. In the interest of conciseness, all structure declarations here are incomplete -- the real ones have more slots that I'm not telling you about. For the most part, these are reserved to one component of the server core or another, and should be altered by modules with caution. However, in some cases, they really are things I just haven't gotten around to yet. Welcome to the bleeding edge.

Finally, here's an outline, to give you some bare idea of what's coming up, and in what order:

top

Basic concepts

We begin with an overview of the basic concepts behind the API, and how they are manifested in the code.

Handlers, Modules, and Requests

Apache breaks down request handling into a series of steps, more or less the same way the Netscape server API does (although this API has a few more stages than NetSite does, as hooks for stuff I thought might be useful in the future). These are:

These phases are handled by looking at each of a succession of modules, looking to see if each of them has a handler for the phase, and attempting invoking it if so. The handler can typically do one of three things:

Most phases are terminated by the first module that handles them; however, for logging, `fixups', and non-access authentication checking, all handlers always run (barring an error). Also, the response phase is unique in that modules may declare multiple handlers for it, via a dispatch table keyed on the MIME type of the requested object. Modules may declare a response-phase handler which can handle any request, by giving it the key */* (i.e., a wildcard MIME type specification). However, wildcard handlers are only invoked if the server has already tried and failed to find a more specific response handler for the MIME type of the requested object (either none existed, or they all declined).

The handlers themselves are functions of one argument (a request_rec structure. vide infra), which returns an integer, as above.

A brief tour of a module

At this point, we need to explain the structure of a module. Our candidate will be one of the messier ones, the CGI module -- this handles both CGI scripts and the ScriptAlias config file command. It's actually a great deal more complicated than most modules, but if we're going to have only one example, it might as well be the one with its fingers in every place.

Let's begin with handlers. In order to handle the CGI scripts, the module declares a response handler for them. Because of ScriptAlias, it also has handlers for the name translation phase (to recognize ScriptAliased URIs), the type-checking phase (any ScriptAliased request is typed as a CGI script).

The module needs to maintain some per (virtual) server information, namely, the ScriptAliases in effect; the module structure therefore contains pointers to a functions which builds these structures, and to another which combines two of them (in case the main server and a virtual server both have ScriptAliases declared).

Finally, this module contains code to handle the ScriptAlias command itself. This particular module only declares one command, but there could be more, so modules have command tables which declare their commands, and describe where they are permitted, and how they are to be invoked.

A final note on the declared types of the arguments of some of these commands: a pool is a pointer to a resource pool structure; these are used by the server to keep track of the memory which has been allocated, files opened, etc., either to service a particular request, or to handle the process of configuring itself. That way, when the request is over (or, for the configuration pool, when the server is restarting), the memory can be freed, and the files closed, en masse, without anyone having to write explicit code to track them all down and dispose of them. Also, a cmd_parms structure contains various information about the config file being read, and other status information, which is sometimes of use to the function which processes a config-file command (such as ScriptAlias). With no further ado, the module itself:

/* Declarations of handlers. */

int translate_scriptalias (request_rec *);
int type_scriptalias (request_rec *);
int cgi_handler (request_rec *);

/* Subsidiary dispatch table for response-phase
 * handlers, by MIME type */

handler_rec cgi_handlers[] = {
{ "application/x-httpd-cgi", cgi_handler },
{ NULL }
 };

/* Declarations of routines to manipulate the
 * module's configuration info. Note that these are
 * returned, and passed in, as void *'s; the server
 * core keeps track of them, but it doesn't, and can't,
 * know their internal structure.
 */

void *make_cgi_server_config (pool *);
void *merge_cgi_server_config (pool *, void *, void *);

/* Declarations of routines to handle config-file commands */

extern char *script_alias(cmd_parms *, void *per_dir_config, char *fake, char *real);

command_rec cgi_cmds[] = {
{ "ScriptAlias", script_alias, NULL, RSRC_CONF, TAKE2,
"a fakename and a realname"},
 { NULL }
 };

module cgi_module = { 

  STANDARD_MODULE_STUFF,
  NULL,                     /* initializer */
  NULL,                     /* dir config creator */
  NULL,                     /* dir merger */
  make_cgi_server_config,   /* server config */
  merge_cgi_server_config,  /* merge server config */
  cgi_cmds,                 /* command table */
  cgi_handlers,             /* handlers */
  translate_scriptalias,    /* filename translation */
  NULL,                     /* check_user_id */
  NULL,                     /* check auth */
  NULL,                     /* check access */
  type_scriptalias,         /* type_checker */
  NULL,                     /* fixups */
  NULL,                     /* logger */
  NULL                      /* header parser */
};
top

How handlers work

The sole argument to handlers is a request_rec structure. This structure describes a particular request which has been made to the server, on behalf of a client. In most cases, each connection to the client generates only one request_rec structure.

A brief tour of the request_rec

The request_rec contains pointers to a resource pool which will be cleared when the server is finished handling the request; to structures containing per-server and per-connection information, and most importantly, information on the request itself.

The most important such information is a small set of character strings describing attributes of the object being requested, including its URI, filename, content-type and content-encoding (these being filled in by the translation and type-check handlers which handle the request, respectively).

Other commonly used data items are tables giving the MIME headers on the client's original request, MIME headers to be sent back with the response (which modules can add to at will), and environment variables for any subprocesses which are spawned off in the course of servicing the request. These tables are manipulated using the ap_table_get and ap_table_set routines.

Note that the Content-type header value cannot be set by module content-handlers using the ap_table_*() routines. Rather, it is set by pointing the content_type field in the request_rec structure to an appropriate string. e.g.,

r->content_type = "text/html";

Finally, there are pointers to two data structures which, in turn, point to per-module configuration structures. Specifically, these hold pointers to the data structures which the module has built to describe the way it has been configured to operate in a given directory (via .htaccess files or <Directory> sections), for private data it has built in the course of servicing the request (so modules' handlers for one phase can pass `notes' to their handlers for other phases). There is another such configuration vector in the server_rec data structure pointed to by the request_rec, which contains per (virtual) server configuration data.

Here is an abridged declaration, giving the fields most commonly used:

struct request_rec {

pool *pool;
conn_rec *connection;
server_rec *server;

/* What object is being requested */

char *uri;
char *filename;
char *path_info; 

char *args;           /* QUERY_ARGS, if any */
struct stat finfo;    /* Set by server core;
                       * st_mode set to zero if no such file */

char *content_type;
char *content_encoding;

/* MIME header environments, in and out. Also,
 * an array containing environment variables to
 * be passed to subprocesses, so people can write
 * modules to add to that environment.
 *
 * The difference between headers_out and
 * err_headers_out is that the latter are printed
 * even on error, and persist across internal
 * redirects (so the headers printed for
 * ErrorDocument handlers will have them).
 */

table *headers_in;
table *headers_out;
table *err_headers_out;
table *subprocess_env;

/* Info about the request itself... */

int header_only;     /* HEAD request, as opposed to GET */
char *protocol;      /* Protocol, as given to us, or HTTP/0.9 */
char *method;        /* GET, HEAD, POST, etc. */
int method_number;   /* M_GET, M_POST, etc. */

/* Info for logging */

char *the_request;
int bytes_sent;

/* A flag which modules can set, to indicate that
 * the data being returned is volatile, and clients
 * should be told not to cache it.
 */

int no_cache;

/* Various other config info which may change
 * with .htaccess files
 * These are config vectors, with one void*
 * pointer for each module (the thing pointed
 * to being the module's business).
 */

void *per_dir_config;   /* Options set in config files, etc. */
void *request_config;   /* Notes on *this* request */


};

Where request_rec structures come from

Most request_rec structures are built by reading an HTTP request from a client, and filling in the fields. However, there are a few exceptions:

Handling requests, declining, and returning error codes

As discussed above, each handler, when invoked to handle a particular request_rec, has to return an int to indicate what happened. That can either be

Note that if the error code returned is REDIRECT, then the module should put a Location in the request's headers_out, to indicate where the client should be redirected to.

Special considerations for response handlers

Handlers for most phases do their work by simply setting a few fields in the request_rec structure (or, in the case of access checkers, simply by returning the correct error code). However, response handlers have to actually send a request back to the client.

They should begin by sending an HTTP response header, using the function ap_send_http_header. (You don't have to do anything special to skip sending the header for HTTP/0.9 requests; the function figures out on its own that it shouldn't do anything). If the request is marked header_only, that's all they should do; they should return after that, without attempting any further output.

Otherwise, they should produce a request body which responds to the client as appropriate. The primitives for this are ap_rputc and ap_rprintf, for internally generated output, and ap_send_fd, to copy the contents of some FILE * straight to the client.

At this point, you should more or less understand the following piece of code, which is the handler which handles GET requests which have no more specific handler; it also shows how conditional GETs can be handled, if it's desirable to do so in a particular response handler -- ap_set_last_modified checks against the If-modified-since value supplied by the client, if any, and returns an appropriate code (which will, if nonzero, be USE_LOCAL_COPY). No similar considerations apply for ap_set_content_length, but it returns an error code for symmetry.

int default_handler (request_rec *r)
{
int errstatus;
FILE *f;

if (r->method_number != M_GET) return DECLINED;
if (r->finfo.st_mode == 0) return NOT_FOUND;

if ((errstatus = ap_set_content_length (r, r->finfo.st_size))
    || (errstatus = ap_set_last_modified (r, r->finfo.st_mtime)))
return errstatus;

f = fopen (r->filename, "r");

if (f == NULL) {
log_reason("file permissions deny server access", r->filename, r);
return FORBIDDEN;
 }

register_timeout ("send", r);
ap_send_http_header (r);

if (!r->header_only) send_fd (f, r);
ap_pfclose (r->pool, f);
return OK;
 }

Finally, if all of this is too much of a challenge, there are a few ways out of it. First off, as shown above, a response handler which has not yet produced any output can simply return an error code, in which case the server will automatically produce an error response. Secondly, it can punt to some other handler by invoking ap_internal_redirect, which is how the internal redirection machinery discussed above is invoked. A response handler which has internally redirected should always return OK.

(Invoking ap_internal_redirect from handlers which are not response handlers will lead to serious confusion).

Special considerations for authentication handlers

Stuff that should be discussed here in detail:

Special considerations for logging handlers

When a request has internally redirected, there is the question of what to log. Apache handles this by bundling the entire chain of redirects into a list of request_rec structures which are threaded through the r->prev and r->next pointers. The request_rec which is passed to the logging handlers in such cases is the one which was originally built for the initial request from the client; note that the bytes_sent field will only be correct in the last request in the chain (the one for which a response was actually sent).

top

Resource allocation and resource pools

One of the problems of writing and designing a server-pool server is that of preventing leakage, that is, allocating resources (memory, open files, etc.), without subsequently releasing them. The resource pool machinery is designed to make it easy to prevent this from happening, by allowing resource to be allocated in such a way that they are automatically released when the server is done with them.

The way this works is as follows: the memory which is allocated, file opened, etc., to deal with a particular request are tied to a resource pool which is allocated for the request. The pool is a data structure which itself tracks the resources in question.

When the request has been processed, the pool is cleared. At that point, all the memory associated with it is released for reuse, all files associated with it are closed, and any other clean-up functions which are associated with the pool are run. When this is over, we can be confident that all the resource tied to the pool have been released, and that none of them have leaked.

Server restarts, and allocation of memory and resources for per-server configuration, are handled in a similar way. There is a configuration pool, which keeps track of resources which were allocated while reading the server configuration files, and handling the commands therein (for instance, the memory that was allocated for per-server module configuration, log files and other files that were opened, and so forth). When the server restarts, and has to reread the configuration files, the configuration pool is cleared, and so the memory and file descriptors which were taken up by reading them the last time are made available for reuse.

It should be noted that use of the pool machinery isn't generally obligatory, except for situations like logging handlers, where you really need to register cleanups to make sure that the log file gets closed when the server restarts (this is most easily done by using the function ap_pfopen, which also arranges for the underlying file descriptor to be closed before any child processes, such as for CGI scripts, are execed), or in case you are using the timeout machinery (which isn't yet even documented here). However, there are two benefits to using it: resources allocated to a pool never leak (even if you allocate a scratch string, and just forget about it); also, for memory allocation, ap_palloc is generally faster than malloc.

We begin here by describing how memory is allocated to pools, and then discuss how other resources are tracked by the resource pool machinery.

Allocation of memory in pools

Memory is allocated to pools by calling the function ap_palloc, which takes two arguments, one being a pointer to a resource pool structure, and the other being the amount of memory to allocate (in chars). Within handlers for handling requests, the most common way of getting a resource pool structure is by looking at the pool slot of the relevant request_rec; hence the repeated appearance of the following idiom in module code:

int my_handler(request_rec *r)
{
struct my_structure *foo;
...

foo = (foo *)ap_palloc (r->pool, sizeof(my_structure));
 }

Note that there is no ap_pfree -- ap_palloced memory is freed only when the associated resource pool is cleared. This means that ap_palloc does not have to do as much accounting as malloc(); all it does in the typical case is to round up the size, bump a pointer, and do a range check.

(It also raises the possibility that heavy use of ap_palloc could cause a server process to grow excessively large. There are two ways to deal with this, which are dealt with below; briefly, you can use malloc, and try to be sure that all of the memory gets explicitly freed, or you can allocate a sub-pool of the main pool, allocate your memory in the sub-pool, and clear it out periodically. The latter technique is discussed in the section on sub-pools below, and is used in the directory-indexing code, in order to avoid excessive storage allocation when listing directories with thousands of files).

Allocating initialized memory

There are functions which allocate initialized memory, and are frequently useful. The function ap_pcalloc has the same interface as ap_palloc, but clears out the memory it allocates before it returns it. The function ap_pstrdup takes a resource pool and a char * as arguments, and allocates memory for a copy of the string the pointer points to, returning a pointer to the copy. Finally ap_pstrcat is a varargs-style function, which takes a pointer to a resource pool, and at least two char * arguments, the last of which must be NULL. It allocates enough memory to fit copies of each of the strings, as a unit; for instance:

ap_pstrcat (r->pool, "foo", "/", "bar", NULL);

returns a pointer to 8 bytes worth of memory, initialized to "foo/bar".

Commonly-used pools in the Apache Web server

A pool is really defined by its lifetime more than anything else. There are some static pools in http_main which are passed to various non-http_main functions as arguments at opportune times. Here they are:

permanent_pool
never passed to anything else, this is the ancestor of all pools
pconf
  • subpool of permanent_pool
  • created at the beginning of a config "cycle"; exists until the server is terminated or restarts; passed to all config-time routines, either via cmd->pool, or as the "pool *p" argument on those which don't take pools
  • passed to the module init() functions
ptemp
  • sorry I lie, this pool isn't called this currently in 1.3, I renamed it this in my pthreads development. I'm referring to the use of ptrans in the parent... contrast this with the later definition of ptrans in the child.
  • subpool of permanent_pool
  • created at the beginning of a config "cycle"; exists until the end of config parsing; passed to config-time routines via cmd->temp_pool. Somewhat of a "bastard child" because it isn't available everywhere. Used for temporary scratch space which may be needed by some config routines but which is deleted at the end of config.
pchild
  • subpool of permanent_pool
  • created when a child is spawned (or a thread is created); lives until that child (thread) is destroyed
  • passed to the module child_init functions
  • destruction happens right after the child_exit functions are called... (which may explain why I think child_exit is redundant and unneeded)
ptrans
  • should be a subpool of pchild, but currently is a subpool of permanent_pool, see above
  • cleared by the child before going into the accept() loop to receive a connection
  • used as connection->pool
r->pool
  • for the main request this is a subpool of connection->pool; for subrequests it is a subpool of the parent request's pool.
  • exists until the end of the request (i.e., ap_destroy_sub_req, or in child_main after process_request has finished)
  • note that r itself is allocated from r->pool; i.e., r->pool is first created and then r is the first thing palloc()d from it

For almost everything folks do, r->pool is the pool to use. But you can see how other lifetimes, such as pchild, are useful to some modules... such as modules that need to open a database connection once per child, and wish to clean it up when the child dies.

You can also see how some bugs have manifested themself, such as setting connection->user to a value from r->pool -- in this case connection exists for the lifetime of ptrans, which is longer than r->pool (especially if r->pool is a subrequest!). So the correct thing to do is to allocate from connection->pool.

And there was another interesting bug in mod_include / mod_cgi. You'll see in those that they do this test to decide if they should use r->pool or r->main->pool. In this case the resource that they are registering for cleanup is a child process. If it were registered in r->pool, then the code would wait() for the child when the subrequest finishes. With mod_include this could be any old #include, and the delay can be up to 3 seconds... and happened quite frequently. Instead the subprocess is registered in r->main->pool which causes it to be cleaned up when the entire request is done -- i.e., after the output has been sent to the client and logging has happened.

Tracking open files, etc.

As indicated above, resource pools are also used to track other sorts of resources besides memory. The most common are open files. The routine which is typically used for this is ap_pfopen, which takes a resource pool and two strings as arguments; the strings are the same as the typical arguments to fopen, e.g.,

...
FILE *f = ap_pfopen (r->pool, r->filename, "r");

if (f == NULL) { ... } else { ... }

There is also a ap_popenf routine, which parallels the lower-level open system call. Both of these routines arrange for the file to be closed when the resource pool in question is cleared.

Unlike the case for memory, there are functions to close files allocated with ap_pfopen, and ap_popenf, namely ap_pfclose and ap_pclosef. (This is because, on many systems, the number of files which a single process can have open is quite limited). It is important to use these functions to close files allocated with ap_pfopen and ap_popenf, since to do otherwise could cause fatal errors on systems such as Linux, which react badly if the same FILE* is closed more than once.

(Using the close functions is not mandatory, since the file will eventually be closed regardless, but you should consider it in cases where your module is opening, or could open, a lot of files).

Other sorts of resources -- cleanup functions

More text goes here. Describe the cleanup primitives in terms of which the file stuff is implemented; also, spawn_process.

Pool cleanups live until clear_pool() is called: clear_pool(a) recursively calls destroy_pool() on all subpools of a; then calls all the cleanups for a; then releases all the memory for a. destroy_pool(a) calls clear_pool(a) and then releases the pool structure itself. i.e., clear_pool(a) doesn't delete a, it just frees up all the resources and you can start using it again immediately.

Fine control -- creating and dealing with sub-pools, with a note on sub-requests

On rare occasions, too-free use of ap_palloc() and the associated primitives may result in undesirably profligate resource allocation. You can deal with such a case by creating a sub-pool, allocating within the sub-pool rather than the main pool, and clearing or destroying the sub-pool, which releases the resources which were associated with it. (This really is a rare situation; the only case in which it comes up in the standard module set is in case of listing directories, and then only with very large directories. Unnecessary use of the primitives discussed here can hair up your code quite a bit, with very little gain).

The primitive for creating a sub-pool is ap_make_sub_pool, which takes another pool (the parent pool) as an argument. When the main pool is cleared, the sub-pool will be destroyed. The sub-pool may also be cleared or destroyed at any time, by calling the functions ap_clear_pool and ap_destroy_pool, respectively. (The difference is that ap_clear_pool frees resources associated with the pool, while ap_destroy_pool also deallocates the pool itself. In the former case, you can allocate new resources within the pool, and clear it again, and so forth; in the latter case, it is simply gone).

One final note -- sub-requests have their own resource pools, which are sub-pools of the resource pool for the main request. The polite way to reclaim the resources associated with a sub request which you have allocated (using the ap_sub_req_... functions) is ap_destroy_sub_req, which frees the resource pool. Before calling this function, be sure to copy anything that you care about which might be allocated in the sub-request's resource pool into someplace a little less volatile (for instance, the filename in its request_rec structure).

(Again, under most circumstances, you shouldn't feel obliged to call this function; only 2K of memory or so are allocated for a typical sub request, and it will be freed anyway when the main request pool is cleared. It is only when you are allocating many, many sub-requests for a single main request that you should seriously consider the ap_destroy_... functions).

top

Configuration, commands and the like

One of the design goals for this server was to maintain external compatibility with the NCSA 1.3 server --- that is, to read the same configuration files, to process all the directives therein correctly, and in general to be a drop-in replacement for NCSA. On the other hand, another design goal was to move as much of the server's functionality into modules which have as little as possible to do with the monolithic server core. The only way to reconcile these goals is to move the handling of most commands from the central server into the modules.

However, just giving the modules command tables is not enough to divorce them completely from the server core. The server has to remember the commands in order to act on them later. That involves maintaining data which is private to the modules, and which can be either per-server, or per-directory. Most things are per-directory, including in particular access control and authorization information, but also information on how to determine file types from suffixes, which can be modified by AddType and DefaultType directives, and so forth. In general, the governing philosophy is that anything which can be made configurable by directory should be; per-server information is generally used in the standard set of modules for information like Aliases and Redirects which come into play before the request is tied to a particular place in the underlying file system.

Another requirement for emulating the NCSA server is being able to handle the per-directory configuration files, generally called .htaccess files, though even in the NCSA server they can contain directives which have nothing at all to do with access control. Accordingly, after URI -> filename translation, but before performing any other phase, the server walks down the directory hierarchy of the underlying filesystem, following the translated pathname, to read any .htaccess files which might be present. The information which is read in then has to be merged with the applicable information from the server's own config files (either from the <Directory> sections in access.conf, or from defaults in srm.conf, which actually behaves for most purposes almost exactly like <Directory />).

Finally, after having served a request which involved reading .htaccess files, we need to discard the storage allocated for handling them. That is solved the same way it is solved wherever else similar problems come up, by tying those structures to the per-transaction resource pool.

Per-directory configuration structures

Let's look out how all of this plays out in mod_mime.c, which defines the file typing handler which emulates the NCSA server's behavior of determining file types from suffixes. What we'll be looking at, here, is the code which implements the AddType and AddEncoding commands. These commands can appear in .htaccess files, so they must be handled in the module's private per-directory data, which in fact, consists of two separate tables for MIME types and encoding information, and is declared as follows:

typedef struct {
    table *forced_types;      /* Additional AddTyped stuff */
    table *encoding_types;    /* Added with AddEncoding... */
} mime_dir_config;

When the server is reading a configuration file, or <Directory> section, which includes one of the MIME module's commands, it needs to create a mime_dir_config structure, so those commands have something to act on. It does this by invoking the function it finds in the module's `create per-dir config slot', with two arguments: the name of the directory to which this configuration information applies (or NULL for srm.conf), and a pointer to a resource pool in which the allocation should happen.

(If we are reading a .htaccess file, that resource pool is the per-request resource pool for the request; otherwise it is a resource pool which is used for configuration data, and cleared on restarts. Either way, it is important for the structure being created to vanish when the pool is cleared, by registering a cleanup on the pool if necessary).

For the MIME module, the per-dir config creation function just ap_pallocs the structure above, and a creates a couple of tables to fill it. That looks like this:

void *create_mime_dir_config (pool *p, char *dummy)
{
mime_dir_config *new =
(mime_dir_config *) ap_palloc (p, sizeof(mime_dir_config));
new->forced_types = ap_make_table (p, 4);
new->encoding_types = ap_make_table (p, 4);

return new;
 }

Now, suppose we've just read in a .htaccess file. We already have the per-directory configuration structure for the next directory up in the hierarchy. If the .htaccess file we just read in didn't have any AddType or AddEncoding commands, its per-directory config structure for the MIME module is still valid, and we can just use it. Otherwise, we need to merge the two structures somehow.

To do that, the server invokes the module's per-directory config merge function, if one is present. That function takes three arguments: the two structures being merged, and a resource pool in which to allocate the result. For the MIME module, all that needs to be done is overlay the tables from the new per-directory config structure with those from the parent:

void *merge_mime_dir_configs (pool *p, void *parent_dirv, void *subdirv)
{
mime_dir_config *parent_dir = (mime_dir_config *)parent_dirv;
mime_dir_config *subdir = (mime_dir_config *)subdirv;
mime_dir_config *new =
(mime_dir_config *)ap_palloc (p, sizeof(mime_dir_config));
new->forced_types = ap_overlay_tables (p, subdir->forced_types,
parent_dir->forced_types);
 new->encoding_types = ap_overlay_tables (p, subdir->encoding_types,
parent_dir->encoding_types);
return new;
 }

As a note -- if there is no per-directory merge function present, the server will just use the subdirectory's configuration info, and ignore the parent's. For some modules, that works just fine (e.g., for the includes module, whose per-directory configuration information consists solely of the state of the XBITHACK), and for those modules, you can just not declare one, and leave the corresponding structure slot in the module itself NULL.

Command handling

Now that we have these structures, we need to be able to figure out how to fill them. That involves processing the actual AddType and AddEncoding commands. To find commands, the server looks in the module's command table. That table contains information on how many arguments the commands take, and in what formats, where it is permitted, and so forth. That information is sufficient to allow the server to invoke most command-handling functions with pre-parsed arguments. Without further ado, let's look at the AddType command handler, which looks like this (the AddEncoding command looks basically the same, and won't be shown here):

char *add_type(cmd_parms *cmd, mime_dir_config *m, char *ct, char *ext)
{
if (*ext == '.') ++ext;
ap_table_set (m->forced_types, ext, ct);
return NULL;
 }

This command handler is unusually simple. As you can see, it takes four arguments, two of which are pre-parsed arguments, the third being the per-directory configuration structure for the module in question, and the fourth being a pointer to a cmd_parms structure. That structure contains a bunch of arguments which are frequently of use to some, but not all, commands, including a resource pool (from which memory can be allocated, and to which cleanups should be tied), and the (virtual) server being configured, from which the module's per-server configuration data can be obtained if required.

Another way in which this particular command handler is unusually simple is that there are no error conditions which it can encounter. If there were, it could return an error message instead of NULL; this causes an error to be printed out on the server's stderr, followed by a quick exit, if it is in the main config files; for a .htaccess file, the syntax error is logged in the server error log (along with an indication of where it came from), and the request is bounced with a server error response (HTTP error status, code 500).

The MIME module's command table has entries for these commands, which look like this:

command_rec mime_cmds[] = {
{ "AddType", add_type, NULL, OR_FILEINFO, TAKE2,
"a mime type followed by a file extension" },
 { "AddEncoding", add_encoding, NULL, OR_FILEINFO, TAKE2,
"an encoding (e.g., gzip), followed by a file extension" },
 { NULL }
 };

The entries in these tables are:

Finally, having set this all up, we have to use it. This is ultimately done in the module's handlers, specifically for its file-typing handler, which looks more or less like this; note that the per-directory configuration structure is extracted from the request_rec's per-directory configuration vector by using the ap_get_module_config function.

int find_ct(request_rec *r)
{
int i;
char *fn = ap_pstrdup (r->pool, r->filename);
mime_dir_config *conf = (mime_dir_config *)
ap_get_module_config(r->per_dir_config, &mime_module);
 char *type;

if (S_ISDIR(r->finfo.st_mode)) {
r->content_type = DIR_MAGIC_TYPE;
return OK;
 }

if((i=ap_rind(fn,'.')) < 0) return DECLINED;
++i;

if ((type = ap_table_get (conf->encoding_types, &fn[i])))
{
r->content_encoding = type;

/* go back to previous extension to try to use it as a type */
fn[i-1] = '\0';
if((i=ap_rind(fn,'.')) < 0) return OK;
++i;
 }

if ((type = ap_table_get (conf->forced_types, &fn[i])))
{
r->content_type = type;
 }

return OK; }

Side notes -- per-server configuration, virtual servers, etc.

The basic ideas behind per-server module configuration are basically the same as those for per-directory configuration; there is a creation function and a merge function, the latter being invoked where a virtual server has partially overridden the base server configuration, and a combined structure must be computed. (As with per-directory configuration, the default if no merge function is specified, and a module is configured in some virtual server, is that the base configuration is simply ignored).

The only substantial difference is that when a command needs to configure the per-server private module data, it needs to go to the cmd_parms data to get at it. Here's an example, from the alias module, which also indicates how a syntax error can be returned (note that the per-directory configuration argument to the command handler is declared as a dummy, since the module doesn't actually have per-directory config data):

char *add_redirect(cmd_parms *cmd, void *dummy, char *f, char *url)
{
server_rec *s = cmd->server;
alias_server_conf *conf = (alias_server_conf *)
ap_get_module_config(s->module_config,&alias_module);
 alias_entry *new = ap_push_array (conf->redirects);

if (!ap_is_url (url)) return "Redirect to non-URL";

new->fake = f; new->real = url;
return NULL;
 }

developer/debugging.html100644 0 0 21562 11256637772 13061 0ustar 0 0 Debugging Memory Allocation in APR - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Debugging Memory Allocation in APR

The allocation mechanisms within APR have a number of debugging modes that can be used to assist in finding memory problems. This document describes the modes available and gives instructions on activating them.

top

Available debugging options

Allocation Debugging - ALLOC_DEBUG

Debugging support: Define this to enable code which helps detect re-use of free()d memory and other such nonsense.

The theory is simple. The FILL_BYTE (0xa5) is written over all malloc'd memory as we receive it, and is written over everything that we free up during a clear_pool. We check that blocks on the free list always have the FILL_BYTE in them, and we check during palloc() that the bytes still have FILL_BYTE in them. If you ever see garbage URLs or whatnot containing lots of 0xa5s then you know something used data that's been freed or uninitialized.

Malloc Support - ALLOC_USE_MALLOC

If defined all allocations will be done with malloc() and free()d appropriately at the end.

This is intended to be used with something like Electric Fence or Purify to help detect memory problems. Note that if you're using efence then you should also add in ALLOC_DEBUG. But don't add in ALLOC_DEBUG if you're using Purify because ALLOC_DEBUG would hide all the uninitialized read errors that Purify can diagnose.

Pool Debugging - POOL_DEBUG

This is intended to detect cases where the wrong pool is used when assigning data to an object in another pool.

In particular, it causes the table_{set,add,merge}n routines to check that their arguments are safe for the apr_table_t they're being placed in. It currently only works with the unix multiprocess model, but could be extended to others.

Table Debugging - MAKE_TABLE_PROFILE

Provide diagnostic information about make_table() calls which are possibly too small.

This requires a recent gcc which supports __builtin_return_address(). The error_log output will be a message such as:

table_push: apr_table_t created by 0x804d874 hit limit of 10

Use l *0x804d874 to find the source that corresponds to. It indicates that a apr_table_t allocated by a call at that address has possibly too small an initial apr_table_t size guess.

Allocation Statistics - ALLOC_STATS

Provide some statistics on the cost of allocations.

This requires a bit of an understanding of how alloc.c works.

top

Allowable Combinations

Not all the options outlined above can be activated at the same time. the following table gives more information.

ALLOC DEBUG ALLOC USE MALLOC POOL DEBUG MAKE TABLE PROFILE ALLOC STATS
ALLOC DEBUG -NoYesYesYes
ALLOC USE MALLOC No-NoNoNo
POOL DEBUG YesNo-YesYes
MAKE TABLE PROFILE YesNoYes-Yes
ALLOC STATS YesNoYesYes-

Additionally the debugging options are not suitable for multi-threaded versions of the server. When trying to debug with these options the server should be started in single process mode.

top

Activating Debugging Options

The various options for debugging memory are now enabled in the apr_general.h header file in APR. The various options are enabled by uncommenting the define for the option you wish to use. The section of the code currently looks like this (contained in srclib/apr/include/apr_pools.h)

/*
#define ALLOC_DEBUG
#define POOL_DEBUG
#define ALLOC_USE_MALLOC
#define MAKE_TABLE_PROFILE
#define ALLOC_STATS
*/

typedef struct ap_pool_t {
union block_hdr *first;
union block_hdr *last;
struct cleanup *cleanups;
struct process_chain *subprocesses;
struct ap_pool_t *sub_pools;
struct ap_pool_t *sub_next;
struct ap_pool_t *sub_prev;
struct ap_pool_t *parent;
char *free_first_avail;
 #ifdef ALLOC_USE_MALLOC
void *allocation_list;
 #endif
#ifdef POOL_DEBUG
struct ap_pool_t *joined;
 #endif
int (*apr_abort)(int retcode);
struct datastruct *prog_data;
 } ap_pool_t;

To enable allocation debugging simply move the #define ALLOC_DEBUG above the start of the comments block and rebuild the server.

Note

In order to use the various options the server must be rebuilt after editing the header file.

developer/documenting.html100644 0 0 10130 11256637772 13427 0ustar 0 0 Documenting Apache 2.0 - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Documenting Apache 2.0

Apache 2.0 uses Doxygen to document the APIs and global variables in the code. This will explain the basics of how to document using Doxygen.

top

Brief Description

To start a documentation block, use /**
To end a documentation block, use */

In the middle of the block, there are multiple tags we can use:

Description of this functions purpose
@param parameter_name description
@return description
@deffunc signature of the function

The deffunc is not always necessary. DoxyGen does not have a full parser in it, so any prototype that use a macro in the return type declaration is too complex for scandoc. Those functions require a deffunc. An example (using &gt; rather than >):

/**
 * return the final element of the pathname
 * @param pathname The path to get the final element of
 * @return the final element of the path
 * @tip Examples:
 * <pre>
 * "/foo/bar/gum" -&gt; "gum"
 * "/foo/bar/gum/" -&gt; ""
 * "gum" -&gt; "gum"
 * "wi\\n32\\stuff" -&gt; "stuff"
 * </pre>
 * @deffunc const char * ap_filename_of_pathname(const char *pathname)
 */

At the top of the header file, always include:

/**
 * @package Name of library header
 */

Doxygen uses a new HTML file for each package. The HTML files are named {Name_of_library_header}.html, so try to be concise with your names.

For a further discussion of the possibilities please refer to the Doxygen site.

developer/filters.html100644 0 0 27634 11256637772 12604 0ustar 0 0 How filters work in Apache 2.0 - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

How filters work in Apache 2.0

Warning

This is a cut 'n paste job from an email (<022501c1c529$f63a9550$7f00000a@KOJ>) and only reformatted for better readability. It's not up to date but may be a good start for further research.

top

Filter Types

There are three basic filter types (each of these is actually broken down into two categories, but that comes later).

CONNECTION
Filters of this type are valid for the lifetime of this connection. (AP_FTYPE_CONNECTION, AP_FTYPE_NETWORK)
PROTOCOL
Filters of this type are valid for the lifetime of this request from the point of view of the client, this means that the request is valid from the time that the request is sent until the time that the response is received. (AP_FTYPE_PROTOCOL, AP_FTYPE_TRANSCODE)
RESOURCE
Filters of this type are valid for the time that this content is used to satisfy a request. For simple requests, this is identical to PROTOCOL, but internal redirects and sub-requests can change the content without ending the request. (AP_FTYPE_RESOURCE, AP_FTYPE_CONTENT_SET)

It is important to make the distinction between a protocol and a resource filter. A resource filter is tied to a specific resource, it may also be tied to header information, but the main binding is to a resource. If you are writing a filter and you want to know if it is resource or protocol, the correct question to ask is: "Can this filter be removed if the request is redirected to a different resource?" If the answer is yes, then it is a resource filter. If it is no, then it is most likely a protocol or connection filter. I won't go into connection filters, because they seem to be well understood. With this definition, a few examples might help:

Byterange
We have coded it to be inserted for all requests, and it is removed if not used. Because this filter is active at the beginning of all requests, it can not be removed if it is redirected, so this is a protocol filter.
http_header
This filter actually writes the headers to the network. This is obviously a required filter (except in the asis case which is special and will be dealt with below) and so it is a protocol filter.
Deflate
The administrator configures this filter based on which file has been requested. If we do an internal redirect from an autoindex page to an index.html page, the deflate filter may be added or removed based on config, so this is a resource filter.

The further breakdown of each category into two more filter types is strictly for ordering. We could remove it, and only allow for one filter type, but the order would tend to be wrong, and we would need to hack things to make it work. Currently, the RESOURCE filters only have one filter type, but that should change.

top

How are filters inserted?

This is actually rather simple in theory, but the code is complex. First of all, it is important that everybody realize that there are three filter lists for each request, but they are all concatenated together. So, the first list is r->output_filters, then r->proto_output_filters, and finally r->connection->output_filters. These correspond to the RESOURCE, PROTOCOL, and CONNECTION filters respectively. The problem previously, was that we used a singly linked list to create the filter stack, and we started from the "correct" location. This means that if I had a RESOURCE filter on the stack, and I added a CONNECTION filter, the CONNECTION filter would be ignored. This should make sense, because we would insert the connection filter at the top of the c->output_filters list, but the end of r->output_filters pointed to the filter that used to be at the front of c->output_filters. This is obviously wrong. The new insertion code uses a doubly linked list. This has the advantage that we never lose a filter that has been inserted. Unfortunately, it comes with a separate set of headaches.

The problem is that we have two different cases were we use subrequests. The first is to insert more data into a response. The second is to replace the existing response with an internal redirect. These are two different cases and need to be treated as such.

In the first case, we are creating the subrequest from within a handler or filter. This means that the next filter should be passed to make_sub_request function, and the last resource filter in the sub-request will point to the next filter in the main request. This makes sense, because the sub-request's data needs to flow through the same set of filters as the main request. A graphical representation might help:

Default_handler --> includes_filter --> byterange --> ...

If the includes filter creates a sub request, then we don't want the data from that sub-request to go through the includes filter, because it might not be SSI data. So, the subrequest adds the following:

    
Default_handler --> includes_filter -/-> byterange --> ...
                                    /
Default_handler --> sub_request_core

What happens if the subrequest is SSI data? Well, that's easy, the includes_filter is a resource filter, so it will be added to the sub request in between the Default_handler and the sub_request_core filter.

The second case for sub-requests is when one sub-request is going to become the real request. This happens whenever a sub-request is created outside of a handler or filter, and NULL is passed as the next filter to the make_sub_request function.

In this case, the resource filters no longer make sense for the new request, because the resource has changed. So, instead of starting from scratch, we simply point the front of the resource filters for the sub-request to the front of the protocol filters for the old request. This means that we won't lose any of the protocol filters, neither will we try to send this data through a filter that shouldn't see it.

The problem is that we are using a doubly-linked list for our filter stacks now. But, you should notice that it is possible for two lists to intersect in this model. So, you do you handle the previous pointer? This is a very difficult question to answer, because there is no "right" answer, either method is equally valid. I looked at why we use the previous pointer. The only reason for it is to allow for easier addition of new servers. With that being said, the solution I chose was to make the previous pointer always stay on the original request.

This causes some more complex logic, but it works for all cases. My concern in having it move to the sub-request, is that for the more common case (where a sub-request is used to add data to a response), the main filter chain would be wrong. That didn't seem like a good idea to me.

top

Asis

The final topic. :-) Mod_Asis is a bit of a hack, but the handler needs to remove all filters except for connection filters, and send the data. If you are using mod_asis, all other bets are off.

top

Explanations

The absolutely last point is that the reason this code was so hard to get right, was because we had hacked so much to force it to work. I wrote most of the hacks originally, so I am very much to blame. However, now that the code is right, I have started to remove some hacks. Most people should have seen that the reset_filters and add_required_filters functions are gone. Those inserted protocol level filters for error conditions, in fact, both functions did the same thing, one after the other, it was really strange. Because we don't lose protocol filters for error cases any more, those hacks went away. The HTTP_HEADER, Content-length, and Byterange filters are all added in the insert_filters phase, because if they were added earlier, we had some interesting interactions. Now, those could all be moved to be inserted with the HTTP_IN, CORE, and CORE_IN filters. That would make the code easier to follow.

developer/hooks.html100644 0 0 24603 11256637772 12250 0ustar 0 0 Apache 2.0 Hook Functions - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Apache 2.0 Hook Functions

Warning

This document is still in development and may be partially out of date.

In general, a hook function is one that Apache will call at some point during the processing of a request. Modules can provide functions that are called, and specify when they get called in comparison to other modules.

top

Creating a hook function

In order to create a new hook, four things need to be done:

Declare the hook function

Use the AP_DECLARE_HOOK macro, which needs to be given the return type of the hook function, the name of the hook, and the arguments. For example, if the hook returns an int and takes a request_rec * and an int and is called do_something, then declare it like this:

AP_DECLARE_HOOK(int, do_something, (request_rec *r, int n))

This should go in a header which modules will include if they want to use the hook.

Create the hook structure

Each source file that exports a hook has a private structure which is used to record the module functions that use the hook. This is declared as follows:

APR_HOOK_STRUCT(
APR_HOOK_LINK(do_something)
...
 )

Implement the hook caller

The source file that exports the hook has to implement a function that will call the hook. There are currently three possible ways to do this. In all cases, the calling function is called ap_run_hookname().

Void hooks

If the return value of a hook is void, then all the hooks are called, and the caller is implemented like this:

AP_IMPLEMENT_HOOK_VOID(do_something, (request_rec *r, int n), (r, n))

The second and third arguments are the dummy argument declaration and the dummy arguments as they will be used when calling the hook. In other words, this macro expands to something like this:

void ap_run_do_something(request_rec *r, int n)
{
...
do_something(r, n);
 }

Hooks that return a value

If the hook returns a value, then it can either be run until the first hook that does something interesting, like so:

AP_IMPLEMENT_HOOK_RUN_FIRST(int, do_something, (request_rec *r, int n), (r, n), DECLINED)

The first hook that does not return DECLINED stops the loop and its return value is returned from the hook caller. Note that DECLINED is the tradition Apache hook return meaning "I didn't do anything", but it can be whatever suits you.

Alternatively, all hooks can be run until an error occurs. This boils down to permitting two return values, one of which means "I did something, and it was OK" and the other meaning "I did nothing". The first function that returns a value other than one of those two stops the loop, and its return is the return value. Declare these like so:

AP_IMPLEMENT_HOOK_RUN_ALL(int, do_something, (request_rec *r, int n), (r, n), OK, DECLINED)

Again, OK and DECLINED are the traditional values. You can use what you want.

Call the hook callers

At appropriate moments in the code, call the hook caller, like so:

int n, ret;
request_rec *r;

ret=ap_run_do_something(r, n);

top

Hooking the hook

A module that wants a hook to be called needs to do two things.

Implement the hook function

Include the appropriate header, and define a static function of the correct type:

static int my_something_doer(request_rec *r, int n)
{
...
return OK;
 }

Add a hook registering function

During initialisation, Apache will call each modules hook registering function, which is included in the module structure:

static void my_register_hooks()
{
ap_hook_do_something(my_something_doer, NULL, NULL, APR_HOOK_MIDDLE);
 }

mode MODULE_VAR_EXPORT my_module =
{
...
my_register_hooks /* register hooks */
 };

Controlling hook calling order

In the example above, we didn't use the three arguments in the hook registration function that control calling order. There are two mechanisms for doing this. The first, rather crude, method, allows us to specify roughly where the hook is run relative to other modules. The final argument control this. There are three possible values: APR_HOOK_FIRST, APR_HOOK_MIDDLE and APR_HOOK_LAST.

All modules using any particular value may be run in any order relative to each other, but, of course, all modules using APR_HOOK_FIRST will be run before APR_HOOK_MIDDLE which are before APR_HOOK_LAST. Modules that don't care when they are run should use APR_HOOK_MIDDLE. (I spaced these out so people could do stuff like APR_HOOK_FIRST-2 to get in slightly earlier, but is this wise? - Ben)

Note that there are two more values, APR_HOOK_REALLY_FIRST and APR_HOOK_REALLY_LAST. These should only be used by the hook exporter.

The other method allows finer control. When a module knows that it must be run before (or after) some other modules, it can specify them by name. The second (third) argument is a NULL-terminated array of strings consisting of the names of modules that must be run before (after) the current module. For example, suppose we want "mod_xyz.c" and "mod_abc.c" to run before we do, then we'd hook as follows:

static void register_hooks()
{
static const char * const aszPre[] = { "mod_xyz.c", "mod_abc.c", NULL };

ap_hook_do_something(my_something_doer, aszPre, NULL, APR_HOOK_MIDDLE);
 }

Note that the sort used to achieve this is stable, so ordering set by APR_HOOK_ORDER is preserved, as far as is possible.

Ben Laurie, 15th August 1999

developer/index.html100644 0 0 11314 11256637772 12227 0ustar 0 0 Developer Documentation for Apache 2.0 - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

Developer Documentation for Apache 2.0

Many of the documents on these Developer pages are lifted from Apache 1.3's documentation. While they are all being updated to Apache 2.0, they are in different stages of progress. Please be patient, and point out any discrepancies or errors on the developer/ pages directly to the dev@httpd.apache.org mailing list.

top

Topics

top

External Resources

developer/modules.html100644 0 0 26307 11256637772 12600 0ustar 0 0 Converting Modules from Apache 1.3 to Apache 2.0 - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Converting Modules from Apache 1.3 to Apache 2.0

This is a first attempt at writing the lessons I learned when trying to convert the mod_mmap_static module to Apache 2.0. It's by no means definitive and probably won't even be correct in some ways, but it's a start.

top

The easier changes ...

Cleanup Routines

These now need to be of type apr_status_t and return a value of that type. Normally the return value will be APR_SUCCESS unless there is some need to signal an error in the cleanup. Be aware that even though you signal an error not all code yet checks and acts upon the error.

Initialisation Routines

These should now be renamed to better signify where they sit in the overall process. So the name gets a small change from mmap_init to mmap_post_config. The arguments passed have undergone a radical change and now look like

Data Types

A lot of the data types have been moved into the APR. This means that some have had a name change, such as the one shown above. The following is a brief list of some of the changes that you are likely to have to make.

top

The messier changes...

Register Hooks

The new architecture uses a series of hooks to provide for calling your functions. These you'll need to add to your module by way of a new function, static void register_hooks(void). The function is really reasonably straightforward once you understand what needs to be done. Each function that needs calling at some stage in the processing of a request needs to be registered, handlers do not. There are a number of phases where functions can be added, and for each you can specify with a high degree of control the relative order that the function will be called in.

This is the code that was added to mod_mmap_static:

static void register_hooks(void)
{
    static const char * const aszPre[]={ "http_core.c",NULL };
    ap_hook_post_config(mmap_post_config,NULL,NULL,HOOK_MIDDLE);
    ap_hook_translate_name(mmap_static_xlat,aszPre,NULL,HOOK_LAST);
};

This registers 2 functions that need to be called, one in the post_config stage (virtually every module will need this one) and one for the translate_name phase. note that while there are different function names the format of each is identical. So what is the format?

ap_hook_phase_name(function_name, predecessors, successors, position);

There are 3 hook positions defined...

To define the position you use the position and then modify it with the predecessors and successors. Each of the modifiers can be a list of functions that should be called, either before the function is run (predecessors) or after the function has run (successors).

In the mod_mmap_static case I didn't care about the post_config stage, but the mmap_static_xlat must be called after the core module had done it's name translation, hence the use of the aszPre to define a modifier to the position HOOK_LAST.

Module Definition

There are now a lot fewer stages to worry about when creating your module definition. The old defintion looked like

module MODULE_VAR_EXPORT module_name_module =
{
    STANDARD_MODULE_STUFF,
    /* initializer */
    /* dir config creater */
    /* dir merger --- default is to override */
    /* server config */
    /* merge server config */
    /* command handlers */
    /* handlers */
    /* filename translation */
    /* check_user_id */
    /* check auth */
    /* check access */
    /* type_checker */
    /* fixups */
    /* logger */
    /* header parser */
    /* child_init */
    /* child_exit */
    /* post read-request */
};

The new structure is a great deal simpler...

module MODULE_VAR_EXPORT module_name_module =
{
    STANDARD20_MODULE_STUFF,
    /* create per-directory config structures */
    /* merge per-directory config structures  */
    /* create per-server config structures    */
    /* merge per-server config structures     */
    /* command handlers */
    /* handlers */
    /* register hooks */
};

Some of these read directly across, some don't. I'll try to summarise what should be done below.

The stages that read directly across :

/* dir config creater */
/* create per-directory config structures */
/* server config */
/* create per-server config structures */
/* dir merger */
/* merge per-directory config structures */
/* merge server config */
/* merge per-server config structures */
/* command table */
/* command apr_table_t */
/* handlers */
/* handlers */

The remainder of the old functions should be registered as hooks. There are the following hook stages defined so far...

ap_hook_post_config
this is where the old _init routines get registered
ap_hook_http_method
retrieve the http method from a request. (legacy)
ap_hook_open_logs
open any specified logs
ap_hook_auth_checker
check if the resource requires authorization
ap_hook_access_checker
check for module-specific restrictions
ap_hook_check_user_id
check the user-id and password
ap_hook_default_port
retrieve the default port for the server
ap_hook_pre_connection
do any setup required just before processing, but after accepting
ap_hook_process_connection
run the correct protocol
ap_hook_child_init
call as soon as the child is started
ap_hook_create_request
??
ap_hook_fixups
last chance to modify things before generating content
ap_hook_handler
generate the content
ap_hook_header_parser
lets modules look at the headers, not used by most modules, because they use post_read_request for this
ap_hook_insert_filter
to insert filters into the filter chain
ap_hook_log_transaction
log information about the request
ap_hook_optional_fn_retrieve
retrieve any functions registered as optional
ap_hook_post_read_request
called after reading the request, before any other phase
ap_hook_quick_handler
called before any request processing, used by cache modules.
ap_hook_translate_name
translate the URI into a filename
ap_hook_type_checker
determine and/or set the doc type
developer/request.html100644 0 0 33157 11256637772 12621 0ustar 0 0 Request Processing in Apache 2.0 - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Request Processing in Apache 2.0

Warning

Warning - this is a first (fast) draft that needs further revision!

Several changes in Apache 2.0 affect the internal request processing mechanics. Module authors need to be aware of these changes so they may take advantage of the optimizations and security enhancements.

The first major change is to the subrequest and redirect mechanisms. There were a number of different code paths in Apache 1.3 to attempt to optimize subrequest or redirect behavior. As patches were introduced to 2.0, these optimizations (and the server behavior) were quickly broken due to this duplication of code. All duplicate code has been folded back into ap_process_request_internal() to prevent the code from falling out of sync again.

This means that much of the existing code was 'unoptimized'. It is the Apache HTTP Project's first goal to create a robust and correct implementation of the HTTP server RFC. Additional goals include security, scalability and optimization. New methods were sought to optimize the server (beyond the performance of Apache 1.3) without introducing fragile or insecure code.

top

The Request Processing Cycle

All requests pass through ap_process_request_internal() in request.c, including subrequests and redirects. If a module doesn't pass generated requests through this code, the author is cautioned that the module may be broken by future changes to request processing.

To streamline requests, the module author can take advantage of the hooks offered to drop out of the request cycle early, or to bypass core Apache hooks which are irrelevant (and costly in terms of CPU.)

top

The Request Parsing Phase

Unescapes the URL

The request's parsed_uri path is unescaped, once and only once, at the beginning of internal request processing.

This step is bypassed if the proxyreq flag is set, or the parsed_uri.path element is unset. The module has no further control of this one-time unescape operation, either failing to unescape or multiply unescaping the URL leads to security reprecussions.

Strips Parent and This Elements from the URI

All /../ and /./ elements are removed by ap_getparents(). This helps to ensure the path is (nearly) absolute before the request processing continues.

This step cannot be bypassed.

Initial URI Location Walk

Every request is subject to an ap_location_walk() call. This ensures that <Location> sections are consistently enforced for all requests. If the request is an internal redirect or a sub-request, it may borrow some or all of the processing from the previous or parent request's ap_location_walk, so this step is generally very efficient after processing the main request.

translate_name

Modules can determine the file name, or alter the given URI in this step. For example, mod_vhost_alias will translate the URI's path into the configured virtual host, mod_alias will translate the path to an alias path, and if the request falls back on the core, the DocumentRoot is prepended to the request resource.

If all modules DECLINE this phase, an error 500 is returned to the browser, and a "couldn't translate name" error is logged automatically.

Hook: map_to_storage

After the file or correct URI was determined, the appropriate per-dir configurations are merged together. For example, mod_proxy compares and merges the appropriate <Proxy> sections. If the URI is nothing more than a local (non-proxy) TRACE request, the core handles the request and returns DONE. If no module answers this hook with OK or DONE, the core will run the request filename against the <Directory> and <Files> sections. If the request 'filename' isn't an absolute, legal filename, a note is set for later termination.

URI Location Walk

Every request is hardened by a second ap_location_walk() call. This reassures that a translated request is still subjected to the configured <Location> sections. The request again borrows some or all of the processing from its previous location_walk above, so this step is almost always very efficient unless the translated URI mapped to a substantially different path or Virtual Host.

Hook: header_parser

The main request then parses the client's headers. This prepares the remaining request processing steps to better serve the client's request.

top

The Security Phase

Needs Documentation. Code is:

switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC:
    if ((access_status = ap_run_access_checker(r)) != 0) {
        return decl_die(access_status, "check access", r);
    }

    if (ap_some_auth_required(r)) {
        if (((access_status = ap_run_check_user_id(r)) != 0)
            || !ap_auth_type(r)) {
            return decl_die(access_status, ap_auth_type(r)
                          ? "check user.  No user file?"
                          : "perform authentication. AuthType not set!",
                          r);
        }

        if (((access_status = ap_run_auth_checker(r)) != 0)
            || !ap_auth_type(r)) {
            return decl_die(access_status, ap_auth_type(r)
                          ? "check access.  No groups file?"
                          : "perform authentication. AuthType not set!",
                          r);
        }
    }
    break;

case SATISFY_ANY:
    if (((access_status = ap_run_access_checker(r)) != 0)) {
        if (!ap_some_auth_required(r)) {
            return decl_die(access_status, "check access", r);
        }

        if (((access_status = ap_run_check_user_id(r)) != 0)
            || !ap_auth_type(r)) {
            return decl_die(access_status, ap_auth_type(r)
                          ? "check user.  No user file?"
                          : "perform authentication. AuthType not set!",
                          r);
        }

        if (((access_status = ap_run_auth_checker(r)) != 0)
            || !ap_auth_type(r)) {
            return decl_die(access_status, ap_auth_type(r)
                          ? "check access.  No groups file?"
                          : "perform authentication. AuthType not set!",
                          r);
        }
    }
    break;
}
top

The Preparation Phase

Hook: type_checker

The modules have an opportunity to test the URI or filename against the target resource, and set mime information for the request. Both mod_mime and mod_mime_magic use this phase to compare the file name or contents against the administrator's configuration and set the content type, language, character set and request handler. Some modules may set up their filters or other request handling parameters at this time.

If all modules DECLINE this phase, an error 500 is returned to the browser, and a "couldn't find types" error is logged automatically.

Hook: fixups

Many modules are 'trounced' by some phase above. The fixups phase is used by modules to 'reassert' their ownership or force the request's fields to their appropriate values. It isn't always the cleanest mechanism, but occasionally it's the only option.

top

The Handler Phase

This phase is not part of the processing in ap_process_request_internal(). Many modules prepare one or more subrequests prior to creating any content at all. After the core, or a module calls ap_process_request_internal() it then calls ap_invoke_handler() to generate the request.

Hook: insert_filter

Modules that transform the content in some way can insert their values and override existing filters, such that if the user configured a more advanced filter out-of-order, then the module can move its order as need be. There is no result code, so actions in this hook better be trusted to always succeed.

Hook: handler

The module finally has a chance to serve the request in its handler hook. Note that not every prepared request is sent to the handler hook. Many modules, such as mod_autoindex, will create subrequests for a given URI, and then never serve the subrequest, but simply lists it for the user. Remember not to put required teardown from the hooks above into this module, but register pool cleanups against the request pool to free resources as required.

developer/thread_safety.html100644 0 0 35615 11256637772 13754 0ustar 0 0 Apache 2.0 Thread Safety Issues - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > Developer Documentation

Apache 2.0 Thread Safety Issues

When using any of the threaded mpms in Apache 2.0 it is important that every function called from Apache be thread safe. When linking in 3rd party extensions it can be difficult to determine whether the resulting server will be thread safe. Casual testing generally won't tell you this either as thread safety problems can lead to subtle race conditons that may only show up in certain conditions under heavy load.

top

Global and static variables

When writing your module or when trying to determine if a module or 3rd party library is thread safe there are some common things to keep in mind.

First, you need to recognize that in a threaded model each individual thread has its own program counter, stack and registers. Local variables live on the stack, so those are fine. You need to watch out for any static or global variables. This doesn't mean that you are absolutely not allowed to use static or global variables. There are times when you actually want something to affect all threads, but generally you need to avoid using them if you want your code to be thread safe.

In the case where you have a global variable that needs to be global and accessed by all threads, be very careful when you update it. If, for example, it is an incrementing counter, you need to atomically increment it to avoid race conditions with other threads. You do this using a mutex (mutual exclusion). Lock the mutex, read the current value, increment it and write it back and then unlock the mutex. Any other thread that wants to modify the value has to first check the mutex and block until it is cleared.

If you are using APR, have a look at the apr_atomic_* functions and the apr_thread_mutex_* functions.

top

errno

This is a common global variable that holds the error number of the last error that occurred. If one thread calls a low-level function that sets errno and then another thread checks it, we are bleeding error numbers from one thread into another. To solve this, make sure your module or library defines _REENTRANT or is compiled with -D_REENTRANT. This will make errno a per-thread variable and should hopefully be transparent to the code. It does this by doing something like this:

#define errno (*(__errno_location()))

which means that accessing errno will call __errno_location() which is provided by the libc. Setting _REENTRANT also forces redefinition of some other functions to their *_r equivalents and sometimes changes the common getc/putc macros into safer function calls. Check your libc documentation for specifics. Instead of, or in addition to _REENTRANT the symbols that may affect this are _POSIX_C_SOURCE, _THREAD_SAFE, _SVID_SOURCE, and _BSD_SOURCE.

top

Common standard troublesome functions

Not only do things have to be thread safe, but they also have to be reentrant. strtok() is an obvious one. You call it the first time with your delimiter which it then remembers and on each subsequent call it returns the next token. Obviously if multiple threads are calling it you will have a problem. Most systems have a reentrant version of of the function called strtok_r() where you pass in an extra argument which contains an allocated char * which the function will use instead of its own static storage for maintaining the tokenizing state. If you are using APR you can use apr_strtok().

crypt() is another function that tends to not be reentrant, so if you run across calls to that function in a library, watch out. On some systems it is reentrant though, so it is not always a problem. If your system has crypt_r() chances are you should be using that, or if possible simply avoid the whole mess by using md5 instead.

top

Common 3rd Party Libraries

The following is a list of common libraries that are used by 3rd party Apache modules. You can check to see if your module is using a potentially unsafe library by using tools such as ldd(1) and nm(1). For PHP, for example, try this:

% ldd libphp4.so
libsablot.so.0 => /usr/local/lib/libsablot.so.0 (0x401f6000)
libexpat.so.0 => /usr/lib/libexpat.so.0 (0x402da000)
libsnmp.so.0 => /usr/lib/libsnmp.so.0 (0x402f9000)
libpdf.so.1 => /usr/local/lib/libpdf.so.1 (0x40353000)
libz.so.1 => /usr/lib/libz.so.1 (0x403e2000)
libpng.so.2 => /usr/lib/libpng.so.2 (0x403f0000)
libmysqlclient.so.11 => /usr/lib/libmysqlclient.so.11 (0x40411000)
libming.so => /usr/lib/libming.so (0x40449000)
libm.so.6 => /lib/libm.so.6 (0x40487000)
libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x404a8000)
libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x404e7000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40505000)
libssl.so.2 => /lib/libssl.so.2 (0x40532000)
libcrypto.so.2 => /lib/libcrypto.so.2 (0x40560000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40624000)
libdl.so.2 => /lib/libdl.so.2 (0x40634000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40637000)
libc.so.6 => /lib/libc.so.6 (0x4064b000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)

In addition to these libraries you will need to have a look at any libraries linked statically into the module. You can use nm(1) to look for individual symbols in the module.

top

Library List

Please drop a note to dev@httpd.apache.org if you have additions or corrections to this list.

LibraryVersionThread Safe?Notes
ASpell/PSpell ?
Berkeley DB 3.x, 4.x Yes Be careful about sharing a connection across threads.
bzip2 Yes Both low-level and high-level APIs are thread-safe. However, high-level API requires thread-safe access to errno.
cdb ?
C-Client Perhaps c-client uses strtok() and gethostbyname() which are not thread-safe on most C library implementations. c-client's static data is meant to be shared across threads. If strtok() and gethostbyname() are thread-safe on your OS, c-client may be thread-safe.
libcrypt ?
Expat Yes Need a separate parser instance per thread
FreeTDS ?
FreeType ?
GD 1.8.x ?
GD 2.0.x ?
gdbm No Errors returned via a static gdbm_error variable
ImageMagick 5.2.2 Yes ImageMagick docs claim it is thread safe since version 5.2.2 (see Change log).
Imlib2 ?
libjpeg v6b ?
libmysqlclient Yes Use mysqlclient_r library variant to ensure thread-safety. For more information, please read http://dev.mysql.com/doc/mysql/en/Threaded_clients.html.
Ming 0.2a ?
Net-SNMP 5.0.x ?
OpenLDAP 2.1.x Yes Use ldap_r library variant to ensure thread-safety.
OpenSSL 0.9.6g Yes Requires proper usage of CRYPTO_num_locks, CRYPTO_set_locking_callback, CRYPTO_set_id_callback
liboci8 (Oracle 8+) 8.x,9.x ?
pdflib 5.0.x Yes PDFLib docs claim it is thread safe; changes.txt indicates it has been partially thread-safe since V1.91: http://www.pdflib.com/products/pdflib-family/pdflib/.
libpng 1.0.x ?
libpng 1.2.x ?
libpq (PostgreSQL) 8.x Yes Don't share connections across threads and watch out for crypt() calls
Sablotron 0.95 ?
zlib 1.1.4 Yes Relies upon thread-safe zalloc and zfree functions Default is to use libc's calloc/free which are thread-safe.
dns-caveats.html100644 0 0 27063 11256637772 11353 0ustar 0 0 Issues Regarding DNS and Apache - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

Issues Regarding DNS and Apache

This page could be summarized with the statement: don't configure Apache in such a way that it relies on DNS resolution for parsing of the configuration files. If Apache requires DNS resolution to parse the configuration files then your server may be subject to reliability problems (ie. it might not boot), or denial and theft of service attacks (including users able to steal hits from other users).

top

A Simple Example

<VirtualHost www.abc.dom>
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

In order for Apache to function properly, it absolutely needs to have two pieces of information about each virtual host: the ServerName and at least one IP address that the server will bind and respond to. The above example does not include the IP address, so Apache must use DNS to find the address of www.abc.dom. If for some reason DNS is not available at the time your server is parsing its config file, then this virtual host will not be configured. It won't be able to respond to any hits to this virtual host (prior to Apache version 1.2 the server would not even boot).

Suppose that www.abc.dom has address 192.0.2.1. Then consider this configuration snippet:

<VirtualHost 192.0.2.1>
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

This time Apache needs to use reverse DNS to find the ServerName for this virtualhost. If that reverse lookup fails then it will partially disable the virtualhost (prior to Apache version 1.2 the server would not even boot). If the virtual host is name-based then it will effectively be totally disabled, but if it is IP-based then it will mostly work. However, if Apache should ever have to generate a full URL for the server which includes the server name, then it will fail to generate a valid URL.

Here is a snippet that avoids both of these problems:

<VirtualHost 192.0.2.1>
ServerName www.abc.dom
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
</VirtualHost>

top

Denial of Service

There are (at least) two forms that denial of service can come in. If you are running a version of Apache prior to version 1.2 then your server will not even boot if one of the two DNS lookups mentioned above fails for any of your virtual hosts. In some cases this DNS lookup may not even be under your control; for example, if abc.dom is one of your customers and they control their own DNS, they can force your (pre-1.2) server to fail while booting simply by deleting the www.abc.dom record.

Another form is far more insidious. Consider this configuration snippet:

<VirtualHost www.abc.dom>
ServerAdmin webgirl@abc.dom
DocumentRoot /www/abc
 </VirtualHost>

<VirtualHost www.def.dom>
ServerAdmin webguy@def.dom
DocumentRoot /www/def
 </VirtualHost>

Suppose that you've assigned 192.0.2.1 to www.abc.dom and 192.0.2.2 to www.def.dom. Furthermore, suppose that def.dom has control of their own DNS. With this config you have put def.dom into a position where they can steal all traffic destined to abc.dom. To do so, all they have to do is set www.def.dom to 192.0.2.1. Since they control their own DNS you can't stop them from pointing the www.def.dom record wherever they wish.

Requests coming in to 192.0.2.1 (including all those where users typed in URLs of the form http://www.abc.dom/whatever) will all be served by the def.dom virtual host. To better understand why this happens requires a more in-depth discussion of how Apache matches up incoming requests with the virtual host that will serve it. A rough document describing this is available.

top

The "main server" Address

The addition of name-based virtual host support in Apache 1.1 requires Apache to know the IP address(es) of the host that httpd is running on. To get this address it uses either the global ServerName (if present) or calls the C function gethostname (which should return the same as typing "hostname" at the command prompt). Then it performs a DNS lookup on this address. At present there is no way to avoid this lookup.

If you fear that this lookup might fail because your DNS server is down then you can insert the hostname in /etc/hosts (where you probably already have it so that the machine can boot properly). Then ensure that your machine is configured to use /etc/hosts in the event that DNS fails. Depending on what OS you are using this might be accomplished by editing /etc/resolv.conf, or maybe /etc/nsswitch.conf.

If your server doesn't have to perform DNS for any other reason then you might be able to get away with running Apache with the HOSTRESORDER environment variable set to "local". This all depends on what OS and resolver libraries you are using. It also affects CGIs unless you use mod_env to control the environment. It's best to consult the man pages or FAQs for your OS.

top

Tips to Avoid These Problems

top

Appendix: Future Directions

The situation regarding DNS is highly undesirable. For Apache 1.2 we've attempted to make the server at least continue booting in the event of failed DNS, but it might not be the best we can do. In any event, requiring the use of explicit IP addresses in configuration files is highly undesirable in today's Internet where renumbering is a necessity.

A possible work around to the theft of service attack described above would be to perform a reverse DNS lookup on the IP address returned by the forward lookup and compare the two names -- in the event of a mismatch, the virtualhost would be disabled. This would require reverse DNS to be configured properly (which is something that most admins are familiar with because of the common use of "double-reverse" DNS lookups by FTP servers and TCP wrappers).

In any event, it doesn't seem possible to reliably boot a virtual-hosted web server when DNS has failed unless IP addresses are used. Partial solutions such as disabling portions of the configuration might be worse than not booting at all depending on what the webserver is supposed to accomplish.

As HTTP/1.1 is deployed and browsers and proxies start issuing the Host header it will become possible to avoid the use of IP-based virtual hosts entirely. In this case, a webserver has no requirement to do DNS lookups during configuration. But as of March 1997 these features have not been deployed widely enough to be put into use on critical webservers.

dso.html100644 0 0 40143 11256637772 7722 0ustar 0 0 Dynamic Shared Object (DSO) Support - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

Dynamic Shared Object (DSO) Support

The Apache HTTP Server is a modular program where the administrator can choose the functionality to include in the server by selecting a set of modules. The modules can be statically compiled into the httpd binary when the server is built. Alternatively, modules can be compiled as Dynamic Shared Objects (DSOs) that exist separately from the main httpd binary file. DSO modules may be compiled at the time the server is built, or they may be compiled and added at a later time using the Apache Extension Tool (apxs).

This document describes how to use DSO modules as well as the theory behind their use.

top

Implementation

Related ModulesRelated Directives

The DSO support for loading individual Apache modules is based on a module named mod_so which must be statically compiled into the Apache core. It is the only module besides core which cannot be put into a DSO itself. Practically all other distributed Apache modules can then be placed into a DSO by individually enabling the DSO build for them via configure's --enable-module=shared option as discussed in the install documentation. After a module is compiled into a DSO named mod_foo.so you can use mod_so's LoadModule command in your httpd.conf file to load this module at server startup or restart.

To simplify this creation of DSO files for Apache modules (especially for third-party modules) a new support program named apxs (APache eXtenSion) is available. It can be used to build DSO based modules outside of the Apache source tree. The idea is simple: When installing Apache the configure's make install procedure installs the Apache C header files and puts the platform-dependent compiler and linker flags for building DSO files into the apxs program. This way the user can use apxs to compile his Apache module sources without the Apache distribution source tree and without having to fiddle with the platform-dependent compiler and linker flags for DSO support.

top

Usage Summary

To give you an overview of the DSO features of Apache 2.x, here is a short and concise summary:

  1. Build and install a distributed Apache module, say mod_foo.c, into its own DSO mod_foo.so:

    $ ./configure --prefix=/path/to/install --enable-foo=shared
    $ make install

  2. Build and install a third-party Apache module, say mod_foo.c, into its own DSO mod_foo.so:

    $ ./configure --add-module=module_type:/path/to/3rdparty/mod_foo.c \
    --enable-foo=shared
     $ make install

  3. Configure Apache for later installation of shared modules:

    $ ./configure --enable-so
    $ make install

  4. Build and install a third-party Apache module, say mod_foo.c, into its own DSO mod_foo.so outside of the Apache source tree using apxs:

    $ cd /path/to/3rdparty
    $ apxs -c mod_foo.c
    $ apxs -i -a -n foo mod_foo.la

In all cases, once the shared module is compiled, you must use a LoadModule directive in httpd.conf to tell Apache to activate the module.

top

Background

On modern Unix derivatives there exists a nifty mechanism usually called dynamic linking/loading of Dynamic Shared Objects (DSO) which provides a way to build a piece of program code in a special format for loading it at run-time into the address space of an executable program.

This loading can usually be done in two ways: Automatically by a system program called ld.so when an executable program is started or manually from within the executing program via a programmatic system interface to the Unix loader through the system calls dlopen()/dlsym().

In the first way the DSO's are usually called shared libraries or DSO libraries and named libfoo.so or libfoo.so.1.2. They reside in a system directory (usually /usr/lib) and the link to the executable program is established at build-time by specifying -lfoo to the linker command. This hard-codes library references into the executable program file so that at start-time the Unix loader is able to locate libfoo.so in /usr/lib, in paths hard-coded via linker-options like -R or in paths configured via the environment variable LD_LIBRARY_PATH. It then resolves any (yet unresolved) symbols in the executable program which are available in the DSO.

Symbols in the executable program are usually not referenced by the DSO (because it's a reusable library of general code) and hence no further resolving has to be done. The executable program has no need to do anything on its own to use the symbols from the DSO because the complete resolving is done by the Unix loader. (In fact, the code to invoke ld.so is part of the run-time startup code which is linked into every executable program which has been bound non-static). The advantage of dynamic loading of common library code is obvious: the library code needs to be stored only once, in a system library like libc.so, saving disk space for every program.

In the second way the DSO's are usually called shared objects or DSO files and can be named with an arbitrary extension (although the canonical name is foo.so). These files usually stay inside a program-specific directory and there is no automatically established link to the executable program where they are used. Instead the executable program manually loads the DSO at run-time into its address space via dlopen(). At this time no resolving of symbols from the DSO for the executable program is done. But instead the Unix loader automatically resolves any (yet unresolved) symbols in the DSO from the set of symbols exported by the executable program and its already loaded DSO libraries (especially all symbols from the ubiquitous libc.so). This way the DSO gets knowledge of the executable program's symbol set as if it had been statically linked with it in the first place.

Finally, to take advantage of the DSO's API the executable program has to resolve particular symbols from the DSO via dlsym() for later use inside dispatch tables etc. In other words: The executable program has to manually resolve every symbol it needs to be able to use it. The advantage of such a mechanism is that optional program parts need not be loaded (and thus do not spend memory) until they are needed by the program in question. When required, these program parts can be loaded dynamically to extend the base program's functionality.

Although this DSO mechanism sounds straightforward there is at least one difficult step here: The resolving of symbols from the executable program for the DSO when using a DSO to extend a program (the second way). Why? Because "reverse resolving" DSO symbols from the executable program's symbol set is against the library design (where the library has no knowledge about the programs it is used by) and is neither available under all platforms nor standardized. In practice the executable program's global symbols are often not re-exported and thus not available for use in a DSO. Finding a way to force the linker to export all global symbols is the main problem one has to solve when using DSO for extending a program at run-time.

The shared library approach is the typical one, because it is what the DSO mechanism was designed for, hence it is used for nearly all types of libraries the operating system provides. On the other hand using shared objects for extending a program is not used by a lot of programs.

As of 1998 there are only a few software packages available which use the DSO mechanism to actually extend their functionality at run-time: Perl 5 (via its XS mechanism and the DynaLoader module), Netscape Server, etc. Starting with version 1.3, Apache joined the crew, because Apache already uses a module concept to extend its functionality and internally uses a dispatch-list-based approach to link external modules into the Apache core functionality. So, Apache is really predestined for using DSO to load its modules at run-time.

top

Advantages and Disadvantages

The above DSO based features have the following advantages:

DSO has the following disadvantages:

env.html100644 0 0 60703 11256637772 7731 0ustar 0 0 Environment Variables in Apache - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

Environment Variables in Apache

The Apache HTTP Server provides a mechanism for storing information in named variables that are called environment variables. This information can be used to control various operations such as logging or access control. The variables are also used as a mechanism to communicate with external programs such as CGI scripts. This document discusses different ways to manipulate and use these variables.

Although these variables are referred to as environment variables, they are not the same as the environment variables controlled by the underlying operating system. Instead, these variables are stored and manipulated in an internal Apache structure. They only become actual operating system environment variables when they are provided to CGI scripts and Server Side Include scripts. If you wish to manipulate the operating system environment under which the server itself runs, you must use the standard environment manipulation mechanisms provided by your operating system shell.

top

Setting Environment Variables

Related ModulesRelated Directives

Basic Environment Manipulation

The most basic way to set an environment variable in Apache is using the unconditional SetEnv directive. Variables may also be passed from the environment of the shell which started the server using the PassEnv directive.

Conditional Per-Request Settings

For additional flexibility, the directives provided by mod_setenvif allow environment variables to be set on a per-request basis, conditional on characteristics of particular requests. For example, a variable could be set only when a specific browser (User-Agent) is making a request, or only when a specific Referer [sic] header is found. Even more flexibility is available through the mod_rewrite's RewriteRule which uses the [E=...] option to set environment variables.

Unique Identifiers

Finally, mod_unique_id sets the environment variable UNIQUE_ID for each request to a value which is guaranteed to be unique across "all" requests under very specific conditions.

Standard CGI Variables

In addition to all environment variables set within the Apache configuration and passed from the shell, CGI scripts and SSI pages are provided with a set of environment variables containing meta-information about the request as required by the CGI specification.

Some Caveats

top

Using Environment Variables

Related ModulesRelated Directives

CGI Scripts

One of the primary uses of environment variables is to communicate information to CGI scripts. As discussed above, the environment passed to CGI scripts includes standard meta-information about the request in addition to any variables set within the Apache configuration. For more details, see the CGI tutorial.

SSI Pages

Server-parsed (SSI) documents processed by mod_include's INCLUDES filter can print environment variables using the echo element, and can use environment variables in flow control elements to makes parts of a page conditional on characteristics of a request. Apache also provides SSI pages with the standard CGI environment variables as discussed above. For more details, see the SSI tutorial.

Access Control

Access to the server can be controlled based on the value of environment variables using the allow from env= and deny from env= directives. In combination with SetEnvIf, this allows for flexible control of access to the server based on characteristics of the client. For example, you can use these directives to deny access to a particular browser (User-Agent).

Conditional Logging

Environment variables can be logged in the access log using the LogFormat option %e. In addition, the decision on whether or not to log requests can be made based on the status of environment variables using the conditional form of the CustomLog directive. In combination with SetEnvIf this allows for flexible control of which requests are logged. For example, you can choose not to log requests for filenames ending in gif, or you can choose to only log requests from clients which are outside your subnet.

Conditional Response Headers

The Header directive can use the presence or absence of an environment variable to determine whether or not a certain HTTP header will be placed in the response to the client. This allows, for example, a certain response header to be sent only if a corresponding header is received in the request from the client.

External Filter Activation

External filters configured by mod_ext_filter using the ExtFilterDefine directive can by activated conditional on an environment variable using the disableenv= and enableenv= options.

URL Rewriting

The %{ENV:variable} form of TestString in the RewriteCond allows mod_rewrite's rewrite engine to make decisions conditional on environment variables. Note that the variables accessible in mod_rewrite without the ENV: prefix are not actually environment variables. Rather, they are variables special to mod_rewrite which cannot be accessed from other modules.

top

Special Purpose Environment Variables

Interoperability problems have led to the introduction of mechanisms to modify the way Apache behaves when talking to particular clients. To make these mechanisms as flexible as possible, they are invoked by defining environment variables, typically with BrowserMatch, though SetEnv and PassEnv could also be used, for example.

downgrade-1.0

This forces the request to be treated as a HTTP/1.0 request even if it was in a later dialect.

force-gzip

If you have the DEFLATE filter activated, this environment variable will ignore the accept-encoding setting of your browser and will send compressed output unconditionally.

force-no-vary

This causes any Vary fields to be removed from the response header before it is sent back to the client. Some clients don't interpret this field correctly; setting this variable can work around this problem. Setting this variable also implies force-response-1.0.

force-response-1.0

This forces an HTTP/1.0 response to clients making an HTTP/1.0 request. It was originally implemented as a result of a problem with AOL's proxies. Some HTTP/1.0 clients may not behave correctly when given an HTTP/1.1 response, and this can be used to interoperate with them.

gzip-only-text/html

When set to a value of "1", this variable disables the DEFLATE output filter provided by mod_deflate for content-types other than text/html. If you'd rather use statically compressed files, mod_negotiation evaluates the variable as well (not only for gzip, but for all encodings that differ from "identity").

no-gzip

When set, the DEFLATE filter of mod_deflate will be turned off and mod_negotiation will refuse to deliver encoded resources.

no-cache

Available in versions 2.2.12 and later

When set, mod_cache will not save an otherwise cacheable response. This environment variable does not influence whether a response already in the cache will be served for the current request.

nokeepalive

This disables KeepAlive when set.

prefer-language

This influences mod_negotiation's behaviour. If it contains a language tag (such as en, ja or x-klingon), mod_negotiation tries to deliver a variant with that language. If there's no such variant, the normal negotiation process applies.

redirect-carefully

This forces the server to be more careful when sending a redirect to the client. This is typically used when a client has a known problem handling redirects. This was originally implemented as a result of a problem with Microsoft's WebFolders software which has a problem handling redirects on directory resources via DAV methods.

suppress-error-charset

Available in versions after 2.0.54

When Apache issues a redirect in response to a client request, the response includes some actual text to be displayed in case the client can't (or doesn't) automatically follow the redirection. Apache ordinarily labels this text according to the character set which it uses, which is ISO-8859-1.

However, if the redirection is to a page that uses a different character set, some broken browser versions will try to use the character set from the redirection text rather than the actual page. This can result in Greek, for instance, being incorrectly rendered.

Setting this environment variable causes Apache to omit the character set for the redirection text, and these broken browsers will then correctly use that of the destination page.

Security note

Sending error pages without a specified character set may allow a cross-site-scripting attack for existing browsers (MSIE) which do not follow the HTTP/1.1 specification and attempt to "guess" the character set from the content. Such browsers can be easily fooled into using the UTF-7 character set, and UTF-7 content from input data (such as the request-URI) will not be escaped by the usual escaping mechanisms designed to prevent cross-site-scripting attacks.

force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked, proxy-sendcl, proxy-chain-auth, proxy-interim-response, proxy-initial-not-pooled

These directives alter the protocol behavior of mod_proxy. See the mod_proxy and mod_proxy_http documentation for more details.

top

Examples

Changing protocol behavior with misbehaving clients

Earlier versions recommended that the following lines be included in httpd.conf to deal with known client problems. Since the affected clients are no longer seen in the wild, this configuration is likely no-longer necessary.

#
# The following directives modify normal HTTP response behavior.
# The first directive disables keepalive for Netscape 2.x and browsers that
# spoof it. There are known problems with these browser implementations.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

#
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to grok a
# basic 1.1 response.
#
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

Do not log requests for images in the access log

This example keeps requests for images from appearing in the access log. It can be easily modified to prevent logging of particular directories, or to prevent logging of requests coming from particular hosts.

SetEnvIf Request_URI \.gif image-request
SetEnvIf Request_URI \.jpg image-request
SetEnvIf Request_URI \.png image-request
CustomLog logs/access_log common env=!image-request

Prevent "Image Theft"

This example shows how to keep people not on your server from using images on your server as inline-images on their pages. This is not a recommended configuration, but it can work in limited circumstances. We assume that all your images are in a directory called /web/images.

SetEnvIf Referer "^http://www\.example\.com/" local_referal # Allow browsers that do not send Referer info SetEnvIf Referer "^$" local_referal <Directory /web/images> Order Deny,Allow
Deny from all
Allow from env=local_referal </Directory>

For more information about this technique, see the "Keeping Your Images from Adorning Other Sites" tutorial on ServerWatch.

faq/index.html100644 0 0 14101 11256637772 11006 0ustar 0 0 Frequently Asked Questions - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

Frequently Asked Questions

This document is not a traditional FAQ, but rather a quick guide showing you what to do when you run into problems with the Apache HTTP Server.

A more traditional but quite outdated document is the Apache 1.3 FAQ.

top

"Why can't I ...? Why won't ... work?" What to do in case of problems

If you are having trouble with your Apache server software, you should take the following steps:

Check the ErrorLog!

Apache tries to be helpful when it encounters a problem. In many cases, it will provide some details by writing one or more messages to the server error log. Sometimes this is enough for you to diagnose and fix the problem yourself (such as file permissions or the like). The default location of the error log is /usr/local/apache2/logs/error_log, but see the ErrorLog directive in your config files for the location on your server.

If you end up in any of the support forums this is quite likely to be the first place they will ask you retrieve information from. Please ensure you know where to find your errorlog. If you are unsure, the wiki page here can give you some ideas where to look.

Consult the wiki
The Apache HTTP Server Wiki contains guides to solving many common problems.
Check the Apache bug database
Most problems that get reported to The Apache Group are recorded in the bug database. Do not submit a new bug report until you have checked existing reports (open and closed) and asked about your problem in a user-support forum (see below). If you find that your issue has already been reported, please don't add a "me, too" report.
Ask in a user support forum

Apache has an active community of users who are willing to share their knowledge. Participating in this community is usually the best and fastest way to get answers to your questions and problems.

Users mailing list

#httpd on Freenode IRC is also available for user support issues.

Please use the bug database for bugs!

If you've gone through those steps above that are appropriate and have obtained no relief, then please do let the httpd developers know about the problem by logging a bug report.

If your problem involves the server crashing and generating a core dump, please include a backtrace (if possible).

top

Whom do I contact for support?

With millions of users and fewer than sixty volunteer developers, we cannot provide personal support for Apache. For free support, we suggest participating in a user forum (see above).

Professional, commercial support for Apache is available from a number of companies.

filter.html100644 0 0 23751 11256637772 10430 0ustar 0 0 Filtres - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Filtres

Ce document décrit l'utilisation des filtres avec Apache.

top

Le filtrage avec Apache 2

Modules ApparentésDirectives Apparentées

La chaîne de filtrage est disponible depuis la version 2.0 d'Apache, et permet aux applications de traiter les données en entrée et en sortie d'une manière hautement flexible et configurable, quelle que soit la provenance de ces données. Il est possible de pré-traiter les données en entrée, et post-traiter les données en sortie, comme souhaité. Ces traitements sont tout à fait indépendants des traditionnelles phases de traitement des requêtes.

les filtres peuvent s'enchaîner, perpendiculairement au traitement des requêtes

Voici quelques exemples de filtrage avec la distribution standard d'Apache:

Apache utilise aussi plusieurs filtres en interne pour accomplir des tâches comme le découpage des grosses requêtes (chunking) et la gestion des requêtes portant sur une partie d'un fichier (byte-range).

Un grand choix d'applications sont implémentées par des modules de filtrage tiers disponibles à modules.apache.org entre autres. En voici quelques exemples :

top

Filtrage intelligent

Le filtrage intelligent applique différents fournisseurs de filtrage en fonction de l'état du traitement de la requête

mod_filter, inclus dans les version 2.1 et supérieures d'Apache, permet de configurer la chaîne de filtrage dynamiquement à l'exécution. Ainsi par exemple, vous pouvez définir un proxy pour réécrire du code HTML avec un filtre HTML et traiter des images JPEG avec un filtre totalement séparé, bien que le proxy ne possède aucune information préliminaire sur ce que le serveur à l'origine des données à filtrer va envoyer. Ceci fonctionne grâce à l'utilisation d'un gestionnaire de filtre, qui distribue les tâches à différents fournisseurs de filtrage en fonction du contenu réel à filtrer à l'exécution. Tout filtre peut se voir soit inséré directement dans la chaîne et lancé inconditionnellement, soit utilisé comme un fournisseur de filtrage et inséré dynamiquement. Par exemple,

top

Utilisation des filtres

Il y a deux manières d'utiliser le filtrage : Simple et Dynamique. En général, vous utiliserez l'une ou l'autre méthode; le mélange des deux peut avoir des conséquences inattendues (bien que le filtrage simple en entrée puisse être associé sans problème avec le filtrage simple ou dynamique en sortie).

La méthode Simple est la seule permettant de configurer les filtres en entrée, et suffit pour les filtres en sortie pour lesquels vous avez besoin d'une chaîne de filtres statique. Les directives correspondantes sont SetInputFilter, SetOutputFilter, AddInputFilter, AddOutputFilter, RemoveInputFilter, et RemoveOutputFilter.

La méthode Dynamique permet une configuration dynamique des filtres en sortie à la fois statique et flexible, comme discuté dans la page mod_filter. Les directives correspondantes sont FilterChain, FilterDeclare, et FilterProvider.

Une autre directive AddOutputFilterByType est encore supportée, mais peut poser des problèmes et est maintenant obsolète. Utilisez la configuration dynamique à la place.

glossary.html100644 0 0 70334 11256637772 11005 0ustar 0 0 Glossaire - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Glossaire

Ce glossaire définit la terminologie courante relative à Apache en particulier, et aux serveurs web en général. Vous trouverez plus d'informations sur chaque concept dans les liens fournis.

top

Définitions

Algorithme
Une formule sans ambiguité ou un jeu de règles destinées à résoudre un problème en un nombre fini d'étapes. Les algorithmes de chiffrement sont en général appelés Ciphers.
Algorithme de chiffrement (Cipher)
Un algorithme ou un système de chiffrement des données. Quelques exemples : DES, IDEA, RC4, etc.
Voir : chiffrement SSL/TLS
APR
voir "Bibliothèques pour la portabilité d'Apache".
Archive Tar (Tarball)
Un paquetage de fichiers rassemblés dans une archive à l'aide de l'utilitaire tar. Les distributions d'Apache sont stockées dans des Archives Tar compressées ou en utilisant pkzip.
Authentification
L'identification formelle d'une entité du réseau comme un serveur, un client, ou un utilisateur.
Voir : Authentification, Autorisation, et contrôle d'accès
Autorité de Certification (Certification Authority) (CA)
Un tiers de confiance habilité à signer des certificats pour des entités du réseau qu'il a authentifiées selon des critères basés sur la sécurité. Les autres entités du réseau peuvent alors utiliser la signature pour vérifier qu'une CA a authentifié le porteur du certificat.
Voir : chiffrement SSL/TLS
Bibliothèques pour la portabilité d'Apache (Apache Portable Runtime) (APR)
Un jeu de bibliothèques qui fournit la plupart des interfaces de base entre le serveur et le système d'exploitation. APR est développé parallèlement au serveur HTTP Apache comme projet indépendant.
Voir : Apache Portable Runtime Project
Certificat (Certificate)
Un ensemble de données servant à authentifier des entités du réseau comme un serveur ou un client. Un certificat contient des ensembles d'informations X509 à propos de son propriétaire (appelé sujet/subject) et de l'Autorité de Certification (Certification Authority) ou CA signataire (appelée le fournisseur/issuer), ainsi que la clé publique (public key) du propriétaire et la signature de la CA. Les entités du réseau vérifient ces signatures en utilisant les certificats des Autorités de Certification.
Voir : chiffrement SSL/TLS
Chiffrement à Clé Publique (Public Key Cryptography)
L'étude et l'application des systèmes de chiffrement asymétriques, qui utilisent une clé pour le chiffrement et une autre pour le déchiffrement. Les deux clés correspondantes constituent une paire de clés. Appelé aussi chiffrement asymétrique.
Voir : chiffrement SSL/TLS
Clé Privée (Private Key)
La clé secrète dans un système de chiffrement à clé publique, utilisée pour déchiffrer les messages entrants et signer les messages sortants.
Voir : chiffrement SSL/TLS
Clé Publique (Public Key)
La clé accessible au public dans un système de Chiffrement à clé publique, utilisée pour chiffrer les messages destinés uniquement à son propriétaire et déchiffrer les signatures faites par son propriétaire.
Voir : chiffrement SSL/TLS
CONNECT
Une méthode HTTP pour encapsuler des données brutes dans HTTP. Elle peut aussi être utilisée pour encapsuler d'autres protocoles, comme le protocole SSL.
Contexte (Context)
Une portion des fichiers de configuration dans laquelle certains types de directives sont autorisés.
Voir : Termes utilisés pour décrire les directives d'Apache
Contrôle d'accès (Access Control)
La restriction d'accès à des zones du réseau. Habituellement dans un contexte Apache, la restriction d'accès à certaines URLs.
Voir : Authentification, Autorisation et Contrôle d'accès
Couche des Points de connexion Sécurisés (Secure Sockets Layer) (SSL)
Un protocole créé par Netscape Communications Corporation pour l'authentification et le chiffrement généraux des communications dans les réseaux TCP/IP. L'utilisation la plus connue est HTTPS, autrement dit le Protocole de Transfert Hypertexte (HTTP) au dessus de SSL.
Voir : chiffrement SSL/TLS
Cryptographie Symétrique (Symmetric Cryptography)
L'étude et l'application des Algorithmes de chiffrement qui utilisent une clé secrète unique pour les opérations de chiffrement et de déchiffrement.
Voir : chiffrement SSL/TLS
Dégradé pour l'exportation (Export-Crippled)
Diminué en terme de puissance cryptographique (et de sécurité) afin de respecter les Règles de l'Administration des Exportations des Etats-Unis (Export Administration Regulations ou EAR). Les logiciels de cryptographie dégradés pour l'exportation sont limités à une clé de petite taille, et produisent un Texte crypté qui peut en général être décrypté par force brute.
Voir : chiffrement SSL/TLS
Demande de signature de certificat (Certificate Signing Request) (CSR)
La soumission d'un certificat non signé à une Autorité de certification, qui le signe avec la Clé privée de leur Certificat de CA. Une fois le CSR signé, il devient un vrai certificat.
Voir : chiffrement SSL/TLS
Directive
Une commande de configuration qui contrôle un ou plusieurs aspects du comportement d'Apache. Les directives sont placées dans le Fichier de configuration
Voir : Index des directives
Directive de configuration (Configuration Directive)
Voir : Directive
En-tête (Header)
La partie de la requête et de la réponse HTTP qui est envoyée avant le contenu proprement dit, et contient des méta-informations décrivant le contenu.
Expression Rationnelle (Regular Expression) (Regex)
Une méthode pour décrire un modèle sous forme de texte - par exemple, "tous les mots qui commencent par la lettre A" ou "tous les numéros de téléphone à 10 chiffres" ou encore "Toutes les phrases contenant 2 virgules, et aucun Q majuscule". Les expressions rationnelles sont très utiles dans Apache car elles vous permettent d'appliquer certains attributs à des ensembles de fichiers ou ressources avec une grande flexibilité - par exemple, tous les fichiers .gif et .jpg situés dans tout répertoire nommé "images", pourraient être enregistrés comme "/images/.*(jpg|gif)$". Apache utilise les Expressions Rationnelles Compatibles avec Perl fournies par la librairie PCRE.
Fichier de configuration (Configuration File)
Un fichier texte contenant des Directives qui contrôlent la configuration d'Apache.
Voir : Fichiers de configuration
Filtre (Filter)
Un traitement appliqué aux données envoyées ou reçues par le serveur. Les filtres en entrée traitent les données envoyées au serveur par le client, alors que les filtres en sortie traitent les documents sur le serveur avant qu'ils soient envoyés au client. Par exemple, le filtre en sortie INCLUDES traite les documents pour les Server Side Includes (Inclusions côté Serveur) .
Voir : Filtres
Gestionnaire (Handler)
Une représentation interne à Apache de l'action à entreprendre quand un fichier est appelé. En général, les fichiers ont des gestionnaires implicites, basés sur le type de fichier. Normalement, tous les fichiers sont directement servis par le serveur, mais certains types de fichiers sont "gérés" séparément. Par exemple, le gestionnaire cgi-script désigne les fichiers qui doivent être traités comme CGIs.
Voir : Utilisation des gestionnaires d'Apache
Hachage (Hash)
Un algorithme mathématique à sens unique, irréversible, générant une chaîne de longueur fixe à partir d'une autre chaîne de longueur quelconque. Des chaînes différentes en entrée vont normalement produire des chaînes différentes en sortie (selon la fonction de hachage).
Hébergement Virtuel (Virtual Hosting)
Servir des sites web multiples en utilisant une seule instance d'Apache. Les Hôtes virtuels basés sur IP différencient les sites web en se basant sur leur adresse IP, alors que les Hôtes virtuels basés sur le nom utilisent uniquement le nom d'hôte et peuvent en conséquence héberger de nombreux sites avec la même adresse IP.
Voir la Documentation des Hôtes Virtuels d'Apache
.htaccess
Un fichier de configuration placé à un certain niveau de l'arborescence du site web, et appliquant des directives de configuration au répertoire dans lequel il est placé, ainsi qu'à tous ses sous-répertoires. En dépit de son nom, ce fichier peut contenir pratiquement tout type de directive, et pas seulement des directives de contrôle d'accès.
Voir : Fichiers de configuration
httpd.conf
Le fichier de configuration principal d'Apache. Sa localisation par défaut est /usr/local/apache2/conf/httpd.conf, mais ceci peut être changé en utilisant des options de compilation ou d'exécution.
Voir : Fichiers de configuration
HTTPS
Le Protocole de Transfert Hypertexte (Sécurisé), le mécanisme de communication cryptée standard sur le World Wide Web. Il s'agit en fait de HTTP au dessus de SSL.
Voir : chiffrement SSL/TLS
Identificateur de Ressource Uniformisé (Uniform Resource Identifier) (URI)
Une chaîne de caractères compacte servant à identifier une ressource abstraite ou physique. Elle est formellement définie par la RFC 2396. Les URIs utilisées sur le world-wide web sont souvent appelées URLs.
Inclusions Côté Serveur (Server Side Includes) (SSI)
Une technique permettant d'englober des directives de traitement dans des fichiers HTML.
Voir : Introduction aux Inclusions Côté Serveur
Interface commune avec les programmes externes (Common Gateway Interface) (CGI)
La définition standard d'une interface entre un serveur web et un programme externe pour permettre à ce dernier de traiter des requêtes. L'interface a été initialement définie par NCSA mais il existe aussi le projet RFC project.
Voir : Contenu dynamique avec CGI
Localisation de Ressource Uniformisée (Uniform Resource Locator) (URL)
Le nom/adresse d'une ressource sur l'Internet. Il s'agit du terme informel commun pour ce qui est formellement défini comme Identificateur de Ressource Uniformisé. Les URLs sont généralement construites selon un schéma, comme http ou https, un nom d'hôte, et un chemin. Une URL pour cette page pourrait être http://httpd.apache.org/docs/2.2/glossary.html.
Mandataire (Proxy)
Un serveur intermédiaire qui se situe entre le client et le serveur d'origine. Il prend en compte les requêtes des clients, les transmet au serveur d'origine, puis renvoie la réponse du serveur d'origine au client. Si plusieurs clients demandent le même contenu, le mandataire peut l'extraire de son cache, plutôt que le demander au serveur d'origine à chaque fois, ce qui réduit le temps de réponse.
Voir : mod_proxy
Mandataire inverse (Reverse Proxy)
Un serveur mandataire qui est vu du client comme un serveur d'origine. Ceci peut s'avérer utile pour dissimuler le serveur d'origine réel au client pour des raisons de sécurité, ou pour répartir la charge.
Méthode (Method)
Dans le contexte HTTP, une action à effectuer sur une ressource spécifiée dans la ligne de requête par le client. Parmi les méthodes disponibles dans HTTP, on trouve GET, POST, et PUT.
Module
Une partie indépendante d'un programme. De nombreuses fonctionnalités d'Apache sont fournies par des modules que vous pouvez choisir d'inclure ou d'exclure. Les modules qui sont compilés dans le binaire httpd sont appelés modules statiques, alors que les modules qui existent séparément et peuvent être chargés optionnellement à l'exécution sont appelés modules dynamiques ou DSOs. Les modules qui sont inclus par défaut sont appelés modules de base. De nombreux modules disponibles pour Apache ne se trouvent pas dans l'archive du Serveur HTTP Apache . Il sont appelés modules tiers.
Voir : Index des modules
Mot de Passe (Pass Phrase)
Le mot ou la phrase qui protège les fichiers de clés privées. Il empêche les utilisateurs non autorisés de les déchiffrer. En général, il s'agit simplement de la clé secrète de chiffrement/déchiffrement utilisée pour les Algorithmes de chiffrement.
Voir : chiffrement SSL/TLS
Nom de domaine entièrement qualifié (Fully-Qualified Domain-Name) (FQDN)
Le nom unique d'une entité du réseau, comprenant un nom d'hôte et un nom de domaine qui peuvent être résolus en une adresse IP. Par exemple, www est un nom d'hôte, example.com est un nom de domaine, et www.example.com est un nom de domaine entièrement qualifié.
Nombre Magique des Modules (Module Magic Number) (MMN)
Le Nombre Magique des Modules est une constante définie dans le code source d'Apache et associée à la compatibilité binaire des modules. Sa valeur est modifiée quand des structures internes d'Apache, des appels de fonctions et d'autres parties significatives de l'API sont modifiées de telle façon que la compatibilité binaire ne peut plus être garantie. En cas de changement de MMN, tous les modules tiers doivent être au moins recompilés, et parfois même légèrement modifiés afin de pouvoir fonctionner avec la nouvelle version d'Apache.
Objet Dynamique Partagé (Dynamic Shared Object) (DSO)
Modules compilés en dehors du binaire Apache httpd et qui peuvent être chargés à la demande.
Voir : Support des objets dynamiques partagés
OpenSSL
L'ensemble d'outils Open Source pour SSL/TLS
Voir http://www.openssl.org/#
Outil de gestion des extensions Apache (APache eXtension Tool) (apxs)
Un script Perl qui aide à la compilation des sources de module sous forme d'Objets Dynamiques Partagés (Dynamic Shared Objects ou DSOs) et facilite leur installation dans le serveur Web Apache.
Voir : Page de manuel : apxs
Plein Texte (Plaintext)
Le texte non chiffré.
Protocole de Transfert Hypertexte (HyperText Transfer Protocol) (HTTP)
Le protocole de transmission standard utilisé sur le World Wide Web. Apache implémente la version 1.1 du protocole, référencée comme HTTP/1.1 et définie par la RFC 2616.
Résumé de message (Message Digest)
Un hachage du message, qui peut être utilisé pour vérifier que son contenu n'a pas été altéré durant le transfert.
Voir : chiffrement SSL/TLS
Sécurité de la couche Transport (Transport Layer Security) (TLS)
Le protocole successeur de SSL, créé par l'Internet Engineering Task Force (IETF) pour l'authentification et le chiffrement généraux des communications dans les réseaux TCP/IP. TLS version 1 est pratiquement identique à SSL version 3.
Voir : chiffrement SSL/TLS
Session
Les informations sur le contexte d'une communication en général.
Signature numérique (Digital Signature)
Un bloc de texte crypté qui valide un certificat ou un autre fichier. Une Autorité de certification crée une signature en générant une empreinte de la Clé publique fournie avec le Certificat; la CA chiffre ensuite l'empreinte avec sa propre Clé privée. Seule la clé publique de la CA peut décrypter la signature, ce qui permet de vérifier que la CA a bien authentifié l'entité du réseau qui possède le Certificat.
Voir : chiffrement SSL/TLS
SSLeay
La bibliothèque originelle d'implémentation de SSL/TLS développée par Eric A. Young
Texte crypté (Ciphertext)
Le résultat du passage d'un document Plaintext (Plein texte) par un Cipher.
Voir : chiffrement SSL/TLS
Type MIME (MIME-type)
Une méthode pour décrire le type de document transmis. Son nom vient du fait que son format est issu des Multipurpose Internet Mail Extensions (Extensions Multi-usages de la Messagerie par Internet) . Il comprend un type majeur et un type mineur, séparés par un slash (barre oblique). On trouve entre autres types text/html, image/gif, et application/octet-stream. Dans HTTP, le type MIME est transmis dans l' en-tête Content-Type.
Voir : mod_mime
Variable d'environnement (Environment Variable) (env-variable)
Ce sont des variables nommées gérées par le shell du système d'exploitation, et servant au stockage d'informations et à la communication entre les programmes. Apache possède aussi des variables internes considérées comme variables d'environnement, mais stockées dans des structures internes à Apache, et non dans l'environnement du shell.
Voir : Les variables d'environnement dans Apache
X.509
Une norme de certificat d'authentification recommandée par l'International Telecommunication Union (ITU-T) et utilisée pour l'authentification SSL/TLS.
Voir : chiffrement SSL/TLS
handler.html100644 0 0 21431 11256637772 10551 0ustar 0 0 Utilisation des gestionnaires d'Apache (handlers) - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-
Apache > Serveur HTTP > Documentation > Version 2.2

Utilisation des gestionnaires d'Apache (handlers)

Ce document décrit l'utilisation des gestionnaires d'Apache (handlers).

top

Qu'est-ce qu'un gestionnaire ?

Modules ApparentésDirectives Apparentées

Un "gestionnaire" est une représentation interne à Apache de l'action qui doit être entreprise quand un fichier est appelé. En général, les fichiers ont des gestionnaires implicites, basés sur le type du fichier. Normalement, tous les fichiers sont traités simplement par le serveur, mais certains types de fichiers sont "gérés" séparément.

Les gestionnaires peuvent aussi être configurés explicitement, soit en fonction des extensions des noms de fichier, soit en fonction du chemin du fichier, sans faire référence au type de fichier. Ceci a le double avantage d'être une solution plus élégante, et aussi d'autoriser à associer à la fois un type et un gestionnaire avec un fichier. (Voir aussi Fichiers avec extensions multiples.)

Les gestionnaires peuvent être soit partie intégrante du serveur ou inclus dans un module, soit ajoutés à l'aide de la directive Action. Les gestionnaires intégrés dans la distribution standard se présentent comme suit :

top

Exemples

Modification d'un contenu statique à l'aide d'un script CGI

Les directives suivantes vont faire en sorte que les requêtes pour des fichiers possédant une extension html déclenchent l'exécution du script CGI footer.pl.

Action add-footer /cgi-bin/footer.pl
AddHandler add-footer .html

À ce moment-là, le script CGI se charge d'envoyer le document initialement demandé (référencé par la variable d'environnement PATH_TRANSLATED) et d'effectuer tous ajout ou modification voulus.

Fichiers avec en-têtes HTTP

Les directives suivantes vont activer le gestionnaire send-as-is, qui est utilisé pour les fichiers qui possèdent leurs propres en-têtes HTTP. Tous les fichiers situés dans le répertoire /web/htdocs/asis/ seront traités par le gestionnaire send-as-is, sans tenir compte de l'extension de leur nom de fichier.

<Directory /web/htdocs/asis>
SetHandler send-as-is
</Directory>

top

Note du programmeur

Pour implémenter la fonctionnalité des gestionnaires, l' API Apache a fait l'objet d'un ajout que vous pourriez être amené à utiliser. Plus précisément, un nouvel enregistrement a été ajouté à la structure request_rec :

char *handler

Si vous voulez que votre module déclenche l'utilisation d'un gestionnaire, il vous suffit de définir r->handler avec le nom du gestionnaire à n'importe quel moment avant l'étape invoke_handler de la requête. Les gestionnaires sont implémentés comme auparavant, quoique l'on utilise le nom du gestionnaire à la place d'un type de contenu. Bien que ce ne soit pas obligatoire, la convention de nommage des gestionnaires stipule l'utilisation d'un mot composé séparé par des tirets, sans slashes, afin de ne pas interférer avec l'espace de nommage des types de média.

howto/access.html100644 0 0 22441 11256637772 11537 0ustar 0 0 Access Control - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Access Control

Access control refers to any means of controlling access to any resource. This is separate from authentication and authorization.

top

Related Modules and Directives

Access control can be done by several different modules. The most important of these is mod_authz_host. Other modules discussed in this document include mod_setenvif and mod_rewrite.

top

Access control by host

If you wish to restrict access to portions of your site based on the host address of your visitors, this is most easily done using mod_authz_host.

The Allow and Deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The Order directive goes hand-in-hand with these two, and tells Apache in which order to apply the filters.

The usage of these directives is:

Allow from address

where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.

For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:

Deny from 10.252.46.165

Visitors coming from that address will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.

Deny from host.example.com

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

Deny from 192.168.205
Deny from phishers.example.com moreidiots.example
Deny from ke

Using Order will let you be sure that you are actually restricting things to the group that you want to let in, by combining a Deny and an Allow directive:

Order deny,allow
Deny from all
Allow from dev.example.com

Listing just the Allow directive would not do what you want, because it will let folks from that host in, in addition to letting everyone in. What you want is to let only those folks in.

top

Access control by environment variable

mod_authz_host, in conjunction with mod_setenvif, can be used to restrict access to your website based on the value of arbitrary environment variables. This is done with the Allow from env= and Deny from env= syntax.

SetEnvIf User-Agent BadBot GoAway=1
Order allow,deny
Allow from all
Deny from env=GoAway

Warning:

Access control by User-Agent is an unreliable technique, since the User-Agent header can be set to anything at all, at the whim of the end user.

In the above example, the environment variable GoAway is set to 1 if the User-Agent matches the string BadBot. Then we deny access for any request when this variable is set. This blocks that particular user agent from the site.

An environment variable test can be negated using the =! syntax:

Allow from env=!GoAway

top

Access control with mod_rewrite

The [F] RewriteRule flag causes a 403 Forbidden response to be sent. Using this, you can deny access to a resource based on arbitrary criteria.

For example, if you wish to block access to a resource between 8pm and 6am, you can do this using mod_rewrite.

RewriteEngine On
RewriteCond %{TIME_HOUR} >20 [OR]
RewriteCond %{TIME_HOUR} <07
RewriteRule ^/fridge - [F]

This will return a 403 Forbidden response for any request after 8pm or before 7am. This technique can be used for any criteria that you wish to check. You can also redirect, or otherwise rewrite these requests, if that approach is preferred.

top

More information

You should also read the documentation for mod_auth_basic and mod_authz_host which contain some more information about how this all works. mod_authn_alias can also help in simplifying certain authentication configurations.

See the Authentication and Authorization howto.

howto/auth.html100644 0 0 52570 11256637772 11245 0ustar 0 0 Authentication, Authorization and Access Control - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Authentication, Authorization and Access Control

Authentication is any process by which you verify that someone is who they claim they are. Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have.

top

Related Modules and Directives

There are three types of modules involved in the authentication and authorization process. You will usually need to choose at least one module from each group.

The module mod_authnz_ldap is both an authentication and authorization provider. The module mod_authn_alias is not an authentication provider in itself, but allows other authentication providers to be configured in a flexible manner.

The module mod_authz_host provides authorization and access control based on hostname, IP address or characteristics of the request, but is not part of the authentication provider system.

You probably also want to take a look at the Access Control howto, which discusses the various ways to control access to your server.

top

Introduction

If you have information on your web site that is sensitive or intended for only a small group of people, the techniques in this article will help you make sure that the people that see those pages are the people that you wanted to see them.

This article covers the "standard" way of protecting parts of your web site that most of you are going to use.

Note:

If your data really needs to be secure, consider using mod_ssl in addition to any authentication.

top

The Prerequisites

The directives discussed in this article will need to go either in your main server configuration file (typically in a <Directory> section), or in per-directory configuration files (.htaccess files).

If you plan to use .htaccess files, you will need to have a server configuration that permits putting authentication directives in these files. This is done with the AllowOverride directive, which specifies which directives, if any, may be put in per-directory configuration files.

Since we're talking here about authentication, you will need an AllowOverride directive like the following:

AllowOverride AuthConfig

Or, if you are just going to put the directives directly in your main server configuration file, you will of course need to have write permission to that file.

And you'll need to know a little bit about the directory structure of your server, in order to know where some files are kept. This should not be terribly difficult, and I'll try to make this clear when we come to that point.

top

Getting it working

Here's the basics of password protecting a directory on your server.

First, you need to create a password file. Exactly how you do this will vary depending on what authentication provider you have chosen. More on that later. To start with, we'll use a text password file.

This file should be placed somewhere not accessible from the web. This is so that folks cannot download the password file. For example, if your documents are served out of /usr/local/apache/htdocs you might want to put the password file(s) in /usr/local/apache/passwd.

To create the file, use the htpasswd utility that came with Apache. This will be located in the bin directory of wherever you installed Apache. If you have installed Apache from a third-party package, it may be in your execution path.

To create the file, type:

htpasswd -c /usr/local/apache/passwd/passwords rbowen

htpasswd will ask you for the password, and then ask you to type it again to confirm it:

# htpasswd -c /usr/local/apache/passwd/passwords rbowen
New password: mypassword
Re-type new password: mypassword
Adding password for user rbowen

If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run. With a default installation, it's located at /usr/local/apache2/bin/htpasswd

Next, you'll need to configure the server to request a password and tell the server which users are allowed access. You can do this either by editing the httpd.conf file or using an .htaccess file. For example, if you wish to protect the directory /usr/local/apache/htdocs/secret, you can use the following directives, either placed in the file /usr/local/apache/htdocs/secret/.htaccess, or placed in httpd.conf inside a <Directory /usr/local/apache/apache/htdocs/secret> section.

AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen

Let's examine each of those directives individually. The AuthType directive selects that method that is used to authenticate the user. The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.

The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.

So, for example, once a client has authenticated in the "Restricted Files" area, it will automatically retry the same password for any area on the same server that is marked with the "Restricted Files" Realm. Therefore, you can prevent a user from being prompted more than once for a password by letting multiple restricted areas share the same realm. Of course, for security reasons, the client will always need to ask again for the password whenever the hostname of the server changes.

The AuthBasicProvider is, in this case, optional, since file is the default value for this directive. You'll need to use this directive if you are choosing a different source for authentication, such as mod_authn_dbm or mod_authn_dbd.

The AuthUserFile directive sets the path to the password file that we just created with htpasswd. If you have a large number of users, it can be quite slow to search through a plain text file to authenticate the user on each request. Apache also has the ability to store user information in fast database files. The mod_authn_dbm module provides the AuthDBMUserFile directive. These files can be created and manipulated with the dbmmanage program. Many other types of authentication options are available from third party modules in the Apache Modules Database.

Finally, the Require directive provides the authorization part of the process by setting the user that is allowed to access this region of the server. In the next section, we discuss various ways to use the Require directive.

top

Letting more than one person in

The directives above only let one person (specifically someone with a username of rbowen) into the directory. In most cases, you'll want to let more than one person in. This is where the AuthGroupFile comes in.

If you want to let more than one person in, you'll need to create a group file that associates group names with a list of users in that group. The format of this file is pretty simple, and you can create it with your favorite editor. The contents of the file will look like this:

GroupName: rbowen dpitts sungo rshersey

That's just a list of the members of the group in a long line separated by spaces.

To add a user to your already existing password file, type:

htpasswd /usr/local/apache/passwd/passwords dpitts

You'll get the same response as before, but it will be appended to the existing file, rather than creating a new file. (It's the -c that makes it create a new password file).

Now, you need to modify your .htaccess file to look like the following:

AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName

Now, anyone that is listed in the group GroupName, and has an entry in the password file, will be let in, if they type the correct password.

There's another way to let multiple users in that is less specific. Rather than creating a group file, you can just use the following directive:

Require valid-user

Using that rather than the Require user rbowen line will allow anyone in that is listed in the password file, and who correctly enters their password. You can even emulate the group behavior here, by just keeping a separate password file for each group. The advantage of this approach is that Apache only has to check one file, rather than two. The disadvantage is that you have to maintain a bunch of password files, and remember to reference the right one in the AuthUserFile directive.

top

Possible problems

Because of the way that Basic authentication is specified, your username and password must be verified every time you request a document from the server. This is even if you're reloading the same page, and for every image on the page (if they come from a protected directory). As you can imagine, this slows things down a little. The amount that it slows things down is proportional to the size of the password file, because it has to open up that file, and go down the list of users until it gets to your name. And it has to do this every time a page is loaded.

A consequence of this is that there's a practical limit to how many users you can put in one password file. This limit will vary depending on the performance of your particular server machine, but you can expect to see slowdowns once you get above a few hundred entries, and may wish to consider a different authentication method at that time.

top

Alternate password storage

Because storing passwords in plain text files has the above problems, you may wish to store your passwords somewhere else, such as in a database.

mod_authn_dbm and mod_authn_dbd are two modules which make this possible. Rather than selecting AuthBasicProvider file, instead you can choose dbm or dbd as your storage format.

To select a dbd file rather than a text file, for example:

<Directory /www/docs/private>
AuthName "Private"
AuthType Basic
AuthBasicProvider dbm
AuthDBMUserFile /www/passwords/passwd.dbm
Require valid-user </Directory>

Other options are available. Consult the mod_authn_dbm documentation for more details.

top

More information

You should also read the documentation for mod_auth_basic and mod_authz_host which contain some more information about how this all works. mod_authn_alias can also help in simplifying certain authentication configurations.

The various ciphers supported by Apache for authentication data are explained in Password Encryptions.

And you may want to look at the Access Control howto, which discusses a number of related topics.

howto/cgi.html100644 0 0 64562 11256637772 11052 0ustar 0 0 Apache Tutorial: Dynamic Content with CGI - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Apache Tutorial: Dynamic Content with CGI

top

Introduction

Related ModulesRelated Directives

The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. It is the simplest, and most common, way to put dynamic content on your web site. This document will be an introduction to setting up CGI on your Apache web server, and getting started writing CGI programs.

top

Configuring Apache to permit CGI

In order to get your CGI programs to work properly, you'll need to have Apache configured to permit CGI execution. There are several ways to do this.

ScriptAlias

The ScriptAlias directive tells Apache that a particular directory is set aside for CGI programs. Apache will assume that every file in this directory is a CGI program, and will attempt to execute it, when that particular resource is requested by a client.

The ScriptAlias directive looks like:

ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/

The example shown is from your default httpd.conf configuration file, if you installed Apache in the default location. The ScriptAlias directive is much like the Alias directive, which defines a URL prefix that is to mapped to a particular directory. Alias and ScriptAlias are usually used for directories that are outside of the DocumentRoot directory. The difference between Alias and ScriptAlias is that ScriptAlias has the added meaning that everything under that URL prefix will be considered a CGI program. So, the example above tells Apache that any request for a resource beginning with /cgi-bin/ should be served from the directory /usr/local/apache2/cgi-bin/, and should be treated as a CGI program.

For example, if the URL http://www.example.com/cgi-bin/test.pl is requested, Apache will attempt to execute the file /usr/local/apache2/cgi-bin/test.pl and return the output. Of course, the file will have to exist, and be executable, and return output in a particular way, or Apache will return an error message.

CGI outside of ScriptAlias directories

CGI programs are often restricted to ScriptAlias'ed directories for security reasons. In this way, administrators can tightly control who is allowed to use CGI programs. However, if the proper security precautions are taken, there is no reason why CGI programs cannot be run from arbitrary directories. For example, you may wish to let users have web content in their home directories with the UserDir directive. If they want to have their own CGI programs, but don't have access to the main cgi-bin directory, they will need to be able to run CGI programs elsewhere.

There are two steps to allowing CGI execution in an arbitrary directory. First, the cgi-script handler must be activated using the AddHandler or SetHandler directive. Second, ExecCGI must be specified in the Options directive.

Explicitly using Options to permit CGI execution

You could explicitly use the Options directive, inside your main server configuration file, to specify that CGI execution was permitted in a particular directory:

<Directory /usr/local/apache2/htdocs/somedir>
Options +ExecCGI
 </Directory>

The above directive tells Apache to permit the execution of CGI files. You will also need to tell the server what files are CGI files. The following AddHandler directive tells the server to treat all files with the cgi or pl extension as CGI programs:

AddHandler cgi-script .cgi .pl

.htaccess files

The .htaccess tutorial shows how to activate CGI programs if you do not have access to httpd.conf.

User Directories

To allow CGI program execution for any file ending in .cgi in users' directories, you can use the following configuration.

<Directory /home/*/public_html>
Options +ExecCGI
AddHandler cgi-script .cgi
 </Directory>

If you wish designate a cgi-bin subdirectory of a user's directory where everything will be treated as a CGI program, you can use the following.

<Directory /home/*/public_html/cgi-bin>
Options ExecCGI
SetHandler cgi-script
 </Directory>

top

Writing a CGI program

There are two main differences between ``regular'' programming, and CGI programming.

First, all output from your CGI program must be preceded by a MIME-type header. This is HTTP header that tells the client what sort of content it is receiving. Most of the time, this will look like:

Content-type: text/html

Secondly, your output needs to be in HTML, or some other format that a browser will be able to display. Most of the time, this will be HTML, but occasionally you might write a CGI program that outputs a gif image, or other non-HTML content.

Apart from those two things, writing a CGI program will look a lot like any other program that you might write.

Your first CGI program

The following is an example CGI program that prints one line to your browser. Type in the following, save it to a file called first.pl, and put it in your cgi-bin directory.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, World.";

Even if you are not familiar with Perl, you should be able to see what is happening here. The first line tells Apache (or whatever shell you happen to be running under) that this program can be executed by feeding the file to the interpreter found at the location /usr/bin/perl. The second line prints the content-type declaration we talked about, followed by two carriage-return newline pairs. This puts a blank line after the header, to indicate the end of the HTTP headers, and the beginning of the body. The third line prints the string "Hello, World.". And that's the end of it.

If you open your favorite browser and tell it to get the address

http://www.example.com/cgi-bin/first.pl

or wherever you put your file, you will see the one line Hello, World. appear in your browser window. It's not very exciting, but once you get that working, you'll have a good chance of getting just about anything working.

top

But it's still not working!

There are four basic things that you may see in your browser when you try to access your CGI program from the web:

The output of your CGI program
Great! That means everything worked fine. If the output is correct, but the browser is not processing it correctly, make sure you have the correct Content-Type set in your CGI program.
The source code of your CGI program or a "POST Method Not Allowed" message
That means that you have not properly configured Apache to process your CGI program. Reread the section on configuring Apache and try to find what you missed.
A message starting with "Forbidden"
That means that there is a permissions problem. Check the Apache error log and the section below on file permissions.
A message saying "Internal Server Error"
If you check the Apache error log, you will probably find that it says "Premature end of script headers", possibly along with an error message generated by your CGI program. In this case, you will want to check each of the below sections to see what might be preventing your CGI program from emitting the proper HTTP headers.

File permissions

Remember that the server does not run as you. That is, when the server starts up, it is running with the permissions of an unprivileged user - usually nobody, or www - and so it will need extra permissions to execute files that are owned by you. Usually, the way to give a file sufficient permissions to be executed by nobody is to give everyone execute permission on the file:

chmod a+x first.pl

Also, if your program reads from, or writes to, any other files, those files will need to have the correct permissions to permit this.

Path information and environment

When you run a program from your command line, you have certain information that is passed to the shell without you thinking about it. For example, you have a PATH, which tells the shell where it can look for files that you reference.

When a program runs through the web server as a CGI program, it may not have the same PATH. Any programs that you invoke in your CGI program (like sendmail, for example) will need to be specified by a full path, so that the shell can find them when it attempts to execute your CGI program.

A common manifestation of this is the path to the script interpreter (often perl) indicated in the first line of your CGI program, which will look something like:

#!/usr/bin/perl

Make sure that this is in fact the path to the interpreter.

In addition, if your CGI program depends on other environment variables, you will need to assure that those variables are passed by Apache.

Program errors

Most of the time when a CGI program fails, it's because of a problem with the program itself. This is particularly true once you get the hang of this CGI stuff, and no longer make the above two mistakes. The first thing to do is to make sure that your program runs from the command line before testing it via the web server. For example, try:

cd /usr/local/apache2/cgi-bin
./first.pl

(Do not call the perl interpreter. The shell and Apache should find the interpreter using the path information on the first line of the script.)

The first thing you see written by your program should be a set of HTTP headers, including the Content-Type, followed by a blank line. If you see anything else, Apache will return the Premature end of script headers error if you try to run it through the server. See Writing a CGI program above for more details.

Error logs

The error logs are your friend. Anything that goes wrong generates message in the error log. You should always look there first. If the place where you are hosting your web site does not permit you access to the error log, you should probably host your site somewhere else. Learn to read the error logs, and you'll find that almost all of your problems are quickly identified, and quickly solved.

Suexec

The suexec support program allows CGI programs to be run under different user permissions, depending on which virtual host or user home directory they are located in. Suexec has very strict permission checking, and any failure in that checking will result in your CGI programs failing with Premature end of script headers.

To check if you are using suexec, run apachectl -V and check for the location of SUEXEC_BIN. If Apache finds an suexec binary there on startup, suexec will be activated.

Unless you fully understand suexec, you should not be using it. To disable suexec, simply remove (or rename) the suexec binary pointed to by SUEXEC_BIN and then restart the server. If, after reading about suexec, you still wish to use it, then run suexec -V to find the location of the suexec log file, and use that log file to find what policy you are violating.

top

What's going on behind the scenes?

As you become more advanced in CGI programming, it will become useful to understand more about what's happening behind the scenes. Specifically, how the browser and server communicate with one another. Because although it's all very well to write a program that prints "Hello, World.", it's not particularly useful.

Environment variables

Environment variables are values that float around you as you use your computer. They are useful things like your path (where the computer searches for the actual file implementing a command when you type it), your username, your terminal type, and so on. For a full list of your normal, every day environment variables, type env at a command prompt.

During the CGI transaction, the server and the browser also set environment variables, so that they can communicate with one another. These are things like the browser type (Netscape, IE, Lynx), the server type (Apache, IIS, WebSite), the name of the CGI program that is being run, and so on.

These variables are available to the CGI programmer, and are half of the story of the client-server communication. The complete list of required variables is at http://hoohoo.ncsa.uiuc.edu/cgi/env.html.

This simple Perl CGI program will display all of the environment variables that are being passed around. Two similar programs are included in the cgi-bin directory of the Apache distribution. Note that some variables are required, while others are optional, so you may see some variables listed that were not in the official list. In addition, Apache provides many different ways for you to add your own environment variables to the basic ones provided by default.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
foreach $key (keys %ENV) {
print "$key --> $ENV{$key}<br>";
 }

STDIN and STDOUT

Other communication between the server and the client happens over standard input (STDIN) and standard output (STDOUT). In normal everyday context, STDIN means the keyboard, or a file that a program is given to act on, and STDOUT usually means the console or screen.

When you POST a web form to a CGI program, the data in that form is bundled up into a special format and gets delivered to your CGI program over STDIN. The program then can process that data as though it was coming in from the keyboard, or from a file

The "special format" is very simple. A field name and its value are joined together with an equals (=) sign, and pairs of values are joined together with an ampersand (&). Inconvenient characters like spaces, ampersands, and equals signs, are converted into their hex equivalent so that they don't gum up the works. The whole data string might look something like:

name=Rich%20Bowen&city=Lexington&state=KY&sidekick=Squirrel%20Monkey

You'll sometimes also see this type of string appended to a URL. When that is done, the server puts that string into the environment variable called QUERY_STRING. That's called a GET request. Your HTML form specifies whether a GET or a POST is used to deliver the data, by setting the METHOD attribute in the FORM tag.

Your program is then responsible for splitting that string up into useful information. Fortunately, there are libraries and modules available to help you process this data, as well as handle other of the aspects of your CGI program.

top

CGI modules/libraries

When you write CGI programs, you should consider using a code library, or module, to do most of the grunt work for you. This leads to fewer errors, and faster development.

If you're writing CGI programs in Perl, modules are available on CPAN. The most popular module for this purpose is CGI.pm. You might also consider CGI::Lite, which implements a minimal set of functionality, which is all you need in most programs.

If you're writing CGI programs in C, there are a variety of options. One of these is the CGIC library, from http://www.boutell.com/cgic/.

top

For more information

There are a large number of CGI resources on the web. You can discuss CGI problems with other users on the Usenet group comp.infosystems.www.authoring.cgi. And the -servers mailing list from the HTML Writers Guild is a great source of answers to your questions. You can find out more at http://www.hwg.org/lists/hwg-servers/.

And, of course, you should probably read the CGI specification, which has all the details on the operation of CGI programs. You can find the original version at the NCSA and there is an updated draft at the Common Gateway Interface RFC project.

When you post a question about a CGI problem that you're having, whether to a mailing list, or to a newsgroup, make sure you provide enough information about what happened, what you expected to happen, and how what actually happened was different, what server you're running, what language your CGI program was in, and, if possible, the offending code. This will make finding your problem much simpler.

Note that questions about CGI problems should never be posted to the Apache bug database unless you are sure you have found a problem in the Apache source code.

howto/htaccess.html100644 0 0 50261 11256637772 12074 0ustar 0 0 Apache Tutorial: .htaccess files - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Apache Tutorial: .htaccess files

.htaccess files provide a way to make configuration changes on a per-directory basis.

top

.htaccess files

Related ModulesRelated Directives
top

What they are/How to use them

.htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.

Note:

If you want to call your .htaccess file something else, you can change the name of the file using the AccessFileName directive. For example, if you would rather call the file .config then you can put the following in your server configuration file:

AccessFileName .config

In general, .htaccess files use the same syntax as the main configuration files. What you can put in these files is determined by the AllowOverride directive. This directive specifies, in categories, what directives will be honored if they are found in a .htaccess file. If a directive is permitted in a .htaccess file, the documentation for that directive will contain an Override section, specifying what value must be in AllowOverride in order for that directive to be permitted.

For example, if you look at the documentation for the AddDefaultCharset directive, you will find that it is permitted in .htaccess files. (See the Context line in the directive summary.) The Override line reads FileInfo. Thus, you must have at least AllowOverride FileInfo in order for this directive to be honored in .htaccess files.

Example:

Context: server config, virtual host, directory, .htaccess
Override: FileInfo

If you are unsure whether a particular directive is permitted in a .htaccess file, look at the documentation for that directive, and check the Context line for ".htaccess".

top

When (not) to use .htaccess files

In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.

However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

There are two main reasons to avoid the use of .htaccess files.

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if .htaccess files were enabled for /, which is not usually the case.)

The second consideration is one of security. You are permitting users to modify server configuration, which may result in changes over which you have no control. Carefully consider whether you want to give your users this privilege. Note also that giving users less privileges than they need will lead to additional technical support requests. Make sure you clearly tell your users what level of privileges you have given them. Specifying exactly what you have set AllowOverride to, and pointing them to the relevant documentation, will save yourself a lot of confusion later.

Note that it is completely equivalent to put a .htaccess file in a directory /www/htdocs/example containing a directive, and to put that same directive in a Directory section <Directory /www/htdocs/example> in your main server configuration:

.htaccess file in /www/htdocs/example:

Contents of .htaccess file in /www/htdocs/example

AddType text/example .exm

Section from your httpd.conf file

<Directory /www/htdocs/example>
AddType text/example .exm
 </Directory>

However, putting this configuration in your server configuration file will result in less of a performance hit, as the configuration is loaded once when Apache starts, rather than every time a file is requested.

The use of .htaccess files can be disabled completely by setting the AllowOverride directive to none:

AllowOverride None

top

How directives are applied

The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. However, it is important to also remember that there may have been .htaccess files in directories higher up. Directives are applied in the order that they are found. Therefore, a .htaccess file in a particular directory may override directives found in .htaccess files found higher up in the directory tree. And those, in turn, may have overridden directives found yet higher up, or in the main server configuration file itself.

Example:

In the directory /www/htdocs/example1 we have a .htaccess file containing the following:

Options +ExecCGI

(Note: you must have "AllowOverride Options" in effect to permit the use of the "Options" directive in .htaccess files.)

In the directory /www/htdocs/example1/example2 we have a .htaccess file containing:

Options Includes

Because of this second .htaccess file, in the directory /www/htdocs/example1/example2, CGI execution is not permitted, as only Options Includes is in effect, which completely overrides any earlier setting that may have been in place.

Merging of .htaccess with the main configuration files

As discussed in the documentation on Configuration Sections, .htaccess files can override the <Directory> sections for the corresponding directory, but will be overriden by other types of configuration sections from the main configuration files. This fact can be used to enforce certain configurations, even in the presence of a liberal AllowOverride setting. For example, to prevent script execution while allowing anything else to be set in .htaccess you can use:

<Directory />
Allowoverride All
 </Directory>

<Location />
Options +IncludesNoExec -ExecCGI
 </Location>

top

Authentication example

If you jumped directly to this part of the document to find out how to do authentication, it is important to note one thing. There is a common misconception that you are required to use .htaccess files in order to implement password authentication. This is not the case. Putting authentication directives in a <Directory> section, in your main server configuration file, is the preferred way to implement this, and .htaccess files should be used only if you don't have access to the main server configuration file. See above for a discussion of when you should and should not use .htaccess files.

Having said that, if you still think you need to use a .htaccess file, you may find that a configuration such as what follows may work for you.

.htaccess file contents:

AuthType Basic
AuthName "Password Required"
AuthUserFile /www/passwords/password.file
AuthGroupFile /www/passwords/group.file
Require Group admins

Note that AllowOverride AuthConfig must be in effect for these directives to have any effect.

Please see the authentication tutorial for a more complete discussion of authentication and authorization.

top

Server Side Includes example

Another common use of .htaccess files is to enable Server Side Includes for a particular directory. This may be done with the following configuration directives, placed in a .htaccess file in the desired directory:

Options +Includes
AddType text/html shtml
AddHandler server-parsed shtml

Note that AllowOverride Options and AllowOverride FileInfo must both be in effect for these directives to have any effect.

Please see the SSI tutorial for a more complete discussion of server-side includes.

top

CGI example

Finally, you may wish to use a .htaccess file to permit the execution of CGI programs in a particular directory. This may be implemented with the following configuration:

Options +ExecCGI
AddHandler cgi-script cgi pl

Alternately, if you wish to have all files in the given directory be considered to be CGI programs, this may be done with the following configuration:

Options +ExecCGI
SetHandler cgi-script

Note that AllowOverride Options and AllowOverride FileInfo must both be in effect for these directives to have any effect.

Please see the CGI tutorial for a more complete discussion of CGI programming and configuration.

top

Troubleshooting

When you put configuration directives in a .htaccess file, and you don't get the desired effect, there are a number of things that may be going wrong.

Most commonly, the problem is that AllowOverride is not set such that your configuration directives are being honored. Make sure that you don't have a AllowOverride None in effect for the file scope in question. A good test for this is to put garbage in your .htaccess file and reload. If a server error is not generated, then you almost certainly have AllowOverride None in effect.

If, on the other hand, you are getting server errors when trying to access documents, check your Apache error log. It will likely tell you that the directive used in your .htaccess file is not permitted. Alternately, it may tell you that you had a syntax error, which you will then need to fix.

howto/index.html100644 0 0 11763 11256637772 11412 0ustar 0 0 How-To / Tutorials - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2

How-To / Tutorials

top

How-To / Tutorials

Authentication and Authorization

Authentication is any process by which you verify that someone is who they claim they are. Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have.

See: Authentication, Authorization

Access Control

Access control refers to the process of restricting, or granting access to a resource based on arbitrary criteria. There are a variety of different ways that this can be accomplished.

See: Access Control

Dynamic Content with CGI

The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. It is the simplest, and most common, way to put dynamic content on your web site. This document will be an introduction to setting up CGI on your Apache web server, and getting started writing CGI programs.

See: CGI: Dynamic Content

.htaccess files

.htaccess files provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.

See: .htaccess files

Introduction to Server Side Includes

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

See: Server Side Includes (SSI)

Per-user web directories

On systems with multiple users, each user can be permitted to have a web site in their home directory using the UserDir directive. Visitors to a URL http://example.com/~username/ will get content out of the home directory of the user "username", out of the subdirectory specified by the UserDir directive.

See: User web directories (public_html)

howto/public_html.html100644 0 0 22311 11256637772 12574 0ustar 0 0 Per-user web directories - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Per-user web directories

On systems with multiple users, each user can be permitted to have a web site in their home directory using the UserDir directive. Visitors to a URL http://example.com/~username/ will get content out of the home directory of the user "username", out of the subdirectory specified by the UserDir directive.

See also

top

Per-user web directories

Related ModulesRelated Directives
top

Setting the file path with UserDir

The UserDir directive specifies a directory out of which per-user content is loaded. This directive may take several different forms.

If a path is given which does not start with a leading slash, it is assumed to be a directory path relative to the home directory of the specified user. Given this configuration:

UserDir public_html

the URL http://example.com/~rbowen/file.html will be translated to the file path /home/rbowen/public_html/file.html

If a path is given starting with a slash, a directory path will be constructed using that path, plus the username specified. Given this configuration:

UserDir /var/html

the URL http://example.com/~rbowen/file.html will be translated to the file path /var/html/rbowen/file.html

If a path is provided which contains an asterisk (*), a path is used in which the asterisk is replaced with the username. Given this configuration:

UserDir /var/www/*/docs

the URL http://example.com/~rbowen/file.html will be translated to the file path /var/www/rbowen/docs/file.html

Multiple directories or directory paths can also be set.

UserDir public_html /var/html

For the URL http://example.com/~rbowen/file.html, Apache will search for ~rbowen. If it isn't found, Apache will search for rbowen in /var/html. If found, the above URL will then be translated to the file path /var/html/rbowen/file.html

top

Redirecting to external URLs

The UserDir directive can be used to redirect user directory requests to external URLs.

UserDir http://example.org/users/*/

The above example will redirect a request for http://example.com/~bob/abc.html to http://example.org/users/bob/abc.html.

top

Restricting what users are permitted to use this feature

Using the syntax shown in the UserDir documentation, you can restrict what users are permitted to use this functionality:

UserDir disabled root jro fish

The configuration above will enable the feature for all users except for those listed in the disabled statement. You can, likewise, disable the feature for all but a few users by using a configuration like the following:

UserDir disabled
UserDir enabled rbowen krietz

See UserDir documentation for additional examples.

top

Enabling a cgi directory for each user

In order to give each user their own cgi-bin directory, you can use a <Directory> directive to make a particular subdirectory of a user's home directory cgi-enabled.

<Directory /home/*/public_html/cgi-bin/>
Options ExecCGI
SetHandler cgi-script
</Directory>

Then, presuming that UserDir is set to public_html, a cgi program example.cgi could be loaded from that directory as:

http://example.com/~rbowen/cgi-bin/example.cgi

top

Allowing users to alter configuration

If you want to allows users to modify the server configuration in their web space, they will need to use .htaccess files to make these changed. Ensure that you have set AllowOverride to a value sufficient for the directives that you want to permit the users to modify. See the .htaccess tutorial for additional details on how this works.

howto/ssi.html100644 0 0 55255 11256637772 11105 0ustar 0 0 Apache Tutorial: Introduction to Server Side Includes - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-
Apache > HTTP Server > Documentation > Version 2.2 > How-To / Tutorials

Apache Tutorial: Introduction to Server Side Includes

Server-side includes provide a means to add dynamic content to existing HTML documents.

top

Introduction

Related ModulesRelated Directives

This article deals with Server Side Includes, usually called simply SSI. In this article, I'll talk about configuring your server to permit SSI, and introduce some basic SSI techniques for adding dynamic content to your existing HTML pages.

In the latter part of the article, we'll talk about some of the somewhat more advanced things that can be done with SSI, such as conditional statements in your SSI directives.

top

What are SSI?

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution.

top

Configuring your server to permit SSI

To permit SSI on your server, you must have the following directive either in your httpd.conf file, or in a .htaccess file:

Options +Includes

This tells Apache that you want to permit files to be parsed for SSI directives. Note that most configurations contain multiple Options directives that can override each other. You will probably need to apply the Options to the specific directory where you want SSI enabled in order to assure that it gets evaluated last.

Not just any file is parsed for SSI directives. You have to tell Apache which files should be parsed. There are two ways to do this. You can tell Apache to parse any file with a particular file extension, such as .shtml, with the following directives:

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

One disadvantage to this approach is that if you wanted to add SSI directives to an existing page, you would have to change the name of that page, and all links to that page, in order to give it a .shtml extension, so that those directives would be executed.

The other method is to use the XBitHack directive:

XBitHack on

XBitHack tells Apache to parse files for SSI directives if they have the execute bit set. So, to add SSI directives to an existing page, rather than having to change the file name, you would just need to make the file executable using chmod.

chmod +x pagename.html

A brief comment about what not to do. You'll occasionally see people recommending that you just tell Apache to parse all .html files for SSI, so that you don't have to mess with .shtml file names. These folks have perhaps not heard about XBitHack. The thing to keep in mind is that, by doing this, you're requiring that Apache read through every single file that it sends out to clients, even if they don't contain any SSI directives. This can slow things down quite a bit, and is not a good idea.

Of course, on Windows, there is no such thing as an execute bit to set, so that limits your options a little.

In its default configuration, Apache does not send the last modified date or content length HTTP headers on SSI pages, because these values are difficult to calculate for dynamic content. This can prevent your document from being cached, and result in slower perceived client performance. There are two ways to solve this:

  1. Use the XBitHack Full configuration. This tells Apache to determine the last modified date by looking only at the date of the originally requested file, ignoring the modification date of any included files.
  2. Use the directives provided by mod_expires to set an explicit expiration time on your files, thereby letting browsers and proxies know that it is acceptable to cache them.
top

Basic SSI directives

SSI directives have the following syntax:

<!--#element attribute=value attribute=value ... -->

It is formatted like an HTML comment, so if you don't have SSI correctly enabled, the browser will ignore it, but it will still be visible in the HTML source. If you have SSI correctly configured, the directive will be replaced with its results.

The element can be one of a number of things, and we'll talk some more about most of these in the next installment of this series. For now, here are some examples of what you can do with SSI

Today's date

<!--#echo var="DATE_LOCAL" -->

The echo element just spits out the value of a variable. There are a number of standard variables, which include the whole set of environment variables that are available to CGI programs. Also, you can define your own variables with the set element.

If you don't like the format in which the date gets printed, you can use the config element, with a timefmt attribute, to modify that formatting.

<!--#config timefmt="%A %B %d, %Y" -->
Today is <!--#echo var="DATE_LOCAL" -->

Modification date of the file

This document last modified <!--#flastmod file="index.html" -->

This element is also subject to timefmt format configurations.

Including the results of a CGI program

This is one of the more common uses of SSI - to output the results of a CGI program, such as everybody's favorite, a ``hit counter.''

<!--#include virtual="/cgi-bin/counter.pl" -->

top

Additional examples

Following are some specific examples of things you can do in your HTML documents with SSI.

When was this document modified?

Earlier, we mentioned that you could use SSI to inform the user when the document was most recently modified. However, the actual method for doing that was left somewhat in question. The following code, placed in your HTML document, will put such a time stamp on your page. Of course, you will have to have SSI correctly enabled, as discussed above.

<!--#config timefmt="%A %B %d, %Y" -->
This file last modified <!--#flastmod file="ssi.shtml" -->

Of course, you will need to replace the ssi.shtml with the actual name of the file that you're referring to. This can be inconvenient if you're just looking for a generic piece of code that you can paste into any file, so you probably want to use the LAST_MODIFIED variable instead:

<!--#config timefmt="%D" -->
This file last modified <!--#echo var="LAST_MODIFIED" -->

For more details on the timefmt format, go to your favorite search site and look for strftime. The syntax is the same.

Including a standard footer

If you are managing any site that is more than a few pages, you may find that making changes to all those pages can be a real pain, particularly if you are trying to maintain some kind of standard look across all those pages.

Using an include file for a header and/or a footer can reduce the burden of these updates. You just have to make one footer file, and then include it into each page with the include SSI command. The include element can determine what file to include with either the file attribute, or the virtual attribute. The file attribute is a file path, relative to the current directory. That means that it cannot be an absolute file path (starting with /), nor can it contain ../ as part of that path. The virtual attribute is probably more useful, and should specify a URL relative to the document being served. It can start with a /, but must be on the same server as the file being served.

<!--#include virtual="/footer.html" -->

I'll frequently combine the last two things, putting a LAST_MODIFIED directive inside a footer file to be included. SSI directives can be contained in the included file, and includes can be nested - that is, the included file can include another file, and so on.

top

What else can I config?

In addition to being able to config the time format, you can also config two other things.

Usually, when something goes wrong with your SSI directive, you get the message

[an error occurred while processing this directive]

If you want to change that message to something else, you can do so with the errmsg attribute to the config element:

<!--#config errmsg="[It appears that you don't know how to use SSI]" -->

Hopefully, end users will never see this message, because you will have resolved all the problems with your SSI directives before your site goes live. (Right?)

And you can config the format in which file sizes are returned with the sizefmt attribute. You can specify bytes for a full count in bytes, or abbrev for an abbreviated number in Kb or Mb, as appropriate.

top

Executing commands

I expect that I'll have an article some time in the coming months about using SSI with small CGI programs. For now, here's something else that you can do with the exec element. You can actually have SSI execute a command using the shell (/bin/sh, to be precise - or the DOS shell, if you're on Win32). The following, for example, will give you a directory listing.

<pre>
<!--#exec cmd="ls" -->
</pre>

or, on Windows

<pre>
<!--#exec cmd="dir" -->
</pre>

You might notice some strange formatting with this directive on Windows, because the output from dir contains the string ``<dir>'' in it, which confuses browsers.

Note that this feature is exceedingly dangerous, as it will execute whatever code happens to be embedded in the exec tag. If you have any situation where users can edit content on your web pages, such as with a ``guestbook'', for example, make sure that you have this feature disabled. You can allow SSI, but not the exec feature, with the IncludesNOEXEC argument to the Options directive.

top

Advanced SSI techniques

In addition to spitting out content, Apache SSI gives you the option of setting variables, and using those variables in comparisons and conditionals.

Caveat

Most of the features discussed in this article are only available to you if you are running Apache 1.2 or later. Of course, if you are not running Apache 1.2 or later, you need to upgrade immediately, if not sooner. Go on. Do it now. We'll wait.

Setting variables

Using the set directive, you can set variables for later use. We'll need this later in the discussion, so we'll talk about it here. The syntax of this is as follows:

<!--#set var="name" value="Rich" -->

In addition to merely setting values literally like that, you can use any other variable, including environment variables or the variables discussed above (like LAST_MODIFIED, for example) to give values to your variables. You will specify that something is a variable, rather than a literal string, by using the dollar sign ($) before the name of the variable.

<!--#set var="modified" value="$LAST_MODIFIED" -->

To put a literal dollar sign into the value of your variable, you need to escape the dollar sign with a backslash.

<!--#set var="cost" value="\$100" -->

Finally, if you want to put a variable in the midst of a longer string, and there's a chance that the name of the variable will run up against some other characters, and thus be confused with those characters, you can place the name of the variable in braces, to remove this confusion. (It's hard to come up with a really good example of this, but hopefully you'll get the point.)

<!--#set var="date" value="${DATE_LOCAL}_${DATE_GMT}" -->

Conditional expressions

Now that we have variables, and are able to set and compare their values, we can use them to express conditionals. This lets SSI be a tiny programming language of sorts. mod_include provides an if, elif, else, endif structure for building conditional statements. This allows you to effectively generate multiple logical pages out of one actual page.

The structure of this conditional construct is:

<!--#if expr="test_condition" -->
<!--#elif expr="test_condition" -->
<!--#else -->
<!--#endif -->

A test_condition can be any sort of logical comparison - either comparing values to one another, or testing the ``truth'' of a particular value. (A given string is true if it is nonempty.) For a full list of the comparison operators available to you, see the mod_include documentation. Here are some examples of how one might use this construct.

In your configuration file, you could put the following line:

BrowserMatchNoCase macintosh Mac
BrowserMatchNoCase MSIE InternetExplorer

This will set environment variables ``Mac'' and ``InternetExplorer'' to true, if the client is running Internet Explorer on a Macintosh.

Then, in your SSI-enabled document, you might do the following:

<!--#if expr="${Mac} && ${InternetExplorer}" -->
Apologetic text goes here
<!--#else -->
Cool JavaScript code goes here
<!--#endif -->

Not that I have anything against IE on Macs - I just struggled for a few hours last week trying to get some JavaScript working on IE on a Mac, when it was working everywhere else. The above was the interim workaround.

Any other variable (either ones that you define, or normal environment variables) can be used in conditional statements. With Apache's ability to set environment variables with the SetEnvIf directives, and other related directives, this functionality can let you do some pretty involved dynamic stuff without ever resorting to CGI.

top

Conclusion

SSI is certainly not a replacement for CGI, or other technologies used for generating dynamic web pages. But it is a great way to add small amounts of dynamic content to pages, without doing a lot of extra work.

images/caching_fig1.gif100644 0 0 40203 11256637627 12501 0ustar 0 0 GIF89aX–÷ÿ  %&&+++&'(555469:::7894L(6H'>Y1;G>@B=CK4AQ,Fe3OpDDDEFHMMMNRXUUU]]]IOVIWhO^q]`eLb}ccdkkkgghimqoppssswxxIgŠLpšSk‡Pr™Ox¨Qz«L¼y~ƒ[†¸xƒ‘kˆ¬eŠ´fŠµu‹¤p’¸XŒÉX”ÛY‘ÔZÏ\šã`—×yÆcžãw¦ßk¤èa¥ôg¨öfªûm«ök­ûc§ùo°üu¬í{¯ìt§äs®óp¯ùx¯ð~±ív°õs²û{³ôzµû~¸ü†††‡ˆˆ‹‹‹‡‡ˆ„—’†“””•—šƒ”¨œž¡ Š¡»Ÿ  –¥µ£££®®®¤§ª¯°°´´´·¸º»»¼¶·¹£©°‰©Î„¬ÛŽ³Þ”µÜœ·Ö™·Ùž¸×ºÜ•µÚ­Ñ…±åƒ³ëŒ´ãŠ¶ëŒ¹í‚¶ô€·ø†¹õƒºü‹»óŠ¾üˆ·ð‘·ã”¹å“»ëœ½ä™¾é’¾ó¿ø¯æ­¼Í¥·Ì¤ºÔ£½Û«½Ò©¿Ù¢·Ð¶½Æ³¾Ê»¿Ä¸¿È±¿Ð¡¿áŽÀüŸÀç›Áí—Àï”Áö“Ãü›Äõ™ÇüÉü¦ÀÞ¯ÀÕ«ÁÚµÁͽÀĺÂ˳ÁÒ´ÆÛ»ÅѾÈÔ½ÊÙ¶ÉߣÀã£Äë©Çê­Êì©Äã¡Æò£Éö£Ìü«Íô¨Ïü¬Ñü®Ð÷µÉá³Íë¸Ïé¸Ëá±Îñ¼Òì·ÐîµÒô³Õü»Õò¹×û¼Ùü»ØùÃÄÄÄÆÉÆÉËÈÇÇÊÊÊÈÈÇÄËÓÊÎÒÃÌÖÎÑÔÈÒÞÐÏÐÓÓÓÓÖÚ×ØÚÜÜÜÃÖëÊÕâËÚìÅÔæÁ×ðÄÚóÃÝüËÝóÈßùÖÜãÒÞìÜßãÐßðÇàýÏáöÌâüÕáïÜàåÛãìÔãôÒæüÖèýÛæóÞéöÜëüããääæéæèêìììäëóâîüëîñèïøæðýíñôìôüóóóò÷üõùýøø÷þþþø÷÷!ù,X–þý H° Áƒ*\È°¡Ã‡#JœH±¢Å‹3jÜȱ£Ç CŠI²¤É“(Sª\ɲ¥Ë—0cÊœI³¦Í›8sêÜɳ§ÏŸ@ƒ J´¨Ñ£H“*]Ê´©Ó§P£JJµªÕ«X³jÝʵ«×¯`ÊK¶¬Ù³hÓª]˶­Û·pãÊK·®Ý»xóêÝË·¯ß¿€ L¸°áÈ+^̸±ãÇ#KžL¹²å˘3kÞú®šg}ñäùK& &èͨSíwB ɸ¨ñ'¢ŠEiï0ªÙ¢º·oŸú lѧ¯Ÿ²ÜµýOO`5cÒäáV.­ß;cÉôU³p¢š¿w¤ûþùÃ-M™ôd¢ R3Fí»²~ÉŒÉÏ­O™ùßøó«ÔWÁJ<}´ñV[?\h` <ñd ҄pÅxPó Òc€g¼£A”ÑO„ €"\pAkT Bþt‚>V” BjôcP¡ßŽ @ ýh`mV¼£ÀÆ Ì;¨ ôcÆ ï PF=ÊeÀ…?bh LèsA úœTd`Þìs~'¬pÆßã¨2ÞIÓžqhX©h”æ2 ,m ɈÏ¥½õ{SŽ×5¿½³¹U°e ö£Æ”a €?×Ý[ÐB°pþFd€`÷߀c„·Ð{c”Œ2nµ¬“â1Ž“ãAn“äQN“åa~S?Vœ·d.úè( ž°dH£úêª+Ãúꮳ;ì¯ÏÞúë¸ç®ûî·Ë^ûï¾O»ð½Ïûñ¹GC»ò½Û^ðÆOüóÓ;ï<òØçn=ôÒS½÷ÝoŸýøÌ?_~ìâŸ~õ܃ïþø𻿾üíÏ?üø£ï;Ý™ž°hV@ð€,`x@2€ (AF0‚ t`ØÀjðƒ aGhA Nð‚%ü`WBrð…+!]XBN°Y' )HÃÎð‡þ0Ü }˜C¦°‚7ô {(à *qˆMb‘hÂ#NчAÄ"™ÈÅêЊ`Lâ›U€ ü‹ˆÿòÆÆ6ºñpŒ£çHÇ:ÚñŽxÌ£÷ÈÇ>úñ€ ¤ IÈBòy¤—;Çƨ¨&ˆ$"¹3JZRQ–”$%1™ÉIjÒ“•œ$(EYÉOî ”šìä&Q™ÊSf²”®T¥$Y KN¶’”£ å&aiÉìr–¯%-sÌa®2˜»Ì%)M©L]þò’Ç”e,¡ LiÚò™×l¦6“ùJøò–Ƭ&5yÍq^ó–µt¦.·ùÉpN›îòq{¬Ã÷ÈÇd´º®~u&©éçHÚÔ‚`u [u‡:ˆ Zt‚³àÆ=Þº­zµÁ°Å':1‹rÜ­}T×1×[ØåHëOvÓ¦bµ¬-1èz PtS@ `@b¬±„Á¬:Ê1ŽÍv¶øþƒZ@ƒM˜µ©åª;Ö¡YºÚ³˜‚¦@ ÉzΣJ}ê>–«Û¹ö …B¤KÝLÀ9ÀÄ-Öá²2÷¯tµë¤ Ý#D¸(àƒ?ÜÂÁªwÍÚÚ΂V Ó-‚~‹@„(·µB×jÔ­Þcµœõìg1)áCB¤Ð@ì¡h€Š€‰ÿò¥¬¼Mð`ï+ÝOw ~؃ à@¡ÃWå T\ßß~ö .±~¥À@‚­H_EÂT“B•«÷Ø­fŸ{ß" Á¼P ž@e<܇hÅ(ÆðÜ`P E9Äå"™Œ­¯þgÇ[(K™ÊQp°¬e/$@8˜.dÉ<—ï&9Äu…îÚÜf(D™ÊNˆÂ‘‰PŒâ«hNIŠ ÒÅ.Y°÷%¯tÛl„éöøÇ™˜Ã#1‰E˜¢ÇC`ƒ'a ·¸G™A¬æÏæømŽ0˜?}:4â“„$JQŠ. @=h‚¤@ w Ù-P¥Ç¥A “÷Áº>‚RLC8â×Á–Ä©K1%Í=t²zckE£æÖþã-o¡¡…(X9Ý$DAŠRÃßر*ð€Ü&ŸÏ‚dÆöÖ±¶&o›`h{[Yƒhô#D1nùCÑ Ãþ$†ƒáÄ€¯Z ìpw¿6äÅ5ŧ\ï;Ü!†Ð²(NQ 5üp®£†<Ì-8tWv Ê]î=è¡Žqö³šžîƒNo?¢Û­Øw°+AlT{Ü>J x. .ÐÁ B€B'Æ`®<ÕÌIÖ,Äse©£—Þ‚ØÃ!2áˆG»ëÇN4ž1j¼cà`ƒ#ð€Þ·Ý+ËÝ*W×Q_è  ç/®‰À‡OkBß‹D¿‰} N†‡<ðAô¢¨ *oñˆ—XÂP@ñÕ A‡o7‚Ô¢ï¹|’ñ Õ¥>ª¯q¤”!ƒpµ¶ûø«DÁï.&þþ`hOW¸Ü6„¯7~Šàÿ[ðJK}ò‰cŒ \ ¦ˆÃô\Žê[«i~7-FŒcÌ› Ûfa¼7¢& “0zþv8Åçï°~Óz®gSêö3f6yK&^øa›'eKðŠd£ÀoÄxÉtA'vò |!!"ó ‹ppCÐa²†~ÖtÄp ‚¦_¦_èEeOw9 §` >G‚‡£<ÔЀò@± È ¢DðjÛõlT¡UQ•dÎeWÁåd„ÖƒDàzÀh¡Ào§fzØq„¨÷¡Qè”60ûbð6S oC eSàc9÷{¤F ¦Ðqè' ç „þA‡S ’ ç  qàÓ… 々LñVZÅtáõ –c:ø}v† jŒ°¦V ipÑ@ ©·„C‡pxÊ`*ÓðÌðo C@\{eøX¯5ýW^¸·mœphŠ¤°Œ€pHƒ‚)ø€qsÈ#3¶”wƒÔ–‡„Vqõvo† Žp “0‚Î Hx|K˜F !!`Óp p°`v…O1cL·dk6Ç_4go6ሠ“pjj0|ötÕ±ØÉ`*Õð)ñçRö lPµ[6h_ž8]SæV¶Ax ( ©:¬¨„K8’5`È…,ýðþTRåt´]ûŃ`u{ À6l]ço è:†ëÈ,é ¢ üÏðw W˜hiu]¸¶_L{PY¶qÁ÷“_‡z†·Žÿ“ý‡ (þ òˆÓõ ô`‰C!_þ0y7[Q·_D °…Ð gzjà“æ˜ HøD‹i¹Õ¨×X_ûÇ`P acz p0Ž ÀŒ¦GÆ׊ëx”!!PúðªàI€^ S)üðW´gW0BeQàw0tÀ™B(ˆ#té§~KXâašSc*ôñMI…E0ÁÀ]Gq}îö[Mþ¶_R hš)¾ö™£÷uÊ@ ¬ˆœÊט?ñ˜˜AVôUW0h|ÉK‚p—ð™¦@ g ÇP‚±ƒˆÅ1Ìiîˆ8ý Ó` r@Ó§@Q^ÕXœˆ_úUwpVáÈqÍX‚Æ™„ɧžê‰³¨ç øðÇÐ’x0F—9Qƒ­eWyh^GK€w„p ¡@œçw ÿyzÒÀjõ’¿±î Y^8^º‡R`a†Ð€h •@ Ç’ Ê'"Áˆ ßÒðy°Óy 1Ö\%w‚vkCvQº £XŠ8l™~JØ¥ ùÊP§2Ÿ¢ þs€vj7f?±XNg °Õ`R`^¸7€ék¥(n‡(ixoè¥IÁž‘±UhÖX5ù¨Ø_Oàe¨e§P ©Šzº©E`*¦¡çÀ púÕ ˆŠ&W7H£ÄXp†©: >êŒÆwˆïž(‘ À–ñdJ oðC ¶°0 ~¥dïuØfˆ¦yÐh"8| ¨§ª§gžÚ2éÚ]†Æ_R&… ¿l„(”íú#«š´ªøP ¦ÒG êЭ*qYù@yŽe¯›v™{  t0j–ÚŸ¤ÑŠÒH°±–DzšÈ€‹D°‹ÁЋ4ñþv–—¹YwRÖ›„  Ž`Š¥0žò‘˜ò°zi¹œ"‹A[«F7Ÿ ^ss'wrÐw«úsÆ' #ê[ñ0 p¦Ó¹²k™xñy¯w€qp@Zw©ÊP| J”Ê9´±–=S-Õ@¨y p3bÀ¸ø%eùqzÚ³ÚÛß*wcûdQgsv†¦š¢‰ˆ_+£ ¿L) |Ôɲ$ñ«še _h^cøWv†¤@‚¸ ¢qÛ*­Á«™ ÀxD€ RÃY”  þ7]§Z†Ð{˜`—»ê{#|ò…yo+ÿ»±‡[¾š $UË3LÃÊP¨» c"ñTw¹þk,qz¹¾fj¤p§—„oø³ØÛШQ xvk7›áWsµÝw^Qpu7»‡¹Še·?kÅYqÆuQ›ÉÉ›|ðÀ)¾Å™˜n¸’Eqµ¡©pvg¼«[–V¯5êixik€-œÈe¹’¨\t[(Ÿ’ ;aöûÌQ›Y| °U^3{srДբ)XÇiq¤°7ÊÈÜœ¸&ËvŸ¡°%éÁ x½HqÇ4< “pÃÔ9ÁW\Vê ÅÅÜfý%SZŽæè:ù¼œHA² Ññ  fŠpRàµ!“îÜ ¨_Bð|°¯ ³Û®ßRþÆO¡Êp±ú››Ýÿ+‘`Ï£w8)¹È*¨ÙO¡ð`Ñ&ÇDZÒv• f^6Óà–†{ËI¬Kì»ð»šÎÀ¢GŘLëtz†— q°q]w å©©é¹ÓðZ´b0{± I¡0„Ä ªã†úºŒ » z öÌNEÐÄ@m{™CìwÅ °¸ì ¼’l uà›[ý\EãÀÍe4'’BÈu®šÏ‹,½ùXX9a}°h7+l-Œ¸IÂŒ {}ü  Ö:S` *7µ9´Ó¹§¯pÌÐ&Y–ú ­ : ÂëjPþ` ÷KuH 0^­=Š¤ÆªXúÔé‹ÍiÁ9¯GYFKZµ¤… ÷sF—Š5í€õ ƒv^B|è¢üqÑ`xQŽÎñk sPÉ/†åp%¹ÜÜëÄÊñ«.ʧ‡×°~êŒÞp±X‚Î}ø…ð{§fÖµèïc!뵎ºQ¹WônêÝÒ‹ÖÄImLÕÔ@ r@u·PZµëP_B hsz²°¼?uXêck^O oðkþ±‹œZï)ê ;¿ÇÄXŒJ¹Qu°÷²}ˆÊ‰Ñ ø Ìþhú´0¯{êN&söðåH³Î€ÏÖkQ÷ØÝòü¥hŽ€§—„ÇŽä$÷OÖ œx±K Ð µ(þ­7ïÿP ¸ŠvÙ:XòI¬Oðá1_‚¸Á„“R=°ß¢mþØ+0ãÏÈãŸþåßþðÿïþçÿî_ÿéÿi üˆ÷‡Áh‘$5Ǥ½{WO_¿~þ>t1¢CŠ!^´˜ñ¡DŒ;VÜ£F‡ÿü™D鯢´ ”E¼ø‘_?yѹAb„ˆ”"B˜8ÔhQ5Æ”Q{'¯ÃŒNähñãSTUÆI’aH©Y§v…˜Ì‚†jW™j•*¯š);Iˆ RD.‘=p" ,*­Zý©ƒìc ˆÇÕŒ‰‚œÜËñÂ"ÄP¢SÆ^‡Èòp”ìã1¹Iò¡ñœ4Ò=ÆA‹)Èå wˆ„$Ž¥”/ˆ Œ/K3´Äeë<™KÊðcÁxc#AþGÃd E‹¼$ ‘ÉÅùeà–Ë„æâú‘™Ç¥—üØÇ:n1(¡2]1ûÍd¶ä’äü¡&ѹN#M3IÐû$-ùa@Ppó ŒÙöJv2‡³ìç ÇP~"s—¹ÌÇ:Ü—%€’à{_@áG |Q¢&´åE%zPÝ´ùe)‹pÊ8HÂ{çÇ$5º:úÃ’+%¡:aŠNŽ‚2å å‡F˜Â I™éD-Ô *£d!*9kŠIE’’ŠN¨C8©!|´4©«SæUý—Œ Q«¥¦!a™b€‚OpÂâ°ƒTcœ_•ÞKῌΗKEä>ÔÑþ (|Œ(E2¤qŽˆÚUyY5ìø:=«&–wx $?p*"(!ª5t_cK9YnvzË8ê3=HBV3ždã-þp$¸°Ê@©fG»¸ÎÎvyËè*mÛGȪŽôe0¦0!܆Ҹ¡lwëªÚ.—wuu.{kÆ'}uÂRØèbÕSéë.ëŒêÕð–±´bE¤;1Å&Èʈ‡r]%_˜ÊÕ±ô•ÙbËÆé†ñ¦|ÂNá@îîsö50æÆ+Ú[¿½ë/[H‹n>á °Z+¬:Än¸rDÔ­‡ÏVx Ò¾çqŒsÔã¢ö§9El9þ™ÆW0ƒ[J"ÜaȘêŒà7¶Æ3ÖaŽ8OΡ¡s(ø„“0¸RBq ·BÚÃÍu2B;êA’8€§="“±Ã8˜bñP)­‹dæþ¹:“ô6©mB\ qžÖ%nvI! `'›¹U¦µž­ÍØe/ŒûÇu…9?ÁÞv™‡*ìPþ7:ÝÍ+µÿÜ“%ÀÄ5¶ˆï¬hY#õÝì¶5…˜MŽ4‹°š¦ÿmb7/ß1{8ó´½ðäÅÛ¾Üf#ËêcR|2ÿLöÄ¡ñ-Zœû ‡j‰‡žþÝ”#9\÷]h£:ÓãÒ3yüº|„7bÚÕ¾yef¾ç4Â3í’ÉÚ‰ž€nÚˆNó±0Øèº x³Iøß ÃáV+°Ñaýâ¢"ûêÏúÀËñ‰¸@ áø>»ºòYǽUšÍùô²y T/aãnµ»Ü j³ëï¼µ5—ñSöð†åº³]uÈ>é9©—…€‡9˜‚Úø¨|%?j,‡þþryg?ÔA ÊBµÆ4½K¿rÊœ¨¨WÞ<‹Ñ$ûë„ŽýÔ‰^ûØŸéè-!H=„ØaÍxè‹/|<—¾ø“Ã}òÜq >(¡ +®†>~;}l“¾îׯ\öy§zL,Áû’†<¢®fŠZ”Ö¡¶:ú[¥þÝ‘U B@‚9h†øš?‡#*꣌”¨~s7ýÛ¿´35mê >…p»ÊC@59¼ Ü ¥s2BÈ S³˜Ë@ÛR.Fã@ì;¾I›’ˇ('€„o¸ÀÄRÀò´dÃ-Q[ÁDâcÃ"á?ߺ‡[è&'@…jÀÃ1ÓÃ:±>ÂË“·r`:"Ègˆ¯LC+ÛÀ>üÃÔ Ä?˜ÁVøûA6Ô CÔ¨M¼ÉŠÄ<È÷ùÂDT3ücDƉB;9b@5"h¸ÁØ“Å3kÂZT U¬_²…Ad…s@Å1»D$3Eb|7䟥{B¸˜aÃ%T´LdCIK<º@£AtÐBK=PË-i¬ cœ½ *ʃU¨‡—Ó?n,´EdGç¡Fø¡Â!þx‚K˜†_$¿¹c7>ÜGw”É…¾Âƒ\ ,FÄÇ=‹Æ}tˆ~$8ü'“ƒ:¬Åó¯MS†®Ê?FTȘɇd4‚$x„o°Ç¯jFﲿQ-dÇ“l•„êy<˜TÂòSG›³ÈbÄÈéÙOLCEb Fˆ ¯a$Fœ4’r¸.&x^87çòICÛA˜¤+„¼É¢dž~à]ÈF€†ªbJ t´ŠLH±t"z °ÍC…sxIlJ5$É¡$Ê[Ô:æÁ%ÀÆJ$Ægœ±~+IMlÁp„z°ʃPø†sdļ´2®Ê¡”JÊøuð2& „U ÌÂLG!ÚÊñÊþZÜÌG£‡aøƒ!X¤L– :ñԣÓ4£ÕT Õ£°%xÈw¸K4dËn<ª„+ÝlwrÄñ!«DC¸ “FR̶½äKÞô‡qd‚"HTpI‹´L$CL¾œ¸äÿ*&(JTÎÙ’/Ûô°v3OÞ¼á@PœÍZœH<ÓGÍDOÝaE(¸4^ AvÏÃKa›¿Õ$+(`-G¸†ýüÈâ,´DN“\L!œdä9B ‡á4£÷4"ùÜ°eXШ PÖ!+L€MB€†ÑÜÇþ¬³5LýªÍ”ËÖ‹pè8v¤QÂÑåÁÌÄüÆ]ªœ¢y<Ð-M~KQÕDþRÌ©.(€ÍVÈÂ2R< RaŒRä#œôM1yȈ¬ÅêÒ.,<.ÚÒÝœÒËÙ‡`ØÈöªCeC¤=›”Fœ¼P(‚#ÀQOóôm0]8’G]ž}€ÄF"J$TÑ›ÉB{ úÌÎ7­œ_š8k…jPKBMÐÛ\Ó·ôËæD"¸´W´Ó>”†®¼¿/UÌS]ÿ+$P‚¬ÐJmËã¬OM]~K+‚S‡6U³Qõ°‘ÔS¥ÕäÉnÀU-h°ÃI-T ݳš4Ò/\T)Lžu`="H‚V8 ÕJ3RV‰Š8LÐg]¿q1zDVú{Ò|”Õ#þ…×þ#+Í,ÅVJý4&ŒÒ{í.æD¾Ýñ%ZX¹\€º%Xºó·¡TXôW/Cl¼ÖµNÒÃΕBX´ë×ÖɾE€»dS+[×ãÖ_-YÖiOx‹Ð…yXÝ,‹\+ÃPó¼XÆl~†¸ð_˜‡ÎU < /CQ¯Õж]Å[(‚!lÅÎ5Ô#Üw•]Õ9Ù"0@0tÕ ø\utÚ⳪?LÉéåvÐUñÌ×ásÞØ]X’ËFòÜm¢Ü ¤´50Ü´ßÃõÞuøU•{X.ÿœj0ß‚5Îô1å?7s²ZÈäMÞùµÛúå×îű×(€… îž =4¦:]ÃÞÕÙ?О_ _Q­¨ÁkËRe[¾w¨)`‚=ð…6ÏÝ%ÏÐ5@Eã¿uþ-„mx\bl©ì `%^Aõëuð„¾Òl˜[-u.+Þ//¤âÑM@u˜W)xs˜bÈåàÅbä¿q0](Ðxxc´­[Öy‡|4úÒ2¤w°‚üY¤ÜûUq˜#a°F226’.Ѐý‘‡-HÅy¥§ (e@ÑzŠwØ‚ài)O–Ÿ9v@õãn@5)؆åãóí-Ð0†-ÐeÉá‚€€2è‡3,Xˆ9lQ càc(8ˆQ eP2.ø‹w¨‚Pƒ~(Ð4Ø‚zˆ¸ g® ê3-y 3þ(èVñòÕL…^ÊyÐ!ðƒnˆß¡àVá‚ ð2(2èø°‚w8 P fÐcPƒ ¸ *@5P2P€©²f•†0c¸.Ї°3Ѐx@Xƒj°j(ƒ ƒN3 ` .cÈ.xÈ52P,WÖ¿ìë‡ûì+@H‡0Þǃ¾ä]Öf}xz æ P€¸¨‡ (‡°°©gm.eЇ“öi(e0@ƒÐ€€bR¨Ë€20 02g0°±P€xXk10Ô„j#¢deƒaFõ-mê«þBP‡Íž1K.L^èËî4„f}¸@4 †~¨€iö™Þ‚Ð.@¹¦kl*Àhè‚–il¼&Àd5@€2@c‡ (´¡†j@5ðËŽ:3þZ¦ÕkÈ%ð„tÐ`ÏÕaÞIèÛ>øj·ª€-è.¸€‚: °íwøcˆ‡é6†0†zЀKJé3‡ è‚ß}è j@€dðe0¨æ xœvi¨«‚ ?µèîÔ~jþÁì›ZO`‚'ЄvXoJmïÝÑf8*ï€:.¨4+Ð (}È€5 *È€…0ò*Ðþ+‡ #i0ì  ‚àQÈ€?#§†z¸§Îëf lyøp  3¨‚ð>?¼ýçÅɇb„Ì}q$N¿à¹•ˆX¯&’~¨†ð“ï÷ñêb q˜Í~H AW y@Š†ÐA'4ö Gÿ @?Eÿ Çl ÞS4Œ|„Û}qžqŠÌlÁå$b"_˜ä;c \õâ˾{˜…¸ØkPàWÞÉËL7'ïɹ‡O O^oÓ  Zàƒ8CD$>ÒÎWÕ¹¦+Y0ÇSwv•pnÊØçG+¿œŒ3‡]fâáOs™¡-‚ZþhÒÎÕêÉCÖ4®RHÏŸ†È›÷É›¥!!ôˆmôânV‘oMëüå‡/,¿?…P 뇥vö)hk󸃱ì‹w¨…³ÕàWåZÕ (¥î»y#×€dˆ†8ë¿@ƒÈ+è ž jHr") èyj(i(ƒ•—có5‡ Ø‚•×-+8 †°ñw w`iL."ùi‹fZôçb_œx 謖ߔO¤¯†-È€~0¸ 0„€p°GjPú5ì~‡Ýîi¸€20jW ¨ X3 ûy4(åw(€þ‰néÉ(zùPt²Pƒ(å>ƒ~È€TîøëgîedËQ½@h{aØc Ò¿{Œ|gú èå~ ðn•PÈ€ØÈ~0{+È€°€2øfÀ¨ÉWx0¸Øp½÷ Ø‚É8§ö ý¯~5€‡2è4¸Xw1ºu™!m^}V(hP1 2lèp!½bˆ$ÑÖï!ÆŒ7rìèñ#È"G’I-Ã…h%3‚°â¯Ì…~Ò¼ÓWÍÂ&Œ! f,ƒ<…ýD$´"ž1ïjn±°š‚jÆR.Õ¢Šï Róþ§a Ãd‚(á/Y†wj*è“a¬?iH\\™QY ïìòíë÷/àÀ 0x0áÊ~ëlI!¢g›àÈ’'S®Ü±J•5¸4c¡ß;VâqÉÀ¥‹2 ² Øò.C1h¬Õோi1ÑÞ[†ZOy|ÇA"‹2ÕzúËv¡X…VPQáÝmé·EL†u/»Ö2úôê×/HÐ0„vù©›õdI¡nãÙóïïŸòIH#X I—U¼ÓUXQ2U˜QFwÔlQýœ±—1eø£¡ƒ*sa¤UV˜¡O2T”Q†òtTÉ0¤Æ€þþij…É”Q5bôÓÊ€ØÅ^’%c^ÿ9ù$”¹_|ˆ•Ä7œ@ñÄ!æDù%˜a: fb†T×~hšÉ‘2L&¹&œéí‡aTÊ·?ÄE®¤3gœ ™ƒ^Ts(£24%|w–´O1},é8º)§a&`§¡v”ÌMŠz*˜&)IûE|ì2ªµ2úi™þè>¶2ªŒõ,´¤¢¾ËŸª‡ÙµÏ-Dˆ5Â: ¨£ÔË4¤´P<%`µöSA@)Ô¦©áª+Y²±:R>´Q Øà³.¾ÿ}š£4ä`[¾aösAþA…î¢+lW»UÚïCxò§µW¼ðH¸úÃSAxˆq”jP°<è¾ 2Ê5ünHüÐÊDx2Ï?)£zqe¸’Qƒó@‡ŠÆ«á¦ÍIk´²•ð®ÓIKÌbÐJ[ÑI X@P¹'_ýázjà®Å~ý5Ó+åSN'BHmÏÙ)WýÐI<`BMúè­·<{ûíwßÿ¸à{^¸ßõü­xâ‹;®ãë9â“?¾·â„S.yã–ë]ϤwIs¯Yg¤M‹”1ñ„.ù>»F'f¹ë¾;ï½ûþ;ðÁ ?<ñÅ<ðïý›ð ¦Ó®þò@vª’;Àü!„ÂÈþ<÷O]P4•á‹?>ùå›>úé«¿¾ù `v÷§]R;¶LAÄÂÜ{3_Î+`¸V…°€< ¨À2°| #ˆÀ¼'H‹Ÿü¢—º•¨ÃR`B!¬± r/@j @EBÉ,§ 8C©¼¶BuõCƒ«šHÔ¡%(Â^3ìˆÿ:U mIã(HâñCÀÈ#.|G›Î³ÄuÍ$Þˆð sÔlŠ_ Ѐ’Q‚P¡W^´  b€½K†g¬UEÒoôAR€;ºøF0±$…ò5F€íq$TÀÌp® þÒVq 1¤0„(übüh¤Íþè*Àc˜‰1ªp†… ì“p´¡²JB (A ÚÀGM)D”äH!Õ†e9“é’2±ôÈ#Aâ*( a ÝÐÇ/{y«Ì(³/Äb^3ÌÜ#óòߢy¨>jR›»d¤7 5ÍŽ¸ŒPÀŸ:¹®}©ó›ðÃX2Ã…º’„ë ¡©v^Kcü /ÿ¨qr$Þè ‰vÔXþl(GÚQ8t#ù('˜Ð'wL´VÝìèC ÒT¡Ò]8ìH>€á‡"à´i¨ÀSŒ$ š3VI6’{Ôb EØÃ.àvÓMÉtþ¨ !ÕèøÏÈTT#÷¬B¸?£2ª¨cÔ3©ê¤¦f„%B·§UCY•ª"+{¸Šwpb^²@ÇTѨ²µ¦rEVNYæwüaE˜E<ôxW8a&Ê@ëYkµ>d0zQ¥*V2ªD+K'+Ø-•!ɇ:ú ` S³kºìMKiÚÊ0¶!ùàÆ„…mPvµ€y¨YóâFÛþ¥µ é="I>@F2µ½k¶¶5V¤î–·}ñíBÖñ*üuùa­Q³j]Á@÷Cå˜ðSÝíF »CMTsÉK’îbÉá=Ä>Õë$ÔÎTµò}n^Oª~p‹þ}Šï}ûcÞ›27NǢҺ몕òý 0IèŠYÝB˜/óôìGø )A³ªpè Sû‚x$Ý͇-`ˆh•˜=")z[¼ÞüŠ„³p À!-£‡Ë-•My =åaØ#ùEŒÀ täRÈ”ðLµëd`Ò8$÷€Úd1«×/if§<ÝÏÈÚ ¶M¼ç#Á6˜Í—÷öç¹('.õ z$5“œ=êä¹0ÁÒWµê!ñ1σ=¦Ÿ±µô¨þÅŠ ]”ÝìAzGå<îÖ®c.D6øl÷Ž,›í³+ºŸíôÆzÂYž°£¿‘Ñ[«çN¯ ùŽ ·‚#ò’ÏÚ©ŠT­wºµêDÌjŽj>#ÔЖÊ1«öQ›~ F(‚d Ïã«|ö¥_¼CB"è¯õÁ;œt¯½œ³döÈ8¦ hÃøÇ_¸V•¡í½Ÿ!¬kL¼aýË`?·‰“òQ¦Ö~¸ãçÄ9âbc‚o?l±£¢÷y×™Ú~ÕGxí9Ô1Ð1pC0”Ã~a‚âòA””m×=ßFðÃ8tŸÂ>•Ã'ÜÃoUS0þÃETÓ-C>`1Ã-ˆ ?C 2?ƒìpC:ÑC0Ø‚ºƒ ŽÃE¨C-ÐGåƒ –Cú}IÞ]¹¥Ýùý^ê•C샞ð‰Ÿ(D0ƒk­Ã:`=Y0¬ƒ;¬à'¬Ã ¶àbD ?¬ * ?-¸ƒæÃ:x&äÑ•ž•CþžÝßXM`C1ÄE¡~1Ä>„Â+°ƒBÜ‚Òà8ìƒ:Ü¡Bð úƒöÃ'(`'Dâb‚Îà8|‚ ®a þëDbæÔ` ÜÜ`„aõŞɠhßRšZ¥TÐK.¼T1€BCƒ-Ú:°ÍöðCþ'¤“òÃ'Ü‚%ŠÕ ÊŽr"(Ü?@b‘ –=üÁ8¨Ã:âDU ïAÔåÝÛý"xÑ‹/¼Ô=|B0ÜÃ=p!(=°`> "® v¢ â£5bÂ8”C ÃÒ7tÂ=`‚:„–%Ú=¬Ã'¨Ã>(`>ÜC<åb¾¬cC…æõÙ/ÊK ‚)=Ü-¸¤%Ò‚ rcûÉäÄíßüùCž¼¤Æ =ÞB:-ÐÂ8øƒPî`Q&à0ÐB:MÜK¢#UQZõÜoežómGÔcH “i à  T[Åàá=‰HÎH UÒ^÷)Ä•ùÕ,ÌC“=I ÒÂ>ZþWèâ‘ž/¶¥?œYÌLÍYþV>°žiååP-ƒïõ¥!Ô%žyÞÖõEÿ5T; Ô`’Z[æÃ8¸NlÚø‘ßΉžÒùW×DdÏ…æF¤%­ÙJ"b?´ßD¨Zf˜kòÓZBálbDßåZæóäfœ¢@⺧˜”š.D{mÉ!èkN^ùÕÕö5_cîסY¡90§zU¦ZN÷mgFÌ‘H¸U§C &•fyþ¦CäÉD´;€'yíf;õ&cÊ'þà °{ºÞuÊ^/Z¥y>Ý« ~n—{ÖW³%œs⺟B:V6„~þª/–¤mÅREõÃÈpÆ}h{èM]f|b%mÞ“ŠÎŒ‹b ŒF|Z ðíF+ÐbŽ2rþSl&ÛÒèC¼ÔDÙé˜4¡è-¦‚úçB!ñ.PÝME¨IPi]e™€©ºTOõèÁ/@å‡)?µœâ-¨C¸ƒßáäIiCÀi;É)[ÒiC´ƒ{1AI¦‹ÎÛTš‰¶YEuá9ÉBçé©‘î(Lñç•2ið‰¨ž‡‹™†‹x6ÒÜXªIŸ:ôAÌ䞤>¥Â™šæUÒSF”Cèe}*§èjC¤bYéU¡Íâ½ÖL’6Ì¥žVƒþÎŬÙb©*Jxìª-‰éy뜔JèAüY«BÈÅhê%yž ¯&ŸÓõƒ:˜ÓB:‰«? Q¹f«¨i'–j {áÇzê)Ÿª©n«Ó½––<ÁÊk¨Æ©¶2ªÓ%b hT,8"ÂbkjU(¬ªBLÜýÈJÑY뿆S],–æÃ,# ø‚—Škˆ‚ì«Î¨¬:„=€äSžNl½¦ÖŠÙ8]Ù¼LŒ¡æè„2[‚–êÇ CôcšÉBÉ뼶jÒÝ«lbêB¸&ÜÞš¥k°ÖÊÊzSÀ2,ÆîÃéAf-ÀÓ&lŸæì”MgöÕƒ›æèÇzÓ¹ñþ¥ -éËÊ%Ê–0tª¤Æ­6!Þ¢êlÄ)F0ÜÃjÚl-U©³Î©â~lqJ©-VžùnÚþÜ8 *!tÃä©ßF“Ÿú¦ÔbI[E&´¨ÊfÀ-6Ȥ…þ\1¬ÔlÖò–Ùì¹zœ|öÃ0°Û.H,Ó*ëÍÖWËâké¾JL/(Ó6­ eßî>ké6‹ƒ®äðRìLnì*?ÈË8 ëªn­6%©ãJí‘m%‹Vkö­“=Rm~Â2Ôó’Óæźl‘B-'Ô¼šo4…¬ÿz]ÆZ¢ÍÂÛ‚îþöÞÐ lѾË=HD8,°¸þV.bõ/òÞí_ÃýèAPå¯þF¯Yɯ=’ÞÏø­öÂ÷Šl¤¨<ì°<Ô6ää:ð°1'±/17±?1G±O1W±W1©T€1Ô·…ÇCßð°/ñï0q'qŸ±7ñ‡q11q_±¯EH÷±ÿ1 2“/H4Œh@ $r œÀpPx€"O2%W²%_2&g²&o2'w²'2(‡²(²(Ÿ@”E"Ÿ)¯r+/ò+³r'Ë2)Óò+_² €ˆÀ-÷²/ÿ20ó%Ÿ€ dÈþJ4 û¼‡òt]3;3|4³a<ó4G34Oó5„4k³5W36{³6gsAló8w37ó9‡38³89»³9—ó:G³ø 8Û3<Ï2×3ùìsø >Û3@ës;¿33÷s5Ss:³ó<t<ç³:/´;4E7tEK´C£³Y1;G>@B=CK4AQ,Fe3OpDDDEFHMMMNRXUUU]]]IOVIWhO^q]`eLb}ccdkkkgghimqoppssswxxIgŠLpšSk‡Pr™Ox¨Qz«L¼y~ƒ[†¸xƒ‘kˆ¬eŠ´fŠµu‹¤p’¸XŒÉX”ÛY‘ÔZÏ\šã`—×yÆcžãw¦ßk¤èa¥ôg¨öfªûm«ök­ûc§ùo°üu¬í{¯ìt§äs®óp¯ùx¯ð~±ív°õs²û{³ôzµû~¸ü†††‡ˆˆ‹‹‹‡‡ˆ„—’†“””•—šƒ”¨œž¡ Š¡»Ÿ  –¥µ£££®®®¤§ª¯°°´´´·¸º»»¼¶·¹£©°‰©Î„¬ÛŽ³Þ”µÜœ·Ö™·Ùž¸×ºÜ•µÚ­Ñ…±åƒ³ëŒ´ãŠ¶ëŒ¹í‚¶ô€·ø†¹õƒºü‹»óŠ¾üˆ·ð‘·ã”¹å“»ëœ½ä™¾é’¾ó¿ø¯æ­¼Í¥·Ì¤ºÔ£½Û«½Ò©¿Ù¢·Ð¶½Æ³¾Ê»¿Ä¸¿È±¿Ð¡¿áŽÀüŸÀç›Áí—Àï”Áö“Ãü›Äõ™ÇüÉü¦ÀÞ¯ÀÕ«ÁÚµÁͽÀĺÂ˳ÁÒ´ÆÛ»ÅѾÈÔ½ÊÙ¶ÉߣÀã£Äë©Çê­Êì©Äã¡Æò£Éö£Ìü«Íô¨Ïü¬Ñü®Ð÷µÉá³Íë¸Ïé¸Ëá±Îñ¼Òì·ÐîµÒô³Õü»Õò¹×û¼Ùü»ØùÃÄÄÄÆÉÆÉËÈÇÇÊÊÊÈÈÇÄËÓÊÎÒÃÌÖÎÑÔÈÒÞÐÏÐÓÓÓÓÖÚ×ØÚÜÜÜÃÖëÊÕâËÚìÅÔæÁ×ðÄÚóÃÝüËÝóÈßùÖÜãÒÞìÜßãÐßðÇàýÏáöÌâüÕáïÜàåÛãìÔãôÒæüÖèýÛæóÞéöÜëüããääæéæèêìììäëóâîüëîñèïøæðýíñôìôüóóóò÷üõùýøø÷þþþø÷÷ý^½\ pHYsHHFÉk>12IDATxÚí T[×àýQ»,³msºÅŠ´™]` t;Û³íl3I»gvRé=ã=ÄGš9g¼àPy¦qlgãã`{ÎŒk7§JÆâÜ6ë¤Scë$iÓ(UäJéÔµ,¥iš8͡ı”ð,"ôÐ}Þÿ}6ÂÐÇÕ}÷ï„>—û~ïÿ}ï[!3a’YÁ¦€ ‹ ‹ ‹ & ,& ,& ,&LXLXLXL˜0°˜0°˜0°˜0a`1a`1a`1a’R°D¯×+‚²Ó½ØƒJ6± ¬ùinÓêœuf¹°:þÜâ|5ײ‰e`Í«vn«•$ä1XÈå%äu¸ƒ@r#ÑᔼëJ¼²èt# Ìí ºAåc‡G]Èép8DYr¹‚lŽX3ÁÊ« Hra-€…êt:]0 Í/qÜ'»µ­n½Û±v݃¢®@Óˆ´š‚\]¡¦jk^a½\Ÿ/Õ®1£â|m›c’b¢€•{[aÒÕÈ…5b§¸Î,É Z´¥DÌi—‘¶NÞ¬sUk$M‘T¢ 6hðÇjò@…Õë hIŽÛš¶êD6Éj ¹jªª«@Ĩƃ²4VkM~A¾Õ敽:Çzj\§óÊVuîúÂ’ ¦A..’°%¹ ±t²Ü¤åzø\Kõ`Iµ«W­\¹jåª<§V=|U4–7×€äÌmïÓh%‰ð¢¶ ^—vX’DÕiÁ^Â1̹.pÓØ$«¬š•+Éu(`Õa°°%×kJJÜbQAžC6¯¬Bâú’Ü&¹8o«n×}Á)°0B ………ð¦Í­ªrKUÚâ*/›dÖt°1—Wv{ÀH6™%ÉÜ-W.üèhr"9°Õ-‹æ&ˆEÙ ±š“Å­M¢ìuIæÆ&x 9›dÖt°æ‘†|6iLR–Ó•Þ¢š?5ÇŸÞËÉ®8&)ÐXkÜ1qÍø>ßׅĵŒ¯óÊEå-ѯ ƒ?éãŸqxWô»´X+V­^ý/öåæƒ9_W)ÿV¯šû}õ´£,ýë|Ç_=[æŸZÇ¿jêקdüsþŽUkV­©’‹ “¥ˆf°VæWÅþÇR{P5ûñ¯s¾WÝxS¼Ï%üx¾ãGåË céã/®Êòñß< )ÿôß{oµ{S¸º‰9ŸL’鼯Š¹Xlb˜¤ *Ì1³‰a’æ)& ,& ,& ,&Y#ˆÅ„i,&L Ö*¦±˜0°˜0°XLXLXdJ$ŽŽ…#Äl2 ùGCagmrm’E…qæ™ ú춡ÞcgÞ E;u!ÿˆí\_Ð$aó û}vëPoÿÓX³'_p##v»ÍÚßk©Üø¥/uÚý„œ?šodØn‡‘u´ã‹_ùWbF×ahÔgíÌšÉTig`Ý´|““xz@Oë³T ¼òï«ÿéÓ_µXý7/xhpâ@…¶›¾´”ãîúôçþO»u4ã"\‹Ã€»¥ÒsÂUØ'™)œºâ|#Š–êµtTš¸Rƒ7=º·ío?ó©¯ñûdf•_ZhP  F&Tîiû›O}únÁbϬi¤°šjWÆÆó¦Ý{÷wž¾Q»Æ=¤hqEO™xCi©À F£±¥¹óàéþßÏüÇ» ÂÐHüäˆâ£ùñ™ëEÅÇFVQÞ‚GöÀøìݼÐ?’kÐè´ Á´ñ¥|© pFcyE[ç“OÿðÔ3•›Bp6§2  ÅK7ð¾âžÜÑÓu´kpàüæ¼OýQ_i eÄGWÂj NœÁ`ÀC;¸³»çè‘#õ9ŸýÛoêMC£‘LLÛž¶~¬Ü¬Ý ¥¦=m)cpŠH¥`ÁÔ€*ÆÆ¢x-ø’«¨hiní<ðôá'‡ÓåjÊûÌÍÃ4*œK»Œ£+Åö•â¡µ´4ïzìɧ{NÀiƒ½6]þâ³#k·§ÓÍžŽ°ÏСð.ÆŠŠææÖ§xâÔ€9:knOPu`)>zhÌ7l;á h)¸â8^¨Ø³·óÀéÃ'Žyb``à<>u0=ïŠNMnÝÎr½Ð;<™†¡)Öot#D 0.Žã„Š}mŸ<ÔƒÕfÊá¼xá’WlÊ[÷‡Z8.M Š탨O(x®”çvƒ}êéÃ]GNÆfÍér{E18Tf Ã`ú†mpÞ¦ûÁ{;;wêîî: Óc†¹¹àÆ“ƒã’ä¾ý¶Æ?fÔ›¬©ŽìA‡Æ‹¥]Jah&ž€í;qꈢCÝš22Gžæ;ƒ±›•j²wPï0m}ØGp`#˜öìmëܹcGω£* ê‚ÛëMB·ì"¤ ,¬ nìà±ÀåÆ eFp6A‡ŸŒ©Ð⊞‚Ù‰}ΣÍÛz¡«™3Xì¡j°~>ETò8²‚±Aø°¯ tè©AóÔØ€*8qRlh¯åií>ÑÊ褒©h Ì2D6<ž6#g¬Ø>ú‰“ƒxhÎèؼb ¸Q4‚5 Lawª²ûSN¨Ü»ÿÀéî®®£'¯”ûŠrÞ”+nj‚¼ZóÊO.çËp NNVOŽáóÖ×Q‰u(•Á£{ØÑóxDƒŠÓrë© D7Okî’ø›ž‡ô†J{ªj ©F°­=ó¦(ªcwìèê:yRÑSØ¡òÂ…ˆõB v;S¤Zü±ôf »èØG?ðô¡SGcSs1ja7´ÁMñhµ®à¥SÛÊ Bò M1L¨ä@Ma?¸¥¹yÛ§ttP±ÊŠUÎÜeà„]„ƒÞÁ‡Ë9¡/`$<Mt(>Lä9ZšE M™6<¶Eš‚)‚BòØ°m3¥d„Û÷ì=¡ÕQì(^ v6¯Q‘ø“Ë \èiæJ;lá¤j*œêP†VŠ‡¶I¨lßðtÏ ÅŽF~Øi¡]G‘8ÊÀå ûÔ¶¼Ð7I¦@`ê·[qÜM¤›ÚÛöŸ~úD×ó‘èØ°³‡§ Æ…½*#Û5V$Ä`##xììÚ¶ãÐáàÄŸ¶mòF/¸[\q­Æ-KâOÝËq½¾d‘ Åb8uzÈ&Tìi~l'ŒíÔÉAÅÆjJqÒ¥q4ßrK/ô´r|¥ÍŸ¼YƒˆYÉQA¶ÄTѶkÛöÝxÚÚ]žØØÆ%´´•>Y V´wTUo¥rÅm*«Øwð‡O~ÏÍyp6ÝnÅŸÂ3sËÙÁ¦PFÁKƒÛË &«/I1tôuàó01û<ÓSX8ªðiÃgíVgÀº"Ëâùîr¾4)¥©fM(Åiþ2Èttþàiì£8ÎG§íÝÅ›>zLá$¤‚ Ši7Á¹3p¦½m ™Ð5øÄ÷á̹ñi ŒK :›` / ¸{ZËøJërO_84¢Ä~8™nÐ ¦½ÿz`Çã@Qœ½¨Ë²p¼+O‡·3z²çÙ–]ÚËŒs{K7•b7½²mÿÎîÇ»ŽD=ÅÂNhâ>:]kgÔÁþYðì”rÆò]O8õ„â _œšÄ§& –,]ùMw3Ï/çôE;'pêS‰¯°/Œ‡vr0–¬v{!(O|hNr˘ë÷ɇŒÓ¹e„P=Åádp¦j~»Zq:AÑ¡ Š¥×“´Æ5ûÀx4þÓ iª}ûŸÄiO%€tÐኻ¹ˆCz¢`¡ ïà6H“ù–tú"8p¶EG†ý½¶§vötEGêÀµË‹RŠóŽOø랇8C¥m‰9H÷‡|1OƒÈ´bOçS‡ºº¢.vÒƒH_’—>Ÿ‘e`)Í%ÑZ®­íkÞ¶ýPÏ©'=>uæ}ÔXp' K‡±1\ÊéƒL•’˜Å¹ ÁT5¿m;¡x„M Ö"„Wã‹N7DÏ 6†\iï’Ê™J7j´“ŠL»wµ>¶óPOûzØk€¨4Ég*‹ÀÂ%6ã¬hªÝƒ>€Ù9cPU×ÑÒ6+ðN%‰®îr=ß»ÈÊœÒ8?bë·`¨#”ÖžÝ+Æ|ÎdÉ4*ëÒQÅÞÚ——ØgëWJ€ öè>zsdIt†ë¦Ýú´).혰Ӹ>6ž×wï²çd¬òæO–Qz6c#XcMÆ/pæÝ×¹ý{]ØWwº<‰÷-BcÝÜú^ºæêY¨OR ¸² ùYlóvhÇ AqÕ“«b™÷X’øÛîrÚ- å8·Þ‹chýlÛöpÏ *³6.¡ôíðG*X“ÑÊ{4ÑÎú)ܼ¯ÄÇä;ÓM!Tæ¼ÏàúI¿oò–Þ‹ wÃU€·Þsd Ö@‘|صnÆÍÚÁÍzìôü…rhÑÔBG©Ò¥Þvà0Nñá8ôèõôž@BÁ ØçÅôh¸°& ¤.O´c)ùWÝL°"ÁKP?á+ÏÎã¿ a=*TîÛq„h¹¼b0%w¿žÊOBm@87›®„\©ðhÛ]GŸ0_Ñ£xÖÒ½Ì'þý 3 V——û-àY[:wB_U´ÇD±€©ùÞé¦ þ6j Cñ®K¢”¶ù™c a.ð¢=ßYnÐV`Ÿ…R½±­³zAÑìzZdz­ðYÏÉí°0ß:2‰KCصÒW´íè:Mɤ0ÊÉ6 M­Jo¿q×CŠëéö‚i¼ìâ€ç·   6*ÑVEë#Š¶ò\m•®‘9×ÍKž^8õPß>4¬ô€ñSKçvðœ¸!`áË®ï¾ÄU´ à²K¯2VCÎPÚÛ§¤ÿËöèQúTÅ`:½â8¦äº÷7Ðh0õ)ë“ŒÆÖ@<´‰’$“"ó…Õi´ëãÆwå)9öJì§éÏÝü7óù™ï™ý©ëØe‡%Âzã®m°\Ä|Þ­¬6˜q¬ÙLj÷ûâ`¾ñÃï•£ÿðSnX°*Çþ¤©ÏEPðb×w7nàL¼~SùcÝ]ß1+†f|æ<Ìž—9s¢¼EŽ7ÎX‡yÜñO)ª±b¹ù,Žþ§{9îÖáÚ¶}¦Í¡(yÌŠ¤Ùç-î|¡¹ÏÇ;‡òô ½9þ…ÁZSR‡¥¡®nî÷Í7ožö³òÔæY˜ýã´L溞=Ó[vÏÝw}å¯ïüÖ}ÊýÐkê§vófå‡Íuqdöø6Ï~¥!þû¦Ž·yêWTåä볎S[õå;¿r×Ýwõ®ÿc«úrqIqMm}œÄ—©ï sÇûå SÏÍü½3fµxmn5¼aÚA”Wêkª¾ü×w}íö¥¯ÜùåoUÁТӶдOêôßûCfÍ£òÂæYóßwþ7›ƒ ƒµbõš¥Ë'ñÖO®ùÌç¿Æqÿû®/~áŽ;n¿]s[ΚLÈê•+ãýÅkÿâ?ÿåç¿øÅ¿ú¯wܮլËÍÉÌÈâOnκ;¾ðW_üŸÿËÛo×jór>¹æÉýÅŸ\ô < h¬Âêêêûª£2õ}A¹¯jö³WÍ:VÕÿüÂÿÒÝú²¿ûû¨©©ÅZ¢æ¾ªªªaÕ|ã›:€r¤ûæÓ )ÊY³~Î1ªªï¿¿þþo?pç·¿U]Sß°¹¾F9ðôáU-pÜï›ï·üdÁšœ¢™¿(*0[÷ßÿÀ|û[Ê´á±Ýú|Ü·¤3x«y¯¾ï¾éG®i $àc™¥”ÊÄ„òeâê+ÇʾÎml}|„ó®ØîBlcïùà».sÓÖïãö½ Í‘§uÇ}a\t;¶6}Çá¸à HDȬ#ÌcEFm¸©©|„4àzŽg.PÆ»ÍÄ}aâš×­¤†2m9×å‹ñ_¹hE{À®Ë$JæÒ !Ÿµ6öiyøèdCƒ™L¿xñ¦ ñâ/1£U7W¼<Ö.”À‘L¨d ¬½Ô•±õñ£ç/ˆRfÓzñòX7ÙÊäÐ\qóX1B ¬™(2æZ¶÷ ¸ÒÐ$°°)¼˜Ô¦f1EVIFÀ‚Φ~S©žÛµú¼™/™z’ VZL!kNipÔ‹“øòmßt¸3m‰‹ •Ž¨0‚J(f° ÔU€„˜ÆËÀ¢@cÁ"(›¿wÄqáÝ„ûRÛš| ç=³Â|¬„õ¬”P’W=Ît71d¥)ÔRVê—A‡ŒµRÐóØ :=ARš<˜•å`EBv¼Ý±õ{G¡;†œäž—XS˜†¨‚ý±ðÊ7zÚ¡†ƒ;É9}s–1+`-ñpÌkøÈ€ëJ0£Ñ bQ!=Î{x/Ë+oíÄf¨I 7*œ±Û +ž{…¹Òså(^û" ,RM¡†i¬ô•½·±ü¡‡»Î»½A‰°I ײ<Ö2éë yõ8,Qº"7 Ô ‘:ÁŠŒ ™¸o<¢Ôp$D"X„úX¯å±Zá­ôÕ¨µ½tãwÇÑ ‰ Dƒ¥Q“ó¾Ø]: ŒSiÐ7÷ ¸¯ID6¦±ZaVšÂHØnkÇI·(‘9 žùZ“IH70S8Ÿ„ì½¥úon?é BÐ E… ü½¬Ñ‘^ÁPÞÚuT}Etæ4…ˆ+ìôƇz\iÜ£…žtƒ“i¬ùdtÚš?eœœ«)‹4ÖòwD%X8 ä¹æ¿ö»Ž °P À¢RcEB6 ôÉì¸$ÌÙ‹™Â¸¡Vãl'7Ñ€È÷±˜ÆŠã¸C…иí$Á!ý>…`A§ 4Œ>Òõ¹Â;ú±~¬$G)LNú¡«¬µÛå ~uyu¬+{4„&×Ü}ÞKr@8åc‘Z+Ìc`Í ;`¹ó××eòÁZ´ÆJÏÅ¢¹\Ù-=®<“Ï[W˜b°’¹®prØ"èï…€ðù\‘l 5LcÍy}Ù¶× ‘? ÷¼³U:³BØ®ÏØÚåƒÙ0 ‹1…‹¹N–M±<Ö¬€ÐŠ+„=ç½Ù ¯_bŸr°PÖ€59fm‡€°{þ€±ýXZ¦±n„¥†òî¬I÷±ØŽ~7í`ØÞËëË·AåeÉ$°tC6h,ÜŠ¬7n;å"½B˜tZX,*Œ9X#}¿Â+b`-ßÇÊ:…RlÙg2”á€0˜=sAôºB¦±k ÆæîÁlâŠdÅ|¬˜ƒ5láõ-;Ý VrÀb +,lþQþÈ€'{÷hºØ•Ð©ÔX(kÀŠ„^}tã½Yžn`y¬˜!<¾ñïþéè¿‹2‹™Âäi¬QëîoüããP!Œ0°T›nHXŸ¥ìÿxÄDY6 ÖóN4Xa»I¿qÇ¿’v;¯tGcrm°~,Yi–áõ»ø®”u“Àj…Dƒ…‹Ïe ¬¥e X(¾E…Æš?*Làü„ûMúòÃïHD3WÈ]Wøó± JI÷æg®¡ì›¶iò¯Ûä²WêO^š³,–ÇJ¡ÆZÖò¯´ËpÍÏ_“XÉ+Oõë 'íÐÖ°óéÊa%õ×°ÝfÈõ±"!« /ÿ‘eã$x٤Ă É<×úÛ@V‚ÅòX䂲¶ëËO¿3ž•“à¥l,DXEa=²,V+$¬I;ì…õôﲓ+¶®X°"þsàºÿ¿+(;'ètƒªw(r;³,¶˜"¥`-µƒ4»Ø–~‚•|KÍkÒסçZŸ¿ÎÀJ¾¥f° Lh0þàR–ºî¬M*X‘‘~kyþ ‹9ïqÁZj­pÒÞΗmÿC0[¹"y]¡ªóXás†{{ÞÉ„‡•œü¹é†×Ô¼J'ìïÅ®ûµ,Mb –S£âýFmíú{di™0f oVF¯U;ï#aÓC?Ïà~îË>õî4÷¼#V“2¡±ûwÙk ɾٸZóX‘1¸™xË®\—X,*L"XÑÕ„¿d±Â"ÙyÏSm­p윉kyú‰,æŠè~,µF…×}~Sç3Y­°’‘yOÑ߯ZçýªÝPöƒ[¯&DY–*ýPö€{C e-Ï‹Ù캳F¿T ¸ÌZaÊ„ü~<«-!É‹)Ô††6ñ÷þèìVXd߯P•`áÕ„›ögÓjB”e>–J;HC¶JýÆÓÙkY)q`ÁjB¡¬õç,·„lùW |üe¶ ¥ý>ÛÁ`½¦¡}G¿¸ Ënxù£w¯§ï:P[ºá5U&HÃv‹¡¬ówÙu'ÛÇJ`,DXcøÆ9ÿö'‰•²³«ÎZሥTßúLÖ»îlùY`Á½ŸCÙé¤l:ŠX‚…2–oˆËêÕ„7gŽúûfàÂ]:X“¶vþ›°š0û-¡ZïWH(X¡~¾´åÄ;pÅvMN2\rkïá×ùÛ€ÌÀJá9Sa­Ðo«äŒ§½ˆ°Ø®É5ÒË•Á¦£4X´¯+dé†ùîMÈC™P¢+¶®°ðjBCÅ©w+µ`©­ƒ4ü–…+Ûÿ» `±ÝfR VÂQ¡Ê„÷ž¾’ù†™¤)µðàÕF†;8nÛ3ãt(,VÒ!,¥LøƒK25`eCTˆ²¬„—EüC<” EÄÀbQa2Á‚?î¤,¶®0ùÚpI¦0l5éÿåðòw.Bä€Å¢BÀúð8ghý eÂś´^ êŠ '¯¶é¹—‚Ô€åUçºBDXáË»õß8|í:M`±ZaæÁB¡Wwë7þ|1°XT˜T5j«Ðo|‰…ErºAUµBÿØòMDX)÷±–6]ªªFFŽ›Œûߎ0°Òªh]!º|L¨8ð¶ÌÀbÎ{rM¡}_ñì{T™BRWé8×å«ÇyGv·û…˜•¡c·™k…›Àïyé#ŠLaÆ×Î{‘ªj·™ˆ•7t¼1NX¬ƒ”°ÂV~ÃÞ÷&(Ë«aw±O¶þ] Xçxñ$šÀbQ! èðÜñåúîˆ0°X­0ã`…ý}\ÙÏ>&ÎÏ]ž)dµÂ$ÏýÀ†ûÈ Sd Y)+ôjWñÓ0‰–n©¿ÕMnzzj…£¶=›Z~ISP({u”o¼–kô¬iSÛKTEU­e+XþŸ eûÿ˜Ý½ hX,*Ì4XÈw\àžzãzÊÏvz5¹>–Zj…È×Á™ž{¢n,Â7·UMT8¼‡^¸FX‰%HÅ…j_¹J ±FJžvª¨ç}¸rƒé•M`%f ëu±?:XëŠ1ƒf Ôa½çÊo<#ÖŠ³ÙB‹ÂME+ò–É`ú£DX‰%Hku²£¶VçëVßֈ̿_BÅ5%55²ì¨så?(¢`å6ÖK²X]`FE«tMµãb·\çð¸e´¥°6\¿¥¨(1^T´Jo4³çmšJЉšÂ:­Ü°¦¡¾Pr­­Ô™óQ®ÎaÎsËUMfsC®'ª±ÜkŠš:© f‹.дv«w§quƒWçÐÕ5è‚u…mø ­¹°i¬™šª,aÂ>–ÜP YzQ¼­QÒ65yPÞƒ²¼EW[$åÔåÄÀråŠrU~cN}“9è†ÇÅë êuÅ›Í9MŽ ¦¨i«Ç›c°P‚K%¦0âëÊŽ_•i+ Lá–YÔyƒyµ¨N#J"Z`‰ÚB‘ND…E÷æÕîÜ‘¶6¥š~¬ˆ¯ãë÷¼IC„4S(7j”þ¤Û°šqåk׸ùµS“/®Õ¬k¬.ÀÇÊõš×æùšµ¢7Ç-ëjñJ !ƒ%šo“‚·5 &Íú…™I,Ý€²¬±WÛ¹{ߤÌ&à¼ß+¯ «ŸbÐX-ö¤ V w3è±ÚÂ(XÍEø)¿Úœ#zÁ0NKvjEs ¯f\¿àDºT²)òŸ3q»þHW‰˜ÂyË:$æÖê´uõ®õù÷çÔŠÚ‚ÍMR>€¥“ëµu›/Šù% žèË‚ïüõ÷¯mÀ®¼öX59U…yâVÐX¹ ¨v³¶hA°^SɤßcÙþ·)ÔX dÞ²È0W‹hKu×U½¥±yj«›Ðƒ¢ì€®¬«kܲ«¶º1P”½55[$gUcã–`=¸ôN|3ü†@m³qܳ¡Í.øDýĄ̂eùWöµ5|O¦¬¤-ÿB1—%Åõ!¸¤ƒ’i #vèmxö*b`¥IÔÒó>ù꣰!em~Do¼¦’<Ö$ìk»ûÅ(KÑXR€œE".󸬞~¬I+Çw¼¾Ø}m“e9Sfc™÷@ÑÚbRÎ Ê[‰³ji› ñüÞ7(+AO™BwÞÊ:bÀÒ¬X¡ ª¦2Ž_E)uÞQFÀº(;rV¬XÕH̉1¯Ád©DcEÆú °¯m” Ñ¢Áj€ˆ8ÇȹšVYfu€öÃö£g>¦-Ûé†Üu+W¬LO’;áÙ3ÎD®*Lax¤W`e1Bh°p¯X” J7%‘Ç ãó¿ùm¾÷ã|ÿߣZ™I…’Ö Ò°½Co|!,Ó§±ð_½6‡4Á×ùr5Ê5úr»¾üúÀòjV¯ SV®V…)üð\%×öÊDêU-J·ÆÒ€UÝH””ÀÙЪÃy÷7mÚÿú$…¦Pc†¼Yu/¤?´RQÒYpRß1A8˜ÉühŠ4Þç]„ó˜ çÄ €+Q%ë /wpÜsïÑÖñëÇræ­XQEN­°¢ Q%ýXèò£zÓO?È°Ð"À‚Z¡rÝädÞ«V¬Þ¢šZ¡Ýd¨øåGTm˜< ,¹z A%G5ì½¥–Z¡]Ø`zs‚ºÄû~,¯›´½U‰×X(`A7–¡òm‰J°È½å‰ 4VÈÆó{²¼/ÝÂ(ªð±àž½×æ“é¯V·•Ci떵ˆn½ÿ*`1•9¾ÜËm¤m_[ò},€õê±MÏŽRó±2 ÖË{ø–Ÿ~D'X¤úXy*¸_aèl%ßöâÇ ¬tšB’ŠÐh©`- ±Bý¿ÿõ Vã.Uä±ÆŽmâ¾f`1+¹`£p_[æcV»?¸N!X$ïó®åoß°éãˆB°<,•b°n•yûÚ ÂË+Í‹zS~«R_ñG¹"¹¤CÿmåИÝÄí^xûÑl$oá}Þ3f U°?–nÝö6 ‹õceTcœ`_[3…É+rù¸Pvð*•`1ç=“`½ÕÁÁ¾¶Lce…RðÎäƒ5iÛÃïþé4ùìÓ5©EhúïLyÙÄï{‘Ʀf 3j Ãç~ï¢÷µe`1ç}!ë Çïý`½Ï;õ«Ÿßpì}‰V°X+S`ÁÍ  ?ûˆ‚ŠÊ&SHÿbŠë£½ý:-á’Maê/3Zú±æ Ã>Ø×öl˜Z°HuÞ©¯~X´G…»‰7½˜‰÷%Üu…ô× m†Ê7ƒôj,VÒÉ X“6~ãoK ¬4ëUÚÁŠ„­¼~ïUJ³ doIu­0Â`}H+X_Wˆn–˜é1¤RcMúûù²¥”+¸_!ó±2c áž½|ÙSÑ –‡u&]“%֫ǸŠçƨÕX¬ƒ4¥kþ=HC/wð-Ï}L1XÙ_+Dä‚5¿Æ;ÛÎïzZ°X­0S`ùϘøý«,¢®|Úk…þãœÊ “§À"´¤C{­Ðo}mÿD-Xl]a¦Àòu¸³ïGhË£cy¬ U¹§s_[òÓ tƒÕþuîj-aÒ¢Âä_y´¯+®üú=oÊ4ƒÅÖfBc…a_ÛŠËô‚EïV‘ˆh°Ð¨UàZþŒŽÚíÃÓÒY‘s~¦±R Õ›‚D|°¯mÛŸ~ûý-ÛÈ´W,#ÌÇJ±óNq­02Ü+TtÂJŠ‘¾~[Èf³#¸§½Õ¶ØmVxÎnµ+o´…å·|ò˜í܈›Õ' ÃÛ¹a#5ä“Ãð1Â},R¬NwÞQö‚?óêã ǧïk‹æþ¡±Ç‘Y/„Ãþ¡0ñsÂj…™ÑX¡^¸gïGKY­± õÛÉŸ/É›‚P¾¶Ü™—¤tP8zm‹föY eg³¿·ÝÊÇbQa’ó&‰€5Ü¡¯x™Ú.?£BŠMᘽ+e’•’+{AçZ° ¯ÐûÚ"‹ “«±`íWÙþ×Ók Ó‹±k…(­`ÅËcá{ö¾M³Æb¤1…Ãèmx•SHñºBtylr•b®ØºÂÌh, M/~Àœwæ¼',£a7¥÷ì%ßR VØ&ö¼-Q®±Xiڣ°UÐw\½N¹Å¢Â$ç0ÔXöµåŽ]E ¬LÅ»ÍDüCºi×/©Ý~”|°hÕX£gL\½Û2°2ևDžMß ,’ïWHíºB¿Eà(Þ×–ôt½Ë×Á gßOAâ1°žšÁzÔÀQ¼¯m̲×R VœZáÈ£„W&¹š' ¿ß­#,‘üù[ŠÆ ¿Ui¨x“Ö{öNi, »ûWÚÁ²› »/#êM!K7¤¬Q›I¿ëÏt+,Ù­’î”!°âÔ ‘oH(Ûë£,/Á>¥y¬Èðq¡lÿUÊÁbEè´ƒ~ë˜`|V`©7*Ì X°¯í¦Šû€i¬LEë®Éak%·ûÅX™2…´®„Ÿ “_£,vû´ƒõqÿ&n?åM3ÌÇÊX¡^ž?~•v°ˆ^WHXsj…cƒþg\§,¶Ï{z5Ö¨e†ÈÞ¤°(5…“p—qØ×–îJ!ó±ÒVx¸Ý`|9,Ó©Ûqçѹ®pÔÞ®¯xå:+c`Ñ™ÇB~[%×Bõ†É„ƒEkˇ÷µýc„~°H]¥ã¢tSèmØÔù¶ Àb~i+rù_ñÔUÚƒÂå¯+LÙ ÑšÇzuo|î=êÁb»&§¬Y™wô+ûÚÒÎÁ‹)\t:ï›ÀW¾ ,V+L3XVΰç VÆ„Ò÷¹;þKõR’¿fM>þ>ßëË|~±ŸŸ&ºÕk ³e‹›ÐB`Í••Ê+¢¯¯\¹‚žÇÓÿÄY¦ÿÍK~Îûf?ŸÀØVÄž%y>W¬,–Š ™0Y¼¬,_¼ÆbÂdA°n¡±XL–ÓXLÒ b`1a‹IÖøX¨I«Áÿ@b´Ó¿N==õ†oœñ~Í"ß?ëøšE¾_»ü÷Ï÷Ô£›?køyyïOñß›Îã7Ì–ô¸=ø?·[yýæžz>ú`ê‡è÷Ùï÷,òýÓ?ý}‰¼±Ç÷þi£ÿYo°üm«öXŒÉ3Opcžã{³ôfªû€·ø‹»óŒ¹íyÆ1;G(6HZφ¹õp’¸X”Û‚¶ô“»ë£ÀãÔãôv°õƒ³ë…±å™¾é«ÁÚ–¥µ4L~±íƒ”¨4694AQŸÀç¦ÀÞ³ÁÒ½ÊÙæèêc§ùž¸×«½Ò­¼Í³¾ÊºÂ˽ÀÄÄÆÉŸ  g¨öºÜ¤ºÔ¶½Æ•—šx¯ðœ½ä£½ÛŒ´ã©¿Ù¯ÀÕµÁÍu‹¤Š¶ë‘·ã789Š¡»×ØÚìì츿ÈÜß㈷ðÎÑÔÓÖÚÜÜÜEFH£©°›ÁííñôëîñNRX>@B»ÅÑ·¸ºœ·Ös®óUUU¶·¹ÈÈÇÆÉËÜàå¾ÈÔ¥·Ì]]]ÄËÓŽ³Þ”µÜ´ÆÛäæép¯ùø÷÷{¯ì™·Ù¡¿á»¿Ä¢·ÐÃÌÖ•µÚ„¬Û­Ñwxx£Äëk¤èkˆ¬„—‡‡ˆeŠ´&'(IgŠ\šãSk‡IWhIOVO^qPr™Lb}Ox¨ kkky~ƒLpšw¦ßopp’†»Õòa¥ôccd»Øù›ÄõÊÎÒ‰©ÎÅÔæÖÜãµÉáÈÒÞ¶ÉßÊÕâÛãì¸Ëá¹×û©ÄãÒÞì¯æÞéöÈßù¼ÒìÁ×ðËÝóÕáï³ÍëäëóËÚìÛæó¡Æòèïø«Íô­Êì·ÐîÄÚó©ÇêÃÖë±Îñ¸ÏéµÒô¯°°¤§ª’¾óÏáö‹imq]`eøø÷ ‹‹‹ÿÿÿóóóÈÇÇ333†††ããä“””ÊÊÊ£££:::ÃÄÄDDD‡ˆˆøÎUé)‘IDATx^ìÖɪÃ0 …a½ÿ‹ÊÎÔáλ!Œ ÄJý`¢CDW‡¸Ò3`l$ÅÅÅ((Ök Ï«Z´íÙs;Ƴ¿·É÷ÆËš/ž»UilVÛ{úƒøɱ±<=ÏÕ)Á³1ªjµ×Še%ˆ9îÅbÅ9+žîP¬âX±ÊH± â5¥…ìËöö¿Xñ í´¨‡-yvõ¯jÇsÝƸò{BšÍâ5R[‹ûþ>‡ëßuõu“ÓóýcÊyÊÓï"§æ!ëæûGžk<ô +Ééð¿\òb-ràŸ²Y†a°?{ÿ×¥žÒÝU2z)®Rð¤YùÒSÈ`Ì~¬±NMjÞa(M²«ù„’AÆß?ͧñJ߃‡µÀiàâH\â6Hó>¦ ßgûÓ_êïï!EÊÁ.« Â@´ÚøÿY,7¶›`‚ ) >Зᔂ¬.–ÅÂ?,VºÂND¨‡šÇ™ïÙ=%³–YýŸ‰Ú»÷ý ÿîÏþ¢¿´ÌÞ®°gÇ8‚0E;Þÿˆ€ÑÉVG‡÷Îð“¶éÇ(¼R,ç~<+VŽõp–-^_!ÂBX ,ڿºٹö§6Î+ÊÈã_Ò²B«J*R" mv7ÍnZÉ(I€+‰´´1„èIõhH…¹”Ú´Žq'¶UÇ!¯öß«ú@3šQ‹ì=ß'Ø`—‡ÊHŸ24vrç~gÏ=÷Ü+¬Ó¡»{ÝÓVëO×Çê«{ºŒÕž§{ºÀêž.°º§ ¬.°º§ ,A0ûL¦>£ÐnD£Ùl1™mˆA›Øí ’h4Ymö~dzÏ}Ë,´¬Ì§}`ÐñœÓ,¶U`ôÑbµ õ;†]Æz<9xàœN›Í>4ìp¹ŸáÍÒ÷‡Ð¬Î›"ûöw¾ûb»D†çÐl² k”5IrÛºÀÒ+Ÿ("=VJΠË-+ìõÒ÷^~É5d9÷ò‚Ð,NPè˜$+ªªi¯¼üýŒ ™Î›¥ŠßÁÝå–(gt4¯Mì–½'Îêd,åpº%MõùéÒ¸ÿÕ×^ÿ¡â²‰çKTÚ 1(¡Š"“Ý—ýo¼þò›²Ëv¾ P ´¤@Sc,6E‘&Æ'=W~$t:c‘B7ƒÅ9OIŠOUeMÁgêÊ[?~í'¯øä~ç9èdiô>‹d@D¥Ô#óNÙOöö›Š<ŒÈÎáˆâ^Úú)mŠª¨²¬Ó^¿çêÌ[³ïÌux)Œû’dbqõ]EÆw5‰Æ¢ñÄüϽþF é2Ÿ‹F¤M© Q¨¡M¥Ò‘X&“Hüâ›o¿úˤÔo΃¨ú¶a»¬!4Uºì÷dXlñD¢R-wèÚŒ`Œ Â¸ ZØ#çõC‹žìÌR.ŸØMìîVjµg½ö«FÅð ‰^ÕetW¬ö©- -¯\‰äâ Šl·vá?¿~û7Ù˜Ít¦¡±´9FÞe9àõ†B‹Ù+oåf½‡º$‚”¬hª¢M‡^ŸYŠfò,k@•¡X­n”;lÑÏH¥oÄN÷öU<îñ¤ÒéhŒÒÓK¹Y7 9sÕÂæÎŽáüÆÍ•@R²ˆ-çÐzûàrɲJ¡I¬¾PíËÍfÀ¡)Ã*…Æ"Û}tñýø­d–ØzCÖbEÚ¡Ñ)4ÄvyÜïI…Ñ\  "D­ŠEÚN¹|â Ò¯›˜è ;)U!.Ø Ø$Ïש Rc<…ìÔX½ýèOëÑæsÙÌ­UÂÐèÐÁè¬(6jÖüÄ¡³ñÞ½ØU„©zh~tûCnQ#hZ‰)nÁPY–(4¡iï2iô\>ŽÐ*<¶bu® #ªc€%¦ §Ünè)Ÿ&»Ç'³WÒÑh,‡jîàÞpÊû *Þ¾X¹óá­iEv­1«Å>ÜÛਪ€ .OeÑ¢Ô=àêR«E„V(ßЯ®öÞÝê½Èý¤ÏmkÕl@$‚‡º‰§(oŒ¨ž ‡£Ñ|<ÅU‘DðOZçK ¢âöÃ$:4zvfa6VOÍ^aæÀëv­°1[ÚòÉ †¦‡ÆÊ™ nhJ ´P);ó—XU™3(n®‘ *ïÝ-Šñ[Óš<Ø(MÜèp1¼Ëð9‚!Æ¡R ic±fƒô묲@ÊeÄÞLáhc—ǧ¨µŠe8P-›Q“ƪ s둦ŽÚMe*X,4¡},»Ç&§®DrLó΢…B{XÉÀªö ³¥çy°Ohª™N©Å6„¾éÒ˜òÊL.šéÍðØ ö6Šë@hÁXobPddŸ]°\ /,-‰3Íb θCŸ80ÖECÏNõÃ…O4Íam²3ï!puIU¥ž4´’¢Øfó(ˬ_Gh„ªÍrÏ!ÁÕ¬êzdQSÜvK3{ˆxTp‹éH^ÿri;•FÚÚk«õØ6umg`5žSïnU9ÜŒ¨>Þò®M}º”†ÜÌWˆ§ ”Ž¨§f¥°§\؈ooù¤!k“z+éôQÜ›¬)Tb&³3¹8g‚ C® ·ö”›°îôôܨΧ§£¦õ”5Y…Í¿EN‡çÓ™|Ü>ÏÓÆËrK>LÑþÀMNÊŸtw>M÷gÓ$Óã×>£›3àÚæ6wŽ&6Q /öæ ‘Å-Å=tÚë3š¬÷ƒ™îKÊÒø‹ÙðGÔ@d*BÔ1úõÚ£»EúR(~†Ïæ4ž~o¼tI…Lwû'S颈=–6´} iëÆá¨Sýs!;ªæ L/“Ÿ0{)á {Ù9zj,0ö{颜æúøæ¬OÖ_A #4Ð+~†"5¥›G­rñn•¾<œ3äï|Ò€E8ÍôÈ„öø0j€²¶;¡Á âMéC=¶Îô°‰·² ›jmò*lOf'@¤‡ƒ Ž“ŸU¬òb¼D6i¿U8á–ñÁE½ç¿žŠDYd ƒ"¯ËÇ!.Þùê‘ûšÏm7 'õûÍÖºR×ôžçúB4šà’ "½@FúIUzùë,,—Ôg!˜­­…JÛ ‘ÙkàÃþÍñà ,œ¹%Ã\œ*fÌ ’%/ÍüJ)¡Ä€ ªÔ^m?4Ø ünP 5Õq¢q&²fç›Tš,M,/®¤"QZªºR=€Nc,Adý1ª ˜j‚šcâÊÎ<5Æ ªˆêX¥ÄPKO'‡M<þâ¼Ó>ì¨äÖ®.äØ`m~žÙÕÜé8Á©q`M ùÜ,‹pü‡xY“1-¥!ÄB,ß›ˆïu7Ð ˆ­SÙIpK Óœ¹kŽk†êœî-ž„ÈWïÖUÞ)Æ·§}ò𱊡`D•W¥Reö¤Òð¬{1ôã#þ„vC=ÊÑûšŠÑÎ1[¾êSešlaêÇÃÈzˆ‚Nð ,èN'¸ éÑ°G;³©*ÜQhÈõÉ áz×wäbÈ\À;þBY~—N}èwìê×ØÖ%ìT+ì9ØÜ´r7fx”ͺÑà,ìM! t?¡#% ¢ŽILKÄ *ðÞµ7X@V{XFG©€={¡Á­šðWÅó½ÌRàÃÚÓt…Žï7i´Änñˆ£Õ†<ê÷@ª37LµYÆ:X‚™²0Ѽ÷W¨&X‘älÎC§‹w®’o¦¦UÒ2âQöRyhªàb)EU â5¦)צ‹w`¾P¼Y (Òê´ª¢PV¨8{C‹ÛéXfqÏ•máiƒ6©ªdRZ›š‰ÖG£uÍ©Ÿf1(k#ÆŠáÓµŒH„`¨"„µl:¦GÖD1ÌíM1Ú‘P§ŸÞJÔÓ¦(ÉÀÄäÕH¾>ù£òÇŒþ–žöŸŠÜxÁSwiͳýyZ½RãögSÓƒY¡ž…µÈÿÛSûØdY"ÄKZ:Â¥¹É|ç]ÖNõ‹ô4…öÔA9¼uJ›‚ÕOéV$‡î”eMŸûu0°D>yçF#‰õY’U¼?žk¾èÔK!Îâ;˜Ÿ [ŧª Ûp^Rë‘ ›)·@ë]¡.³¾¤:}ø œVtF(m*ÛR÷g—`ñ¡¨Vu£ª£etÚ™x‘.ùIvf2ñ]ë°‡™"n-°„ÂÍO÷€éý2Ò•Ýk“ÔGÄX,î »[ ¬2…F³yà™EÒZ M•/ù³áhìZïgŒG‘µóüdb¹=€%`¼<ì"ezR´WÅwLXlMŠ(…úª_ðbh~’b·ÙnÕ'{©{_ªjë-ìÝ+oX:›>¨¥±56ô™…%Õ~y Ë‹ÔãdõŠl–…vÿ­Ég±m…"hw` ¸5á‰d°®j©AÌÅ»~ wîÝ¢b8èo&úlÔÀS ô§¢$Í×hŤ%,Ú(Þ÷F;é`RqÁshPìl(!{=K,¶Ê:Q<­ ,C¤Š‘žÐv:z |À`Zšºó®ŸÂêÍÒ–*õ÷‰ vû  ¶ÐÚJ8’gîµnyœ °à9äK^€^8h°ÃO#Xy—©•¸†oéuÏ{}Û9äb› Ál$.oµCÜØò™!ö”“(†ºb'ȻդBv*Çç5Zš>+Ô‘U]§åü¤l7 _I›Õî’|Ie+èIÇ°Š§@X óa’Åh“ÑÔ:sÖ[¯tñ®# Ëòþ4Z4;í(4¾ÀÚ ù žBk5®ø>ÖÁs£J[c[ä9˜÷aE$/q¶ŠPªö+`XÔÃcäæS¶¦CÛÔÁW úSwöÀê)lÜÜfÅPàDjt+ª­„£„ø ņ)à•B>(Óh‡Ë,n˸U"ÒP6MT8¬Úö÷¼Ÿ[ÙÇ°¸ç¤9z ÞúÙ•BäÚI*£är‹fÔgYMüž4í‚V¸»ÞâÓ8+Ô øÕü¶¦ÈCN£‰~H«¤×Žf¸%³ßåtK´8‡Øn`ù>“ž†"Åç,Tœ/ÂAL£öÖmy¿dlµz§ºyV¡ñYaCh…õÙû[ÊXÿÛS|RгMÚ¡‚EÐ}"íKÑ(+˜2û2 ¸ œÎXŠ¡æSƒÌþßZËFÐÂóy?çR qïÑ>¢OdŸO S„ø ŶƒØÚXe¼ð/ý+~ÂWöNý§½÷¾¾ðÏ<þ·B²»5—.—èã"½ó|Ú@ÿcÿïÆWc ú·‡ý7öðÞ2ÐV)²ñ åÂ…è_ŸW“”äÇÓ+éèû½¬Ðlˆ¥!/ 9)³oŸ'~ä?žCÎXí@~ Åøß>Ñ|ØÖÑü¥Ï)m» yàª1;÷vh¾Ê ï7Þ¡žØÇóèù±T³Ò0„-laëˆgOÉÅC÷*}Œ^æ’c@¼ÄÃz0‘ÚÖ¤ýѧ’„¥¥Eo&,ftl)¡·3;ûÍ·[?,–ÜT±.ÿ_¸Ìm ÈL ÒÜv{§'÷Jzýp04œsSßhª¤N /"•Bùàk„‚—»„giœÐ“JËÇR›qx‹e@ìôÅ"¥:Á¦kR'®òÖæ£l°¸ÆéK_)ÿÌ á‰µmŸí¸¬ëõøIÕ·ƒŽ¯÷?¬×û{¤ ZSv‘ùÎHºã<׺}'Ø!bµXl»qëòi’¹ît–ë¸mÄa”m7WDùxêγ‰Öqü.Röü¿ƒÓÆ^®>™µbÖb(,‡íz'ÁQìZ\ú:6›ƒ`[è ¥´‡s(w.:tp6‹£Úæì/jTžr6¾Í»@¡„+—¥œß^’——ïAøѸ±‘¢„´Z  :Ô>(±`2šׯÜ×B8_G·§€z€¿òƒ êxüiÌBöMõ c6óIÇ"·7—6—@Ù'™%ˆ™¡·rœ-˜2€‚-ÆH‡øCI›Í“êA5+¨Ï;Rú;2Ï744–µøW8Žlœ³YÙ}?­¶Ÿ®-q„²8%ÞÁ2Î{X¹þ@FZ¹‰­gÄôV†èç…xè6{—Ï}yÇ:*–¢OMçÏÍV$=CU¼cïjzÛ¨¢he”í›ÄŽ§ö‰c[¡Îbæ-2³ÕØBš%ÆvbëáŠÊUÄ"Q¥ÄHé&ŽŠÈwªø¬€¶I)ðSx ¨dÉ¢Y2Sº€N°\Ï3Ïöœ»ÍÊÑѽçžsî›k’ªî÷«jó p»´mëù§ß¶®þË‘ ­¿3`Gø&ô¿*Žß ô0»µT¶ÕÐ5Uò€µ}5°8_kÉrÝÜ^¡KÃmå]ÿ6+¤NkÔ0k;K•õ–¤Ì¬[Çr—ÓÍôsá®s}K±íxÙ“b¹í!$ 2%°St[QÂ3Ú<3>)¬Ø¸’o™®z–¼Q`¹Ï¾Õ¨F©µwºü"Ðq X:–ßÒ D‰½ƒ%»]åa§©°Ð±ì#—$¥fîôö‹õ{]ç¸ò.¡À±z-b_J¼¯Šåç]„0 ·GX¼ïÀ"ÁÉxRgÔƒÏWÅPÀ±,RçÌÚéR% Uußúv+äÃ? Ë76ÇIKÅ’ûüKBc ¸òŠµoÝ.·›kR·A>:[!È»sÎò¬ZuÙƒP᧭°} ´sWÌ°ÎÖÞí'AÞŸ¡cu.EY0­Ý­R%PwmƒHÁ±z¬`8ªÖÞŽ}¢Ôì¬àr‹Ä"š1wæx8or¦ Žõà^aG×9žžO}µãlƒo+kÌOä¼¹“Ì°\±—¼‚WŽE5¡Va% Yíü½Â¬6Fa§rtž}|²ÒÎó.¨¶BŽ Ÿ7a4ªg¬ZiÝs¿’,t,>0ÀR™»Åv/o´@ EÇú¯šˆèófn§Ò¼/e´ AÊGXÎBH\á³Õ.tŒBºÛÖõmX…òFË+ ä½÷…0A©u2¸B—ʱ cõœÀŠê†¹·"r!Ä•€¥Ä":mœ•¾p\] ÕCqYip2’dZµ]_ðV]—MFËÃB¨eŒ\µRï}!„Wx `¹ÂÔÈn-o¸ŽGB åR¶B‹„ÔD†9γ@\á®w…Á·:;¶Â/¸Â(CÇz}!¤¬±Wl7=%°yÇ•Îk á´FÍZ©-úÎKþ(ä^xt,¯ aÜq‹•.Uɽl`ñ¡Vp<ž¦F¶ê,„ òXÛèXÿtç3VUäBˆ»BD“‰¢F)³öV бœ(23÷>h»BÈ iÏŒMë4U+9Bƒ…+Þ`'ãZ¦a/„=;Ï2ïî"ñ$5sÕe/¸°À±ÜѾeÙÂr ¿ ` 3¡,Žh†uV^õ@Ü%}¤É‡‹ °Hè»wRÇBÈ Ð±ÜƒðûÔ7_/=j‰œƒx £p"¾0÷xÇv €%Nn°H8ј{|; ,ŠŒç¸‘ywJQ5–*<ÊsQÀâ:–|›y,wX†²…÷î %îàXèXŽùܘ}2`‘>4Àâî åo…¼ `Íh̺{.¯añÑ»+|Že»„ Êr‹}a'xƒT~qIÀ ©If¾¿!Z‚Žåóó/›ÖÜÅèIËçÀ ªIj~ôäÿÒ°¸?¢ÉØ I(®3k¿.Wȼ#¥Ä¢Ô¨}™ ,ŒBt¬P<ͬ›ç^°Å]¡0‹°Èˆu‘JÝ1 áU-cÜz*WÞ %“S:³~h íÁàXøt¯¢FÔì³¼h óîói(¢Sëî›–ÈÂûXÁð fÔïX" :VHMḟB©;€òNb3º‘½hX ïB½Â š¦“'}¸}Æ]¡¯u,eJÿð¸x.ƒañ—øùJG™Œ2£Ö—„VÇ|ü¢ßÄõ4;¾#Ô&”¯¼Ë7Þ@Þc ýp÷'ï¹KŸ‡Wæ]ú°8QµŒY}º)rÂ+„¥CÆ#:Ëî7=7, [¡ûšðY~ ï—¾õ ǧ4#{ë\¨MˆŽ…­ð(œ ‡³‹®†å7å]ìïyçã?§3‡›C”ÅÃk|x€E½‘½hɤîú‰/.Û+TÔ4MÝyv_hSÂ1¶ÂPä AÞñMhçšððÝaº&äÃ0 ‘ ]O²ÔM‘Zƒü­ð/öΧµ‰ ã¥%ךÆIªFÒbô°;‡Ì!‹^ IÚž<™êq/Õ7%SÐÓŠD„*­‚?G[èJi55iüúi=º9z*È»ì¸ûì7Xø1ï»ûð{æk8Lè¿mBËswýªµŒBMÁÒzª€ÀbÜ*îïv`¬ç‰H6úm–í[¯ZÔ– aê V,…UÆó¶WܦXݱcýs?–ŠXãËsööiï%XÈ ³ù²ã6HWw€…¬Ð`ܲ½:Ié¨Ò,€¥Bë|F†iRð¬'Xôå¶ê…Éô5±àÛ„“P¯P°Ðè71%Ês ñ»AÿÖdEÝ6“vøß×\°T,³ÂTúŠœ­·iåD:È ³“Òs·ôˆ ¼BMÀ‚Wȸ)ü˜ô“'¼Â¡MhWn·H!À‚WÈ.å¥WÛú‚„Ðqó SS®Ô;áÛ„*J£¤ÆÕ’”K Z‡‘–wÆ­3lBŒBz°Tä«"TFHß&$}S€…RÆó¢PÜ!XÝõñ cþU¨´…,g:šeÒ·LÒëÒv_ÐÆ„…ð “37y÷ñ£È€ÕŽ§W¨t‹u«Îõ&mé(F!²B5±Vu »Ä¥£ Yá¹tÅ)Xر¦.šrî턆L¬ÐÈ®›³µž°àÒîXÝ Vå^€…¬O‹Êû~¤Fá³_º‚µŸå]qSVرÐ6C›iKL h€Wˆ¶#'ìÒgâ˾é +d9qçFÿI”N¬Dø£ð{gÐÓ6Äq7[´Õì„$„$-]ÊJ„‹ý.ï4¹D*‚ŠÃáš/°‡"m%ª†SP/\6ìué7ØިȵZUM %¡”–î)Ý¥.¢[ÚÛš¨²ÞZ&àØÎ{3RpìØ’šýgÞ<†j…ä¬` ¡L⥳ës`7”tÄà •q”jÇ `I‘k¸´Y÷ÒÏ: agŠÓé,X£qTjHÎâ¡j…áÕNoÙ€EºÊ›ü»—Î]~j…¡X¾|ëU‘)µø¿KUUý›@}Ÿý/ô úÑ ,n”÷PC.çžQ`±¸_!– ´Ë´Ëñät+X‘M¥4¾Ýݽ ÄB ¥°h‘¡¶L;7…çõ»ªƒcœ›oWO:,•{¹D+ ¾·±Ô‰·í²Ùƒ¥c` £Ÿë÷µÎ©Gè猇5ã!’Ó•Âòëu‘“PHQbx óùW Z¦_78ÒP-Á‚¤£y¤¼ø…°h”‹òHúG?Ñ¢Y4_o¬÷õ¼ŽÌÈ+uâ–ç¡Ðä–¨ËH¾ŒûèKµxÎ –~çK¼"gäm—¶9”eEšÉ¯í ̇BªûÀãØc‘pLÁÙ‰%«;‹Ðįʻù^ÁãQ"°žcÑ`Y ë_¦Sñ6xä]y£ÃJ©2!°V  °(‚èËír¡PªVÊ“÷žr –YŽ:AYˆW ¡^8)´«fþÔÉ;7`­f•ôk.ÁRUÊ'ÑÊ]c4 óæR•÷p¾3…˗Hq ͇ÉcQ`™)4É_>…Ä°2Î>«~CáW6,º^Œàg –ñ¼ac…“ ÊíÔµÖÖÚƒepcN–ô£)ÒQ×M`éÏŸ¬^Àº†På‰$p)7¨¶}Y°˜â¬:V8ŽÐæã"‡`Ùšz®@Ç ^Ï Æô’À¼òîèÚSÚ”È9ÁšÁ"a ¬À¢_ÁzÏÍ*àõGÞ, \{,*J:Qžã¼KŒ¦=Xm|"ë`ÙgZ-2ÍÚõ “ré~°‚«cø×çD`Ën;-ªëwŸ‘¬œÌ %‘!ÿ´-p ©7ÖõC³æuçrŸ“¤b49Y_cÐcÚ‹K­ë‡Æu+ƒ¡ b5¡LN­  Í nôs°Øj›!N†Bq «¤—' ÇÒ1QcU˜¶ zÞûWoàôÖs9V›¡Ð6tý& t,K°b ºù¶Æjò¾?íô"õØÎ]>öÍsÔÕÿ=F©yú{H‡•÷éo/\òMóyoa–Ÿ¶i¡ìF‘ÍPø¼×\ô X=Íæâ,7Ehi0“©LŽ&ïÄ£PxÔÛlþsÙ7°÷]<&‹%‡3¸Rë‚R!i¬5q¸÷ˆø'Lw¨‘ÕÇXR$ŽJÉ:aOÇútw¯¹·pà+æû~×ÞÄ'.B¡t5^ÐÀbfâšÖ±€wé`¿e³­ƒíw³Í[ÿ×–÷ÏÒOµ>—5'ºç¥Ç"nÕ ¥Taò…$°ç±šš]èõ›óz,Ò +´;Vøq…=°æz›þ´½C.BáÓ¡œ[)vÞÕ×K:µëËe_ÙoÚÛXà#yVäòøN?ƒ¡°§OÓü5$k®Wãê%b VBQ¦¼ÔGIçæ¼hïñ󴸚}¨quÀɺÂj ã×ëK,z¬€Ö^Þl~ðÏ@¹Ÿ›Í œôc‘ꂼõ²kÀ"íµÍÜÖ´nÿ(rS+3éW5Q`´ÑïËE•tŽ¾¼ãgÁê€2#?/Õ~¬¹@›¡f'Àê)™‘57&ÃF˜\x¬p ¡|—÷%ËPè•Á#18¨à\ÔM `Î{G=ñǺB12ˆð¸Ã ï ÁcIÕ8þÁݹ¶cqÖj¢œ^1äXÞƒµ›G·¶j,‚{éxY+ 7FPîmÀ²3Vçc‘y¬ð°‚ÆwŠ–³ït¬`¢Œ§6$ËYƒ+”ðb®-äXìƒ5–AI}®-ssÞ½2ðX‘±™ò›yrƒ£sÞ¥èXFÙÝ°œ5˜ó.])¤·å ”wØVŽd|Ó~ü(a`λ›ó±"1çÖœ<èXäjR)X„B±ZQJSî7Í@òÎ:XWR8½<«{r,ÒÆÞÕË£›[/Ýý× ÍþÎ⮌î8=×B!„BiHAÙyËaƒä=‰Qö ›`Íù¸‹}5Œf÷!ywÖ@Ç ÇQf³Æ@E‡@ÚO`-…â™BòD$„PH ëÜÝ R4^(5ÜnåùZa}ô:ž|SôM<ã¬ûÌ—tBhsmwE—ùF¿žÆÒÖž½Ï; å½£É;ñàÍÙ{¬hR.åv\÷ë¡°šPJS"€«t+«àåuXÿ±w÷ª CQÀƒÒ5Ñ#Zµ‹.ñ,ÔNRú®}ºYtS\|¡:9HÁb@#D,¸xýhAíXòWîõxî3ürnNþœ“„¬>ú®Ð¬BðÏ^‚ÅõPW¨šXK—I‹]×\!e…‰býaÜÄU±(ÒKO@½òõC°¸öçKÕ2ðòøÄ$‡…qU$î¬P°>‘Â?WÈ$ØÝÀDT,ÝÈBwU°V¬;1°è*ÔÒIè¶]åö>7PWÈ. ë=e—ü.X4 -~iì;Ïþ -, Y!»Æ«0âàuÂ]…”÷Ô>4Ì°D<ù”Ž ΢ƒÖ‘²B!°rÓgXôŽEYa<_¶½¡*;¬öÎߧ‘#ŠãèNiwX›µ1Ë Ÿ-a»ñL3Å.¦AÙ§+(CëÀEšH‰B*£4©LOþ йI%ÑÙ8îâ‹-¤L~J‘P’2Ahä•7?äøåÆžû>Ë ^MÁGoÞ|gÞ›ÿì± ¤Ð±¼üž ¯k‹,€U:‘Çz&Ä R*-y……üɧģ!Ky…,U–Agþ€A©H5Ó`)7Ë士ÛÆõõÝm×ú÷h~Æ{'}oLßW;æÛc¡>–ãù¼¹y¥bHD ‹÷Ä?7Ñ{ögé`¯Ð)dx°^Õ@üùu÷¸ó^‘g èߣÈèv´;þÞBdœÑp£ø|“`AnH¤*<8ªF¦ÂñoÝ$U”+Ýþ[°bcéæ­é6ò ç¬aQ¾Ù?ÿ°bÿðm1Gö¯žN75¡¤`ÜÄ¿¾U!¢òa/êiâ`ýe¬¤z,Ýÿÿ‚¥Pmf*SÓƒåsQéö"«·(Pc1ÖØsä°¢(趚bïéþ(azÈhÛþ:ï6{¬e!¾ùbßjôf‚we›òž\a›º®-R¬ “™Pø=›Ášá¢ 6 ¤n&”þ… G °löXÌË…ÍËù±ÔT[:X*r° Åz@]~1N.¦Jr÷8°HõÜLá¸Ù’lœ*€EkX.ùåæÎ Çà|NoØ+TFu,}goíñ­Ç Rì:…Ž>X¸a•,ÕÙ’A¿J;t,¬ TI–çÞ¼SƒU ·©ïìÅT°Xš‡[g?)L…¤†¼B–åõbõÐ:šp_!½© <–Jf…\©*€Ej¨6ã,- Ùî÷Z›þ•x°&šG.íH¸ý y…l5#‚þÀ¢5È ,]”ÛŸ/Ξ{%˶{5ë`%/7Zç Ë Xöz,×/ËÍû‹ÖÖÓ6o=¶-÷Ëü}…È+\Êq©ëÚ’äï^QðË_Jô °Ô+ÖF(ÉëÚByÇ}…6öøñ¾2íyÆ'¸¯ÐÆà]™ñXl5§–eA›¿¯Y:,U·;ŠkdBCnpÓåzãjÁn»÷ŠdB«ÙÙ+TÞ2oV<ËÁzk†c,Ku,§ÐæÍâL (ïбØê ¯ƒ1VbXlŸœÃcѪ&³l^nzËØ^¡­S¡ˆJ—ø4”wèX[r‡úÐ b,ÄXÉŒíªA°Wø‹•{…‹¹°þåù!¦BZÃy,7·'ü™<Û æ,èX ¯x[×V!Æ"5ÄX¬P kC¶¹ÁØ^¡y…nªTŽÍ…XËNK-¥óòuÁd€Ë»­kû•c?X7^&X…6o­ŸÑ‚…àÝ鬈à]Ây…TÚt¬'[¢Ö7X0y…v*ïêã²(ô¡$S ý‹j*Ls‘ï¾nìÚVV†[Ôut,gY„ÅO‰“ ± ‹=áJU)€EiwMÈöSÚA°*Ä™wæed³M\~ gÞY!'k>ƒÇB^!­Ž•|R»Ïˆ=ö 1ºÃ¼l ƒ…½B Áòór³;õT :ÖÜÒ=„ `Ý ³1á<\eÏ`Íì¶ã†Ðr: Oàö7bc¢”ânlˆ‘ ¾æͼL9ÛcajU])DÝ´4zCfæê?ê_ÜlnóÙÞÝÝþ6÷ …ö>VÏÀâIˆ|Bô¸BH­ ;Nôþ;/6¦9„_‹÷Â~£Ã`uì±½‰Ç‹¿Ô;H¦8”Då{´fjKmVXcòáÓIöŸ8Žx "¼Ÿõ(½·õêû4µ=ùZæ¤c•yÇ’jv,PXëg t,ðÆ:xw@†NY¼x®êâè.ƒ?PÄ…6m¡õŽ°묱 Õ‘Ç”_úc“ç9ßÞ-Uú~•ýïOÿïs 1Trå×ûãJ¥ý›˜øÛ䆔Ž‰"wž%¿öË#>½æÏ. Jºí]vë}êOßÿûŸ?coH†Ù?µ9ÛJ8ã£Lîê‚ÞIEND®B`‚images/custom_errordocs.png100644 0 0 41417 11256637627 13622 0ustar 0 0 ‰PNG  IHDR®ÐWásRGB®ÎégAMA± üa cHRMz&€„ú€èu0ê`:˜pœºQ<>PLTEÿÿÿÃÃÃqqq‚‚‚uuuQQû‚}}ÿÿ‚ŽŽŽ0eešššëë릦¦‚00eeeÏššÿ ÿše‚‚‚‚Aš¦4<ÿe0ÿÿeÏÿÿÏï00000000ÿ000000e0e0eÿe0e00e0eeeee0eeeeešeš0ešeešššÿš0šeše0šeešeššššš0ššeššÏšÏšÏššÏÏÏÿÏ0ÿÏeÏe0ÏeeÏešÏeÏÏeÿϚϚ0ÏšeÏššÏšÏÏšÿÏÏÏÏ0ÏÏeÏÏšÏÏÏÏÏÿÏÿeÏÿÏÏÿÿÿ0ÿeÿšÿÿÿ0ÿ00ÿ0eÿ0šÿ0ÿÿeÿeeÿešÿeÿÿšÿš0ÿšeÿššÿšÏh×R pHYsÄÄ•+A.IDATxÚícÛÆ‘ïg)ÞU÷Jµ”ÔÛçˆrdSwVJ3¯ñQ)e_s'¿& ¥##襱ìö.m©8ÿÿ?ðfvÀþP¤DP3”ø¿ |8˜Ýý.4ØØêb ÁÆVû•´lõ0Æ•qec[&®M6¶7Æ•qec›eN‰ÜÏþ®¿øÅ/šúõÀg”m™¸:!©ûÙ_ÂÇUˆ_èW‰ÿMžŒÏÕüw²Z#õáøj¼·\{Ùí;Ëe}PáÖØîWH¬$®¯`^Ýášl%ÛµÍ9·Ÿ»Ü \Ó×Å•Þ«ç\%¯\ ÷Ù~Ñ@fMïÜ4qm4]\­4…to7©K66^ÀžÐ0~8Ùû«³Ý®I=«á]‰TÉlW¼š¸Ú°j¤wwg¹J¸Ú ÙÛöwc¬Þ°Wó°&Y[ÌVõVg[ \ÊÛæâ*ãY¸6š^DëfÞfôšÅ¸î6ÿÇáÆdù Ìú¹ŸíŽqÕñ@®2~µpMnÈÜèÓöNnÑÉá±9/®Æpµ‚àÝ¡Á¸ÖλªòVW«PÒðøÈ üR¹‚Bç9Û»:³ƒθÖ+vµóX.MiªRìêÞfC™o£YÁ@ÃÇ5¼@ vmäíŠq½E\“<@>®³2ðhàãšµƒ™¬ÄÌ ò®M/ïjnñÉÏ4ƒ¾=´€“*°·_°:ÛíãZ1¦«ücÅÝWÊsÞrª“ù«E0P±V‹¼êܼ®*®ì.W×° ÜÏþ.®`Û‚p­6}¼2­+h0Ãü%¸E[­ÌÀu‹mÅÍÄ•;V°­¶m0®lŒ+ãÊƸ2®lŒ+ÛíàšÔÛBÖèÀ·¬º7Y0°,³g[¶Áùæ‡ö]4mµ œË%q-s‰¡`?³gänæŸ_™_¶µÂU{Å°OƒÌ穃‹ù`OÈ£iÆõ|H¯ao`í2Ùsú¤Ö`[]\“Ë”\Ë ¸B‘ãTKäE '3p±Ãt{üRÒ7îáX{v–`[]\ fqU»ÎÄ5 pp-Žs-< ×Ð_#%ØV×0S3qµ/1äÞæ=xB‹Aꃠl±l±¸Z%GÆuõ½«{Á*EàšM€ÛÅØ»Ö/hÜ×¹c×…ÐÈ%;‹U  3P„kðV¸®wìZ*3F¸`lzvq/W¹@þ³¼«Y$‚ i¶4ÌÌÛúdØØVŠ`Æ•qecc\ÙØW6Æ•qecspÝ`c[mk°Î[­u68*`«Oìʸ²Õ×6Y“qe»{Û ˜ë]ÛÛÛ‚½+[Mpm´l«`v¡ôë.½–Š]à ÂMðÒlC¹0$w'-ó¦Wi8³ƒxÉ5¡Qa×æW„ßtöñÍܧ¾õÅõ†¦D)½¶Ëã<«9¸¦é†Ù¸nìd¹¸ÎìÕÖ„ìæ9¾ûÜ ¼äF}o•íGTŒÍG»íGÏ8ÁÇUàhË`òÓNáÆ4z›‡+û\' ¯gàêtèÎkæmt9·¾‘Ù¯{ÆŠ §Exc¶`GÖ²vÇ…½à¼3ž­ž6d/ö[òœ[£>¸>zôP ¯èY ¢ÕÅ•žÚ¹¸ºI ÀeÒo;£RýgÓèíF×¢~+3qõ:tçßl=èìn3Ýz5¡¸¿Nè+ÂÌCáãk„{¥çÉýÎ:ñµÁµÝ~Ð~(â!rú@P<ðÀË ÌŠ]^_»6@é\5Ô OUضåà¸ób̸4áî¾Å+ÓiÌÛa~/ô¢Þ`ebWÂÇ0¼3ö¹•\‰ ûÄ××í&zUò¯×ÚÕƒ™¸êÐ5=CÉ‹|·±‘M Ðõؘå½BÒŠzœg€¦Í <®y:3£hä`7ëø p-Þ¥Ž]í‹Q{@”bÐbq}Ðl?œ;hÌ Ì3DѪr°[…¸{ì–ð^ù¸ÎŒ"̉kÉ¢V)\Ç—@qâÅpuÃõaûa“p%^<òc¹` (…«Œä¿íq—»Îº[Bá/Êu-‡¹b×ʸ{1—ÁuËõVy‚‡è^›ˆëCé_±Û, €ÕûÙ.§e¶Òs¦ßlh?[933Å=ÎÝàI·n¯^Óí!^)3,à•9¾FÃ×+ülèK°‘] ùR\‘χ»¢!¯ôú Y*¨déª*ûº•LÛJ¦m%o¹5øÍ­ð¢àô””'¶êsΉSÌ»6Ú»í]äµù°‰Ü– ØjIkþ¯Ö|ØÞE¿Úx¨ó>»šKlkAkÍ.«D”\«1Ææ⃶յÚáêl5Æ•ƒ¶úàÊÁllK W¶6Æ•­®¸&R,çÂÆ*.ll¬â’_̵gub×­ÿŶfæ®ë¤â¸®›Å…¸ÞŠË´Eà*ØÖÈ⸫¸ˆÝeâºÍ¸²Uĵ(v5®2fX «;ba¸RÝ_fÆ•h}°‹›Ð¼.ÒµîÈX@:ö¤®¨v.w6y×Ò°‚õ²DƒÒ+/rp5óZdÉ^3H¬ò¯VÍnˆ¨|Öü-76 ×ÝæNY\ ‚ÒÞÕÄU½×«:[H–“Sƒó ׫†«¹ s£¡Ü3\76<\íY;Ú—Êy­;p3\w¨gîƒíæfcÛ],ÐÃÎ6ÖRRÞJ¹Ocn†ˆìߤ434ìuíõª:Wph½ß—‚ݽlc#”0ƒ ¬ØÙQ]½àþàªxM”‹šgï&ˆÖí`«ÄF¸ï<„dY¼èaGl6T,°½=WS¨×z¹¸føØ%œæħàGž_‚P€õ9ùU8át^  Œ«ß<ÛÂõA{弫ƒ«¡A¥%,À ë.¦±6wŸBIïZˆkðî wàüø4gõÒ¸*øM\E)\áÞ¸W•ÈÚÚÒjŠ³2&®ŠV7ƒU ѲuŸ0pmà¦71Øn6çˆ]çó®Ž/Í"—å‡]\Ýø1_D³Jt©Ç{×ðÞ#ÇZW¯¯V†kc‡:}·Kz× TUP:¯‰?„ÝÍM ‹w·3` i@'3 '3àµt¨šÝܳàU„qÍ"K3^Ì"Jð“Uæ<ãEøë%k™Ë$ ƒ»cIçÈ̸öžÅ®‰òçì`Àt¯8òš»†tžm©*°$Ó²èuw [ ,gmo›þuÞJX(“sç*‚õÀÕ«&ØÞI¢½»»Ðº¬ÄšííMtÞ7…µ¨–ëfk] »®„ tÜFŸ§xÛ»ËjáÒÜÝÙÙ½1¬ÜÄemqÍm@h3°³-­±½Ûl··›Kv´2®÷ ×¼6;M"¶Ýl6VÙטm­¬ך«¸l1­÷ ׺÷Õâ~øë.2°V¸r7üu`Y ¶šÊb´Z­¾ü—i\:e»[Ëǵ¯iM€m1®l«…ë–ë]û¦{mñéb»k\E¶¥ž·<ïj­˜ÏÛ àŠ}µ<\ïJ>]l«Š«»¶4ºì]ÙVWÙä5ß»¦î•OÛªâšz×,xÕëÄXð:” 0ۭ㪻k…¼«&õP†h‚>«>BͲ­ ®: @Óp¾Jj%¾Œ+Û]àšJ ¸ÞµßJãWå_ X|¦'zf\ÙV×Ì»ª§4(è§ÁÀáŠ}«s¦ôã耻¤0FkÊÝî-þ÷©vªž­ºàº•5aÉ‹]u“UìR¾veqõÞgaýéު߽kGY×À¥Î‚+"S~«ëFW#3 ß ¤±E­XÆ«‰«ïa,¡Óó„pÍóL‹¼®p\ˬ5®¿Ê,œwMÚcõûºšY*t]¹Ø5€««m9 W±l\«mÊ^J㺌cY‘` ‰/ÑǾhQM×Ó ®˜ ÀºÓî`xŒ/|Es&²8`«l‡ˆ+ôÉ£žÅªIT+Ç»d zŠÏGGƒA¯ÛLfa@[9‘U#Y ¶Õò®}lÕ}‹M¯. q}-S®o°>k8x’µ¢ù½k-d1ØVË» è¢ñd:DGùdÿó?åÇ®ØB€nþè`{²•l÷#Øá\‰¬r²À{ð¨XÖz;_ÇãÉÿ›L¢¯[ÔÉFYDhÔëõ"r­Q4G5A9Y `wÂf†«½hD°Ž'“Éwøf<8PyÕ×¾wE^G§²9Ö¿õd¡kU XƒífÖ‚£Q$½ëdr1AX¯Ç“9y×HµlÁ†®Q—(?zBY×aEïʲlsÛ9Ö£NÓ©ò­ìø(/Q€•®Ç=œžö¨+còµZ,‹Áv#û墦ìwdy½¾î†kac·R½@Ôí¾8B¯<|:”Ákyïʲl7±×Ð=–.uBñÀtz=Ÿ>ÁæDÎ¥ë]1 @^ÞDƾˆ¢#r±UY,‹ÁvâÖá‹Óé„ÜëutMà¾mý–úÃþîÀ!çO­Ó9WjàÚí÷ŽN0$FÿE“9bW–Å`› ×~üŠœFÀŽ§?Å1Ö¾úý¿ºÝaÑ»R ŠQ/iË-kõ6,‹Á6ŸAÿ"~E˜ÀÒÖõÅÑCå—èc÷ÝDõ ÀÞYÑH•ÆöU÷—êµZ,‹Á6/®¯Ïⷔ̚N~:‹¿F~âWÔÇ\µ²°ƒÖH–®NŽºTM0š#ïʲlsÇÔÞµuqööíÛ‹3Õ{ZˆË$ÍdºWÌ»RïWr®Ø‚PEczW¯ÕbY ¶ylŸe_Ưÿ€= TjIfªDÔr225vá eu8š«k!Ëb°Uµvž¡ñÙ×Ú·^šîÕ Z'ÔVÞÿ{Ð%n#ܤk!Ëb°Už\ œ{ñë‹ó¯%)Z¡­ŸtÇ:´ŠZª°…¢Ý#LÀ»9ÙqåÌËb°ÍC+ü^¨Ê€8áå’ð—O’„¯M\OdÉ ›g'} ‡ã*‰,–Å`›ß¨hó½H//ÅÞ¥vO|ž–„.Mï:T©€$ïŠìh̲l·`­}U”"ªUë½ÈÂÖ+|mdÇ,"ö`/ØîQÆ T«ÕbY ¶9CÃøR‡«{Ú«îipc_Ü­%ûe©¬ë`Œ9hòoøÁ뜱+Ëb°•µKYjéP`/kβ'Kè؉‹X••í×åZ°ƒ£Áx€‘+Æ®Sî ˶lSiUÊÉ`_¥cÕ%õxÏï:Ô'°ß›c–Å`[zàšâ*ýj¬ŠZ*G·â×$ŽbY(O˜´Ô¦Z-Õñ{lõ&˜ ° …=gæ Xƒ­ŠsÅßby÷ß»ÜKJZ’Û=é`iÝRû‹$ˆd&`ü´‡2„XêùùÕ °•+gÀ«8)c‰äYf]¥‹•ý·÷³Ž0Ô€p¢úv# Â|Ö1Á;­œÈbY ¶*Ö—­Iâ”Q¡Üìå^B,:Ø–îK•áª`GÝîI¯{‚­#Ê”Xƒm.Û'[Ú·î £›‹®4 Â×/áà3ÖÞ—¼î}­"Wú;NšgGÔòpy²ll:€ÃKç¥N^]¦.uq,éž û±n3@‰€1…r®ì€0š§š ¤,FÞ 4s¤–ÍÕXû¥t®{YÄš®úIqû4éž*ùS0ðï#Y…ïPßõ{ÌP5AÅصŠ,FÂ^ˆI‘‹ëUò®•d1 }¥06æòU^\%{IsXáë¥ò¯—²@––¶Pöu"ƒ"¶¨9$ë˜þKãZY 8•ÛÌ ã¦/#P1‚€‚P­~Fwønl”¬’è5I èÂWËÀµ/ƒ±làaÖ[¸à†£Š™ª²Ýß>Áu¼ÙdÐ1{×5+h% .X/EZîqÂqlà ±ªÕ¢./$ðŽ.ö3$¯5û–”ÅÈpí^³xÆÄ5{a\×ÍÚ4žfK$±êž¼ñ«À@díqök×V‹PUÝ°ÝÀ@VxM׊y×J²–w5!¶we\×9‹ç —²oÖž°HÕM´â®ÂUVmµÿ@·~»F*ÛíaA«BìZ]œ’Ø´¦³T¤Ê¸®eäJ¡â÷"혥ïþ—É”4u?Õ£KŽÎTÖU§]‘U*lM¢9;n—“ÅH3Gp|«,XYE2Æu½¬º6q­±ª":K´Ð¿ïåèpÉHÜ_JA ªÀ¬ksT;Wö®åe1Ì~Ræ7gèB˜s¡`f¶:æ\åý}ï2Ë Äê%Í·&­½4t=؇§»RÒuBá*v(èa›ƒ›Îã]*‹‘—že«»Qñ å'è.,‰ÕþU÷+TàRWXù¦•´°¬%«³¦]âa”@yןª{×EËbp¥ëZg±Œ¬@u™„°{YnKç·“Xà u”Ñõ¯èbiH-¥@Hy¬y[d-PƒoýëŒ+ú×´{Ö^êaSXçJR„Ý}8|=&X1Ð-²žõdìzͲlËÃEY»Ò»¦Í´Û^‚jÂmœJÝ`лŽX \ÇØùåó¾âÄw>ïʲl%ì ˜v»ºK¡1ìޥιî%Í(Ÿ¿ê¦Å¡Cø½ë”Â)]ŒâÅãѵ &Õ{°,[9;Cwˆ5§ÝÖ¡ß’6zÕÓ_Ucz”âºß[”˜H•mì ‹¢ƒ1M@]ØÄ®Œ+[‘ÉZ~ž°{Ð'N/3±!¡ó¯Š Ý渧«ö»GãI‹Z RâCÅñ5ÇÂLÖœ±+Ëb°Í0ê¬BŒ£Ïd2K:R³ Î ˆ \nòÛDÉ¥‹ìžQ¨Š¬¦»J;¢‘n’àž°lö6¢x“rû“SU["ë¼hµ¬‡ƒ™¦Cf¼ÁPõUDý²è19¢ØÑðæ]§¼+Ëb°UÉ ¼¥›¹¯øZNx'Ѫn?„—ñwXŠBi!Eë€"ˆ·Ù{€*µº²eK4îžLi[ó,‹Á–k—RßJæ'²D?¢r+SÌFó×8Æ`#ÕãÁçØ û˜Ú¿¥n„8Wî’“E/}Q4ÀÁÛ£€ñt4U^_Ž¦)oõ‡­4öÕ¢^Ûg#*WҘŃH+¦"ÊôŽ‡l50&g[:3À²l¥ìû Ÿ‰°w²x„ÄFª©®þÌê`eÎõ;,Q]Gʦºx†“&Ò?Ÿ$1­™“e1صF48±u";¬Ð›S·ï©N¾’&Fk@7~ÙO›’«j˜¸(éLØÓª*ž#veY ¶‚È•ð$PåÍ›°•ã¿¥í÷/Y •wÅØu Öit-_”OÆQcÉÁ"¹X±ÕÉÃ\Õåd1Øî«]S»Tv¢në×cùH\uì^RêÂ7­ªr™tÇ“±ªnËøu"ó Ôñ¸JQ«º,Ûý4oÅ4) /ñ£êÓ!Ö˜€\&Ðö¾R!«Ì\˜’wd|B¼˜*X¯Çsæ]ËÉb°ÝS\#Å×D:LÙ@>õ/DÖWëRû×=ìSxD­Y$ÔéâŠMÝ` &‘ÍÓq»¤,Ûý´ÑHe[¯ÇÊËŽ¯µƒ½Ðí[tý€Ô|±ÞõH®bI¸\ßEXÄÂ…] È”XyïZUƒí¾z×´¬•T(‡ÆB:•Õ—ý\ßDÓÄ»J*UÈ;ž 'Ôâ5’I9wïZR£´uÐDG¿¡÷Ù5ß_#¼c¶Üb§ÃðÜwEø(%A•¥&å,¯£¯ÅAÝ0û\5rDšhòŸ²l6!§< 2Ö#ïúfZ½V«’,FyZSÖ’§ô¯ ®ÂÀU=ãz‰¬h¢è£– :± %Q£^/-aa ]Ssðâ4" '×IîK:äëÑø¤+‰»4àfWú׊µZUd1Jã*LR…ElZµ d[¢íQ1_‘'c€$/…=P=Höìkµ~ÛÏúèw*vU~UU.D×O#£'?H‡]½V«´,F%Z3\=ÒäM]{ßÌ wôÄNEˆôîßiP‘­ÃvKv¡ªR§ºÈ”E£i«+Ëö¡{Eª%ÉÆÿÑÛ‘ô¥Çép†èƒÇãêͳËËbTÅ5b¸Š ÍNÇ 4²Þl{¶[ ¢S¼_#²Ó©l£ª[ºL£ÓãÞÏ+z×Ó(©Î¢–¯×¯â×”W¸ºG=ù÷›¸sË».T£“–¶ÂÞÕ˜n¾˜Þ¸c-i¯`–ÙØnÅ^ãÐB§pµ*EX®w•~ó ;@½á)e°m 6$lí]ž)W:JŸ;‘žV…•½ë¢e1Ü`@”ÂUt:%qe|îÀâ¯N§ˆá€"ÊÁNix¬ÞQŠé> RØ•¹ûƒÞ@.F­£ÓÞ†¿g*€Hj¸$´ŠÚÊÞuѲÎ\¸ŠN‡q]iûýìïôþ OñÓvŠý"¶1ùúü_ìè ú:8~¥JC2†ÕU²Ò®çm3°pYŒ@"K8Y¬ŽšÙ.³¸%²g+ààõ6Üéw£·o¿·(ÔÞïDjÑ·õŽ'o'£Ñd4¹–/¨€9š >'ª‡§-3šà̉®2ëš]K0©ÈZ¢,F^µV‘Ke:zª•#HxÕK$1pjiX̶Ü|:È!=Fø@g:¢Ñ²GØ }ê‹ž‚õè•nƒ­Ú¶J]!‚àð¨7@õ&ºý– t L¡ªÜë<±ë-ê ”Nº–œÍ¶¤X5 ßP¬:P½XˆØÓ!Å£bxD6LA%¡a)Þ.UGTôÇeߩE—ö¨Iì:žÜ,v]®Û1&j¹¸¾£;=Œ†§4ø‚;¢ÏäjÑÇNÇC|•À¢Ø•Tq«±¨áh0P@:Ö¤mëD&nÇ:xÕ9‚9cW–Å`3“­o)ö$¯zJ^ˆæŠ ˆZ=±bUü.'ßQ3ì‘n#s^º®@y×±Ž÷:¿wåÆØl™wE§zh`QÇ"ÒÀž&¬U¦d'rØÌk-éÆÙË©ò¦×ã,ï*ßmV+j±,[®²h/s«½Ï{bu4èv{„êp$‹]ʱN´“+ne÷AUÀRzªÍë$ñ®ºAeïʲlEÁ€ŒSGÇGTÐHݪ VÓÖHi·+ w˜Ðh.×’Ók¶ª–²×cd¾UÇ° °-Ä»ŽÈ¹Ò®ØÉš²Y#9ÆP’º:Q¼'‘o€$Ǫw6)cFº/nq¨ZÊ&Éëæx²9W–Å`sqÅDÖÛ¶P³Äu@¬A÷iOK°žHß*ÇÑVå¬É5yÕ‘®¸NáLÓ®jÕ’T¿VÌ °,[A0€Þõƒ×“uZ»§ªâDQÕ ¬ƒ¡ ¢aOúÙcÊd)틉aQè:Ñi±v¯ã$…•F›,‹Á¶Û{%Ýi½!ïJµÿz¼ÁQ$›>ÙƒðX îJ-úzÃÀ‰Iìíã×Iš˜ÈÞ°i—™$lÝ$X',‹Á¶ ïú¤ “8ŠÅÑ@òJ þô­XÃ8ç 0 ‘=î“Hà:m`ûVbUu†eY ¶EÄ®o1ÑŠm\O‰ÄÃHµÀ‡Ž0‡Eùˆ¦GÄ.ªµá°¬*@²a¨«¯’ðu’Ä­i;•جÞ<›e1ظ¶NUã–¹LŒ ¨G*uE˜ÙFäJIþ‚’é]±.k(EÜÓ^°‰ÂÀÔp¯I즎^Kãʲl…Þu0:N†=°)UÈ.Ò›D$‰I+ìÓ£BÕ |%!¬‰ªÉÒa€®ÎÒ!¬íeË{W–Å`Ë÷®ÖSéRe}ë R¥.¼å£wt¥w•‘Á”>ô(E(kÙbL¦f0IcØM¥?‡w]´,Û:d¨¶ºÒ6 ýKJ(NÀé/¢É@z×iöHè PÁŒtsì©$Nus¢‹ZsÆ® –Å`[ïJÕ¯žÊÌ5Þ•e1Øêã]Yƒ­&Þ•e1Øj‚+Ëb°ÕÉ»²,[½+Ëb°Õ(veY ¶eXƒ­Þ•e1Øêä]Yƒ­vÞu‘²llËô®‹•Å`c[ªw]¬,ÛR3%e1ØØVÅ»–‘Å`c[صœ,FÒÃ.O ªLOðzo[;ðzŠB±ô ¸[ð·9×i˜½n®®"ˆBíÅ¢/Œë"e1|ÝÄr¸»ƒµÝ–Ä5´ÙùúÞ”ê4ÁcWJ!°ãzÓصUWOh®ó 36_W‡Ï…éUB©uøړ€©\–wm•¸ˆ©x¸=û×h &]î³÷Âè‘oËœ©1a©[°{ó#WáŠ#Z€"_!PøJ‰tֶ¢ýe¬Û?@v>ÀU;©¸ó„«rȸÎ'‹aÄ®¦¼›£n檘˜B•ùZ}B˜²k®’¿Ûóš{5—_DP¸â™Æ=< Ø$„…Œ„ó-ÀÛ‘§´T)ʶ8¨&‹ˆ]}1>ájîå©L…dùÀÓøóeÕÀõ¼"Wúªø`B;wp…àöœ£ÊSžó•ƒBˆà}MÆuî` àU„s fàŒMÁM ñâ¸ûY¸†Æ.Ù„?×Ðìpi*pè§5'Li/Ž]o*‹±d\¡*®Z ®Âuâá` לóPWKèPØ‚yŒëÍd1‚Á€>:š{A ?áÊòÙ‰,€<ònŒ‘§è@ ðD´ÙBë ÷ ¶8cXuÐ’Ip£ocž}ÌŒë<²V2ÀÂʤåâÄq˜˜Û1JÆnñ,©Ã¬ŽÂžå.`©ú€" v…±+S!ÑÛ.äœ %†&¹÷÷lÀ}t²+ ‹±Â§œëç]—-‹±Ê¸²‚`ó®Ë”ÅXé„ +ÖW–Å`«“weY ¶:zW–Å`«Qìʲl5Ê °,[-¼+Ëb°ÕÉ»²,[í¼+Ëb°ÕÅ»²,[¼+Ëb°Õ(3À²l5ó®,‹ÁVŸØµœÎÛ*Å®Œ+[Mb×ãÊV+ïÊc²­6®•d1ØØV$˜-‹aôäË&ÕË åaÖî}ëæjýŸ§whKO,®cA`KNG?ÝÀ‚«ÓF; $&÷4fËCÎqá ¤}7-BCêeùŠhàëäè»ANûJ´¹¢˜Picé¤O7á5Œpg‘¸V’GôôMotÚ*‹Ð<…BÕ?˜ "câ’Ã2uÃuÛ­®sÊbØ2y†J2Ùس4 ³ˆ"°XI9BKÏÔp&-±eŠ¹Ø lÞaƒóµéÀàA¦[0°Òqús§aLì3€°'$ÓÍÙ´ƒŽ4#øè8ØÂÆY²t!Ü/æh5š˜§Ý’‡\ƒÀùª»–“Å(Ì3´G|-0‚‹•“#{/ÆdOtÊÁ k·dÑ xê4öa‹°Ä‹¸yÙì6›HéÔoÈÙŒä“Hç‰lºH^:¦ÖFŒeÌIÐá™™+"ifkî^× ‡×EÊb$»GLÏVÖ!mª\­Jr„¾@‘ NæågîÉ Æ!$8èK†·TµeXL¦ –OƒÚŒLcž¿pÇ) l×ZÞ¦&÷kz_Ú¸áÔ-°‚k¸Ò•¼kyY –yhóá*ýÍ K™ËŒ£íßJ¦WU´§ ®…ê›î'!5¹ ŽÜ,\…°fvDÇr¦ÖìN(K`oDdVX?ã^d‹œÍv6à°’§e¯˜×9d1ìôRq…\m43Žò½ÇL\ÃÚ•wˆkFmGà* §[×dùà9„ÅBwÀLp•é}À†o7v]SYŒøXú^â]ÿÝÕ;"öñdv+ïÚÇÿäëa×—o à¸%A¤y}è#Ã}¡–Kqíë\Ÿ€·šX[YŒÖÓît‡ï‹«—WïûWïÞõ%°Óþðµ„ñ %=d_û]šö5¾{úÁüŒ.¢ÚÅé‡-Š¬Øõ~‰+?açzkÞuÝe1âùP„îùó—ϯ^¾{ùîêJ†(·˜àÇÊ•âoŸÎ^ÿ¡%Ñçš­³–Ä:6qméÙ¹Þžw]YŒ¾¢ðÙ³ç/ÑÞ_=¿ºÂ¸ ÿø1NÿáÃ?OÏuJD•Ÿ$ƒDfë«ÏÐ}Ò ñm_‡VìŠî¶ÅR7·ï]×WCU”‚gD,"{Eľ¼ºêãí½ì/?¼¡`?&.?£ö—_ !…ßaë mã+Eæyßŵ%Yfçz«Þu­e1b*)õ_=ÓÈ¢½|In}÷òªÿ#YÌœþyz6¶Ò³ñk+Žó}7;×Ûõ®ë,‹ÑŠe/‰«çÏŸ=K}lÿY‘}O>ö9f 0ŒYþšN?|øsµïKËv‹™u–ňã×1ºF3%V9ÙçÏ^RéK"‹öø‡ˬ% JWÍþ¼Ï¾õ.¼ëúÊbÈï„<¾÷Ã€ç «˜¥Àà=!Kå¯+äÞQÚàÏ?¶Æñ9Ó³¢±ëZë ®X§…‘*²(pEf dÑË¢ŸÅ9ÏŸ¿{…ÖGí™ë*>!¸ò§ö”—¾ýlQÿóþý?ÿîß?êÜš~|LV‰ÿò׿þåÂ\ö+9>$S®¯’É?þݧØum˸q ) {þÕû—Wÿñ‘}–!+¡}NYƒ÷Ï_*gû®OÎöÝãwÓ¸ˆV\çìà ÀëKƒ×ÿ¾’f|þøïñQÏ"8ÿêáú!ÁõÇéôÇ©~R³5÷®÷D#ž~A ¯Wäd¯^Rd!«Ó\*Óõüý{šý²ÿNÖÚ~øçß¿ ¹YÅø³ÿñqýùÛŸÿ~þ©|¦™¾JÌä÷ñø‡ÄÇßÎðñ·¿ÐNã×Ç®M\"PÏ.Î.ÞªÿïÎ.~ºGÞu­Ë¸ñ‡þʱꮯœésèØÜ>W±ÿxÿòw2Ýuõ¡?ŒmbcrÇâ[\ð¹1ãS‰«üWâFi§?‹o^¥?5VùM8×ÇlÀ©µp%z¯ŠZ÷Jcò;ÌTý Â‚+*{‘Ÿ}O¾ôùËþ3[¤VÛ»ßM§ã§cXE«pyýVâúí§çß|ó_ßüýü›O \%­ßâ›ol^åÝß ÎΓ™2˜ž=¢@àzt-ílÍq½—²­iŸ Q) ƒ«wÉ ÁúYûeßÈ Ä?öÇÈ*þeö\Ó*Äÿ¯ç…±«ZégÚÇ7ÙÛy¸šäãzE®ÓÏîƒw½²ñH,üe ì;ŠgÉ×ê˜VƵ2ƒ€µÀöŸË&Ù²ÙÁo§?j^‰ÖÔùš¼pýô´äå¬ú`nV¥»0R LÖ»Çè~©ö×)!«¢O‰Öóós¬G8§—oˆ×Ÿ•21àïK¯þŽk¨¿øü#Mø[†«ö ;ûøßÿ—>Çep}K†­?]ütöÓÅÛøæ>Ä®÷X#–MÒ[ÓýWîþY…^½ûòñ;z(n^â³qk|~¦£ÕgF´ªcƒgÏþž>®~²U¼ä´¼ë_E®VÞõ­]uÎU¾×ß»²,F¾¿=ÿögŠóßÒ´sL¶~ëUÞžÿüÍÏßz)Õ«wäUÿh<'›?b*ÕÚ\,#Ø$Ê}‹éVü“¯¸ìÛ³õÍ»²,[Mó®÷Rƒ­V¸®·,Ûºy×µ–Å`[[ﺖ²lë»®©,ÛzfÖVƒm½¼ëŠÈb˜Ã=ͽ‰›/±ØõæÞ†=ü 㺲ÎPLÖÅ\þÜñMQýÜ9Öa¥ÃDA2š©¨ÏØŠ9ÞTH;34tª³7Èù&áõ Û.|]wÀ«Ùã·¦—!’+…«xüÖ»ó®w"‹‘Ô˜ •g Ff[êŒS– ™,ΈyÙ8hö5ÐËgC<ƒ1ð™1bðáNò™´Æx–É¥C£1ø%ÆÏxæX¯áñ[E¥ñ[ô#`ßzGÞõ®d1ÜHoŽ„ &Ïî¦Ö‘™p6•MƒÉ˜¦öÖ’QWÁy/TÕ<¬±¥MØìLú¬á/-‚ÀrLš=–½ñ[ˆ*ã·š£f¦ßÉœ›;~ëy×»’Å€tÈHaŽíàêæ{RÏWXøÛƒWLokŽrjÑæLÂ×7çÚc^ ÇA9az¸zßÐò˜Åã·:Þuöø­Ö·²~m¢püÖ;Ê Ü‘,˜¿c°;ó´º× üÛ·ñ„1D)Ø#V›W¼»aæ'ÓÛu=ša†µ^ìêŒÙšÝ¼Sw>ÅÁ`ÀÛHþø­öæø­F@’-žŽÕZ4~ëz×5“Å€ÕÊ ÜÎ^‡,Âý”ŸoùŸµù¾,‹Á¶FÞõžÈb°­ŸwåÆØl«ë½’Å`[›`àžÈb°q0ÀÆvKÞµ¼,FšŸ‘,/`7ŽÈª£‹­ìrÞɧœEªl¯ì‘C¨ÅJ•#/µ”8w²]w6âíe1Ìjë²gÞ˜ÞeÛ]Aùk^f“U®Eù#‡ §¢>¸Q+J(ÜgÙšÿ»Äu#±›ÉbX-w*}Ópk¸…ÓZö:TŵԑCõS G%øí@Ô ×0®•e1 ÍÀ¬·ÎnFYËRç$¦-þÜk435WkƒÆŽ¬ýY ¦Ìƒs7h\c¿ÆòlïTêÈE6¬ƒt!díì/a×þƒ}4`·‚°÷k^á+XÞ:ݶ¹ï­Ðî×_ev3Y W°Úcdñ Ñx"kƒ&À8Cf+¿q xmD »%Œ°c~ÅܨµAÿø ¥ ä›J¹¶XµêÙÇäí*ÐèÕ?/NK^÷*XÞßhhµªqVuÏ¡Õâh¥p­.‹á¶.¶Z¹þ¬ßläÓh"dŸ6á4G^{6«©Ÿ{±ÜßBöëìÓg¹pZa›é—Ю ø œïÈÝù§ßo¬˜3Û¾•¬®•e1ìVÍÂmÛ末Àý×[ ÐÄÔ_ÎÞQpwÂòåÎuçïïמ’:ÕrG:V9£W„BJžtšÞ:ûõÚ¦Gâœ~ðœ«>8¿úüF¼wë]«Êbx½«¸Êcà¿:€Ù“!tš­‹î¹QðKfn+ks¢³_È+Õ•WÝ`-¾ÅíyבŸ9®°×bïzw²ó_Ó°Å:\-¸ç´–ô®w"‹ÁÆ6‡w½+Y 6¶9¼kiYŒN§£ŸfZGZîLz²?ÎÞ`ÎôÀæ²tîq»ÛÒŸË}3aT#ð­ü2åe1lÌŠñËv ?–Z§pNè˜;ùÛêäý":¥½j°Uô®åd1:¥i-ÄuZg.•GcÇÿ™urÜ}%\ãzg±k9„ÖŽz£.²ºÊê–ÛQ¯­Çu©:ã}²Ådåäž.•Ì5CÑécšµ3óÖnáª7è`¨¢cŸzê0wl*ÓÖRV£&à àÖb×Y¸¦tˆ 3ýÚIbW‹ìŒž„çdec‹™ûN7elÁüÍ$û17j¬žÝ \ÓMu\œâšSº^ÇóÎf5‘£w wÙœé>Å®­2ÞÕÃUX/æD$Óá:ÿö‹GvLè,ü¬]yD:·ñŽ~øc/á“ñCr‚ ·=ÓöšÝëMpÝ2í&=amo&Íá.ñ±"€k'ÿ£óƒ°£æŽ°W0Pí„Ô×d¾±xêè3 Ýƒ5VÊ¡ÕI†u!¸ÞTüŽNÔ™Ýà}À0àëü5òpu~.»¯Ž: 8Wë@:vœî—¹¬v}!MO¶›º+lònnY Õu²Â´F׈ù:ÞmÔŒ“¥½•;v<‘ø¼Ž[z3ÓYÆxÞØ(Úq´þOÈû&Æœ4–ÙV¼æl ŵj0”œ¨Ñ* e÷Ù”«Dž–°;Aœ;á;iÛw:Á ";6á¦üÍ€¸ȯvŒ\@z0ì 3Ïœ‰º[íý®XìdoTÔ’”¦oæ•ÅXºuøj1®¹¸V•Åè°1N·’ÈBL“×Èb,Û¹2lù¸V–Å`c»\µ¥_n$‹ÁÆvw¸V—Å`c»\µ±Y 6¶¥ãš_ [UƒmÙ¸nåáºÅƶâfâÚ`c[iÛ`\Ùj‹ë†gºuÁòí¶öÃVႬZ$àâê⼕B½dÛº¥ý°U¹ [¶c»s×ʸ²1®Œ+ãz«¸noo·ÛmÆõ¾ã*äa^›Í¶|jâÓvó&»ØÖ–»4šÍR¸n7NÚn3®÷Ý»¶%móÚˆö¦À©ÍÍí]w-ññXüæ±|iÀÜÖŒÑvv¶ÛþBÑúÊá*ðëíÆ•ƒÅ–um6Øöfã“]Ǥ2J¾ÉÇu[áúàÑ£G áãª0–´–õkì2® øÁÒº³+vÇÇ×ú§"\ÑJ\7%Ö.®’UÑØ”´Î T8¸n7¶W¼``s§½³¹Óloî6›¿ˆ³!\%];*ÑŸk[’Jfâ5ˆë¶€OÐp›À™ÆÕ š›è7áD.°áD¯¿I¢övfÆ2I¼J„n7”ݶpm¶Z¥oÝ,Ƶ­w·ókÆ•q Ív[y×Ýöæ'»nôJ0¢[m×]WÓ£n7vÈœX@óJ´*n‹qÝùßd¿fïʸæeÈ9în7)™%Ûqc׶a»®2^ÕÅ«öŽZÂÙs“&d´nB±wýD{WÆ5'3ÐÜlìbòu³½»½ƒÞ³¹c˜Äj ¡»­®” ÐÅ«vNÆymBB+Š4°we›?3Ðò©¬6¦V›&­iÉß ÚM+vm¤¹ÖvÞ¾›ŸljZg%²Rïʸ2®á`@4v?Aﺻ»M©æÎN¸øŸàÚngµ öý 2Ø´fI¶ôšzå%HÙ›àÕ›M¨Ó^˜0…)ŒÀc#B ÁBä eàÂÂÿvà6l?¢ÛpÀö9NléÉAjØòLt)dd¬ÔLM¾9Áº|óuÅ‘VŸüTnåÁˆcj4,p0H  z¤…(Lá Üó¡F†0„+Ìa\ @|çÕq¦ î³ÚÅš&à>N#P—p} …{@mæò%0)hA_$£„†Ã4òiCÀ–pH(8š@E@¨pÒd^= R:›”€üó€”å !ƒ²°Aô  ü«‘7&.+„ Úã'ä€`(ØÌ’¼–$.£äU Â$J0ýLe`ÔnÈh;)«%8ðÔÿ!Xrè8l Qˆ¸E( t @°*´ì.G8a\T€Î¡å jW‹¬¤€ \°3+¸JÂ0ð½no{Û€¬`à·W½®ŠXúS°¡YJ# þÄSÌ[%(ð¾œoµ‹1‚YnÂå4¨;³Ë Zf̨gV‘ D™)ö .ª¢¾D—~é k§ñܧ¼‚*-‰W ·À1Ý ’ `f@X½ÀUA€)J7 ØZöU,uiVé…+¥²Š„Û——®  L4 )¥¾úÅÿ¬%™lËbð/´ ®-.ÈhYÀB‚|s X\ãP€Òÿ‘mª3À 𙳙ä¯ûh§ànD´+ñî A‘”¤‚Þ T5A¬`ºÑ­.ðCÛÇe33XȮ˱^à¼+À np÷Mw8ØXtApƒÎ4Á!ƒ.s÷Ëßþúw¿_˜BÈÿøÀ©ÌBˆ3`!'m„ÀPŒ fm(0‚7,™+XÁ ^ðBJT¢•²ó+hBgäÙ pKèIˆ`ê¤ B¤Ðœ'ˆAÃòDàÀ…" q<(yêšpó0©£¯=ÝEE;8Ìj*?"BÛÐ…%haš‚ Ã?öG ùÌQH¬•Ì´øÿÉ{3“@@~uVF­ `“¬ A/Š'¼ÒÔ€½Àx Kx–†"±³·ûH³¸`ŠŸlK¨í¤ð²â(WmñÆEóŒÀ=ñéq±ƒ;–€wPc¢ ÅÚžhAoàUÔ ”'ŒXÀl¯Å@Å Õ@Òð#‚„ ZйqàoäR¡Øç•Ÿ©¡ÍÈeþu&uÿT |wæÅ‹¸“Sjz5`E‚×+T€nÈClœå¸ ú­Žë²º×Tuo2)¶!)X/–RLk!Vü‚%«už†6>Pþez%+<@_•7pyô±A¡“5ÛGBOíÇ.‚öjº7OdÔwBÅ"KÖr"2P³7(†.pçv—~*L.Ãb’)þÁ§¢³Zôå+ÐgƒÃ6Ãe\w……R)•7ó7z£RlPz+¤&-pîBFRBPFô(ò'!Ò!²´ƒAå-EU4ir&ëò"9ó"”âPç)`",:ãEë|³ÿ¡4NH8Q³¦å5¨±QVÒ:¯c #áAWýÅW€•1}•R{#+cX}+°ò®ø30 ¤‡…R(ØrÞrP0ȆºAˆ wæ‚~„¸2Tulø&2W'84ug/má„Ži¡/oÑ"¤Y…Sg«%IŸByé¡9ðQgïá0`d/P]6A0²Â;cFQ^-ñR+ÅŠA0ïˆRw³73E„/cU°±UdB P3øg.s‚¿r/ÍèŒna°ñŒÓø2PÞG‰gA]c‰g…8¬u5`b¡áóQ’p³uAªsÿÆ6¶ó:0AW±4ÿ°MãÁŽ;Çx+‰†³ò7c81­òèÔU ø/ûÁI«UšÓYOYkqZc‰eWi‰1°‘hA’`‘¤E‰.@é!pçµ$g³gMôLÄ6•…°6à0½C3@RrÓ;Çi,%+}X3pQ¡3]Œ#9+€ã8ŽViL" •´åRäVm¹]a_(@U–ã:&Þ¨žóopÇU—ÂcP^QWú˜¸™›º)ZP`¶›À)dL0dÐe`Ò÷Õ!¿œÎ =àGL@X P€|!½–>!{€Éùœâÿyi^`àA^ePVp$ñ3VDÀwÌ =Y q=EÐÑ'žþih >n°H4ptìÃdÿv66€>&A=†!ŸJýƒF a i Qþ£-“öŸ¹lÊçZ;Ã%G'E¯eg•‰'yu?EY`GS`ò™`aàhÍK o :oëY¤"7YA<°MäD²•@gw&Bj…P8ù3ˤKÀwXðS ¤Ám€#"U ¦CdWàå×0rZ“ë3N(™a¡[y¥"ôˆ\b/_õÛ¡?Q€€¡Ha¦?ÿ–C6’*u@1©:©“8ðšAùqôl ZâIQ“’Œrn"††#Pƒ1?FP«ƒ"?©ÿö«ÅÆ©G'P*%ŒS¬bqQ™Ð¿buïT'° ‡k¯êhë¶-O€Ê«wås}ñ“ÇdÇ*t–p$:vÖ®˜ÂgÁ’B“2,êg-Pt‚O)ÒÅ¡LR0‹ÎñOP ®Ì5#ññ!6 Y[ÅŠ:ð®MCB\âþqE*`;h+ã~Û¦,d'-;5KÛrH jª°ÝbJà°sŠ}éÿZ:@±ð“5vJ¥ê„}ÆNA[,¾ç °–{@@!@àÒ’"û×À3RàGZ€mY`F°Rà­.û–AHC@…TF i胢ÞTBÇÓl¢mu{ªîDŒ¦)h¨~ €,2¨'G(;(zp¤=0ì†êÆnEP\ûn¶!©“Êrp°¹p0Uä¤îáKj“Æ™át8™ú±öbªèt4xk,(˜zn˜{ê²O¬„GiG"ØÂvøä @]pQPQ‰önSÐ4¶=–[@TcàØ{tã„/@³/qº<ÿÀÈ¥:0NæRz¥ú’RWE8³ˆoR3pÒúÄm³æmÆQ²{(¿;(ptPÅ‘'»Ç.rx—Qà#R ZÐEÀrk6ŸÒ»¦` ãZ>¶ƒ;¢‹½)yËÖ¤N¤šçU±Í†g[JÒgÝW§¤‚G ƒ÷¤¿bÇ»~’‡ü×-p¿‚{Så2HC&*€w $X`nfÚ¥4`àGáIiV€&aU¬ëN`§#u°’":I¿Ò3IðeŒ‘]Ô €¶Ttƒ9¥cWvkôOQ;"‚F‡+FÈj/" –Rw’ƒw‚ üƒ‚ÿ@c>‘Åü¥¿J}#§ßk;’Ž‰ã‘ ÷YIp8væ.@&}v»±%ä±;Ã{m\­n(!rX !eƒ„[¸ü.d×Ãw‚&/‚4„X¯‹Åy°^˜cÈ‚€sk@`3:ßdgðÚÛ˜!Žþ†©×¼®wÖ€ç´Â±‘ýÆ=ÓP€Æ.puØ6,×2ó¿Ñ­'Ç%;¸üK‹Þâ‰B¼MEqüÌ.hØ&3r_âŒÂç+ð”$°p~@RÐLÔQbPig°¢ ú€dÑIõã$rë%àœŠXmè"ÐË+½ñÆ-@h’{÷ëzM{‚‡¸ÿ<{p´ÃãB¿¼d.”Ò·”RÐv7~ƒóY©±5°$M@£rt`³‹±h¼séÃ>ž3ÆãLμâ§b‚±}&­½×Æ F·×†]篮4vhÓuˆÃ´X"ßb{%@F,Ô‹wÑ{`‚UîT/Jã}h:ea9°…¬)\N=nõd7³5ª©§(ðAðÓ®..c,誀)Ø'¿ØÒoÌÃiÔ!a§SqtÚ×RÓøü¿8!BÀ2 ·‡ˆ×åŒ:Èã—•óZ+Ù8L¦:T? €yW6`7Ap71E"ê[uÈI§æÝGÆ£„,,p»ÌRF¸«»ÿÂ,iÔ´áÖ'±§ƒw¼‡ÁË‹òÄvB31ƒ×ЈÁ"WT/KSÌÛ—¥šn帗"ªŠ}u7ø8†*ÅR®B8ðòm âà?³Bç&.Øvk½'ö§2=v²wÞ;h(³ºGq½h°1Ò2=Í(ò{.«VQ[Å„TÙ€J÷€€M˜:¾ZW"0›ÃÓ_p…I+|ÓRˆUŠfØBÜ]' zGËÍ’"<•ÚoM"Š²#ð>8r‡BàË-Ⱦ§ÊÁÂ0^UWÕ±@L‘ù„5?eU9` •ëE¡’—Å&Fôëh`OP˜cˆRõ…dÿø*5UXfx"å­ƒYÞ·èƒq(HÅé— €œ êíTQy=YG¯J3/Ô­±Sùn‘YO:g±§¥1`%PÉ8H}Ô¾¥6áÁ0`/p›X˜ žR®ØþØWÉ}7¾‹Ë-=.ßB2E#.üŒ,üìθUŠX€  ˆx×y=,¢2ðš$ ™’š•ŸôY£Æ/95ÿÂ5`ygùMcÓã¾%n“¤¶s70ðBfRþˆéŠ²X‹Œ2Ã;…i˜¬HBˆ")`Ò±×ägˆ=mqÍg[äNqQ~}†E{–)À?BÚXÌ£&5yI ÿWëÑ9VCó³®’,é :&‘hS'‘—5)Ü8 ìB†0Àì#Ð7/€*õ`HX25”5å7ßègtÒ8…“jA,»³±4¾¢%__ꙥ/10|]bÂXÙZ±Nšû­mu–‘I:w’œé>A/( c;.Ûä6v5à¸i7¯¢ŠD9X¬rŠ‡5SzCÎg[å4c5ü¢ãðºÑæXI0–u›å¨Þ€{ @ªëžóŸâ9®e[‹“:dƒëk©‰ÀD¾å+ÀšCÏç±H\¸;²É«EN1ÅžRÉ]ð/1„UàlPöš~³¢‰8éñ8kÿoã”8s_¡ ª¤éWÚ‘f‰¾æ0¶n…Ÿ1ïqYxx™—; 6Å…;Ya;Û!DÌÀ hDAA .dØÐáCˆ%N¤X1â&l ÐQ#GØpÀä$n(  M,€ã )àY nÜTPt¦ME,ȱ"O:.ä  ÁŠ§,‡æ€ A‚8||øâƒ4Ðâ "Ä8FDø°®E¼yõîåÛwáˆ3æŽxð FŒ ‚0¬¸ÐøŠ+HHqÁE –-‹‚X‘Ôå ]¿ò¸´‰'9PèÈœƒ gIƒÐü™†$GØà=×ïoàÁ…'þûnÃãŠ1,‡¸¸ñŠäÅ¥O§N< ;images/feather.png100644 0 0 13210 11256637627 11632 0ustar 0 0 ‰PNG  IHDRøFÖÏ©<sRGB®ÎégAMA± üa cHRMz&€„ú€èu0ê`:˜pœºQ<‰PLTEþŽþ®úúþoýOþ5­üËþýËþãþþäÿŽüpý¢`þXoý3ÿè«‹Püp•sú/ýîϤn6üK¬ûc®JŽ+ Š ¼3PÝnܪVÃF¤w@qU j §:¬ÃO+„8 ÉÚ2ä$r)ÇÐ7ÕRš úù÷Ê.ü‘8ÔѲfÍêèå–“†mi[|}eàãCCCX7¾º©QPKïïïä æ!!!¯¬•___..-ppoöf ŽsüÈ£þó㌆£—‘——•Ówô«š››ì¸›ÏÏÏÜ×ÈËÇÀ°¯®ç’fßàßüç¨ýåíýªV¿¿¿ôßЃ‚k-3û™"êgañÊ^Êr3ÍŠWÕ´@Ö’ó—ee_x’ay’)Rz?n7hDf‡8i6[ýþÿGt<`ƒ3fÿÿÿÿÅT# pHYsÄÄ•+\IDATxÚå[‰_ZwöUÀáä¡‚"‹<},²È¢€ Šq7QSc–fíL§3¿}“¿üwÎýbj¶NÛ,;ïÓI5ñ¼sî¹çÞïkWûvmnþª/ëúÃ?­oýspð¯•*à[„ûø¬Eô¿„¼²u±õ‡þpo­Ý~þ²ñ°}ÞÚý(òʃÆÎYå¼²w°U;>Ý=n¯]=øÈíÿçqåæKýîÝëŽÞj>=>Ù|ݾ8¯}ØÜÏëáËËו›\ãwïܹ¿¹ùléðþî“'w*c;ªÕkµÝ‹­ÆÓÓ‰¼~yyé;­Üds«NW‹¡©©Éljijñ¾üfm³Þ<Ù¬]œœ¿/õÊÃ=°}¹ó¼rC]ýÙ?üðc.7ìv»nëU¼ç'‡«t³­zmsow÷¸±ù°¶öŽ‘ï¶|¤{oí&¶3Êû>Hžšœ,·o†î"·¬µ@u­Ñ¬mÖÎÞúƵ£ýK^;•›ÕÇŸ={Ñnßö0/sù°»¤zzzl :^õ’ÃQøðÕO6OŽ÷67ëµçç?·¹úŽÀþ·Öã`*?ü°´txx˜Ë-NsÙ€ÈJFÍf³FÒ6k:ˆ¯üàhw·µ·yñt¿µÛI®k›­°Àþ¯Í›“Üžðêˆ{r¸l–YØÁ WO0bµvuÍ$gºf"6k—‹À'§­ÚîñÎA‡Û­×ÍKuí=¾9‘õÏßáZº*†(n·û¶n ®ªlG\]]ÝÝ.Ww÷ÆLw÷,€7êµÓ½×g­SE÷ã§ûؾƒ•‘ÕïÞ?< …²sK¼¦sÅMȺvÚŠ dÏö÷÷Ïúûí~üÛ¿Æ÷ŽŸÖO›¯¥BÖv:°/›oÈòbJªy[/.Rä0qý6Ä Ì‘êÚšžé²ýv»Ý¢ÍZæ5‹e¾Ö^ÛÛyZ?h5Ѳ¶Îë¾Ë7tWnÀtöèÑ£¿ü-Wi¸KÅaQù@P§¸:fWºWÿƺep0ãì‹Í÷e¼®·šá‹ÊãÝfø öåþEåÛK_Š•Í`GÛAöh~¢•Qß]¬çîä¬dg¼ƒ}}}Zo¯ïux«ÕÚÙi=¯¿Ñ8Z÷;QæÛ~~‡W(7,º££meá=bew·£ŸEm±€ìùX/.ïªÓ«9WÉx}'Þ¿¼ûxí›_DüeŠ]«ZÔK¤øJÛV놲p+¬ŒêV íÚ:¹îÕ¼N§s(1´Z®µ·¾k°›µ­o{ó#âI¨˜­ ×·õ PDsïVÇW¿è{ 5oÉND‡††F¢c˱±Í­ÝýŸ+ûwê›[ßðêIâw.D+ êRØ=(d§#]"îäŒzïNf,¸Åïëk½àÚ¹‹NF§£{Í7¨ÿû_šÝD|ÀJÛ2Lêû¶a¨z6„ã¤K´=›Çï ®¾¾Œ··×[RdNG§'®Kü_›¿Ýeã]^Y3¸-ÁÛ,ÑÊ‚†jZºôéÙ –´Ýî•7‹Å}÷¢°‡b1r=˜^G}é«?¬¨QtkmëÁÖ7Ë“ûž{ e¡œ*écAui)gÆP°ìwÙ)îŒzƒ‰k”7ÌlyhdyTŽ¢Óë°}>ØúÞÁéñëÝ“§Öþ7äêwž={†é2´Ş]Õ#¤yfc†%ŸH&#ÉZÆBqkó"qtlÑ7<¼Ãõtà-‰ûšý}v´æ~8ܪ7ÿÑR‡ª×Ö֯ὑ ©ñr»¤·Ý’Ê”{ äˆKÊ™Œ\{Ù³ú¼ò†ÂŽSß#cËÑ1‚~ õüßDàÁVå`¿ÙÜðúø®?ÿ×øÝ'ß---.†Š¹{ž¥ï–BÅbYFê L B/±¦1fr¿ÆPfñ{-$‰Œîsò\–ÇèfQàŽ^¯ëŸ#å_v¼ßj5›û­§gg§{ïe_ø#fîFãϸ~:š ]ÔÕ² cb%˜-˜ãÉ‚éä ?l^8r¨p¬ àDÂ)>²@]NO&®Ãž˜HŒÀà‡œü›Ïêͽ£½½ÖN«~pVkœU¾*ðGJÌÁ¢GMÔ¹¢;¸Ì—‡9ZG$—ÍlH>Ik 9£ Ò¼ËÙë•Fª†¸—'–ÅÃYÙÓoƒ¾œ@±GQûNo¼—”7GÍúñËz}¯qò²~zò²òµ€ß}òäQµŠõ'‡ #ó–UY¹|[ÆŽž…°q5u0™ltÖ (ioFY»–3våc~ }¿ ¨ù_F–½N4¹øàú÷8CÚ;k쟞¾®7/ž×jµrþ€Wž-âP¨lÌ´ê ×™´éS}3|£gÅfO’ñÁ¾yMÚt\£¼Wäzlbš]+ utz F7™S$q¯ÅþW$5ÎöšÇggúîËÝ­ƒ‡_øyè×b.« ºZUÑsf£,Ç.X×:£eZuk‹?)¥MÐ^Mõéë™$E;U=ñ× ÆÕ‘‘…ë´Ì{×í³ßó éâ¸Ùxº»¹×ªÕ»ç{_nGÞ¾ó(WÞ¯šÙZ‘ºKr}B+ëYPk2d2Úx· —–Á˜tk¯ä±UeaËÐw”Mktt‚Uý6j_€n¶ d'UÞßÓï‚‚|ëim÷åZ­±¹ÙllŸ¯?øRÀïtÛà‚Ófq[mtêÇvP¬Ì:£»º™?ýòæÊ°gÅ55bѾÅÄæ¨hÜwùÎ51½<Xu¢©C,m|slÖÞßïšé²x{ó¦íZãüèDm˜?;ãkkwúé;ÏðlåØ%C_2Ž¨ìrv©9Ã¥œ¬ú¦°-šÝ)jîO0i%ȵ˜˜`…¼ßE _Ž. ÅÐß3üfØ?nÞ`Œváš±Ùüq㤆Z?:Ú=úóø ¬Kr)lA¹-©Áj!¢Ûdݽ![AŒXÉuÎÐI•¾¹G«1”Mk•5½Ê6=2Cö–’F*{tL‹Ž±¨QÕ1Ð<<‡? ±ÖbgétE =o£‡Ñeë'kŸxåO¸Ê¬ãm£¸8)ž]2"jQbMJ ëîÖ6ÔíÒHÖ5µMš@éc* ñH¤À§¥¤£÷0ÓÁCЫ:ªfzŸÑØ5Äú~}[ýòÀçº5O+Ÿø÷’]šA”qIT΂– ¡º6ü2Nz7dWd÷klϽ^—LX e’M´Uç­NMKú~¯O‹•!˜­±ž½Ú_qã´y‹}Ýo±³æÇ]6m¶žžÈ¶{øûÿáϸ_‚Ž.>cV!®Åúµ% µ ìüÚ¥sÿ ¬³Iáã二љ˜$î„6¯f¸,–¥g-+뎎Nô¥/†/N¬Š SóÕëG €™ÍBCh\ÐXÍž‡£XÎʽdŒ'Þ^®R¥žÉ5€Ó¾q.ŠWÄ]Ô4Zv^p80墩lëSK¡pûSç=+Oªìœ`X]ÉÎX…Ä™Nw–Üýý~Û'ƒ)¦¤e€V!£;uÒ¶Þq¬¬[ÓbhlZ™“1˜a ³Ä×AuFìÉWBž°õÚp»òððd1ÊþF~x>›"îñ[ãžPz¦cZ~"gnR…m;‹ »Ñ„²l%é±hB¦*Aí ö}3štŒ…Ü˱CsŠÈI³Ÿ%´žá2ÊÏN ÈMŸYèq ÇmÓà„sä©©pø77§w€‡Ãž`÷¤ð¾’sÍ*Ó‚‰á^ªz]óJ5sî˜t4!GÕŽ jlZ2ç/ÆT“nEeÆNqDN+,hWoð±~n™—é—/Öˆ x…&'§B!,ó²¿#}¾<ë‡Æç@÷-ÎwOÑ5¯òF(|T† "ºÆ`ØñèéŽoMG%o~.e=e'¼¬>ï{ž·O¦Ò^i‚8!¢‡©t‚ý:£ KV”‹ƒl·»\†¾Qؾ|.ëkp_Š€ 9õ:^^Ñd¨HRfŠèªSò4ל—£õ¦k¢ŽÅ&¼ñxo;SUô®Œ $R†ûs ßèRÏ0oá:í²Êñ ]¼GßÐäú^þwÏX?÷eS ›Jèr æ¤Ö_y;F½P#ÔœÀr[ÿ"\ß%èï@ÒáØêªs•3¸åëZ¹'Äád˜ÆF£qóÕÉ”ñº¦Æ Z—2+<¡ƒ{Ðo—C±­ r£‹ÓUD:Ч9tÀÂl<`à’ˆÛ%-šWÁy1‡u糬 »Úy%l‘4»7>fQ@¾ëG¯>ÁÓ2óëÑÛ'¸È®¶*K3™",²ÿâ4·ð.ÌrS€=?¤3nI!É+·Æé‰LW:‡y:l“‚NsæpÈsÆmBƪgr2Tä¡D?×gZ†wÁÖÄ»Wæ²B°ïê”™ó´àI¥˜g4'ˆd"ºYo‰œÕ2W#2'd‘±WªÛ ‹ÝÂÓ?ëŠó[xvÀ؉0Š¤q$0\5±CA9#•e³8qÄÜÎÈoÚY–­k\‹D·•«[à™[Où¥jýÜq1V05³…\¹zZTl3Ò"ç´,=Ó2KiB>Â… Àb=¶m”e¤,“_Ô‹ù*!ç€ØÄáö¿º$¥ÏÍI G÷‡OIZÃGÏ+©ÚYïm8%y°vF MLÓQq9G’VÜ ˆ` &eŠ”Ü)s8<¬—iÔUq9$Šf{Æ~K ûÚ_ëz“ÕS¶.ÏÕ„2Nºç\R´.>¼€P!µÉ‡L¹éù…‹úæj[)| ›‘Á¼9£°Õ.S¤O¨r¨B;^œÄãNìÉ8Måòíp6Wô…s.¿èwçñ0Ú¾xH·_xMr¿åÁÛ$N'6ÉÑ€ZÐù("û®XtÉLóØ_gKªi© öâjQ(žÄ^x&$GÔÅð[ô~]Ðïo`P] °)lŸæ²²uÆ ±è‰èaÓ(áÒÓ36Å­Á‡•Ø‚ÜÛüßø@&*b7¶ •a~&–ƒ†œsy_žÕ›Ïç¿>Î_·e £³·Ã.W:­·}¦ŽË ›3‘§EÙŽ Z š´¨jtßÞÞ.œ+JÜ„ð[ê«rUhAókØÕg®Ô‡¢3¾°Fz0Í0>ò6FP7Û&^|>Ó$oLÖŒ %à g‹Ù|Û,@I__û½~ïùøûõéó]³'êÄüfAóú\ç$ë±™ÞsIEND®B`‚images/filter_arch.png100644 0 0 4553 11256637627 12470 0ustar 0 0 ‰PNG  IHDR9ˆ™[ccPLTEÿÿÿUÂÓ~ IDATxÚíœOLÙÀßÌxíÉ–5H­ii˜x­hUõ`"U•&C°[»ê岇Æ,‚½T•æ`…I0‘¢{/TBJ•zéa{ëq¢D¤H[ºRo=Í©Ü*Ø^ˆ„ oÞ¼ùã?d3ó}YwžÛóó{ï{ß¿7Ï!IKZÒ’öuµ1ˆ.#€®3ÐÏ1z45²O~ñv”/Óõf$t}Æ@]¼Afp†¶’jªRc ·ÞF˜£Úwç§ÞÂÚ¹lFï‚ìôµ¤ƒžõ²Š$ ôF–©÷@ü5 QÉŠ‡@–k%¨GŒ 2=PÕ ?=ôØ^ªÖï<·Ì¿o(í£ÚÜÁ’òCú´}4ù« }uPõÉÁIuãÙ-óêÏOæN”kÖê‡Ç·—7¬s´6¼[Ýœ£Õ݉ݥáÛóûʸ5VŸx°¿¸iFÕ_¬Uí¯ÐåÅÏ2/샹á5¥h-nçF¬ê#;ÂО9 ç_Ðå>:bsÄAævî8ÈÜ–Öª›d‘š ”&#Y´¼=ü™Åžz6±ûÑÖ¿Çhb÷·¶çØ­Ó}6GÕ­(=z~p²¼ñìÐ2ûF¹Ôær' dÍ3©U£HÍüÂ^úqýŽÍ@ýî:Ê-9 9û?“Õ:¤´énÿ§chÛ5Òn7Ðò©¹GÇ]ž¥ÆµÈ [OJ6F‘uæ(‹Zp@’æH”K žÔ¤]ñ÷Aª ‚çëE$Q(È+<Û–™P *}Oiµó’=Ú« q,P†ªHR»…%þÌC¬•} K×æ)–öC»äÛ£ в†e³X—B^d’ý\d†)æ’ üšÓ¥KñA!O˺d4~³þטc |?ë’Ѹ\Ž»ÈCÑÈ$bƒBñ‘…#64Ð¥¡ËÐÅw~°¶‰“A¦°RÑóêÙ¼ÿv d\À½¿uTÉÏR P­’/!õèê4H7(Ò•@[Ó‰®½D‘@ VF°@6H¡H ,©- À#ó@ÐÜ_9=ÁÙ1™:òÂRHëgCãû­ÐÕ.ÀG¦PÕBw~ú¸ÔØü@G&’¼ƒd¸?td’È ûÒÐÕ(z•‚Ò̱DÄèdÙP}Uhœ"l(H[`ß&@9,‰"çäIÐóòV¶D°t`i?äÛ#”h̀ﰆl6´ù^<Ûõ¾ÈÈ÷ýàæE#ðYòâ£ÏûPJ@ (% 74z*¤a…Çÿ/ åô †´¬NÐ1é·^v‰íEùAh–±É5: )Cæ 'eïÜGðn›+¶{Jµ«Áqeçýœ¯Iª'ÝòY$ÎÍWÿV¥ÂòOqFÀw5™ìí.ÎsMºí"ÉwêÙïÛî n8Î/´ƒäJqAÒPa§é€\Áé]©Ü¸b¸]u7ˆ?9þÛrAƒ…A‡’½ÔRò†HŸ,ÿW_ècuô‚ƒÔ ¥<ò±Y{ªŽ2PÑO” Ñê®y ÇäfZü´ÅÝpÖ[Pµ¼!Ò§œ7/" ¢~b¬I¼¡é´ïþ);R|úéç.ˆÏ‘åçR"G´ˆ¯)wí]^ržªòù'Ýý[#_)ìðá¨ï2©™â³SÄ?ªb´ƒü•=å>ë\q´þ0?•ºï§•ºw‰LüdS'þ,¹´"=ùIó‰a0AÓõ‡W‹OcƒäÂÎ'ËÈ9 ]-„@™Ómÿ”œ9º_lÓ¸WïQ¹Y0xêŽÔÖ?ÿ*Pûd“VP«±" ©Ý¥æƒvšlŽ‚^ðû)ï‰Åa}~^î.¬Ð‚äé¬ÊÅȤönø6×pÕà Sl¡yDÜ•Rþ>boe”©ö?[âJ«Ô‰²Ú‘γ¥PZåöHõí‘!ìQšáÃ`jeT[͈òNêF#_›á2å[HCXHÉR=S«ý¬quzg°Õ°½×24f׹͖ƒã%ýžñ×<㯕ôïQÈÔ¾w/ž£ËlŽZ½È”çE2ž;RÙÐ\PÈø—*…°Ô¾=þ‘ë×h‡_#×<™¹102ýç½VwTÓI‡z„©`ÕêmZÐê kc¹® ³dt.{µ’ê *~¨#ˆX½Wèêþs úÒ°fõ^îÌ}´H —n¶€¤xÁ¨r6(ZxìoúWÈ1ãl d¶_‘Š *bríW¨1A}X tûZLŒ’Ú¯Ðãæk dœiá"‚t,Öv RÏÐâÈ Tw)FÉg(hº.'[oˆeÅþþZ¡E©BÝ®C{tᧅ?¾Ÿýž~ýf=››ùðãø Fá_4®è×gËBsv36èp Ð,¯äõZ‰ÅŒ«¥õØ i”6ò†Q*æf —–„€|›£Rü9’² ô»?PcÚ‘Zécèʦ@OÛa× _7ÂwA%ø&¤ÛnãƒÃrQ| Fì(dΑ,÷ ¸¥CÉ7¨åÒWót/¥bÜ3h§4ÀGü/yAAÞI°“Dù‡tôôÚABj&–øáçØÄÊNƒW¶Ð5i…"iÿ¯±ìÑE, ù 4› ¶þž{6ϯÁW O ?îåù~+©÷â#÷/Ö±@Y,üûžQ3±@9,P /Íàþ"¨ ¤`À>é5ìDÈ°Ò¯ôá_¾…še·£Q@¥û½ Ú¹‚úôŸH+›’ž‘^)_– ’ÁÉ¿ÜÛÄU† (s´WÔ‘zôe $§@ "Ì‘dËò{ñ‡æ׉臭ë rì«A- `T÷˜„̯7 Ø‚ (À8;¨É¬7æW‰Æ´~Ýh.jŠ•ý‹¼Zþ&¨6dCÓG¡´ýX…”n!ÕÑ’hÏÖÑ:G óWF ­B^Í:OûÁ‰1Z]?´JƒhµѪ1¢Õ‡Ä«X‰VCóÕªzF‹z:I@ (% ”€’–4œö?)Å0ðê3IEND®B`‚images/filter_arch.tr.png100644 0 0 4706 11256637627 13114 0ustar 0 0 ‰PNG  IHDR9ˆÞû³ PLTE333fffÿÿÿf°À· uIDATx^íÝËŠä:`™]A Ì‹äVO1ï+ж!³œz…€ØüC¦3KÇVÞªOg*Ò¸‚¦ý!)¬‹3!T)!=Ó3=Ó3=Ó3=Ó#ÀP’­‹à£~ ͳØ3åâÕ{ÜÝíÔD„sâWpöÑ<<ÊÊ)„' „}¼GÎíµöŸ,§þ¼æ×;=süšžAez–陞ß/ž{¦§/2=Ó3=/+Ó3=Ú‡œ§'@{µf õ ­~ pÚ6}…G)´G¾=Îß y^Ý^¶õðhO­þIžøcAÊ' ž””Ô3®ù“àœø*ü±ÖE_äY–¢™h)žK:U?3תêLT>2-ðüAT«fZÊç1Z^â‘ê¤Õ?YHä§#T=3©VÏ\Ίc€HDê+öRg…G‰8Pegr]<³Õ³‡@ä¼Ä“Ò‘VO¢Óõ䜒~zNËÙÉ)¥³'-/ê?¬ÎZ.õƒ£€B3Ÿ› ÎÊ+<ΞïôÏ™k}Kÿižs~‘öù…#ââ!¢ZWÏËòËüIJ”˜tsÿqRR|páÖHéìyÁýçÇ {®æS¢{ž‡{b4ñørn¯ôŽùXyn+JÖ³óÃÒòËi¼Ç¹y ã=u“ï4ÜÃö(6çÁžºõ€{h穃=¼óØXcçñé¹:úË®ã{¦G9–…Ž”_…ƒå{ÉÁîÏ…ƒ_…ƒï…ƒÍ › 6V ¶¾P ¶þR๷>Uàé×ï=h½ËÓïoô wä žÇû?ºØ qž7Ül‘P‘XŽåÑHEÕ^îʃÅÍjOƒÆñX0Ïòûžù>ÉôxÚôlí1ð¡y€Dò(ÜuQ)XLùÀ£=Nî!În"<Ü=y„3bx,’2¬Ðx!»C„&ëáÕ£ŽýGÏ÷Ö_#=N[® /´"ØXòîe¨Ç)Öø^Ê£ËCéÑ”ÒÒµÖ0O"@<µ&réIçö*ߊ%Æû-¥EÆy”±Û_ué!4sS…xžR[dG6œFzœ·.BÅHbë©ÊC=uçQÂPì<c=¼õ(s(Ï‚±ÇÆS äqŽå©ˆåÁô<È/€§çÞýÙXãk|kþÄšˆ5k}ÄZˆµ>kýÄÚßaÿg´g>?žé™žé™žé™žé™žé™žé™ž¯O—òÏóÉ`Ͼ~ü¯KzŠã)@—1î<Ê«ŽBÔOs(«á¨ß€ú„ÇÀ;Ÿèªhçæ§ê‡›ÞmnÝ ¢Cšy*”Öˆ¡6ú-m<ºtŸî‚»Þ°ì=‹Óÿ„ù`ˆ¹|0øí¥™Šûö…‚º„S;Ùx²›ýWò% Ÿ]P£Ë s¶]F¶Öé‚]ßÔf_r¸êIb¿øèD}ì©`β†ºÆèƒ}×í<º|Ér Ðê©’ÝúØ£Ì)Óæ?n§·‚0ìÏ›Çðun¯ÕÍÉLŽþÎ0w’âµ^ñ@˜Ý6ßÎo·µí]ÿiÀ¾z”‹ÇL8ç|·ÿTôíÑû'µà}~}}ç—¡yLÚ“U…pv¿Ú^—ü" o›>Øß?¤Û_Í#fU$ë_=N’:Ï®p>øØc{’Døìy`Â~ÛÓ_Ãî»óoàëfP¾ûÏ{/˜žé™žé™žé™žé™žé™žé™ž1ez¦gz¦çÿ⨠ÉgjoIEND®B`‚images/left.gif100644 0 0 74 11256637627 11053 0ustar 0 0 GIF89a €ÿÿÿ@Xq!ù, Œi ÜLrºe z¿½€J;images/mod_filter_new.gif100644 0 0 4530 11256637627 13157 0ustar 0 0 GIF87a§K€ÿÿÿ,§Kþ„©Ëí£œ´Ú‹³Þ¼û†âH–扦êʶî ÇòL×öçúÎ÷þ ‡Ä¢ñˆL*—̦ó J§ÔªõŠÍj·Ü®÷ ‹Çä²ùŒN«×ì¶û ËçôºýŽÏë÷ü¾ÿ(8HXhxˆ˜¨¸ÈØèø)9ù`y™yp¹`IÊÅ©™@jp*’*Êš³ZñŠë1Ûj³º Q jŠÙÙ뉪{{,“ªüÀ»,[ -ŒLkzíÐÌð<ÍÝ[ îâýͼ lìÍÎ^‰=Ý ýùNOŽÚŽo2.?/­@]¿|5ø"Æ,X'…ÅC¸ïWÁ‰+Z¼ˆ1£Æþ;zü2¤È‘$Kš<‰2¥Ê•OÖ±|YÂ%Ì™•$Ò¼IÂ!Î5eòü¹‹!СŒ= ©Ò¥L›:} u†Ï¨?§RÝiõªÖ­\»zýš1+Ø”bÇž,k6­ÚµlÛº]ƒömǸr7Ò­‹7¯Þ½|¡lú 8°àÁ„ ¶)çîQÅ<bëXGd-“yV¾q¹o“Ì58kVâYêg5¡“Ù)ý5 Õ~!WaÝÒ5Ø£ƒÐfq»¶ƒ:kš3¨ûL®z+èæ^r¼äp€-ŒŸ–Íœ'‡F¹õFªzÀÏ×ò¶)q:¶}ô~YÏN<8˜åÿüYhÏ_·w§Æ©_Ïý\~xèþë= Ÿ,½qXˆà€ ±·_tõÅ7Ðñ”Ó‚=°F[rŽ0˜ž@¯¨#ž~"dTcÅ5wVƒé=„„,ÖçIvBÕâÓ_®œˆ[Š³iRâ žð##AÆÔ“…9½¦ãœHäŽ& ydq=n€!ŠO"‰Ë”T™ã•NÚ`ã\⨖i P&²¦*D„)Ÿm2'un Ê´´”`Ÿ~þÙžªI¦ ‚e¦A.ʨa„jåf‰Š4&¤*é%¦—Ê™i‘2ñŒóICsæÑ'í´áûj»Ç>-*J¸°»ý*Ùh˪;í{ÛúW¡ÂÙûkj[²0©ªl/…תŠÈþ®Ø­‡óZÜ­ÇNÏuôºB[j°Ó¶B ®®™ÈHÝÔ´ŽÛtÔTSÌê‚b‡}c²­­,¯=Ú=ä3uËm¡Ñ`¯=tBh‹0ÆãýÍ3Ú–ýñÙÃÆâÅŠ#Íøà96×6þ g‰h þ&á­ƒ²É'?øáUãmªáˆw|pÓ{l·×¤íµän/íp¶­¶È Þš;­‹¨Ë»ì;1±ÍçðÊÊÁïù¾‰u &ÉéBÁ<ÂôëŽY¸RƒF½²8\Ïîã[»ùÞš¿¹æúxüØÒ‡ÿúû¼Ã+?òÛ÷^$Dû¿¿Ñï~nbÔ ˆ'6 }¥ËZfèÁOb´Ëç|„¿¶éxd®ŽÁ (Ðùë`ހƫš¥nàr[ÀR¸.õ¥m~]ò`®´8éÐLc‰“Oxˆ#CUP#;ëGg73¦,uA´Þòž˜ úán‡HTYþ7*—ÞÇ EŒYy’¶Ã)Î+ÎcGÁ¨14ñˆ\ 3²E¯vZsa×ÚFF8Šo‹b(ãÙøØ?Þ [¤ëà`Hj$òfˆÔcýé÷’‹’œä°HK®yô?Y îh2,£,¥)O‰ÊTR$“ª d+'ÂÊWÊr–´¬¥-kxKEæ±Ü¥ô@ LÂøRVœfæ.iLÉü‚É4™ÙÌcÒp™ÑÜM%«9ÃêaS½üÞ61CÍ(}Ï\à8­YBhžSˆÅ\çø®ÉÍ`Ê“[ l'&ቑrŠ“lÈ´ˆ>³Ç½€žÏS–;Hã (@þpÄœ;þJÌz²¡ÿ”¦6%ŠG:¨ ÓâA‡ÐM71X·Ý=ô ‘¶Ñ™ø¼È¹`« ÆÇ*™ ©CIÙÐ4ÅÔ¨ë?í¹Ð‰²nŒbD”Ú>e'~+€+5©çŠêÓˆ~p_¥°áUHÇP èŽK=êGZ0ŒªS£CÝ~¸°a'«;cPM8ÍŸÒ‘i:ô›O7Õ”öì„dMç=‘F2™¹(c‚Ý«Xú×6þÌsƒ #3:PeÍ3˜Ø[,âÔ˜W¨®”#œû* jZYÚùL´)Õ¬7q»®†ÓqŠ•£ZCe;;‚G¨o%mTû*ÕGF–´oÛÕÜn·Õû¶ŸáRùþS¯À.‡NqWiºö(×®9<ípÊÙèÞЋ«ÜoM›Ø‹Â®mGìiÏdÒ\•Ú¦¥þŒ.]-[× ÚG½ädoqµ»Vî"÷¬Z/KŸ Kû^HÀðljÓ4 8y“,SC =w²·–08ýºO ¿ÓÀ+b;LBì‚X«Eèˆ;SbŸøÂqmñŠC,ÞS5Æ2&1‡k<( ƒÇ3†k…yl¨7ÈD.²‘Œ#9ÅK~ƒ’› å(KyÊWx2•M|åNfyË\î²— aå/‡Ṳ!³™ÏŒæ4“!Ìj~^›ÍÀæ7ËyÎt^rœëŒ=ºœ* MhZLð—M4IGÕDGÔn‘–´FÙè:/Ж¾tò½ieúË£¦Ÿ?Sj>É9Õ~9u^\}U/Ú‘\ž5d¯lkÚJù.ó ™§=LeÅôÚ¨§µ“¬s\ìÈÙxËŒ9oÏjX¬J‡ÕÉr³=mê‚ê®.¬¶g‰Üì•7¯+ôáf åp§U!«‹6·“뮨›¹™¥¢Õšåy»‡çåw¹¿ît#Û‡ Ûk~_\’5ïØnˆ÷Wë`·â£™)~Ó)Cãi¡¶š8®#乳ȃ}rÛ¤×+?pË™ýòÎÄ\Ö3oNÍÉ\i@W„ÚÒ9OÆÎ;ÝB0ýèzú«Mô¤b[LƒNºT˜çô¨K}êT¯ºÕ¯Žõ¬k}ë\ïº×¿ö°‹}ìd¯@;images/mod_filter_new.png100644 0 0 2034 11256637627 13173 0ustar 0 0 ‰PNG  IHDR§KH§Ñ"PLTEúúúú1=ÑIDATxÚíšÝNAÇg¶w4&»Å.L;&$ôŽzçEi»b„+ã#ÃôÚ4ÐV"51Ò0Ñ„Yƒ‰¯Qx‚å®D~°Ý’mwþ‡Ò62'ÐÐÃ9Ìœʘ1cÆŒ›nù€ñ°[)K}©6J1œrEÕÊ[ùB ©(Ï/1%)Ô!‰ªâ”PU,†<ìÕËòcÃycó2¹@ª¶òTo”4'jI”‰¡‰¡‰aÌœ¿‘~[@¾<Š­µyÉ°½ªþ#µ‡î׈ڟAq;‰*Ûîñé9DéÜJ›t—íú›-÷ø¬ fëy±³·á{YÏdgÏFÿÂ)¿ÿFÿB»%eGÉ• õIQö냔'` »©¹7¡:¸Iç0µ…” ë’êrH©Ë.¥Ká!…ÊQz›AC S9B8Ü ö+§ÛUÆ甌v/Ÿ8JúÝò˜ÊúÔxN)éwæã9åz+-¿¢9¥NÃ9%§›áœMmã9¢¢9ÅhF·¹½_4ÅìÕWBM51\•^t'Ž;¥äÊSlå©{ÃÉÙaŽÑ"U¬¾EØ‹¬GQ¨ÅêQ’U˜Ô£´µ/›¢b‘ô(禕N%è6w©bIºŠ5©,éªX“ÚWŠŠ• ­œŠeô¨¥èQ·Èós¡4+‘émLosbH›8̬gæeCCCÃyR‡7õ_-Hõƒ06|ÇÓÞ8– *7z.AT8zv”‰^ܨ§ «t«E+ˆ`´Lu+¶~§M=Ž­×µ©õ)¿Aÿ´[ÚT5mª1õ‹YŸºqÕRŸ»e(J4ª¯7´Ê[®Ÿ¹PÒ¨?¼ØùigÛÕâ²ãÛYRE9— ¤üþ^¥v¤ò ¡‘ß–'»gçàÿ O÷ôsˆS´›B¼•´ @Ë6´ÌFË¢´ŒM«ÄJD«z´ K¬æ´ÎÖ¥;"b÷e̘±%Ù?íÂ¥Ù‰ì IEND®B`‚images/mod_filter_new.tr.png100644 0 0 2456 11256637627 13627 0ustar 0 0 ‰PNG  IHDR§K«ò PLTE333ÿÿÿ,/ÈàIDATx^íÝ1n+7à ‹<@Îð0§x—‹œÀð)—¬Ò¤qÅÈbðŸ2УlJ&™X‡yZÌ‚¡BúwE?`ª£n£Œ2Ê(£ŒÊ»¤°Ž ——–©ü¿QØ •ˆ““ã ^ÄJT”/’ãû_ˆZ>(ì‡JÎ(òJäàŒRžÀ€ä >9É19$Òº¯Ú»£’›GÙŠÉ(£ò.©peñž(ýÚƒÉL–@K Q–@‹…%ÐxèÏ‹5øÌŸ‚‚QS¿+£ˆ‹Ëê±xFÀŒUTÀê4¬‹J%ò`GÁ+’ëD0ð~®¬•ÀÏ•ž1Q¡È«S±\• Ž©Da*÷bq%õܧ¾;mª&PˆûÔv3õBœäŃ|"$‡€ ¸.…Û©ÂÆ“~þ´8¿°­G½L£€@ó©Sn“»¤ò³©ñ§$úDmj@~…DË(€~Ý@¼„Â_O‚˜st)l_¢þ>tçéªÈ&_ û†îl…NKEò‰@œœ:…Ó³9Š&U9àBA•BŒÁ2êT´XAÅ#èR% üÔ)šx½›àß@ÎÈw&0Qs_u)ñ÷Q—íQXD'BFr‚( bá©ä 7¤N7>V|¸…ª3N`CA‰‚¼o2M¥‡ït1OºFV¾ª…TœAu2Ä_¢âõ8çs‡{Tr=‹¿šŠTè&ðråo~Ü6¾U–1§æ(yá.U7Ä·SuSâ¥úÓ^F VQ¥9ŠHŸŠˆ8¢P¤ž Å÷Pºóû¥ôË&%ÍwuÅNä í4o6!$*÷b¹¯|Cæëõ²ùaEèQÄÓ)ž[̦ÄAªÒ<*øø%®òíg1"¶”¸iç•JÜPEšK ¥’ÃtJÁ!"ø NBÂ’ŸvL\)€¹Dg°àÇË[‘æRÁ7x̧… \¥Þ0¢p•Q(Îc*QgfQÓ¦R|%•§R¬D/ÄÁÁ!8!N,„Ä*TMØy¨Æ‡ ¾âªT;±0ª£Æ;‘}–ö¬h U£¶‡‰…Q›&5^³+PƒMÏŽ(ì„×p”©ía(£ O+Rmãg”òw5.©Sµ\t};kÿå"+éS¬©·%R,í?jí¬–Rkgµå"õvVõvVívVkgM)èÓüÖ«L)•‹ú”J¹(N¢_«Õ–‹ôÚYm¹H³2ð2J0¤Æí,+UŠPM¹Hê—‹¨Qãg¥±™S.Z¿Ã·3¦¬MåŠÚ)§*e‡ßë¨P.Ò£ÚÙ¬.ðSv‹…%Ðh”%Ðba ´è8 ¨pÚ½)SR ‚yMJܹ›¼U¥j©QÔ$„•¨Ä ît(ñ½÷T¨Ð}SƒßWJèΫ5¶ðljü‘~:•1˜<Š#J¦S Ðå—Ãåu2%õÊ>Sq*©¬C "ÄÁXX…Šg” Æo=ŽhPÁŸSФ"–Sä—QÀN¨•êá¼ÜQÇà·f6GÈw8EǸ”6Vø·ˆ˜8©è(h(¶Iy1h©))JêÙyúTö‰êÆDö–×æªêÆš«»ËÛëû ,Ü÷ªnÛT™f>Û»gmáÃn?f<„Öå¿Ûî&îû9¯Ô«[¿¾¦öíP¹Ÿö®¼øñ䃖ÿ~¾UúõìÛÇt_Š}røôëœ_?=ýöþûûgÇØ H`œs¼×\n "× dÒ…– n7¡.z!tJv×kbÔU¡†‘…AYtŽvâ"q9ØȈ“½Öš-² ¸"ˆ$θØ&Õ¸³!h£ ©žg’4ÖâtIªwÙe`ÅçX‡ŠMi—“èáøá•LªEH²I¹eyÝH#lBæd`š㚈0—!š%ªææ:q4œ’ ¶É'›*b˜£„Ng`¡†Þô_¢ŠÊ“&:žó袒NL¤åX*¦”nÊé›õiÊ ¨ŽJê8ŸžZj:‡®Ê*‰rî(w~ç Îz\–±â «®¾òj« ¿ŽPë°eÎRþ6Åê–—Ⱥ+“1vGlMâ˜,ÈÚˆm”}²¶#‘…yȘ}K%µ\r¦Ö~Áã¸2rû^´ÔBÙ$¹é.éç´ûfAص7kì³ÚֲͶȞ , 3û°…Ûì«¢{«½OüÑœ +q¿ œq¥ÖR"*­®l L¨Â—rª2ÏÜBÌÐØÜ Î4ï̳r/»§sÏB]/Ð?tÒ's´2MgU F5ô¤?!žåš£Ù9µµÓ]õu¥aãàMI®^s¶†i£¼6c³­óÛh¶ÝÎÓŽJwq–æm¶6æ¤i7‡¦ªêÄ;ümtK"rw H‰£&-´æ©±y¯³lÍgc6ŠÙY+–éÅ·¸Iyqµ!f¦r‹æ{;Cæ[–bi²§‚ÅQ‚— ‰©?B/å­ß>‰î¦³{/JɹþG-°‹2Öãø]ã>*;îL ¦ðé¾On8ÙÝ{`á„þ·#øCèÈí}~ax·¯2­êË÷ühÛ½¸6ö7‘ÿOû Ø¿¢pnÿcʽr@å$°¥‹JÖì15,Tm"-Sš/ˆÁ jpƒœ*;images/mod_rewrite_fig1.gif100644 0 0 6705 11256637627 13416 0ustar 0 0 GIF87a¬¡¯ÿÿÿÿ,¬þœ©Ëí£œ´Ú‹³Þ¼û†âH–扦êʶî ÇòL×öçúÎ÷þ ‡Ä¢ñˆL*—̦ó J§ÔªõŠÍj·Ü®÷ ‹Çä²ùŒN«×ì¶û ËçôºýŽÏë÷ü¾ÿ(8HXhxˆ˜¨¸ÈØèø)9IYiy‰™©¹ÉÙéù ª jGzªÚ–ºêú +;K[k{‹;ØšËû´Û ¬ôL\l|Œœ¬¼ÌÜÜ7ìí-]Bm­½ÍÝíý Š-^þ@nž®€®Þîþ/?OÁNÿm߯¿Íß0 À <8†”Âò-Tá´‡rJ9ÈiÆþ‹#v´×‘G«[(6À²^¡_$7°L¹î‡FV`Ö´yÎg![^<×s§¡5frJ4 ?6Ùùœ£ñåH‹S,Dj"Òª[³vzó)ˆA§>$[õªÖ"kÁºµšm)µ©®Âu{íºb½œM@50Ö»0©Öüwïá·‚‹šd¬ø­WÂÕ"iûq¯a¼’G.¾ Ú3ÞÊvøNÜxób¹•ç¦ì9¯ã°!ÇÖ¬Ùu­\Nîy²ïÆ”u8Žü8ƒäÉ—7÷Eü÷͸„c†.½6eТ"–ûYxRi¹‚¾Žû7ßÔª·{eŽÜ9|ùÊ¡§—ž›ºd΃þ§÷×ÝlÖ!Üyý…fÄkXñV pþ¥YŒ©6õ9ñRzÞ©g„^e(^pæÅ@ €f¦ŠDl8—{ÕñgX-ƈ¢o&\ØÄZ:bv"‹Q™•uÙµEbS½g×y‘Xˆq÷’ì}·d_àˆP–ZnÉe—^~ f˜bŽIf™fž)–h£æš½´éf.pÆyËœtÖbç³ä©g,|f_ ‚Jh¡ö¹G>(ŠèŒ.Úhþ0i¤oTÚ¦–²¡é .ðç¦c|š© ˜**¨"ߌ¾ª\|­6×j«¦Æ­®¾êª¼úê«¢±ÛëºNþª3ºVú룰ÊJì±ÇJ’l3ËòÚì°›­±¢TËŒ´õ=笶ãF»ì·Ó.³n í>.»C\oõ&óî ¦ o¾ pÀLpÁ<èróž:0}Ï1<¨‡J1ÄÌ9\küR|1Ã. rÈ"L²¡ Á,Áù±Åk<±Ë³3ÌÛÜq ÷‹A¹»Î §„"³³#ïúŒtжæ\LÑ­-±Åú{jNŸrõ"P£ ôT“µ"[O¬Ô|Í&Úb÷õÔ¿z ö›q#r4¹m3Í68a'2÷ }ã²7Ý ëýw!…“p8ž‰ ²¸Òá~Hã^‹þ¹!’ÃMùåh®ç°T¹ç€.§è~”ŒºéŸ«Žk ¤·®5ë°Ÿ.ûì|¼n{è¹»‚ûî„ôî;ãµoðÄo>üñs¯üíÉ7óÐç!ýôŽ>o=§Øg¯FõÜ/¿ý÷gx/~ôá—¯êù觩þú`ïþðÇŸÆüôßþý[دúýC¿ÿå*´B è…" \ è@,@0‚,œlÆR¡Ü©€>(€tÐ áFH›õlÐ ¤[Rþ"P „%¬@^Hò˜Ÿ†Ì@“.à#ð‘ †,èŽ:ÂÃ$*‘†ÑÃs’ ,qŠTLbþC<¤ íçUìb [ÐB,Ž(z¢¼ØÅ+ZÀ…êßhE2bð>Ba£àXÅîGa™Ò‡xãšéæ$;ÂL’zè€)®;f d`Ê¢“¬§(d€"'€Žég+‚]¹ HZéˆdA“4šïÀè6±$mœ¨Ê·”Ò’Lôák6ƒËÓtòHu¥kiCrÔˆ44zŒŠ:9PV2‘&4å]ÉI9È@/zR³šlg– à¦;tjê(œzμLB¶rÈĦˆ>C¡²à‡èôÛ3T¢@V“•ø¦6W‰Äfž`¨DÏ:ä'¹H@¯le(þéxK i•çêy£{F)…úÜb<Ê€Úˆô3 ACJ!wjñ?=¥üI €HIíQQ8‚’"N£MKUú Ž>tš©”¥@MpRñ“Eä¤#qÀ’wrÈ ó4‘Tj#èt§ Ò“à‰B)šc5Ïc¶úB‚ÒGIDźLä°­¢K#$%N6ÈŽ=j©´Ra¥§lÐ ÃJA;…õ+ &hÅ*e¦¡ìÙûËB¡ ¦Ðì [ÏžI´ÿ¬H[&Ô^´DPí˜\k5Óö¶a¢­±dËÛ~I·KÓo»ôÛ+ávÁÝRqþÀÚ!7KË•˜o»©æz,Ò5Huiö\Û]×\ÙÝvËF]èZê»»ê.ìÈ›\!7 è®Ö öš·uò ¯vÅ[‚ô¿ª/ðà xÀ<”Œà+XÀz|î‚ a88®°…ÑØ`¾ÔroeùKJ—n 1à< Š³ ÅŸP±2ôû ã‹Åž1ÑhÜ Ʈб1x¼ 7 Çœ2؈¼ #§Ä&æp$€¬ %ÊðŠ™lå#YR––#àdn9]æ•;Ûd×i̘(óˆ5œæ+Ã9Ë3þ2ÂÜ/;?ÏFcó%Ü|þb=3SÎì³–…[­ žp<ŠV'WgLÎÖ@È_äQ\z©}ÕÌѵ¥ïZÆÃÞ “”¥ãéL¢p™quÉPšÐ"Š±¡2K]¨²ª‚4‚™ÁMlÐiÖ(ÃÕÚš|%Ka¬O(GP?5XÃƬ·øëNß1»æõQ"Àc_»sÍÞÁжmÈ#…²<‚Œ;m$éض¬!ä\«1ùÕšà’WTd éH!I³8t­+¦«ƒQs¤ ~Ma€#Š‚µ¨Ü~N£éÕ2,(p­JÔ\ú§f/íéív™†’×ø?e3ò­3Ý·µtS®¤ åçß{V3P ~LþÆæü§.z¤´½æçåSH•y´£*Uš»;oMÒcyÁÀá>õéÔÝê¥c×>=Õå&NUˆªœá6(‘Ä©ÞThËD¥µ)Qß>ÉŽû²Õ-çzOƒXtš5–Ã)µ¬iÍq«V)A… BqŠqÃ>énßéfù¨×«~Ýç‘/dW†¤ur”ïeMhæGÐ$^–u¢¤ç|•èÞ[ êNõ–ó3ëîú×ãà̲'ík²Øãž·ß=¥tï{w?øú>ñÁhüã{*ùÊÿkóÅüçgTúÔ‹>õ}ýëe¿xÖß>нO‡Þƒâ†ÍŸiô›OýégÊïþÇþv?þ±¥¿üæo À?ÿØ7G³_­ û·6™€øç(@`€J €‘ƒ2¦°€–Ó€êB9ˆ-Ÿ•€Gð€†ã7f“7 ¿²+Â",ÌF‚´r!*ø8!X6(x.dÓ+#XW‚zã‚?3‚v#ƒ'ƒ¨rFðƒ„àåƒIC6?È+ CÈ89ø3/ˆ„4X+oƒ\7ø ¸„Eà„®38KÓ…¸…q …ˆæl|3<ëF3g‚*؆ö†,³iæ†:è†v‡xˆ#eˆ3ÿ燈&#jH‡g¨‡Bˆqˆˆs¨ˆ+³ˆu¸n|XˆH‰•ˆ¸ZwØãþˆa¸;có6Vh!`˜‡üç (5¢øYõ·cch{ø,1ȉYèŠ_h5wc„ŽC‹‹è²„ó8µÐ1Hs‡£Œ¼8ŒÞà‰R ‰Ì(ŒAðŒÝÐŒQ [Ñè;×hŠ¥²ŒÛ˜_è*\Õø?–Ø0ሎ騎¯@Žëèîøí03] õ^ø˜÷ˆü¨ÿ)Iii~þ8yrŒ‰zÑvs™I‘YpiI†šV‡i‘‹öi?§v7’!ɹm˜l”‡‚¨mÊ6P³jÜÑxgÀX eC-ù>w0Ï&“G”l$É‘Cþt“AÅ(9”@yl:)ßÆiÙGœ÷U„’in ×REéív’y•Ri•Bµ"J¹xboR©–béqXùVé’¥xPnéPNÒE%hs¶a–EB—‹×¸´–É•+ —;‡xIuˆÙ–Ô´?"MÖt’1v¬A˜‘)x`ÉPáqL'WN…i˜_ u„…q¢É—G’k`š v™3R™7¥P{¹PeÇtTyŠ™š9nv’b%2‘'Fb‹`™¥Ã1ßÊ?²P|I ôRI%RŒHª4NÆfà'¬vþ!z е~Åà)’ „^þ-Ä} ž$2 ¢E?jµóÅ€C_V"†À»„¢x×=?8 ðäR²Á°ø±9n'¾péyðV˜Ï‚Çåp>ëò¦–Zj©¥–ZjýÖŸõ©ö:úlw¿ŸgÏÍ53¬–Zj©¥–Zj©¥–ZjMb¹ŒÕߨW¡ôêoTVsý /ª¿±­×™œ®¿Q¯ÆèÕߨ­êú×…õ76õÆ¡úE{…£ï\bûú›èUëo½Å‘­õ)ƒõ7¾Rz¥[£m5׿zõ7†¬êÛcõ7Š,9Q£¾þ5RcÛ·d¬þF‘Õ±1P£¾86R£o‰ŒÕߨS¯ëoÔÇŽëoœ²Däîõ7Æ-­¿ñcëo¨¥–Zj©¥–Zj©¥–Zj©5Oý¨oY/­ý”Öwכߣ6ËîÁ¬}]Xd;Ǹjkâº=û§§ç]¶Y.‹|z«Ø<ç«òý¹ÜÍ`-³|U¾g³Xeö²*ßWsXûüéeUl—3X£ÛS[?¹~ÔÙ¢Lõc¸~Ôù¶¼‹•]o]3‡7ÖºÒº©~Ô-–ÖÒúQ·œÕ:Ý÷î–üãÖœõ`ïQ?êâv‡úQsµG¶t]¶Zj=Ʊ¬–Zÿš5óyãLþa³óí÷ÿ:ŸX·;Üÿk“K‘eù,÷ÿª¬å\÷ÿ:“X·ûÜÿëLþá!6îqÿ¯3ù‡‡yºæþ_8v,O•8hM”8lM“8hM”¨ï)j©¥Ö=-½Ÿ¯Æ†Æ¼ZójijÌ«¥q¨±¡1¯–Zj©¥ÖTí¦ç®ˆ${‘IEND®B`‚images/mod_rewrite_fig2.gif100644 0 0 4771 11256637627 13420 0ustar 0 0 GIF87a}³¡¯ÿÿÿÿ,}³þœ©Ëí£œ´Ú‹³Þ¼û†âH–扦êʶî ÇòL×öçúÎ÷þ ‡Ä¢ñˆL*—̦ó J§ÔªõŠÍj·Ü®÷[ˆÇ8L.gΖ€;PS›Æ89†ž¶³èu9»óx¡'ñ†‘LJÖø`8ù’·æ§F¸2)3¸Y’é¹x‘HªÈpiº`§šz×zÒiyð’I#+â º!W L iK‹iˆË‘¬Y,ˆêêÀ¶Œ¦Sk-}œz|†Ý]6=@fü˜v` !|­Ð~ÙîÏ*??®¯=ïPÏ^À{žiÓç.á»l ç%øgC!«~ö*úyH+£@þ^Æ Y¼h@ƒRþ!Ôˆ© I•¿É{ÆÎDá~£¹p¥G·¹Ä‡±šK– kZ¤¹Ó¦Âh=r 1RtêЩΗ<éÉ<’«ÖŽ›&EIÖ¡Éf*Z¦U©©Õlp@½kv€ÈOôf$«³'ݧ^9MºËР_˜ƒ‹j\1?·óAÅyõmPhxiî%¸2ç …{"uŒ•ÒaÀhG*ÌÓêÛزûÔ¥ü1ïÙÜ)ŸDÉóóˆÀ)GGþ¹±îå0¶o}üuÞØao–<¹%ñ‡¸ë¡–HÔõ¾_m×fÏ~=Ö|®!Œ±ÔfZËC#³|Õqéó`þjÇòW0@`(€€"üwÅe úàƒ0hnòá…PXá{æá‡p(b‰+„hb$¦È" (¶ÁŠ0ÎØÁ‹46 ã:Z`㎠äècô(¤^E©‘B‰d“JÉd“G>éã^^‰e–ZnÉe—^~ f˜bŽIf™fn)%V¦Éf› ¬éfœlÂ)gGÒigž;â©gŸ0òég %*h¡jh¢ÜÅçÁLÄ Vy Øh`±8ʉ/ôaz)[(¨ˆ-kùbΔ^)D.©]%e£‘Š·¬¹”ÆLYT•:©©hºjZÌ"¬\.ŒúþÊ|µû•f®£ë¼NJ&1³Úgëžj»-XÊB‹-©¶´~±GAœÊ§Q’Fð«3‹.¤®y‰‰Õ¤ë~ºI@–…‡S_>éçÝO?‰ÖÇwæ"WÕ\ý¬ ­V­ˆ*5¬×—nEÑ7WqÃ2³g/a¦Ôe]Ý&_CÈeŸª"ïv–ª›Õ™G¸+Íu­7Ù΄Õçðǹ®R]}&KG²lóçÞݽv0mÕqÇtOåe!G»Xr·)×ò­Ä>·Ñ|È0–_o_ Ýln•,×ÔTm\ÝK5•ÖBÿV® œšjtÿ­4d§-ÍÜvÌF[c5Œv¾ ÓþÞÃHbrÌi?FùiÑÖÖ‚s/× ªÆI *uؽÃ.ÌYñ—nÉ€?Њé0˜ïy¨€—ÕêÜê±À+f°Û‹.L/çËjèíÎ'BD€†‚é¦íÂá ¢P¹§åˆ,a¡öðVo9Á‹ï÷:f~êßÈ~û_¼OcüòwAÿŒöß¿Eþ?ì{‚ýñ/ þóM À^¡€=8` ¨À*00EŒà&h"+iƒì ?Šð@äë•OÈD¡p…AP! _ÈÂp†Îb i8C’à†8|¡GÀà ц¦¢ýSDjáìˆL|`€¥&JÑ„âÒþ¯Ø” ‹\DÇâÕE?ýpA_DP5ÆÜ ƒglRAPÁ6Ê1*s¬#íˆÇ Ä1\Ü#A@½6ùñ-`#vd0HBžÈ|Ýê@"™CŽ „ä $y4rC–L&/TÉNº¨„¢,Â'UJ#œòA¡L% IéÊ ¬²m/he,kÄHDúj„¼ì¥/ Ì`.Ñ šÔ¥ oYÇ "“‰Ê\¦›éL!B3š8œ&5ghÍk¾0›Ú,‚&¿YLn9â›TyN5ÌLñ%cê´„Á¹xfÅ05LVªpUˆis—$d8É)€ BoõLÁ?»Ïpʳ<>‹UCþ º²œé˜ç#×<& ¶i,´Z¶îù­xv´9ø|–]"*-:*QLÖ²ØBÃ¥Œ„ Nœ½×Kµ6ҙΜÈK™O|ú¨œ¸KŸCÒHgGNž 4]ÅüçF–™ 碌“'O°ƒ& MMªL¥z««ŽN¡ˆ›ÎsnŠÕŽÕt¢ð2£Å‚uµÂ9èª]mêÅ:ˆ†ìg7ÙÍAÍ 3…úÔ®/Û¤€–Áe=ÀÑjÕì†Qsƒ}ó;À6µœ¬°:ÛÏ»¤ùUgiC2é8¢Å…±£+¨ÒÆòZ•ò pi]ÛáÌ…××– Ÿ£KW͆0·mÕª¶Ènþ…¶·Í³6r{¨çb{ë¹Áž VegSÖÖ±3t{Ul\q«±ì‚Ž¸Ekgɺ¹Ì& ½KE/hs{·Cs€ Kzý¶Öñ^‡»¤…ïÒ¤Û ÅÌ:¬eëb'`rEç§ãÙn*ÛÜîQHÝjbCº¼ö踯¨X-¬TÃ)ؽåNU÷¨ç©Ø–€pm¡¬(HïÍ×›½ß,$Ýï)Á½/¼q¤ËHóFÐÇ``q7·Ë#×€È_0²’‡”ä'Ë€É^p²”µå+¿€Ê]°²–¡˜å/³€Ë\𲘠@æ-˜ùÌiÖšÅÜæ,¼ùËq–óŠïŒç<ëÙye¦Ÿÿüþ¥3gÉ‚^!Å mè/"…‡^´íhB:Òü›4¥ågéK£/ÓšÖ§;¨OƒºP¢uŠmjñ•:ÕzZ5«íäêWË)Ö²ók}jBã:×ã £ciÔ¥žÔ€ÎÁª+%Qo¥ÉÂÈ=*L?ç4ÓàØ»§°=›ª”RÁª¦¯‹ó:ÉnßQ×Z´hoÁ•Ñ;tȹÊ@÷³kLÏê¦+¦‡Í*yWµZn¹„ûS² Üq¾«X-UÚ€suáe»¶ Ì­\ÀÖÄÃ^…°R ·fûîZM{î=ŸwOêë?Ô—¾§§küä+ùÌo¾óŸýèKúÔ¯þ— ;images/mod_rewrite_fig2.png100644 0 0 2545 11256637627 13434 0ustar 0 0 ‰PNG  IHDR}³‚$²sRGB®ÎégAMA± üa cHRMz&€„ú€èu0ê`:˜pœºQ< PLTE¯ÿÿÿÿ`pÏ pHYsÄÄ•+¶IDATxÚí›MŠã<†Úê*†Þ êM/s”¹{ÑGAmt•‚ÚVò~ 'ù'§ó† ïb?þ‘=õ*ûn94@4À‹B?8Щpü¨Ûò÷—°Ü]w)O¢€ÆÇ÷yün¦ËÑlrŠãÙ‘ÈuŸÏ®@üJtöðþ)Àå¨g9*¬Þðp|·_.7¡\ŽEb€ê €rPUíRÌ=àQ£‡ãxäQ»=Jè3ÏÙ{Î\Äc4÷<äèªjæÔ¦¦ê#à¤f…38§¾ó„R?€Sdæ@ffž´‹ló+ IÍÀ)ÀÜÜFÀa¼qV¬ÌâÚ»£ê/8§. ÅÌÜÔ»úG€(¼3pb­—ç˜Ù=qQU×9)õÎ%ó´¨Â;2pbç@'C©™Çë 1<¹yb°”b÷úž{QJLd`¦ŽTÕ\§€ÂI=LÌ1(’«›:ƒK)f¢K@v `ÖÄ1sŽUÇ^ty/3ïƒ3«¨’׷ȃGõ¾KŒ("JEã–±èxc‘ #Ð0 öm”;ý ²3@igÀÖ­à5§á©m`ß™]4À¿Xõƒ#N8}®úA¼çüàˆNÃ犸ÞóƒÄü` ŸK?0¿ãÞâãìfø½ô¿ç À-?8 Ã׊è=?pÞè§ákÍìžøV?8}­úA¹çö¤ð=?([ý`ôä¹8îùoõƒÑ“ç~`~ÇÝô¦Œž<÷ƒïøA6EWOÞÏΞ¼Ÿ—Çÿýàxh~ðr€j˜m€æmnº`ÚMà_xÈS?Ø0|î xšð×Áîâ».~°W7ýöƒ_Ø°ó{Ð{žÉÚÌ®M )ïì¯7³k€Ø x0?pªÖ­æñºpá'ùÁ¥Éù+ùA•ü$?@´úå_Y_”7Ûòƒ¸²Vi’,åi¶j™ô3Àƒùk]]_ËÒÛì Ë&€Õü`x,?0ŸùAÂðX~`õòœµüÀ«¤íGùA@¬çeöˤ¬æsÀúXôL~€–´¹i4@¼ ï7·qBól†s{;^Ïï™Ùu4@4@4@ü­^¤'–µ„4œ‹I¶h¾Ôõ"gš.Çà‰×Ã'g@_\¯ÉÀë€ás\|ú€oœé{¶táa~CÏ5#‚Lÿ¨v«^”8JvŸ,ëuç ]Ì©—jÿXLR6³¨] PJÈN—€º^”›»Éô!»;˜RÌo5à €“™š¦RJQ³ºÉZ½¨ëaîÓÞ«0wprÎø\LŠ"b æBTL,Ë  ªybsŸ6Rˆª§èkš/ÅÜSG$Åd 0©Ñ (jîP”ª5“Ø$–âÉ™;b)R7Y­±¨ºê `æî ªïHþ*œüÆ\J¡@]/J”½Ói/dUOÑ@2©÷|D2OLD$™Iž‹¦¦ðk—Áîzì 8`_ÀûöûÁi€x9À´¨÷4d»IEND®B`‚images/right.gif100644 0 0 73 11256637627 11235 0ustar 0 0 GIF89a €ÿÿÿsÇ!ù, Œ™°lÜcrªJ%ÔÛ6;images/ssl_intro_fig1.gif100644 0 0 13152 11256637627 13124 0ustar 0 0 GIF89a§G³ÿÿÿÌÌÿÌÌÌÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ!þGIF SmartSaver Ver1.1a,§GþÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ pH,ȤrÉl:ŸÐ¨tJ­Z¯Ø¬vËíz¿à°xL.›Ïè´zÍn»ßð¸|N¯Ûïø¼¾5èûÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ€;{0“'™š›œžŸ ¡¢£¤¥¦§¨©ª«š–9±²³´µ¶·¸¹º»¼½¾¿²®%˜¬ÅÆÇÈÉÊ˧Â7°ÀÑÒÓÔÕÔÎ#ÄÌÛÜÝÞßÅØ5ÐÖÑ~°}±ä¼çèê´ððåÖâ!ÚàùúûüÈö3ìèµ -ஂ³ ® &° |™}‚¸‰"&Š“a4µqUG}þ'v )àŸ … mDø‹åB• SN3éÁ"©Ž6A‘,µSg¿ŸGѬ$óà­tää¥[§Ž]Ò¤1Ý=øpäÄ>%±fÕv‘kÉVZ»ZÕú•˜Ÿ­`¹â;›±•Ûˆd/Â5;×-YOlѦÝûµnÙœYû†úåÔ—µX*^ŠŽéŸ—.7>œ‹ðÀí¶í6#]ÏŸÁ¶íìùmÙÑoצNZ®×À‚9y}=[³`±±9Ã*‰òÑß“‡œÐqäÉÈ}'®*Ðæç¨Q‡Þ ‘¶i¹Ôs[ÏüZ7tìÞs›Î®]vöîÑÅì­<žûáÉỄ³1ÔöË/YÅKzkëÒ~¡þwy§g^zú7[àýw•Yð¥×:8{øÕwŸbÄÑ'b’æ›e`†Wx‚g[yéÕf`f(F®­݉U‡â€0 ˆ†:FpJ!õŽ;HÔÔ’"ŽÈŒánºQ8l6h[Šû‘×]-Š” •ºÈ¢ëéÐdl¶yÔ“iåÅà”tÅu[:ÚÉW\|V¤'”~ÅÆ` Ûù©ÖZ|¶†g”ªnFÊæ<ñÀ ”P—þÔS¦Ž–©¤ *H¥úqŠ©© ¡zêj†êj{ƒ¬c©ª´Öjë…jB¢ë®¼öÚ묷+¬ª$²°æ«ÈÎ$ˆ¬¥þëì³—»Â±ÉVë˨ å¶Ì¨m—ÝLwS·ŸZk®9(I{Á¦àrÃî·ÝÞ(Ê»¼µzî½2©kÖuv—œÚ-Ꞔüj×”•ùo¢ÔùkSX‡Ö…[ Ñ;o¹øf,¾äô™ÃaÂvZÊëm㦲2b7›¸9ÚÇ6ÞåÆçÜ Ç˜HæŽ32*³É:†Ü2á}÷"‹nW¨…á¬óÔ¸ð<ÏKC8èH7Øh»O¯èµœ ïXáÈÎö2VCõÛ;ÏZ´™âvzô݃ ´–h^é²ØzËÈ2—&³Ò6 ÔÂ=õáÏøÓÿÈ?ïz)QR"ÁãDID`†òÇÀ6p}”™ý<4¨¼ç€ÖÛ ÜÒ¶ªæ}Cytà Xz€%ìÐq¤—@Ó.o΂a =ˆ Ö¤24D"¥Š„@&~ï;‡T&%·.©å`«›XÅþ¦°ÖÎu*+ÚhÖ0×Å°\Ø"Æ8ø:’Q‰Bd¼Ý±x28Îs. [ßÒgÄ8eYj\ã U2Ümîsò*™ )8Í…IˆÍë¯&IÉJZÒj&¥HÖäå9Z[甆(¬¤ˆ6[`9ðÇ@R>lãÙ9¸ÂMN”›+Ï-½´¼®ò2* Þ+ÏÅF¹ñ˜¦¬ÔHÖIZH“»©\!øË!q˜ø*¦sv‡»drÓŒšÓÁÈÈ€µŒlà¤&±y/6f ’Däã:Ùi.wòãkñÌçÅìEÏ·ÙSŸ½U53Ä~^OM(ªŠ‚´|U¨DþÂÐu=”jÿœ¨Fï9Ï‹ºŠq— ©HGJÒ’"¢£=(%V ‡¦T…,)\úRXÉô¦ÓòCÏtz5žJà?=R+‡š) ó¨FMê•JÔ!5Õ8E]ªT…Ôžöa§Wµ*U} €ªþ”«^í*XÇšÕ¯–U¬g «Zɺմ²«m+\çªUºšU®@ iM„Ó¾A¯{=LEýJXV¶…Ml{Ø|)ö±þ+_S®åÔÑ ²e¬9¢ ⥰jÖº,f«Ù–œp|4JµD;Ú––²Á”Ÿ‘b¤÷Aq¶Æk­n S¾ê¹¯„PáÐpDè&ÖÝY0'ÿÜ Æ£€Â„èq§ûÞg%Q|8”Ü™P÷»n³î‡r¸CRð³À¯z¿w”BŠŸ+q[Ù%åv½ø5ìs§ØX˜æ÷¿% ûkS®&M°‚yu‰;øÁ¶džâJ÷Ððܨ†=5Óö ØÂ!Œè†G¼Ï%æ~ q,IÌâþ)Á½)n‰ˆ[LãGu8Æ¡²ç'Od·SeXLAdM¯¤ ãŠÇ*Å0íϺ± ZbDž1Œü<$'y`Ä$41€‰Œ_ä\،ʖ°2&H4{˜š ˆÑ‹Êìµrq«Ø£8zérÑQ]Ö°ä8Î1ó˜eîÑy~ö7dþ¹Ä/–³t•Ì-ÂIó@—3¦ŸÉ4B¯P™Û3NŒÆ“ +zαœ[Íx93Òˆ³9ZK&§Û¼µsžEÒq*$߸fj|ÞÄÓŸ¦b¨!=j@7óÔ8ÒÛ½•i¦az“€CvÒŠˆë\ûËVD³ij¢%»–“f™ .Ýk¼ÍºŽ«vqô*EØ UxÑ­§¶>Ùå±á±ÐN®]êR‰Nhfñ*÷ž#ʾøÆTŠ 4}JgƒÞê¶àÕ`lF¹å×ØpÍÞØi žÚW¦â5ŒÞŒº‡+â›­|qK_©8Q!Ò«ßRì?!}Ø÷øˆáüÀ„ûö¶6D¡pC<“Ÿÿ·å º²b™?œæ3´¹‡-HŸùÅ—¶ž¥_¹Íû˜% dáF'1Òx ÷`W»#üºÐÃC:èW9M QQ=q8ÄoÜuó’W»;ÿyÔ?ôÛ±óáÀÀú¼(:Ä‘áƒÿ8ݯ±Ô§CI-‡*Ë£ÊY•Kå&¬;¦;óhßÌ,%íÐìj,îXd´ëŠ7UúW“™£‹oßKaL•]÷ÙeÕq´¥‹=êSž9ÏB>ð‹½Çpœ€³¿2â€8Ên’únQ&åó‰­l§Åˆ;åÇÖýÕ4>ôåf4ªwBÖ’…­ö[îZMýñ;úú¡Œµ¦<áúÛ?þâÇc.Ÿ9}& ûÿ×HÆFjd9÷B+Ζv¶·(³„L»g&½×ãkÃG²6±‡| ¨q+¦j(c3¢'œD1sÂ5bó'ZD%„B‚-‚(vzù°}úÕ^èù×r—uÇ@ƒÀtƒ¢¢vOƃÉs|@èXEG„Zg„GØ‚§„åƒÖÔ„‚%„PPRHPTX…Ix…•… µ…ác…^O``bAql؆nxVãAàxLô\P´_søl`šÅCWp~ØDµ‡{؇ìƒq˜B´W{„ȇ${#ç>Å3?v>G=I"uEq†H¯U?"ÿòQAT^C‡BÁ±r€·1舛Ua‹e'‹ÎEB¢8\ys­˜_Ý%BÁ¥ˆ‚¸]µè‹Í…ŠH¸‹ëeˆv'>v—y÷s7d‰zwŒÈ^}˜TñåŒd[™E'TRårµ¥†Õ¨^'¶ˆ8ƉåØ=—‹i˜ëH]æ}ïØñø]o˜ vÓ5éV•Áý¸tècê(WpŽy-¹[ÙÙTð ‘)ély‘-µ8È‘¤å‘Â’™%’DG’‰•‘¹¶‘(ib&™p-™’/y 1‰kåV8i P×} ‹@yn?)”A‰TSÕ“EÉTv…VÿxuWKy“MÉ”OùVuU•Ni•R‰•P9•9É•Q¹•X¹X3é]5éW*ùi,Y–Fp–Š––jùWcÉŠoySl)gn9—AP—S7AéOx)SlY‰‡‰ÊZSgùuƒ‰q‹‰, ¥™"Å„#bƒ‘h$%gyÞè˜dX†g´°rshg@Çw«ˆOè™ú´‘‰¹\LgŠ”gî„]¨š ÅšÅåu'„CÆhšÉ’š¶ID¸™›Ë˜]±8^¥™cÀbkR¶F*qÔƒ«”.Œi«¯:§:è«¿ê³zq"Ç$˜‰yšI_`y7[¬ê„Uôy.H¨3'0¸ƒ¶iªH˜£ÙtÈ9Ã"•CÜjºg™æ4䪚æªtxx­°ù^²iuóhœ¼IŽ°;£Ä¢ý׬ά!W‹üŠwï1vºùY{v¹|Œb~ó5ù©±ª°¬â’NhC¯ ±ëJŒ9W±äs±ÙmBó¤÷ê™ùZÇ·GéŠHaÚ9¬Ôˆ±~–gÍ¢”²E*²ÿ@è^J0 Xo{â­¬ƒ´©P³h™¬B[µT[© ›Ž´Ç«á¹µ°§´¡Z5£*¶EصŠrg‹¶´bµGj m붎ª¶/Ù¡sK·œÂš1Ú·»’·z-ÏZxÛ`~{¸ˆ{ƒûŽr{˜+U—Åžwé¸<¹H6¹”ËOe[:™›–›Ž«Ÿk¡ë¹›¥{£›b˜›º4°º Öº®{§k¶³K°ka²{»Yy•¾›•;9”FùTª:¼HY¼Lu¼Æ+¼J©•Tù»` ½ÏÛ»Ô½Õ;½Ö›½Ø»½]é¼Ýû¹K`»Ë»|P»œK¾o¾ý5¾è«ê¹í ï{Xÿì¿—`¾*a¿n0¿U¿ú‹8è¶rŸˆª(G-ÿ~ÿ›ÇY+[wµJp´˜ ¼.%v# ´ÈšÁº6Á6©¯ t!Ò+k_ÐÅÀ“µµ¥r ÇÁ ìÁðUš'\œ¾tª˜Š |[~Ç€,lLvOÇ®DâÃÓÄ»éT “;ÌÃ.Ì]Ëè‡|œN·w‚ÙÀ4™Äe°ÀÒ˜wO|wh—ÃêŠÃì:’Vì‰ü^ÒJršé¯Q‰#'Žû[\Åc,Ÿ›ˆ´*<6Ç`PÇÇŠ«ì„l«Ça0º³¹_ÑÞ wT‚<ȧ[¸‹ì‰ɉðÈ_À¿ôäÈ”¼–ÌN›ÉÿšÜÈìÉZ°É³'ÊŸ|„¬ˆ _ÄdÊ£|=}ŒZ~|_®œ°ì²ü›µŒ;@¼¨hyó뿦ÜË—HÀ£¨s6ÜÊ»l½,¸H˜UË‹ÖÌSðÌKšLœ«†iÍyËèêÅ9lÇÊà Éè,É‹[ÆFœ³'‡­ŒšŠ,©Dë,†˜œµõ|>|›ÎþVú¼ÏÌ·ë¹,`+Ð{{Ï[ØÉʨ3ëÐãy2x}=è~Ö&ž=¨ÐT(¹Ë™}Û3dï¢@4„‡vx £ÑÙ´¨Ãe­‡{XS%ôÙ‚*b%âÊ/zWª¦‚zsG¶øË,‹oЇHsÑþé{ÿmT&üקgŠi *%šÑv ©*8ž³ŽÚƱŽ4l 'ç¢ë¦÷Ó¤Ô:µ+꣔sH» P­ <úÕ$š5r´°>ýÓU ¢jÃmMÊ×joydKØö€aíy%Ý (½›ç| J´EM ŠK ô"ËôØ@“ÓõŠÕE¶Ø©cÿ’íÒ"h·ó¡j6µ)ão X~"H¦)¸L=Õ— ¸ÚœõLЛ{Ð<1Ñ̀к]¶¼ÐuÏå¶ÊÊ’œ¬|…¼‰¶MÜڷΕXZS¬ÁE,)à Ýck {«Lŧ ÞyÐÚ=,ÁËÐ8‰> Š²‡yš(_Û•Âÿ>¯hØ#mžN­Ýç­Á1lÃ0ìÝËŒ™É|‡ Æ,ûÿó‹¥S:y5yUL"¯Ç[%VòØS@ÿ@ûòS—à¹Óô5±.PaROõÏS"DUD_V=phV_T>uöJßò&¡“TUöCõ¢ÛöPöpï “ÀUÀ@NZÁ°ËÍÇß:1#KóDSu=E0Ô&äXûÆs}ç{ÿWu2#™…x&•@XEˆ>‘KjÕzÅfƒÆZ×[ôJµãÞ³‹E¹dvÛýn«Ãèé#†ç‡v°y:ÿÓ$,t¢ñ¸ûÐX¼XDl44T4kDc ‰”äìôü %-5=EMU]emu}…•¥­µ½ÅÍÕÝåíõý&.6>FNV^fnv~†Ž–ž¦®¶¾ÆÎÖÞæîVŠ;images/ssl_intro_fig1.png100644 0 0 6403 11256637627 13124 0ustar 0 0 ‰PNG  IHDR§GxÅk‰sRGB®ÎégAMA± üa cHRMz&€„ú€èu0ê`:˜pœºQ< PLTEÿÿÿÌÌÿÌÌÌo`ò pHYsÄÄ•+ TIDATxÚí͊뺲€2 ô«4ìÙåÀ~ ¡‘ðSˆŒŒß§ Jw\»a=À Bæ¤.& ,Ûwàüv'îÄ6{\=è‚¿UªrIª*i==M2É$“LòÛ{äô ¯·!ÝGþî<}Ž7åÏFÕ+%„U-ÒtX””¥Bh§…R—PmðÈ@݃üé/pø]E)qå¡CÁEÔgù %Ó$ѵөRÙETQÿ†\P„7ä¦1>ï™ ä†ŠñFßX¸þ ¥t¹ÔmU*åÜ%”_3ÇÀþ †€Ì–˜=³-Df¿¦€9#å_¢²Ri§Û˨6zö=ø€ÈlÙ“÷Á" 0{‚€ÌH_ÚJi©´ÓîšV™èQm€Æ"@SÄã-””RéRi§¯ ¬™}`XÔ ;2€§[(Q'm’¬²ªN³ì²[ø5Çد b‡"fàv¨ƒ­n nE‹6ÆðrAoMÞy BÐpCÄdFløg¨äJ´¸ø6ñÇ_†ªÇCµU_1ðÓÛX“HZýÄV¸†ýôÔƒñ‰ÕðÀ ¯kr7êä½ÊɆ£…‚¨ð @ŽÑ†Ûc4Ïs¶9Fó *PnQ~M å¹ ù1š‡ÀÇÇPžØ"ƒ§剘-ò1š#2$bîe†‚Èb{D£9b{C0Àš,‰V‡hŽÈÐ*P¾À£­˜màc4ïks²12ØXß0ä™mÎ'Ñß"Fóµ[$ÕnÚÊD’\^ò…ØŠwD ­wß•r`”¸‰ê+*‘¦uZm´J¤LÜ  iW&z¡Ò¬Ö¥Üæ@ÛÝ*UÖZ«lx”SªZ+-/¢Úøi¢§+SýM,•”Jkue=<Š’;ZæÒLŠª®³$Y­.-9Ñ¿Ac}î°&ä¸6!ÏÁû†½oŒ¿…jÝwc ¬‰cÀœC@ÈÙÊÙ†> û€Ì7PÙ·Qm\xÌ> 0X$b‹:Ô\Ý^1ý>hÅÞ·Ì>´Àf{DµìC{s³ ø€Ì>0µBìþÔ¯­|0Ì! 0´"4ß²ÕÁoÛj‹è½ß2ç¾6±1¶\|ÇïÉ[øÑR$í”ø™P¯=¥¿z\þ»PÏïÝתJn}½?ßýõ4ÙêG%K!„ÚoHEéT%´BrJ%´%Ò´MëªN’Õà¨2QJ/”.µÕ*¥ôB$e64J¹¥K=´êR ;€‡Ý|âÒ,ÉêºJ6ø…lG‹íh¨o¬Þï[[¼ß­ÕWLÿ{·­z@‰d<”ø¢Œß¥›øòîÑðá ˜÷O¹Šêö¨£<Ù°Åh}C9ñõ¹ÇX`N&0DŠÐp4!6£rD¹EÊ ØbÎÁù°&¶‰m@¶Äðqs bF² ŒÈìýnÏo-"[€>Q-YZfï1¶¹ØB±Ed &†¶/”E² `Ù{ ÈŒ€ÀˆÈ˜C˜w(Cìm7€äx¶€Ô qür3-„лi>«®½WÖo12o‰=ß0càMˆ&``Ž†¿ô@W ¡E)„PâØ, ¯g¤ý½ÑB -„îÛ(„ûQ¢ÚÔ›MY¥Y*”JärSºº J!Uªµ[êR•"©ô2ÕË…Òàj­µ[ŠLµBél©ôjã†A-D‡*•Jk¥ôR¤P|–Ò²³!ÿÁ„×<°Tú0€J]ÀsQ'?ÊDU§ífã²U*2¹’ËdSVé9ªÀÜ0rƒkæ·¢Åhß<ú‹uã£yóÍ—¨‹©Gu)0…ÀRΉ<’%Ê-ûˆC—òü Õ~µ¯\va<‚%b > q¸ºœ&¾ÔÚQt¨–ˆm‹Ñ#XÓ°‚¶C™-¶_ ~’üîP@Ä€<‚%è´B$ÀáçZ],kîðÔVÜÙ ‰ñö[],k4¡Áµ‰ ÆÎÙzôâš}4öürHã-9é¿iu;¡þTÔ}M³+Cw=£I;`Šdߤ×5rJ1`âgÿè=J‡Ò¢ÚT›rÙõŒJ¡ëÔUà©R·ÔU×3ZŠ…Lj tVYëER¹®g´ ©õP(¡J¸®g´C å¥ÒJi×õŒ–¢”j¨lEU+YnºžÑ¤u–öïßÌÆLùÀó”VcÚjDœªrjBMíS»À„êu––¸}š–už–n×ø)-=è^ø<-=4ê$-=0ê4-=l2á,-})Ëéw9iöûªÈYó$ßen ÎÒÒ—ÒļG 0gu̇~œ"‘îU`n"ûƆx^Ç´ÆMÈ1@Í]¨öô`‘8`Îê˜9³#¶È{ºO«¶>ÚªKdöçuLföû¬øÔO°q»GµÌþ¼ŽÉE,º>æØ>®•ç]“tZÔ1™ÖÄ<Ü‹:q‹ni7€guLÞÙ °•;y¯ D!²o˜ãy“wˆ‹;µúI´ ñ²œ4ånÇ@6WÊM%„:žUêuÖ\éœB_Gñ·ÊÝ×PgÍ•J …:m®t®J뺮? Öl™ hš¶ Nš+R%J+íQÑÃÜà1 Nš+²VJŒuˆû“/ìÃC¶:i®\H¡”VŸPm@æÖ7Ü>‚:k®TR]DyDfÈ@5W*QeY-Åç<Ø {ŸQlM, É‹ïœùJ]x¯p˜X‡=²ŸLøƒ£ÚQu_¨áîL¸_«>÷Â7l5|ŠäàSâgBM¨)Ï>åÙ'Ô„•-Ûo-Òc Õ(Wm¿-T½£äa?ßm¿ÅpÝYRˆe’è¬tNlVÊU-W‰¬†Amt¹,•vBW«…JQUK= ªLJU&•Ú-µεËlUêR¥J8¥Ýr!´p®¦É¹R—Ê)­µ®– ¥hE&7«v•I—¸z•¥UÝŠU²ïý"Zt/Ó‡ŽÁñP­Ù³®Sœ|u'²ß_=.ßÞ5þQZM»ÆkøµJ¤âãPݯã0(1Jo–i¦\•ŽJ*½Qe²PåZéRUjQ»l¥K•¨… UªÅÙe·‡W¸×tV&ÚM[giuz\sJ=þ{´úAšØøãÔ¸»ºÕDÀ}–±%ÀC÷Å#Éo>^dF´Kï3ËÁŒg§n<±îŠ†`Ü]ÝÊĶ0Š†ÈŒo=  ·hˆ· »«[Ø3¢!Ž”[¢ØÃ9|`î5ÃîêVÙ3 36Ä–À÷ƒê5îP¦a ¶TDh‰˜ˆ-Æ>P;M,ãîêV&¶Ä€x@õ€bfkˆx‹@´»ºµC1šŠú@ϼ%2ÜÆÝÕ­&š­1¶D&ö7€ç·Uò¥²®lÔƒg»7û&³ºÒ !ë¡P*Ùm±¥tB8qþ¿ôŠÒRíçüj°ÔB¹j#ëT‰$­–I²iUeŸ^á®­¹3A‹d¡Ò¥.•‰ÚèÒUIrèGì¥t­—ºUB*Uf¥P*©?µ Ðþ†Vã}ˆwÛj¡t霥R¥–B©D¸ 1°»¡•9ÝéJ-”^ŠRJ™¨R—J]À¶énhE^ß‹’U–¶õ¦JE,7›U²ªTµ¿\àt·HdšØ˜æ‘hqÜ_÷.˜DÀ"s {Ü¢újwC+Ç»lu\5w ˜ìÓõ'¸»¡Õð=¸j«‘ÂílÄ…ôxZÚjøùªuj%ÛR'é°gN3ªj𢒣¡Ê$-Ëj™Èåà¨V&z©7z™¯•Tz%Êl9‚­¤Ò®*µU£–ºÔiu˜d•´Y[nVrë¾n–Ùˆ)ýñ´úþ$Ò³N5ü 5:j’I&™d’I&9¬lÿšÝúÈÿõƒšÏþ¹ù‘ç~P/O¿ºú™õƒzýê©/Ôlöô÷ì?Ï×ïvz~š½ÿÕþ={ÿëõQÔóÓë?_úÆû|þ{>ŸÏ÷ Uûk6ûÒ/~¿ÌçÏ¿_z@½Î¾DÍæO/³—ù£F{yúu õÒj>›Íž^ÍfןóŸù|þ2{™Ï_Ïÿ¼þýüϯëÞõ×ûìý÷Óëìý÷Ó$“L2É$ÿjù ^>;—â.UIEND®B`‚images/ssl_intro_fig2.gif100644 0 0 5214 11256637627 13105 0ustar 0 0 GIF89a¬Ù³ÌÌÌÌÌÿÿÿÿ™™Ìÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ!þGIF SmartSaver Ver1.1a,¬ÙþPÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ pH,ȤrÉl:ŸÐ¨tJ­Z¯Ø¬vËíz¿à°¸E(›Ïè´zÍn»ßð¸|N¯Ûïø¼~ϯ%‚ƒ„…†‡ˆ‰Š‹Œ‘Ž’•–š›œžŸ ¡¢£šS¦”—«¬„ª­°—¯±´“¤·¸¹¸¨Q¼b³µÁˆÀÂÅ®ÆȆ™ºÌͺ¾OÐ`ÄÉÁÔÕµ×Ø°ËÎÞßžÒMâ^ÚÛ¬æç«éê•ÝàðÞäKó\ìí‘÷ø˜ûÖñÿÎê%¨Eß03ƒÎ2Ȉa¿D*H1Á#±DLxLU þÃ$Ò)²QÅ“£2Qi…䬗ÅH–”)ñÊ››XÑIEf™B?9 £Y³d+›8oò ²T Ñ  jt]ÕuI³húƒ+”©”…zÕjYwZ“zí±Ö‰ËŽpÉF…ªpìAJ`.ªÛ¡ÝTïM‹³íÃL|úíÍÈÀã»°Ú5#C´«-RÂÿç­$o;ÊzS‹K·ñâŸR¡^}LõdÎ 36÷4<Ò7€#1­Îã+ÙÄ€é¦Ì<7îÚcÞܼ²î†¾O ¯±Ýñs/¥W¾M;6lŽÌùŽß+þ¯j©»5»–½b÷÷‰|ß–œµ`èòþˆ5÷ÀD`]ò­çY}僃Bì‡ jÖIVž‚cWa_ÏÍf[‚ BWauóMÆ @¾"0yØmÿMâÊk~9]B‡š†‹¹8ck®õx\†×q8X@œ,ƒÆVg”bÆo# ÁEM­ØŒ µ¸™$µ×Yh!™S’¼ÓMo»”P•$X郖œ‰—f}4'|qö¦z1‚yd3f’)h)c~Ã4f"À$š¨n²¥Œ$Òàrèu¨œŸ\rŠ‰«òÊß>ƒp£ë.ŒÊ££û0Å€à sÍ8t™ÌtzÙiÝ–,´Æs 0|æ1†ôÓ5 |b<í¦ÀÏ9g€upÙnY²´L3^x3±ÈY]¥$Ú25”NÁê32@KF«Bbèþâ¨÷ßö–ÑÛp÷"w×ÿm:íŠÐjÛã}RH'´€J¸¡ÿ§Žx¯;ª/µz>­¾‘n륔»}y@™7ÛпJ¿˜Ï¤ÍÙt‰éôÓ¤›m·ï5Ê«³·ë$ Þ»ìüŒ,W¿›U¼ñ†#ßxŽ· $Ô'3ÿ¼%sÓòôŸT‚ù£ o¼l§î}ô_#>>ùe¶>†g¯™^ùçÎï|¶ó£_Nì÷‹þi*C©kÛû྘Ð" ƒg.´¡öÍ€ÑkàP˜¦ãÝÏ€¹rÎî´g+ nNƒþà )ÐgrÍñ“ ¢ÂFp3üsÀºÐaÖc`uè« ð‡QÒ Qh Ö0%7üÃC'>1H„”þý7E*.ñŠXŒb9ªHÆ/‚±|bìB¹1Ä5åŒhôà/ú@Ç:ÚñŽxÌ£÷ÈÇ>úQè¢ IÈBÊ/†L¤"ÉÈ !²‘Œ¤$'9ŒGRò’˜Ì¤ YâFMzò“ lœ%CIÊRš<£<¥*WÉJY¤²•°Œ¥,òÊYÚò–¡ä$.wÉËOê²—À &$)Ìbs“µ<¦2—é)b2ó™Ð<‹3£IÍjîcšÖ̦6Å—Ìmzó›îè&8ÇIÎɈ³œè$'6Ëi£Y}Œv|ú'š<~ú«H…\VCÚSU£a¥æXZÖ´:µ­]UP@iÚV¬æªÞÜ(Gù´Ô4|ôG!œÕlê;élo7?B,ÚWŸZÖ˜‚½¬f™™ÙÍz¶˜ý¬hyÚÑšv–¥=­jY™ÚÕº¶”­}­l=ÛÙÚ–’µ½­n™ÛÝúÖ½ý­pÛXÙáw‰Å=®ryÿÐå:W‘Á}®t÷”ÜéZ·*ѽ®v’Ýíz·8Õý®xyÐ?š÷¼èM¯z×ËÞöò ˆ¯|çKßúÚ÷¾øͯ~÷Ëßþú÷¿°€LàøÀN°‚<_N2øÁŽ°„'Lá [ø®°ƒ3Ìá{øà ±ˆGÌß “øÄ(N±ŠWÌ⛸Å0Ž±ŒgL㿸Æ8αŽwÌc߸Ç@²‡ÌâùÈHN²’lä%;ùÉPŽ²|›,å*[ùÊ9¦2–·Ìå.‹XË^³˜Çü`0“ùÌhNs‰Ñ¥æ6»ùÍ÷53œçLç+˹ÎxÎs’ï¬ç>ûyÇ|þ³ mc6þÉjh°}†C/9ÐŽ¦1ê;é)[ºÁ‘F´¡3MäJ_Óðt|EÍi CºÔ6¦/©AýiT÷øÔ®V1©WÝêPÇÚÔ›¾5 Uß4èúÕ¹þ5ŽgÝka ÖÆ1±ymëd¾Î®ñªEíiZG{ÆȾ6‡iÝèZkÛÁþ¶¸µíq›{Ðå>·ºõœîu»{Îí~·¼ÕïyÛ{Ìõ¾·¾¹œï}û»Êýþ·ÀðüÈ?¸Âq í…;\Ì ¸ÄÁÝð‰[àᾸƕñ{üËÿ¸ÈŸÝÒ‘›üØ!?¹ÊeÜñ•»¼Ì)¹ÌOÌI÷Úüæ8ϹÎwÎs5Äÿ|æ@q˃Nt½èHßïÑ“Îtû.½éPõÏ£Nõ?½êI¿:Ö‹®õ­½ë^Ÿ9ØÃþò±“}åf?ûÉÓ®ö‘³½í;Ü7.÷¹_¼îvŸ8Þ÷]m4ä}ïú®6³áø{ žÕm/¼½ïm²+~ÞŒµÝ/ï¾w{î”wäóê©G}ó÷<ÔA?yÑ7ô˜7=çÞùÕû»õ®¼êc_uØÓò³¿ýès¯{¦Û¾÷ëþ=ðÏ-üá»øÆÿ6ò“íå3ßÙξ±£/ý_S¿ú·¾>ö]­ýí—ºûÞÏ4øÃïèñ“ŸÐ5ï¹ú×Ïþö»ÿýƒ•üçOÿúÛÿþ.øÏ¿þ÷Ïÿþûÿÿ€8€X€x€˜€ ¸€ Ø€ø€8X?;images/ssl_intro_fig2.png100644 0 0 2270 11256637627 13123 0ustar 0 0 ‰PNG  IHDR¬ÙŽ~YsRGB®ÎégAMA± üa cHRMz&€„ú€èu0ê`:˜pœºQ<PLTEÌÌÌÌÌÿÿÿÿ™™ÌÙi®- pHYsÄÄ•+IDATxÚíÚQ’¢0à_ÊßíÞš†·±šÄBÔç¬%¾ßÏÒ”³¦ASó¼éU–mb ˆˆ2c½»x’ôœ•‡œóP^ßë­šØA…PË7³šÞzpm Ó¥œ‡œ¥ï±–ÄFéªÚ[øQÖ£$œ†<Ì]µÅÊÓ0 Z¶>e­‰ˆàÕ ¬õ-ﮪ+ÖòaÜUÿ¯³>„Ò0dMuëóA¸&v ÑFFí8¶ÕkÞø>kДóMyú[Öóšɨ5n™ÊN3o "(ª|Am±Þ0m~‘¬5n)—‚÷Š%¢^©±Þºí³‚ojr©”Ñî¬×V¬,‰µTÍÛ å8¬rŸMÑàÖ ¼bíaJ·SÛû-•È(·¼e¼mEF©‹ñÓ‘ñuÖ<÷n³¶æ\áÉS H(¨Ú)]°Ê%ˆ€ê}ïÑŸªÜÎ,v ü,õÄ‚‚#Ãÿd5Ë,³Ì2ˬŸb©«öBo¨Ñ,³Ì2Ë,³Ì2Ë,³Ì2Ë,³Ìz3KŠòuW±ù¬‡ë|ñ9Ð?`ÍËr¹®þâ6ëzaï!Y ²$6ÅÌ •Å¯Wì”UßV]χ!”e»DÝ)_­Ä>¯­¨ow,Ô³æ:㊅³Ê½e}‰¤¨keoX%VÚÇáÜ[eaåMoá8¬ûÈ`Ÿ¬æÜg·Y»ŽŒy:.ñ}Àc x Êê–ý¼kB³Ì2Ë,³Ì2Ë,³Ì2Ë,³Ì2ë—X®þSGíd–Yf™e–Yf™e–Yf™e–Y{dIÓIc:IcG½uJ)é”Ne³#Ö)¥4öÉJfŠÕ]d̽•úŒŒÎXsÀ÷Æ:iìåšÐ,³Ì2Ë,³Ì2Ë,³Ì2Ë,³Ì2ëË«?=Í2Ë,³Ì2Ë,³Ì2Ë,³Ì2ë¯Û˜$õÈSÍ2Ë,GÆ×{Ë,³Ìrñd–Yf™e–Yf™e–Yf™e–Yf™õ»¬NWö×Ì2Ë,³ÌJ)™u˜ördî.ÐÖIEND®B`‚images/ssl_intro_fig3.gif100644 0 0 7664 11256637627 13121 0ustar 0 0 GIF89a§C³ÿÿÿÌÌÌÌÌÿ™™Ì™™fff™ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ!þGIF SmartSaver Ver1.1a,§CþÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ pH,ȤrÉl:ŸÐ¨tJ­Z¯Ø¬vËíz¿à°x¼5˜Ïè´zÍn»ßð¸|N¯ÛïxùDžBÂê&l´ ýÙ´·r[–žÇ"Ûë²N¸ÐµÂÍ8l´2aËî‘×öÓ°íb›²uÒ.¹™¶Új·ÝÚ‹îÀëroÀ.Œp¼\Þ°o¬üRÄèyW\pD ¯ÅwœðÅæYó°¿®FŒÚÄܱ»/L¬Ë)ÓËñ½Ì怯ɥ¢ؼ3«üqn÷,óÐ0óss°6ã4¶¢+„Ÿ IÈÂe¨ð„Z3Ç è)WÌP„,±!+pH£ã%ωážX¾CE‰X‘bX\iþ€.ÊÖÉÈ/ äAí d.aì`kÆ¥ˆq#HÓƒ³—muq‡vL—xê8­-§4ÅÁÅP3™ÇÈF-fäScH”,ЃE)$mÖØŽ'r'AuÜÖy¶ÈÇtAK“=1pög ÛÌf’CI$$]cH Úã‘j!d+ãø=PeF>žœÖò†³ÇÞ`”œôå/ÑFI2’†Ö#!›sÈT²q•t9¥#GÊN=ä¡(;IÂ^Α›†Ù[#Mì¨2–¬ !-]IÎcN³¼¼$8»óË óž½ÜÎ7÷¨ËR®Ò˜lif&b¨‰vô´Pæ"êJaôç“ YÕCÆþ3Ñ]ö<(q0 1çyÓ‹.ŠÉHFD±˜ÓÉ9ŸéA7Îr¥Ìk¨>J¡š†Ú“é˜8ÆLšq÷N¬bc¦ÇÖ«±Ã„ìã¬mؾßCr]ŒáÄÙÇLðg‹ì°Â)9½RÕ1•eexy^˜¿æ1‹¹Ìh&³šÏìå+?êÆ®«'•ÜÜ3Û9ÍlÎó×¼g:Š0"Æãœ[x=þãyφæó¡àç>=9Ç‚¾Ë£—áe„ÙÒ•¾´¦3Íi`ÚÓ›öt£ù„(R«;XĘy,i‹z§šÅÆ¢MëDÛzÔwjÒo¶òGßh&Šó¼¤œ¿sOl úس¶uŸ¬ë`ƒó*!‹¶‡íìYÙúÓØu¶;ýi0ãÚNÍÆç´7ÉkØJÔ›û·µAÝid×ÚÝ¢f6WÔϾj¸ìæ«‹m»dÃûßxþ6¸÷]oÞ`óŠ׋z îIÛüÝþÞ´À¾jŠr“0ªæh;Õ_ÇÓÚfGÎíP{{˵|s»Mqˆyâe›´Šºìre·<Ï0ÿšÌ—å£ÿ<×(ûù’…+ô¸¬èC':ÒÃÊÜ¥§ÕhN/+Ô£ÎÕ*Q«V¿úûR’s­Û(L^Ï©XÃ^ 훿û_:‡·èhý¶IÚüðG—ÔßëoZ.LþðÏ¿ü±Dÿ<¶?æå—ú'o§FE·\Ú!€ ¸QrG‡kág2F£€È€KyRNv'*NBh³‡y@b!ÈeÒU‚&_(è+浂§Ò‚.*0ƒš2ƒ4X)6xƒov‚:)9؃ƃ@ˆ(?8„¤&„FèhH˜„p"x‹zLØ€s7‚P…UU…‚Vˆ7XQZ¸…@Àx·`x:âäseˆ68ô…iˆ*gȆmø|H‡¥Ðsv‡1hxè‚zH‡MæX~(z„ˆ"HnO•9„Hw£qsgsm†ˆ‰hW,r$Çn–¸m—(qÜ…8‘¨W9a‰Šÿh¦}f‡>S˜}{è5'Šïv&ç7vKU3«Cª¸f˜x‹•ˆ‰ïœSq3'h(‹£A‰«Èˆi†˜uásQÅEÁº!Q<ŒÙ7 hŒÅHf\÷ÚUvæâkGOþWdaþŽ˜ŽP%È}~‹;ÔG•p —MˆEsy†‹%·™øˆÖÐŽ¯t¾XAÀ4êæ…õW‡ƒAŒéÈŠlÖÇ5ñ˜M­FúwÓÕe"‡Ž¢È9€éÉO*´*ãÔh,Ö¨Ž¹ø’/—-w0’¾Ã;Ø$^‘Q±Æq8B…Y‰$v€fraÖjCÒ‡1fIxB”ÿY—Ó”¶s‡? •Tyƒ{X•N‰•;¨•>È•]镉r•`b9–f–Gˆ–J¨–iÉ–àæ–@—qR–rIyuI&ty—¨§—k—n(†,¶—~I~I{ƒ)‡,i˜‡Ym‚’;axY¼¦˜‹Y˜b.?ƒ™§hO&2¢&:£(Z£ Z£*Ú5ötpu(Àh<¤:¤BZ¤Dz¤Fz £¨Q;jMÙCôc<4z£Vz¢7ʤ+ê¤= ¥Ðen™D} (£6Š¥fZ¥'ª¥2Æ¥ö÷qö2J\$Oº°rhZ§ej§¨¦8`”> AÒ†“õ€Ô3 P¨Jj ‡š¨IŠ¤Œº¨Ž:¤z:dl ŽwKZH¦WŠ§gz§é©r6¦“0ŠGŸ$øe`‹º©žÊªˆªÔ¥”ÊŒ§ì×'Q£Sl5K³¶º¨o)|Õ΂MtZ½f·Ýka Ìëw;ý.×ãë|?@<Á=»Aþ¼@Ä¿ÆÅCº³7ÊJËKÌL§ž1O°-¯PÐ2®Q±S2šIÍV×WØØ‘ÒžZÛŸ\([]Þ] Ù`áaâ7ƒcädåeæfçgèhéiêbëkìlímînïoðpñqòrósôtõuöv÷wøxùyúzû{ü|ý}þ~ÿ€3D;images/ssl_intro_fig3.png100644 0 0 5010 11256637627 13117 0ustar 0 0 ‰PNG  IHDR§ClÜ?sRGB®ÎégAMA± üa cHRMz&€„ú€èu0ê`:˜pœºQ<PLTEÿÿÿÌÌÌÌÌÿ™™Ì™™fff™Q< pHYsÄÄ•+ PIDATxÚíKrã8 †±Âž qÍ’T S57ð¬Á¤û¿ÿfAêMK”¬É€julYqø Q@iÓ¦M›6m?°1Nor<”9½)T©PŒÞkáÞǘÉqP¶yáŒ1a‹;J(ö…ÎcœímÙ …žpâ/ý;Œ¥wŒ¤Ü`Ë3P,+ Cˆ!à77PChQy¥œ¬uÆÂX笳p€uÏ©XˆÁÂ`aa„ÀB~X{ð‘Ÿ„²ÆYg³ÆYç¬qÆkµÏ@ùîJ·€ˆ”´PÄÿÿ®’rÖXãŒqÆÊoÙŠ%  pIµPÎ×ÃÜL¡@1(ÿéÐíïe³êgž…Q°§žME XŽ2€3Ö5ŽÂXÀÓPïÐò„…°¯MÅ<¼Ûc˜4,aR•P«@é(ý4¨¯|··¬;·™‰ëc^ÃÕqŠHˆêR@öD\•„•«2¨U‘Y¡•V=fÅÔÃázœDOF¨ÆIÄ~–oP=˜ ü:&+߬xª†Å›U_Õâ/ v£×E›r%LCCNbjHR¾“˜b”iV“^ˬOèÐì-ÞC‘xei®µ†Qׄ;H‚“H¢¼ŠGw$ñdQA‡b&˜þI#1 ÃCAˆYXH@Lþ)äleͱ;Ʀˆ…„„ýSòo„Iû‡C¿—ÌÄ“8–Q0i–îM€¢°¥Ûg¦³’à!O€bô8€%¨Öe‚¡NUÀ%CIQJ¢’ší©¤9Éá¸g- !÷¥S¿G:%+¶©~"„¦Ã bb{ÏGzï÷ÐN$màqõ9kÝ¡—}¾¤•«i/¸ Yù¨ û‰0×K¨´¾g~2Û=ÙÍl¯»Ï²æÃœ/î±™X ešíx¶fÅÏè&è$–U å9‰„¤<ƒZî5—È´( ”æ$öÐÏìœDRŸ³òë’rŒËi2œ“˜’rD Ùp%&*%#J&*È{B­Jå:Jö„’<´/íè2Ò¾L T§¡\îa0v=FûªÚrëzJtöåQÜIiÖCM¶»x½»:Þþ)(³TTCCv‘<¡…aÊ%CÙ.1vÊF2LeØEÄ¡d²ƒâ¡œIƒ2OBñc¨‰¬2‚(ä÷|îžÿ½ÍÚBù?Èà¼áF©¡Æ!äŽ/AÁ‹É®S(뜵nYýz¹ˆbA 5ÈÁìr=”„ìž$ÝðˆZãÌ89ß3嬳ÎÎCM %µP­£B ¡BJ&fÔÏF;‡²‰P>ßt^R,ÄÀJ¼X„¢9õÃ*(`/(jÌd+Ô`äRŽþcI™=¡¢6E 6EË6ÕHÊí¨~6Šeàý¨õ~DÏ{?[ý!˜Q?kìý¼ës)ÞoªÄa’«oìçj„²8}”^åõÔ±Er¹ûÌ ¥P ¥P ¥P ¥P ¥P ¥P 5ì,*„’į. ŠS»[A|æ³3Á§¨ n‚Åäs÷„…‰¥Í*âÒ¡Ú´©&Uj„Q<P¼úñTRá/–ª~>q­…’A¦^±PŒàýHH˜…˜Š÷~É'#…R(¥+”B)”Be ÅÉÁÙBñå‘ék‚w­Š.šX“DS%Tê­Ä*¡øò –GµJ¨ÔóO•Pe “(s¨òJU$´¯—·ÈrTšÏõQë>V;)Ñöûå5²œ…¤NŽ –ã+&¨·“ ó›1ÀOø¥¯ÛKd9Ê×lJkAü¿6¿IoiËo!o›b¡Â®ZÈœên¡ÐdFälST?™~С.Meø‘fS¿GËÛµP¾x¥Ï|Ûu{¹Mu»XR~„ÅhSÖB]zže-Ù”6·_ÙBÅÓ,“–jÑ|ýW@†²[f¢ÏDRÍlÁ~¾àþ¬Ámíòßöý¹¹ýÚ*T_~…"%5† µ‰CµìU¥+ò…’&›¯É!]uË ªç(àó.!«¡þ¼¿¼~6ëšöï1’¢¶¸yHÙ6Eã Ù&1vÔ-/—Nã ÙÍ6­ú}2”/¾Þ©Ðó~«NÂßïïÍú±bÍxìwk¥tÓ±_öP¬nƒwók¾P>Þ?Þ;«êÛ×ÒúK%u2Ô­:›ªò…6mÚ´iÓ¶Sûã[íá„IEND®B`‚images/up.gif100644 0 0 71 11256637627 10542 0ustar 0 0 GIF89a €ÿÿÿ@Xq!ù, Œ©Ë âŠ4Ñ{®n¼£;index.html100644 0 0 14236 11256637772 10250 0ustar 0 0 Documentation du Serveur HTTP Apache Version 2.2 - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-

Documentation du Serveur HTTP Apache Version 2.2

Notes de version

Manuel de référence

Guide de l'utilisateur

Recettes / Tutoriels

Notes spécifiques aux différentes plateformes

Autres sujets

install.html100644 0 0 55355 11256637772 10616 0ustar 0 0 Compilation et installation - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-

Compilation et installation

Ce document couvre l'installation et la compilation du serveur HTTP Apache sur les systèmes Unix et similaires seulement. Pour la compilation et l'installation sous Windows, voir Utiliser Apache HTTPd avec Microsoft Windows. Pour les autres plateformes, se référer à la documentation par plateforme.

Apache HTTPd utilise libtool et autoconf afin de créer un environnement de construction similaire à la plupart des projets Open Source .

Si vous effectuez une mise à jour depuis une version mineure vers la suivante (par exemple, 2.2.50 à 2.2.51), veuillez passer à la section mise à jour.

top

Aperçu pour les plus pressés

Téléchargement $ lynx http://httpd.apache.org/download.cgi
Extraction $ gzip -d httpd-NN.tar.gz
$ tar xvf httpd-NN.tar
$ cd httpd-NN
Configuration $ ./configure --prefix=PREFIX
Compilation $ make
Installation $ make install
Personnalisation $ vi PREFIX/conf/httpd.conf
Test $ PREFIX/bin/apachectl -k start

NN doit être remplacé par le numéro de version courant, et PREFIX par le chemin du répertoire d'installation. Si PREFIX n'est pas spécifié, le chemin du répertoire d'installation prendra sa valeur par défaut, à savoir /usr/local/apache2.

Chaque étape du processus de compilation et d'installation est décrite plus en détails ci-dessous, à commencer par les prérequis pour compiler et installer le serveur HTTP Apache.

top

Prérequis

Les prérequis pour la construction d'Apache HTTPd sont les suivants:

Espace disque
Assurez-vous d'avoir au moins 50 MB d'espace disque disponible temporaire. Après l'installation Apache occupe approximativement 10 MB d'espace disque. L'espace disque réellement nécessaire va varier considérablement en fonction de vos options de configuration et de la présence éventuelle de modules tiers.
Compilateur ANSI-C et système de construction
Vous devez disposer d'un compilateur ANSI-C. Le compilateur GNU C (GCC) de la Free Software Foundation (FSF) est recommandé. Si vous ne possédez pas GCC, assurez-vous au moins que votre compilateur soit compatible ANSI. En outre, votre PATH doit contenir les outils de construction de base tels que make.
Connaissance de l'heure exacte
Les éléments du protocole HTTP font référence à l'heure du jour. Par conséquent, il est nécessaire d'équiper votre système d'un dispositif de synchronisation du temps. Les programmes ntpdate ou xntpd, basés sur le protocole NTP, sont couramment utilisés à cet effet. Voir la page d'accueil de NTP pour plus de détails à propos du logiciel NTP et des serveurs de temps publics.
Perl 5 [OPTIONNEL]
L'interpréteur Perl 5 (les versions 5.003 ou supérieures conviennent) est nécessaire pour l'exécution de certains scripts comme apxs ou dbmmanage (qui sont écrits en Perl). Si vous disposez de plusieurs interpréteurs Perl (par exemple, une installation globale Perl 4, et votre installation personnelle de Perl 5), il vous faut utiliser l'option --with-perl (voir ci-dessous) afin de vous assurer que le bon interpréteur sera utilisé par configure. Si le script configure ne trouve pas d'interpréteur Perl 5, vous ne pourrez pas utiliser les scripts qui en ont besoin. Bien entendu, vous pourrez tout de même construire et utiliser Apache httpd.
apr/apr-util >= 1.2
apr et apr-util sont inclus dans les sources d'Apache HTTPd, et peuvent être utilisés sans problème dans la plupart des cas. Cependant, si apr ou apr-util, versions 1.0 ou 1.1, sont installés sur votre système, vous devez soit mettre à jour vos installations apr/apr-util vers la version 1.2, forcer l'utilisation des bibliothèques intégrées, soit faire en sorte que httpd utilise des constructions séparées. Pour utiliser les sources de apr/apr-util incluses, utilisez l'option --with-included-apr du script configure :

Note

L'option --with-included-apr est disponible à partir de la version 2.2.3

# Forcer l'utilisation des sources de apr/apr-util intégrées
./configure --with-included-apr

Pour construire Apache HTTPd suite à une installation manuelle de apr/apr-util :

# Construction et installation apr 1.2
cd srclib/apr
./configure --prefix=/usr/local/apr-httpd/
make
make install

# Construction et installation apr-util 1.2
cd ../apr-util
./configure --prefix=/usr/local/apr-util-httpd/ --with-apr=/usr/local/apr-httpd/
make
make install

# Configuration httpd
cd ../../
./configure --with-apr=/usr/local/apr-httpd/ --with-apr-util=/usr/local/apr-util-httpd/

top

Téléchargement

Le serveur HTTP Apache peut être téléchargé à partir du site de téléchargement du serveur HTTP Apache, qui fournit la liste de nombreux miroirs. Il sera plus commode à la plupart des utilisateurs d'Apache HTTPd sur les systèmes UNIX ou similaires de télécharger et de compiler la version sources. Le processus de construction (décrit ci-dessous) est simple, et vous permet de personnaliser votre serveur selon vos besoins. En outre, les versions binaires sont souvent plus anciennes que les dernières versions sources Si vous téléchargez une version binaire, suivez les instructions décrites dans le fichier INSTALL.bindist inclus dans la distribution.

Après le téléchargement, il est important de vérifier que vous disposez d'une version complète et non modifiée du serveur HTTP Apache. Vous pouvez le faire en testant l'archive téléchargée à l'aide de la signature PGP. Vous trouverez les détails de cette opération sur la page de téléchargement ainsi qu'un exemple précis décrivant l'utilisation de PGP.

top

Extraction

L'extraction des sources depuis l'archive Apache HTTPd consiste simplement à décompresser et à désarchiver cette dernière :

$ gzip -d httpd-NN.tar.gz
$ tar xvf httpd-NN.tar

Ceci créera, dans le répertoire courant, un nouveau répertoire contenant le code source de la distribution. Vous devrez vous positionner dans ce répertoire avant de procéder à la compilation du serveur.

top

Configuration de l'arborescence des sources

L'étape suivante consiste à configurer l'arborescence des sources d'Apache HTTPd en fonction de votre plateforme et de vos besoins personnels. Le script configure, situé à la racine du répertoire de la distribution, a été conçu à cet effet. (Les développeurs qui téléchargent une version non officielle de l'arborescence des sources d'Apache HTTPd devront disposer de autoconf et libtool et exécuter buildconf avant de passer à l'étape suivante, ce qui n'est pas nécessaire pour les versions officielles.)

Pour configurer l'arborescence des sources avec les valeurs par défaut pour toutes les options, entrez simplement ./configure. Pour modifier les valeurs des options, configure comprend toute une variété de variables et d'options de ligne de commande.

L'option la plus importante --prefix est le chemin du répertoire d'installation du serveur HTTP Apache, car Apache doit être configuré en fonction de ce chemin pour pouvoir fonctionner correctement. Il est possible de définir plus finement le chemin d'installation des fichiers à l'aide d' options supplémentaires de configure.

À ce niveau, vous pouvez aussi spécifier de quelles fonctionnalités vous voulez disposer dans Apache HTTPd en activant ou désactivant des modules. Apache est fourni avec un jeu de modules de Base inclus par défaut. Les autres modules sont activés à l'aide de l'option --enable-module, où module est le nom du module sans la chaîne mod_ et où tout caractère de soulignement est converti en tiret. Vous pouvez aussi choisir de compiler les modules comme objets partagés (DSOs) -- qui peuvent être chargés ou déchargés à l'exécution -- à l'aide de l'option --enable-module=shared. D'une manière similaire, vous pouvez désactiver des modules de base à l'aide de l'option --disable-module option. Faites très attention en utilisant ces options, car configure n'est pas en mesure de vous avertir si le module que vous avez spécifié n'existe pas; il ignorera tout simplement l'option.

En outre, vous devrez peut-être fournir au script configure des informations supplémentaires sur le chemin de votre compilateur, de vos librairies, ou de vos fichiers d'en-têtes. A cet effet, vous pouvez passer des options de ligne de commande ou des variables d'environnement au script configure. Pour plus d'informations, voir la page de manuel de configure.

Pour vous faire une idée des possibilités qui s'offrent à vous, voici un exemple typique de compilation d'Apache avec le répertoire d'installation /sw/pkg/apache, un compilateur et des drapeaux particuliers et les deux modules additionnels mod_rewrite et mod_speling qui pourront être chargés plus tard à l'aide du mécanisme DSO:

$ CC="pgcc" CFLAGS="-O2" \
./configure --prefix=/sw/pkg/apache \
--enable-rewrite=shared \
--enable-speling=shared

Quand configure est lancé, il peut prendre plusieurs minutes pour tester la disponibilité des fonctionnalités au sein de votre système, et construire les Makefiles qui seront utilisés par la suite pour compiler le serveur.

Vous trouverez une description détaillée des options de configure dans sa page de manuel.

top

Construction

Vous pouvez maintenant construire les différents éléments qui composent le paquet Apache HTTPd en lançant tout simplement la commande :

$ make

Vous devez être patient, car il faut plusieurs minutes pour compiler une configuration de base, et cette durée peut varier considérablement en fonction de votre matériel et du nombre de modules que vous avez activés.

top

Installation

Il est temps maintenant d'installer le paquet dans le répertoire d'installation défini par PREFIX (voir plus haut l'option --prefix) en lançant:

$ make install

Si vous effectuez une mise à jour, l'installation n'écrasera pas vos fichiers de configuration ou autres documents.

top

Personnalisation

Ensuite, vous pourrez personnaliser votre Serveur HTTP Apache en éditant les fichiers de configuration situés dans PREFIX/conf/.

$ vi PREFIX/conf/httpd.conf

Consultez le manuel du serveur HTTP Apache situé dans docs/manual/ ou http://httpd.apache.org/docs/2.2/ pour la version la plus récente de ce manuel et la liste complète des directives de configuration disponibles.

top

Test

Vous pouvez maintenant démarrer votre Serveur HTTP Apache en lançant:

$ PREFIX/bin/apachectl -k start

Vous devriez alors pouvoir requérir votre premier document à l'aide de l'URL http://localhost/. La page web que vous voyez est située dans le répertoire défini par la directive DocumentRoot, qui est généralement PREFIX/htdocs/. Pour arrêter le serveur, lancez:

$ PREFIX/bin/apachectl -k stop

top

Mise à jour

La première étape d'une mise à jour consiste à lire l'annonce de la sortie de la nouvelle version et le fichier CHANGES dans la distribution des sources afin de déceler toutes les modifications qui pourraient affecter votre site. Lors d'un changement majeur de version (par exemple de 1.3 à 2.0 ou de 2.0 à 2.2), il y aura certainement des différences importantes quant à la configuration de la compilation et de l'exécution qui nécessiteront des ajustements manuels. Tous les modules devront aussi être mis à jour pour qu'ils s'adaptent aux changements de l'API des modules.

La mise à jour d'une version mineure à la suivante (par exemple, de 2.2.55 à 2.2.57) est plus aisée. Le processus make install n'écrasera aucun de vos documents existants, fichiers de log, ou fichiers de configuration. De plus, les développeurs font tout leur possible pour éviter les changements entraînant une incompatibilité dans les options de configure, la configuration de l'exécution, ou l'API des modules d'une version mineure à l'autre. Dans la plupart des cas, vous pourrez utiliser une ligne de commande configure identique, le même fichier de configuration, et tous vos modules continueront de fonctionner.

Pour effectuer une mise à jour entre deux versions mineures, commencez par trouver le fichier config.nice dans le répertoire de construction de votre serveur installé ou à la racine de l'arborescence des sources de votre ancienne installation. Il contient la reproduction exacte de la ligne de commande configure que vous avez utilisée pour configurer l'arborescence des sources. Ensuite, pour mettre à jour l'ancienne version vers la nouvelle, il vous suffit de copier le fichier config.nice dans l'arborescence des sources de la nouvelle version, de l'éditer pour effectuer toute modification souhaitée, et de lancer:

$ ./config.nice
$ make
$ make install
$ PREFIX/bin/apachectl -k graceful-stop
$ PREFIX/bin/apachectl -k start

Vous devez toujours effectuer un test de la nouvelle version dans votre environnement avant de la mettre en production. Par exemple, vous pouvez installer et exécuter la nouvelle version en parallèle avec l'ancienne en utilisant une option --prefix et un port différents (en ajustant la directive Listen) afin de déceler toute incompatibilité avant d'effectuer la mise à jour définitive.
invoking.html100644 0 0 23437 11256637772 10770 0ustar 0 0 Démarrage d'Apache - Serveur Apache HTTP

Modules | Directives | FAQ | Glossaire | Plan du site

Serveur Apache HTTP Version 2.2

<-

Démarrage d'Apache

Apache est habituellement lancé en tant que service sous Windows NT, 2000 et XP, ou comme application en mode console sous Windows 9x et ME. Pour plus de détails, voir Démarrer Apache en tant que service et Démarrer Apache comme Application en mode console.

Sous Unix, le programme httpd est lancé en mode démon et s'exécute de manière permanente en arrière-plan pour gérer les requêtes. Ce document décrit comment invoquer httpd.

top

Comment Apache démarre

Si la directive Listen spécifiée dans le fichier de configuration est à sa valeur par défaut de 80 (ou tout autre port inférieur à 1024), il est nécessaire de posséder les privilèges root pour pouvoir démarrer apache, et lui permettre d'être associé à ce port privilégié. Lorsque le serveur est démarré, après avoir effectué quelques opérations préliminaires comme ouvrir ses fichiers de log, il lance plusieurs processus enfants qui ont pour rôle d'écouter et de répondre aux requêtes des clients. Le processus httpd principal continue à s'exécuter sous l'utilisateur root, tandis que les processus enfants s'exécutent sous un utilisateur aux privilèges restreints. Ceci s'effectue par la voie du Module Multi-Processus (MPM).

Il est recommandé d'utiliser le script de contrôle apachectl pour invoquer l'exécutable httpd. Avant d'invoquer le binaire httpd, ce script définit certaines variables d'environnement nécessaires pour permettre à httpd de fonctionner correctement sous certains systèmes d'exploitation. apachectl accepte des arguments de ligne de commande, ainsi toute option de httpd peut aussi être utilisée avec apachectl. Vous pouvez aussi éditer directement le script apachectl en modifiant la variable HTTPD située en début de script pour spécifier la localisation du binaire httpd et tout argument de ligne de commande que vous souhaitez voir systématiquement présent.

La première chose qu'effectue httpd quand il est invoqué est de localiser et lire le fichier de configuration httpd.conf. La localisation de ce fichier est définie à la compilation, mais il est possible d'en spécifier une autre à l'exécution en utilisant l'option de ligne de commande -f comme suit:

/usr/local/apache2/bin/apachectl -f /usr/local/apache2/conf/httpd.conf

Si tout se passe bien pendant le démarrage, le serveur va se dissocier du terminal et l'invite de commande réapparaîtra presque immédiatement. Ceci indique que le serveur a démarré et est en cours d'exécution. À partir de ce moment, vous pouvez utiliser votre navigateur pour vous connecter au serveur et afficher la page de test située dans le répertoire défini par la directive DocumentRoot.

top

Erreurs en cours de démarrage

Si Apache rencontre un problème fatal pendant le démarrage, il va afficher un message décrivant le problème sur la console ou enregistrer ces informations dans le fichier défini par la directive ErrorLog avant de quitter. Un des messages d'erreur les plus courants est "Unable to bind to Port ...". Ce message d'erreur est habituellement provoqué par:

  • Une tentative de démarrage du serveur avec un port privilégié sans être connecté root; ou
  • Une tentative de démarrage du serveur alors qu'une autre instance d'Apache ou un autre serveur web est déjà associé au même port.

Pour plus d'instructions de dépannage, consultez la FAQ Apache.

top

Lancement au démarrage du système

Si vous souhaitez que votre serveur continue de fonctionner après un redémarrage du système, vous devez ajouter un appel à apachectl à vos fichiers de démarrage système (en général rc.local ou un fichier dans un répertoire rc.N), ce qui démarrera Apache sous l'utilisateur root. Avant de faire ceci, assurez-vous que votre serveur est correctement configuré en ce qui concerne la sécurité et les restrictions d'accès.

Le script apachectl est conçu pour fonctionner comme un script d'initialisation SysV standard; il accepte les arguments start, restart, et stop et les traduit en signaux appropriés pour httpd. Il est ainsi souvent possible d'installer simplement un lien vers apachectl dans le répertoire d'initialisation approprié. Mais prenez soin de vérifier les besoins exacts de votre système en la matière.

top

Informations supplémentaires

Des informations supplémentaires à propos des options en ligne de commande de httpd et apachectl ainsi que d'autres programmes support inclus dans la distribution sont disponibles sur la page Le serveur et ses programmes support. Il existe aussi une documentation sur tous les modules inclus dans la distribution Apache et les directives qu'ils supportent.

license.html100644 0 0 32120 11256637772 10553 0ustar 0 0 The Apache License, Version 2.0 - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

The Apache License, Version 2.0

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

  1. Definitions

    "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

    "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

    "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

    "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

    "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

    "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

    "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

    "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

    "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

    "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

  2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
  3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
  4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
    1. You must give any other recipients of the Work or Derivative Works a copy of this License; and
    2. You must cause any modified files to carry prominent notices stating that You changed the files; and
    3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
    4. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

    You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

  5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
  6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
  7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
  8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
  9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
logs.html100644 0 0 76316 11256637772 10114 0ustar 0 0 Log Files - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Log Files

In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the server as well as any problems that may be occurring. The Apache HTTP Server provides very comprehensive and flexible logging capabilities. This document describes how to configure its logging capabilities, and how to understand what the logs contain.

top

Security Warning

Anyone who can write to the directory where Apache is writing a log file can almost certainly gain access to the uid that the server is started as, which is normally root. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see the security tips document for details.

In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs.

top

Error Log

Related ModulesRelated Directives

The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.

The error log is usually written to a file (typically error_log on Unix systems and error.log on Windows and OS/2). On Unix systems it is also possible to have the server send errors to syslog or pipe them to a program.

The format of the error log is relatively free-form and descriptive. But there is certain information that is contained in most error log entries. For example, here is a typical message.

[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test

The first item in the log entry is the date and time of the message. The second item lists the severity of the error being reported. The LogLevel directive is used to control the types of errors that are sent to the error log by restricting the severity level. The third item gives the IP address of the client that generated the error. Beyond that is the message itself, which in this case indicates that the server has been configured to deny the client access. The server reports the file-system path (as opposed to the web path) of the requested document.

A very wide variety of different messages can appear in the error log. Most look similar to the example above. The error log will also contain debugging output from CGI scripts. Any information written to stderr by a CGI script will be copied directly to the error log.

It is not possible to customize the error log by adding or removing information. However, error log entries dealing with particular requests have corresponding entries in the access log. For example, the above example entry corresponds to an access log entry with status code 403. Since it is possible to customize the access log, you can obtain more information about error conditions using that log file.

During testing, it is often useful to continuously monitor the error log for any problems. On Unix systems, you can accomplish this using:

tail -f error_log

top

Access Log

Related ModulesRelated Directives

The server access log records all requests processed by the server. The location and content of the access log are controlled by the CustomLog directive. The LogFormat directive can be used to simplify the selection of the contents of the logs. This section describes how to configure the server to record information in the access log.

Of course, storing the information in the access log is only the start of log management. The next step is to analyze this information to produce useful statistics. Log analysis in general is beyond the scope of this document, and not really part of the job of the web server itself. For more information about this topic, and for applications which perform log analysis, check the Open Directory or Yahoo.

Various versions of Apache httpd have used other modules and directives to control access logging, including mod_log_referer, mod_log_agent, and the TransferLog directive. The CustomLog directive now subsumes the functionality of all the older directives.

The format of the access log is highly configurable. The format is specified using a format string that looks much like a C-style printf(1) format string. Some examples are presented in the next sections. For a complete list of the possible contents of the format string, see the mod_log_config format strings.

Common Log Format

A typical configuration for the access log might look as follows.

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common

This defines the nickname common and associates it with a particular log format string. The format string consists of percent directives, each of which tell the server to log a particular piece of information. Literal characters may also be placed in the format string and will be copied directly into the log output. The quote character (") must be escaped by placing a back-slash before it to prevent it from being interpreted as the end of the format string. The format string may also contain the special control characters "\n" for new-line and "\t" for tab.

The CustomLog directive sets up a new log file using the defined nickname. The filename for the access log is relative to the ServerRoot unless it begins with a slash.

The above configuration will write log entries in a format known as the Common Log Format (CLF). This standard format can be produced by many different web servers and read by many log analysis programs. The log file entries produced in CLF will look something like this:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

Each part of this log entry is described below.

127.0.0.1 (%h)
This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine.
- (%l)
The "hyphen" in the output indicates that the requested piece of information is not available. In this case, the information that is not available is the RFC 1413 identity of the client determined by identd on the clients machine. This information is highly unreliable and should almost never be used except on tightly controlled internal networks. Apache httpd will not even attempt to determine this information unless IdentityCheck is set to On.
frank (%u)
This is the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request (see below) is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this part will be "-" just like the previous one.
[10/Oct/2000:13:55:36 -0700] (%t)
The time that the request was received. The format is:

[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit

It is possible to have the time displayed in another format by specifying %{format}t in the log format string, where format is as in strftime(3) from the C standard library.
"GET /apache_pb.gif HTTP/1.0" (\"%r\")
The request line from the client is given in double quotes. The request line contains a great deal of useful information. First, the method used by the client is GET. Second, the client requested the resource /apache_pb.gif, and third, the client used the protocol HTTP/1.0. It is also possible to log one or more parts of the request line independently. For example, the format string "%m %U%q %H" will log the method, path, query-string, and protocol, resulting in exactly the same output as "%r".
200 (%>s)
This is the status code that the server sends back to the client. This information is very valuable, because it reveals whether the request resulted in a successful response (codes beginning in 2), a redirection (codes beginning in 3), an error caused by the client (codes beginning in 4), or an error in the server (codes beginning in 5). The full list of possible status codes can be found in the HTTP specification (RFC2616 section 10).
2326 (%b)
The last part indicates the size of the object returned to the client, not including the response headers. If no content was returned to the client, this value will be "-". To log "0" for no content, use %B instead.

Combined Log Format

Another commonly used format string is called the Combined Log Format. It can be used as follows.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog log/access_log combined

This format is exactly the same as the Common Log Format, with the addition of two more fields. Each of the additional fields uses the percent-directive %{header}i, where header can be any HTTP request header. The access log under this format will look like:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

The additional fields are:

"http://www.example.com/start.html" (\"%{Referer}i\")
The "Referer" (sic) HTTP request header. This gives the site that the client reports having been referred from. (This should be the page that links to or includes /apache_pb.gif).
"Mozilla/4.08 [en] (Win98; I ;Nav)" (\"%{User-agent}i\")
The User-Agent HTTP request header. This is the identifying information that the client browser reports about itself.

Multiple Access Logs

Multiple access logs can be created simply by specifying multiple CustomLog directives in the configuration file. For example, the following directives will create three access logs. The first contains the basic CLF information, while the second and third contain referer and browser information. The last two CustomLog lines show how to mimic the effects of the ReferLog and AgentLog directives.

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common
CustomLog logs/referer_log "%{Referer}i -> %U"
CustomLog logs/agent_log "%{User-agent}i"

This example also shows that it is not necessary to define a nickname with the LogFormat directive. Instead, the log format can be specified directly in the CustomLog directive.

Conditional Logs

There are times when it is convenient to exclude certain entries from the access logs based on characteristics of the client request. This is easily accomplished with the help of environment variables. First, an environment variable must be set to indicate that the request meets certain conditions. This is usually accomplished with SetEnvIf. Then the env= clause of the CustomLog directive is used to include or exclude requests where the environment variable is set. Some examples:

# Mark requests from the loop-back interface
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
# Mark requests for the robots.txt file
SetEnvIf Request_URI "^/robots\.txt$" dontlog
# Log what remains
CustomLog logs/access_log common env=!dontlog

As another example, consider logging requests from english-speakers to one log file, and non-english speakers to a different log file.

SetEnvIf Accept-Language "en" english
CustomLog logs/english_log common env=english
CustomLog logs/non_english_log common env=!english

Although we have just shown that conditional logging is very powerful and flexible, it is not the only way to control the contents of the logs. Log files are more useful when they contain a complete record of server activity. It is often easier to simply post-process the log files to remove requests that you do not want to consider.

top

Log Rotation

On even a moderately busy server, the quantity of information stored in the log files is very large. The access log file typically grows 1 MB or more per 10,000 requests. It will consequently be necessary to periodically rotate the log files by moving or deleting the existing logs. This cannot be done while the server is running, because Apache will continue writing to the old log file as long as it holds the file open. Instead, the server must be restarted after the log files are moved or deleted so that it will open new log files.

By using a graceful restart, the server can be instructed to open new log files without losing any existing or pending connections from clients. However, in order to accomplish this, the server must continue to write to the old log files while it finishes serving old requests. It is therefore necessary to wait for some time after the restart before doing any processing on the log files. A typical scenario that simply rotates the logs and compresses the old logs to save space is:

mv access_log access_log.old
mv error_log error_log.old
apachectl graceful
sleep 600
gzip access_log.old error_log.old

Another way to perform log rotation is using piped logs as discussed in the next section.

top

Piped Logs

Apache httpd is capable of writing error and access log files through a pipe to another process, rather than directly to a file. This capability dramatically increases the flexibility of logging, without adding code to the main server. In order to write logs to a pipe, simply replace the filename with the pipe character "|", followed by the name of the executable which should accept log entries on its standard input. Apache will start the piped-log process when the server starts, and will restart it if it crashes while the server is running. (This last feature is why we can refer to this technique as "reliable piped logging".)

Piped log processes are spawned by the parent Apache httpd process, and inherit the userid of that process. This means that piped log programs usually run as root. It is therefore very important to keep the programs simple and secure.

One important use of piped logs is to allow log rotation without having to restart the server. The Apache HTTP Server includes a simple program called rotatelogs for this purpose. For example, to rotate the logs every 24 hours, you can use:

CustomLog "|/usr/local/apache/bin/rotatelogs /var/log/access_log 86400" common

Notice that quotes are used to enclose the entire command that will be called for the pipe. Although these examples are for the access log, the same technique can be used for the error log.

A similar but much more flexible log rotation program called cronolog is available at an external site.

As with conditional logging, piped logs are a very powerful tool, but they should not be used where a simpler solution like off-line post-processing is available.

top

Virtual Hosts

When running a server with many virtual hosts, there are several options for dealing with log files. First, it is possible to use logs exactly as in a single-host server. Simply by placing the logging directives outside the <VirtualHost> sections in the main server context, it is possible to log all requests in the same access log and error log. This technique does not allow for easy collection of statistics on individual virtual hosts.

If CustomLog or ErrorLog directives are placed inside a <VirtualHost> section, all requests or errors for that virtual host will be logged only to the specified file. Any virtual host which does not have logging directives will still have its requests sent to the main server logs. This technique is very useful for a small number of virtual hosts, but if the number of hosts is very large, it can be complicated to manage. In addition, it can often create problems with insufficient file descriptors.

For the access log, there is a very good compromise. By adding information on the virtual host to the log format string, it is possible to log all hosts to the same log, and later split the log into individual files. For example, consider the following directives.

LogFormat "%v %l %u %t \"%r\" %>s %b" comonvhost
CustomLog logs/access_log comonvhost

The %v is used to log the name of the virtual host that is serving the request. Then a program like split-logfile can be used to post-process the access log in order to split it into one file per virtual host.

top

Other Log Files

Related ModulesRelated Directives

Logging actual bytes sent and received

mod_logio adds in two additional LogFormat fields (%I and %O) that log the actual number of bytes received and sent on the network.

Forensic Logging

mod_log_forensic provides for forensic logging of client requests. Logging is done before and after processing a request, so the forensic log contains two log lines for each request. The forensic logger is very strict with no customizations. It can be an invaluable debugging and security tool.

PID File

On startup, Apache httpd saves the process id of the parent httpd process to the file logs/httpd.pid. This filename can be changed with the PidFile directive. The process-id is for use by the administrator in restarting and terminating the daemon by sending signals to the parent process; on Windows, use the -k command line option instead. For more information see the Stopping and Restarting page.

Script Log

In order to aid in debugging, the ScriptLog directive allows you to record the input to and output from CGI scripts. This should only be used in testing - not for live servers. More information is available in the mod_cgi documentation.

Rewrite Log

When using the powerful and complex features of mod_rewrite, it is almost always necessary to use the RewriteLog to help in debugging. This log file produces a detailed analysis of how the rewriting engine transforms requests. The level of detail is controlled by the RewriteLogLevel directive.

misc/index.html100644 0 0 7260 11256637772 11162 0ustar 0 0 Apache Miscellaneous Documentation - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Miscellaneous Documentation

Below is a list of additional documentation pages that apply to the Apache web server development project.

Warning

The documents below have not been fully updated to take into account changes made in the 2.1 version of the Apache HTTP Server. Some of the information may still be relevant, but please use it with care.

Performance Notes - Apache Tuning

Notes about how to (run-time and compile-time) configure Apache for highest performance. Notes explaining why Apache does some things, and why it doesn't do other things (which make it slower/faster).

Security Tips

Some "do"s - and "don't"s - for keeping your Apache web site secure.

URL Rewriting Guide

This document supplements the mod_rewrite reference documentation. It describes how one can use Apache's mod_rewrite to solve typical URL-based problems webmasters are usually confronted with in practice.

Relevant Standards

This document acts as a reference page for most of the relevant standards that Apache follows.

Password Encryption Formats

Discussion of the various ciphers supported by Apache for authentication purposes.

misc/password_encryptions.html100644 0 0 21773 11256637772 14377 0ustar 0 0 Password Formats - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Password Formats

Notes about the password encryption formats generated and understood by Apache.

top

Basic Authentication

There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:

PLAIN TEXT (i.e. unencrypted)
Windows, BEOS, & Netware only.
CRYPT
Unix only. Uses the traditional Unix crypt(3) function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password.
SHA1
"{SHA}" + Base64-encoded SHA-1 digest of the password.
MD5
"$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm.

Generating values with htpasswd

MD5

$ htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

SHA1

$ htpasswd -nbs myName myPassword
myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

CRYPT

$ htpasswd -nbd myName myPassword
myName:rqXexS6ZhobKA

Generating CRYPT and MD5 values with the OpenSSL command-line program

OpenSSL knows the Apache-specific MD5 algorithm.

MD5

$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

CRYPT

openssl passwd -crypt myPassword
qQ5vTYO3c8dsU

Validating CRYPT or MD5 passwords with the OpenSSL command line program

The salt for a CRYPT password is the first two characters (converted to a binary value). To validate myPassword against rqXexS6ZhobKA

CRYPT

$ openssl passwd -crypt -salt rq myPassword
Warning: truncating password to 8 characters
rqXexS6ZhobKA

Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.

The salt for an MD5 password is between $apr1$ and the following $ (as a Base64-encoded binary value - max 8 chars). To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

MD5

$ openssl passwd -apr1 -salt r31..... myPassword
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

Database password fields for mod_dbd

The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords that are usable by Apache basic authentication.

To create Apache SHA1-variant basic-authentication passwords in various languages:

PHP

'{SHA}' . base64_encode(sha1($password, TRUE))

Java

"{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))

ColdFusion

"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))

Ruby

require 'digest/sha1'
require 'base64'
'{SHA}' + Base64.encode64(Digest::SHA1.digest(password))

C or C++

Use the APR function: apr_sha1_base64

PostgreSQL (with the contrib/pgcrypto functions installed)

'{SHA}'||encode(digest(password,'sha1'),'base64')

top

Digest Authentication

Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password as a 32-character string of hexadecimal digits. realm is the Authorization Realm argument to the AuthName directive in httpd.conf.

Database password fields for mod_dbd

Since the MD5 function is commonly available, other software can populate a database with encrypted passwords that are usable by Apache digest authentication.

To create Apache digest-authentication passwords in various languages:

PHP

md5($user . ':' . $realm . ':' .$password)

Java

byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
java.math.BigInteger bi = new java.math.BigInteger(1, b);
String s = bi.toString(16);
while (s.length() < 32)
s = "0" + s; // String s is the encrypted password

ColdFusion

LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))

Ruby

require 'digest/md5'
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)

PostgreSQL (with the contrib/pgcrypto functions installed)

encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')

misc/perf-tuning.html100644 0 0 143765 11256637772 12364 0ustar 0 0 Apache Performance Tuning - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Performance Tuning

Apache 2.x is a general-purpose webserver, designed to provide a balance of flexibility, portability, and performance. Although it has not been designed specifically to set benchmark records, Apache 2.x is capable of high performance in many real-world situations.

Compared to Apache 1.3, release 2.x contains many additional optimizations to increase throughput and scalability. Most of these improvements are enabled by default. However, there are compile-time and run-time configuration choices that can significantly affect performance. This document describes the options that a server administrator can configure to tune the performance of an Apache 2.x installation. Some of these configuration options enable the httpd to better take advantage of the capabilities of the hardware and OS, while others allow the administrator to trade functionality for speed.

top

Hardware and Operating System Issues

The single biggest hardware issue affecting webserver performance is RAM. A webserver should never ever have to swap, as swapping increases the latency of each request beyond a point that users consider "fast enough". This causes users to hit stop and reload, further increasing the load. You can, and should, control the MaxClients setting so that your server does not spawn so many children it starts swapping. This procedure for doing this is simple: determine the size of your average Apache process, by looking at your process list via a tool such as top, and divide this into your total available memory, leaving some room for other processes.

Beyond that the rest is mundane: get a fast enough CPU, a fast enough network card, and fast enough disks, where "fast enough" is something that needs to be determined by experimentation.

Operating system choice is largely a matter of local concerns. But some guidelines that have proven generally useful are:

  • Run the latest stable release and patchlevel of the operating system that you choose. Many OS suppliers have introduced significant performance improvements to their TCP stacks and thread libraries in recent years.

  • If your OS supports a sendfile(2) system call, make sure you install the release and/or patches needed to enable it. (With Linux, for example, this means using Linux 2.4 or later. For early releases of Solaris 8, you may need to apply a patch.) On systems where it is available, sendfile enables Apache 2 to deliver static content faster and with lower CPU utilization.

top

Run-Time Configuration Issues

Related ModulesRelated Directives

HostnameLookups and other DNS considerations

Prior to Apache 1.3, HostnameLookups defaulted to On. This adds latency to every request because it requires a DNS lookup to complete before the request is finished. In Apache 1.3 this setting defaults to Off. If you need to have addresses in your log files resolved to hostnames, use the logresolve program that comes with Apache, or one of the numerous log reporting packages which are available.

It is recommended that you do this sort of postprocessing of your log files on some machine other than the production web server machine, in order that this activity not adversely affect server performance.

If you use any Allow from domain or Deny from domain directives (i.e., using a hostname, or a domain name, rather than an IP address) then you will pay for two DNS lookups (a reverse, followed by a forward lookup to make sure that the reverse is not being spoofed). For best performance, therefore, use IP addresses, rather than names, when using these directives, if possible.

Note that it's possible to scope the directives, such as within a <Location /server-status> section. In this case the DNS lookups are only performed on requests matching the criteria. Here's an example which disables lookups except for .html and .cgi files:

HostnameLookups off
<Files ~ "\.(html|cgi)$">
HostnameLookups on
 </Files>

But even still, if you just need DNS names in some CGIs you could consider doing the gethostbyname call in the specific CGIs that need it.

FollowSymLinks and SymLinksIfOwnerMatch

Wherever in your URL-space you do not have an Options FollowSymLinks, or you do have an Options SymLinksIfOwnerMatch Apache will have to issue extra system calls to check up on symlinks. One extra call per filename component. For example, if you had:

DocumentRoot /www/htdocs
<Directory />
Options SymLinksIfOwnerMatch
 </Directory>

and a request is made for the URI /index.html. Then Apache will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html. The results of these lstats are never cached, so they will occur on every single request. If you really desire the symlinks security checking you can do something like this:

DocumentRoot /www/htdocs
<Directory />
Options FollowSymLinks
 </Directory>

<Directory /www/htdocs>
Options -FollowSymLinks +SymLinksIfOwnerMatch
 </Directory>

This at least avoids the extra checks for the DocumentRoot path. Note that you'll need to add similar sections if you have any Alias or RewriteRule paths outside of your document root. For highest performance, and no symlink protection, set FollowSymLinks everywhere, and never set SymLinksIfOwnerMatch.

AllowOverride

Wherever in your URL-space you allow overrides (typically .htaccess files) Apache will attempt to open .htaccess for each filename component. For example,

DocumentRoot /www/htdocs
<Directory />
AllowOverride all
 </Directory>

and a request is made for the URI /index.html. Then Apache will attempt to open /.htaccess, /www/.htaccess, and /www/htdocs/.htaccess. The solutions are similar to the previous case of Options FollowSymLinks. For highest performance use AllowOverride None everywhere in your filesystem.

Negotiation

If at all possible, avoid content-negotiation if you're really interested in every last ounce of performance. In practice the benefits of negotiation outweigh the performance penalties. There's one case where you can speed up the server. Instead of using a wildcard such as:

DirectoryIndex index

Use a complete list of options:

DirectoryIndex index.cgi index.pl index.shtml index.html

where you list the most common choice first.

Also note that explicitly creating a type-map file provides better performance than using MultiViews, as the necessary information can be determined by reading this single file, rather than having to scan the directory for files.

If your site needs content negotiation consider using type-map files, rather than the Options MultiViews directive to accomplish the negotiation. See the Content Negotiation documentation for a full discussion of the methods of negotiation, and instructions for creating type-map files.

Memory-mapping

In situations where Apache 2.x needs to look at the contents of a file being delivered--for example, when doing server-side-include processing--it normally memory-maps the file if the OS supports some form of mmap(2).

On some platforms, this memory-mapping improves performance. However, there are cases where memory-mapping can hurt the performance or even the stability of the httpd:

  • On some operating systems, mmap does not scale as well as read(2) when the number of CPUs increases. On multiprocessor Solaris servers, for example, Apache 2.x sometimes delivers server-parsed files faster when mmap is disabled.

  • If you memory-map a file located on an NFS-mounted filesystem and a process on another NFS client machine deletes or truncates the file, your process may get a bus error the next time it tries to access the mapped file content.

For installations where either of these factors applies, you should use EnableMMAP off to disable the memory-mapping of delivered files. (Note: This directive can be overridden on a per-directory basis.)

Sendfile

In situations where Apache 2.x can ignore the contents of the file to be delivered -- for example, when serving static file content -- it normally uses the kernel sendfile support the file if the OS supports the sendfile(2) operation.

On most platforms, using sendfile improves performance by eliminating separate read and send mechanics. However, there are cases where using sendfile can harm the stability of the httpd:

  • Some platforms may have broken sendfile support that the build system did not detect, especially if the binaries were built on another box and moved to such a machine with broken sendfile support.

  • With an NFS-mounted files, the kernel may be unable to reliably serve the network file through it's own cache.

For installations where either of these factors applies, you should use EnableSendfile off to disable sendfile delivery of file contents. (Note: This directive can be overridden on a per-directory basis.)

Process Creation

Prior to Apache 1.3 the MinSpareServers, MaxSpareServers, and StartServers settings all had drastic effects on benchmark results. In particular, Apache required a "ramp-up" period in order to reach a number of children sufficient to serve the load being applied. After the initial spawning of StartServers children, only one child per second would be created to satisfy the MinSpareServers setting. So a server being accessed by 100 simultaneous clients, using the default StartServers of 5 would take on the order 95 seconds to spawn enough children to handle the load. This works fine in practice on real-life servers, because they aren't restarted frequently. But does really poorly on benchmarks which might only run for ten minutes.

The one-per-second rule was implemented in an effort to avoid swamping the machine with the startup of new children. If the machine is busy spawning children it can't service requests. But it has such a drastic effect on the perceived performance of Apache that it had to be replaced. As of Apache 1.3, the code will relax the one-per-second rule. It will spawn one, wait a second, then spawn two, wait a second, then spawn four, and it will continue exponentially until it is spawning 32 children per second. It will stop whenever it satisfies the MinSpareServers setting.

This appears to be responsive enough that it's almost unnecessary to twiddle the MinSpareServers, MaxSpareServers and StartServers knobs. When more than 4 children are spawned per second, a message will be emitted to the ErrorLog. If you see a lot of these errors then consider tuning these settings. Use the mod_status output as a guide.

Related to process creation is process death induced by the MaxRequestsPerChild setting. By default this is 0, which means that there is no limit to the number of requests handled per child. If your configuration currently has this set to some very low number, such as 30, you may want to bump this up significantly. If you are running SunOS or an old version of Solaris, limit this to 10000 or so because of memory leaks.

When keep-alives are in use, children will be kept busy doing nothing waiting for more requests on the already open connection. The default KeepAliveTimeout of 5 seconds attempts to minimize this effect. The tradeoff here is between network bandwidth and server resources. In no event should you raise this above about 60 seconds, as most of the benefits are lost.

top

Compile-Time Configuration Issues

Choosing an MPM

Apache 2.x supports pluggable concurrency models, called Multi-Processing Modules (MPMs). When building Apache, you must choose an MPM to use. There are platform-specific MPMs for some platforms: beos, mpm_netware, mpmt_os2, and mpm_winnt. For general Unix-type systems, there are several MPMs from which to choose. The choice of MPM can affect the speed and scalability of the httpd:

  • The worker MPM uses multiple child processes with many threads each. Each thread handles one connection at a time. Worker generally is a good choice for high-traffic servers because it has a smaller memory footprint than the prefork MPM.
  • The prefork MPM uses multiple child processes with one thread each. Each process handles one connection at a time. On many systems, prefork is comparable in speed to worker, but it uses more memory. Prefork's threadless design has advantages over worker in some situations: it can be used with non-thread-safe third-party modules, and it is easier to debug on platforms with poor thread debugging support.

For more information on these and other MPMs, please see the MPM documentation.

Modules

Since memory usage is such an important consideration in performance, you should attempt to eliminate modules that you are not actually using. If you have built the modules as DSOs, eliminating modules is a simple matter of commenting out the associated LoadModule directive for that module. This allows you to experiment with removing modules, and seeing if your site still functions in their absense.

If, on the other hand, you have modules statically linked into your Apache binary, you will need to recompile Apache in order to remove unwanted modules.

An associated question that arises here is, of course, what modules you need, and which ones you don't. The answer here will, of course, vary from one web site to another. However, the minimal list of modules which you can get by with tends to include mod_mime, mod_dir, and mod_log_config. mod_log_config is, of course, optional, as you can run a web site without log files. This is, however, not recommended.

Atomic Operations

Some modules, such as mod_cache and recent development builds of the worker MPM, use APR's atomic API. This API provides atomic operations that can be used for lightweight thread synchronization.

By default, APR implements these operations using the most efficient mechanism available on each target OS/CPU platform. Many modern CPUs, for example, have an instruction that does an atomic compare-and-swap (CAS) operation in hardware. On some platforms, however, APR defaults to a slower, mutex-based implementation of the atomic API in order to ensure compatibility with older CPU models that lack such instructions. If you are building Apache for one of these platforms, and you plan to run only on newer CPUs, you can select a faster atomic implementation at build time by configuring Apache with the --enable-nonportable-atomics option:

./buildconf
./configure --with-mpm=worker --enable-nonportable-atomics=yes

The --enable-nonportable-atomics option is relevant for the following platforms:

  • Solaris on SPARC
    By default, APR uses mutex-based atomics on Solaris/SPARC. If you configure with --enable-nonportable-atomics, however, APR generates code that uses a SPARC v8plus opcode for fast hardware compare-and-swap. If you configure Apache with this option, the atomic operations will be more efficient (allowing for lower CPU utilization and higher concurrency), but the resulting executable will run only on UltraSPARC chips.
  • Linux on x86
    By default, APR uses mutex-based atomics on Linux. If you configure with --enable-nonportable-atomics, however, APR generates code that uses a 486 opcode for fast hardware compare-and-swap. This will result in more efficient atomic operations, but the resulting executable will run only on 486 and later chips (and not on 386).

mod_status and ExtendedStatus On

If you include mod_status and you also set ExtendedStatus On when building and running Apache, then on every request Apache will perform two calls to gettimeofday(2) (or times(2) depending on your operating system), and (pre-1.3) several extra calls to time(2). This is all done so that the status report contains timing indications. For highest performance, set ExtendedStatus off (which is the default).

accept Serialization - multiple sockets

Warning:

This section has not been fully updated to take into account changes made in the 2.x version of the Apache HTTP Server. Some of the information may still be relevant, but please use it with care.

This discusses a shortcoming in the Unix socket API. Suppose your web server uses multiple Listen statements to listen on either multiple ports or multiple addresses. In order to test each socket to see if a connection is ready Apache uses select(2). select(2) indicates that a socket has zero or at least one connection waiting on it. Apache's model includes multiple children, and all the idle ones test for new connections at the same time. A naive implementation looks something like this (these examples do not match the code, they're contrived for pedagogical purposes):

for (;;) {
for (;;) {
fd_set accept_fds;

FD_ZERO (&accept_fds);
for (i = first_socket; i <= last_socket; ++i) {
FD_SET (i, &accept_fds);
 }
rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
if (rc < 1) continue;
new_connection = -1;
for (i = first_socket; i <= last_socket; ++i) {
if (FD_ISSET (i, &accept_fds)) {
new_connection = accept (i, NULL, NULL);
if (new_connection != -1) break;
 }
 }
if (new_connection != -1) break;
 }
process the new_connection;
 }

But this naive implementation has a serious starvation problem. Recall that multiple children execute this loop at the same time, and so multiple children will block at select when they are in between requests. All those blocked children will awaken and return from select when a single request appears on any socket (the number of children which awaken varies depending on the operating system and timing issues). They will all then fall down into the loop and try to accept the connection. But only one will succeed (assuming there's still only one connection ready), the rest will be blocked in accept. This effectively locks those children into serving requests from that one socket and no other sockets, and they'll be stuck there until enough new requests appear on that socket to wake them all up. This starvation problem was first documented in PR#467. There are at least two solutions.

One solution is to make the sockets non-blocking. In this case the accept won't block the children, and they will be allowed to continue immediately. But this wastes CPU time. Suppose you have ten idle children in select, and one connection arrives. Then nine of those children will wake up, try to accept the connection, fail, and loop back into select, accomplishing nothing. Meanwhile none of those children are servicing requests that occurred on other sockets until they get back up to the select again. Overall this solution does not seem very fruitful unless you have as many idle CPUs (in a multiprocessor box) as you have idle children, not a very likely situation.

Another solution, the one used by Apache, is to serialize entry into the inner loop. The loop looks like this (differences highlighted):

for (;;) {
accept_mutex_on ();
for (;;) {
fd_set accept_fds;

FD_ZERO (&accept_fds);
for (i = first_socket; i <= last_socket; ++i) {
FD_SET (i, &accept_fds);
 }
rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
if (rc < 1) continue;
new_connection = -1;
for (i = first_socket; i <= last_socket; ++i) {
if (FD_ISSET (i, &accept_fds)) {
new_connection = accept (i, NULL, NULL);
if (new_connection != -1) break;
 }
 }
if (new_connection != -1) break;
 }
accept_mutex_off ();
process the new_connection;
 }

The functions accept_mutex_on and accept_mutex_off implement a mutual exclusion semaphore. Only one child can have the mutex at any time. There are several choices for implementing these mutexes. The choice is defined in src/conf.h (pre-1.3) or src/include/ap_config.h (1.3 or later). Some architectures do not have any locking choice made, on these architectures it is unsafe to use multiple Listen directives.

The directive AcceptMutex can be used to change the selected mutex implementation at run-time.

AcceptMutex flock

This method uses the flock(2) system call to lock a lock file (located by the LockFile directive).

AcceptMutex fcntl

This method uses the fcntl(2) system call to lock a lock file (located by the LockFile directive).

AcceptMutex sysvsem

(1.3 or later) This method uses SysV-style semaphores to implement the mutex. Unfortunately SysV-style semaphores have some bad side-effects. One is that it's possible Apache will die without cleaning up the semaphore (see the ipcs(8) man page). The other is that the semaphore API allows for a denial of service attack by any CGIs running under the same uid as the webserver (i.e., all CGIs, unless you use something like suexec or cgiwrapper). For these reasons this method is not used on any architecture except IRIX (where the previous two are prohibitively expensive on most IRIX boxes).

AcceptMutex pthread

(1.3 or later) This method uses POSIX mutexes and should work on any architecture implementing the full POSIX threads specification, however appears to only work on Solaris (2.5 or later), and even then only in certain configurations. If you experiment with this you should watch out for your server hanging and not responding. Static content only servers may work just fine.

AcceptMutex posixsem

(2.0 or later) This method uses POSIX semaphores. The semaphore ownership is not recovered if a thread in the process holding the mutex segfaults, resulting in a hang of the web server.

If your system has another method of serialization which isn't in the above list then it may be worthwhile adding code for it to APR.

Another solution that has been considered but never implemented is to partially serialize the loop -- that is, let in a certain number of processes. This would only be of interest on multiprocessor boxes where it's possible multiple children could run simultaneously, and the serialization actually doesn't take advantage of the full bandwidth. This is a possible area of future investigation, but priority remains low because highly parallel web servers are not the norm.

Ideally you should run servers without multiple Listen statements if you want the highest performance. But read on.

accept Serialization - single socket

The above is fine and dandy for multiple socket servers, but what about single socket servers? In theory they shouldn't experience any of these same problems because all children can just block in accept(2) until a connection arrives, and no starvation results. In practice this hides almost the same "spinning" behaviour discussed above in the non-blocking solution. The way that most TCP stacks are implemented, the kernel actually wakes up all processes blocked in accept when a single connection arrives. One of those processes gets the connection and returns to user-space, the rest spin in the kernel and go back to sleep when they discover there's no connection for them. This spinning is hidden from the user-land code, but it's there nonetheless. This can result in the same load-spiking wasteful behaviour that a non-blocking solution to the multiple sockets case can.

For this reason we have found that many architectures behave more "nicely" if we serialize even the single socket case. So this is actually the default in almost all cases. Crude experiments under Linux (2.0.30 on a dual Pentium pro 166 w/128Mb RAM) have shown that the serialization of the single socket case causes less than a 3% decrease in requests per second over unserialized single-socket. But unserialized single-socket showed an extra 100ms latency on each request. This latency is probably a wash on long haul lines, and only an issue on LANs. If you want to override the single socket serialization you can define SINGLE_LISTEN_UNSERIALIZED_ACCEPT and then single-socket servers will not serialize at all.

Lingering Close

As discussed in draft-ietf-http-connection-00.txt section 8, in order for an HTTP server to reliably implement the protocol it needs to shutdown each direction of the communication independently (recall that a TCP connection is bi-directional, each half is independent of the other). This fact is often overlooked by other servers, but is correctly implemented in Apache as of 1.2.

When this feature was added to Apache it caused a flurry of problems on various versions of Unix because of a shortsightedness. The TCP specification does not state that the FIN_WAIT_2 state has a timeout, but it doesn't prohibit it. On systems without the timeout, Apache 1.2 induces many sockets stuck forever in the FIN_WAIT_2 state. In many cases this can be avoided by simply upgrading to the latest TCP/IP patches supplied by the vendor. In cases where the vendor has never released patches (i.e., SunOS4 -- although folks with a source license can patch it themselves) we have decided to disable this feature.

There are two ways of accomplishing this. One is the socket option SO_LINGER. But as fate would have it, this has never been implemented properly in most TCP/IP stacks. Even on those stacks with a proper implementation (i.e., Linux 2.0.31) this method proves to be more expensive (cputime) than the next solution.

For the most part, Apache implements this in a function called lingering_close (in http_main.c). The function looks roughly like this:

void lingering_close (int s)
{
char junk_buffer[2048];

/* shutdown the sending side */
shutdown (s, 1);

signal (SIGALRM, lingering_death);
alarm (30);

for (;;) {
select (s for reading, 2 second timeout);
if (error) break;
if (s is ready for reading) {
if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {
break;
 }
/* just toss away whatever is here */
 }
 }

close (s);
 }

This naturally adds some expense at the end of a connection, but it is required for a reliable implementation. As HTTP/1.1 becomes more prevalent, and all connections are persistent, this expense will be amortized over more requests. If you want to play with fire and disable this feature you can define NO_LINGCLOSE, but this is not recommended at all. In particular, as HTTP/1.1 pipelined persistent connections come into use lingering_close is an absolute necessity (and pipelined connections are faster, so you want to support them).

Scoreboard File

Apache's parent and children communicate with each other through something called the scoreboard. Ideally this should be implemented in shared memory. For those operating systems that we either have access to, or have been given detailed ports for, it typically is implemented using shared memory. The rest default to using an on-disk file. The on-disk file is not only slow, but it is unreliable (and less featured). Peruse the src/main/conf.h file for your architecture and look for either USE_MMAP_SCOREBOARD or USE_SHMGET_SCOREBOARD. Defining one of those two (as well as their companions HAVE_MMAP and HAVE_SHMGET respectively) enables the supplied shared memory code. If your system has another type of shared memory, edit the file src/main/http_main.c and add the hooks necessary to use it in Apache. (Send us back a patch too please.)

Historical note: The Linux port of Apache didn't start to use shared memory until version 1.2 of Apache. This oversight resulted in really poor and unreliable behaviour of earlier versions of Apache on Linux.

DYNAMIC_MODULE_LIMIT

If you have no intention of using dynamically loaded modules (you probably don't if you're reading this and tuning your server for every last ounce of performance) then you should add -DDYNAMIC_MODULE_LIMIT=0 when building your server. This will save RAM that's allocated only for supporting dynamically loaded modules.

top

Appendix: Detailed Analysis of a Trace

Here is a system call trace of Apache 2.0.38 with the worker MPM on Solaris 8. This trace was collected using:

truss -l -p httpd_child_pid.

The -l option tells truss to log the ID of the LWP (lightweight process--Solaris's form of kernel-level thread) that invokes each system call.

Other systems may have different system call tracing utilities such as strace, ktrace, or par. They all produce similar output.

In this trace, a client has requested a 10KB static file from the httpd. Traces of non-static requests or requests with content negotiation look wildly different (and quite ugly in some cases).

/67:    accept(3, 0x00200BEC, 0x00200C0C, 1) (sleeping...)
/67:    accept(3, 0x00200BEC, 0x00200C0C, 1)            = 9

In this trace, the listener thread is running within LWP #67.

Note the lack of accept(2) serialization. On this particular platform, the worker MPM uses an unserialized accept by default unless it is listening on multiple ports.
/65:    lwp_park(0x00000000, 0)                         = 0
/67:    lwp_unpark(65, 1)                               = 0

Upon accepting the connection, the listener thread wakes up a worker thread to do the request processing. In this trace, the worker thread that handles the request is mapped to LWP #65.

/65:    getsockname(9, 0x00200BA4, 0x00200BC4, 1)       = 0

In order to implement virtual hosts, Apache needs to know the local socket address used to accept the connection. It is possible to eliminate this call in many situations (such as when there are no virtual hosts, or when Listen directives are used which do not have wildcard addresses). But no effort has yet been made to do these optimizations. 

/65:    brk(0x002170E8)                                 = 0
/65:    brk(0x002190E8)                                 = 0

The brk(2) calls allocate memory from the heap. It is rare to see these in a system call trace, because the httpd uses custom memory allocators (apr_pool and apr_bucket_alloc) for most request processing. In this trace, the httpd has just been started, so it must call malloc(3) to get the blocks of raw memory with which to create the custom memory allocators.

/65:    fcntl(9, F_GETFL, 0x00000000)                   = 2
/65:    fstat64(9, 0xFAF7B818)                          = 0
/65:    getsockopt(9, 65535, 8192, 0xFAF7B918, 0xFAF7B910, 2190656) = 0
/65:    fstat64(9, 0xFAF7B818)                          = 0
/65:    getsockopt(9, 65535, 8192, 0xFAF7B918, 0xFAF7B914, 2190656) = 0
/65:    setsockopt(9, 65535, 8192, 0xFAF7B918, 4, 2190656) = 0
/65:    fcntl(9, F_SETFL, 0x00000082)                   = 0

Next, the worker thread puts the connection to the client (file descriptor 9) in non-blocking mode. The setsockopt(2) and getsockopt(2) calls are a side-effect of how Solaris's libc handles fcntl(2) on sockets.

/65:    read(9, " G E T   / 1 0 k . h t m".., 8000)     = 97

The worker thread reads the request from the client.

/65:    stat("/var/httpd/apache/httpd-8999/htdocs/10k.html", 0xFAF7B978) = 0
/65:    open("/var/httpd/apache/httpd-8999/htdocs/10k.html", O_RDONLY) = 10

This httpd has been configured with Options FollowSymLinks and AllowOverride None. Thus it doesn't need to lstat(2) each directory in the path leading up to the requested file, nor check for .htaccess files. It simply calls stat(2) to verify that the file: 1) exists, and 2) is a regular file, not a directory.

/65:    sendfilev(0, 9, 0x00200F90, 2, 0xFAF7B53C)      = 10269

In this example, the httpd is able to send the HTTP response header and the requested file with a single sendfilev(2) system call. Sendfile semantics vary among operating systems. On some other systems, it is necessary to do a write(2) or writev(2) call to send the headers before calling sendfile(2).

/65:    write(4, " 1 2 7 . 0 . 0 . 1   -  ".., 78)      = 78

This write(2) call records the request in the access log. Note that one thing missing from this trace is a time(2) call. Unlike Apache 1.3, Apache 2.x uses gettimeofday(3) to look up the time. On some operating systems, like Linux or Solaris, gettimeofday has an optimized implementation that doesn't require as much overhead as a typical system call.

/65:    shutdown(9, 1, 1)                               = 0
/65:    poll(0xFAF7B980, 1, 2000)                       = 1
/65:    read(9, 0xFAF7BC20, 512)                        = 0
/65:    close(9)                                        = 0

The worker thread does a lingering close of the connection.

/65:    close(10)                                       = 0
/65:    lwp_park(0x00000000, 0)         (sleeping...)

Finally the worker thread closes the file that it has just delivered and blocks until the listener assigns it another connection.

/67:    accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...)

Meanwhile, the listener thread is able to accept another connection as soon as it has dispatched this connection to a worker thread (subject to some flow-control logic in the worker MPM that throttles the listener if all the available workers are busy). Though it isn't apparent from this trace, the next accept(2) can (and usually does, under high load conditions) occur in parallel with the worker thread's handling of the just-accepted connection.

misc/relevant_standards.html100644 0 0 21375 11256637772 13761 0ustar 0 0 Relevant Standards - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Relevant Standards

This page documents all the relevant standards that the Apache HTTP Server follows, along with brief descriptions.

In addition to the information listed below, the following resources should be consulted:

Notice

This document is not yet complete.

top

HTTP Recommendations

Regardless of what modules are compiled and used, Apache as a basic web server complies with the following IETF recommendations:

RFC 1945 (Informational)
The Hypertext Transfer Protocol (HTTP) is an application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems. This documents HTTP/1.0.
RFC 2616 (Standards Track)
The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This documents HTTP/1.1.
RFC 2396 (Standards Track)
A Uniform Resource Identifier (URI) is a compact string of characters for identifying an abstract or physical resource.
top

HTML Recommendations

Regarding the Hypertext Markup Language, Apache complies with the following IETF and W3C recommendations:

RFC 2854 (Informational)
This document summarizes the history of HTML development, and defines the "text/html" MIME type by pointing to the relevant W3C recommendations.
HTML 4.01 Specification (Errata)
This specification defines the HyperText Markup Language (HTML), the publishing language of the World Wide Web. This specification defines HTML 4.01, which is a subversion of HTML 4.
HTML 3.2 Reference Specification
The HyperText Markup Language (HTML) is a simple markup language used to create hypertext documents that are portable from one platform to another. HTML documents are SGML documents.
XHTML 1.1 - Module-based XHTML (Errata)
This Recommendation defines a new XHTML document type that is based upon the module framework and modules defined in Modularization of XHTML.
XHTML 1.0 The Extensible HyperText Markup Language (Second Edition) (Errata)
This specification defines the Second Edition of XHTML 1.0, a reformulation of HTML 4 as an XML 1.0 application, and three DTDs corresponding to the ones defined by HTML 4.
top

Authentication

Concerning the different methods of authentication, Apache follows the following IETF recommendations:

RFC 2617 (Draft standard)
"HTTP/1.0", includes the specification for a Basic Access Authentication scheme.
top

Language/Country Codes

The following links document ISO and other language and country code information:

ISO 639-2
ISO 639 provides two sets of language codes, one as a two-letter code set (639-1) and another as a three-letter code set (this part of ISO 639) for the representation of names of languages.
ISO 3166-1
These pages document the country names (official short names in English) in alphabetical order as given in ISO 3166-1 and the corresponding ISO 3166-1-alpha-2 code elements.
BCP 47 (Best Current Practice), RFC 3066
This document describes a language tag for use in cases where it is desired to indicate the language used in an information object, how to register values for use in this language tag, and a construct for matching such language tags.
RFC 3282 (Standards Track)
This document defines a "Content-language:" header, for use in cases where one desires to indicate the language of something that has RFC 822-like headers, like MIME body parts or Web documents, and an "Accept-Language:" header for use in cases where one wishes to indicate one's preferences with regard to language.
misc/rewriteguide.html100644 0 0 212072 11256637772 12611 0ustar 0 0 URL Rewriting Guide - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

URL Rewriting Guide

This document is obsolete. It has been replaced with a new Rewrite Guide.

Originally written by
Ralf S. Engelschall <rse@apache.org>
December 1997

This document supplements the mod_rewrite reference documentation. It describes how one can use Apache's mod_rewrite to solve typical URL-based problems with which webmasters are commonly confronted. We give detailed descriptions on how to solve each problem by configuring URL rewriting rulesets.

top

Introduction to mod_rewrite

The Apache module mod_rewrite is a killer one, i.e. it is a really sophisticated module which provides a powerful way to do URL manipulations. With it you can do nearly all types of URL manipulations you ever dreamed about. The price you have to pay is to accept complexity, because mod_rewrite's major drawback is that it is not easy to understand and use for the beginner. And even Apache experts sometimes discover new aspects where mod_rewrite can help.

In other words: With mod_rewrite you either shoot yourself in the foot the first time and never use it again or love it for the rest of your life because of its power. This paper tries to give you a few initial success events to avoid the first case by presenting already invented solutions to you.

top

Practical Solutions

Here come a lot of practical solutions I've either invented myself or collected from other people's solutions in the past. Feel free to learn the black magic of URL rewriting from these examples.

ATTENTION: Depending on your server-configuration it can be necessary to slightly change the examples for your situation, e.g. adding the [PT] flag when additionally using mod_alias and mod_userdir, etc. Or rewriting a ruleset to fit in .htaccess context instead of per-server context. Always try to understand what a particular ruleset really does before you use it. It avoid problems.
top

URL Layout

Canonical URLs

Description:

On some webservers there are more than one URL for a resource. Usually there are canonical URLs (which should be actually used and distributed) and those which are just shortcuts, internal ones, etc. Independent of which URL the user supplied with the request he should finally see the canonical one only.

Solution:

We do an external HTTP redirect for all non-canonical URLs to fix them in the location view of the Browser and for all subsequent requests. In the example ruleset below we replace /~user by the canonical /u/user and fix a missing trailing slash for /u/user.

RewriteRule   ^/~([^/]+)/?(.*)    /u/$1/$2  [R]
RewriteRule   ^/u/([^/]+)$  /$1/$2/   [R]

Canonical Hostnames

Description:
The goal of this rule is to force the use of a particular hostname, in preference to other hostnames which may be used to reach the same site. For example, if you wish to force the use of www.example.com instead of example.com, you might use a variant of the following recipe.
Solution:
# To force the use of 
RewriteEngine On
RewriteCond %{HTTP_HOST}   !^www\.example\.com [NC]
RewriteCond %{HTTP_HOST}   !^$
RewriteRule ^/(.*)         http://www.example.com/$1 [L,R]

Moved DocumentRoot

Description:

Usually the DocumentRoot of the webserver directly relates to the URL "/". But often this data is not really of top-level priority, it is perhaps just one entity of a lot of data pools. For instance at our Intranet sites there are /e/www/ (the homepage for WWW), /e/sww/ (the homepage for the Intranet) etc. Now because the data of the DocumentRoot stays at /e/www/ we had to make sure that all inlined images and other stuff inside this data pool work for subsequent requests.

Solution:

We redirect the URL / to /e/www/: 

RewriteEngine on
RewriteRule   ^/$  /e/www/  [R]

Note that this can also be handled using the RedirectMatch directive:

RedirectMatch ^/$ http://example.com/e/www/

Trailing Slash Problem

Description:

Every webmaster can sing a song about the problem of the trailing slash on URLs referencing directories. If they are missing, the server dumps an error, because if you say /~quux/foo instead of /~quux/foo/ then the server searches for a file named foo. And because this file is a directory it complains. Actually it tries to fix it itself in most of the cases, but sometimes this mechanism need to be emulated by you. For instance after you have done a lot of complicated URL rewritings to CGI scripts etc.

Solution:

The solution to this subtle problem is to let the server add the trailing slash automatically. To do this correctly we have to use an external redirect, so the browser correctly requests subsequent images etc. If we only did a internal rewrite, this would only work for the directory page, but would go wrong when any images are included into this page with relative URLs, because the browser would request an in-lined object. For instance, a request for image.gif in /~quux/foo/index.html would become /~quux/image.gif without the external redirect!

So, to do this trick we write:

RewriteEngine  on
RewriteBase    /~quux/
RewriteRule    ^foo$  foo/  [R]

The crazy and lazy can even do the following in the top-level .htaccess file of their homedir. But notice that this creates some processing overhead.

RewriteEngine  on
RewriteBase    /~quux/
RewriteCond    %{REQUEST_FILENAME}  -d
RewriteRule    ^(.+[^/])$           $1/  [R]

Webcluster through Homogeneous URL Layout

Description:

We want to create a homogeneous and consistent URL layout over all WWW servers on a Intranet webcluster, i.e. all URLs (per definition server local and thus server dependent!) become actually server independent! What we want is to give the WWW namespace a consistent server-independent layout: no URL should have to include any physically correct target server. The cluster itself should drive us automatically to the physical target host.

Solution:

First, the knowledge of the target servers come from (distributed) external maps which contain information where our users, groups and entities stay. The have the form

user1  server_of_user1
user2  server_of_user2
:      :

We put them into files map.xxx-to-host. Second we need to instruct all servers to redirect URLs of the forms

/u/user/anypath
/g/group/anypath
/e/entity/anypath

to

http://physical-host/u/user/anypath
http://physical-host/g/group/anypath
http://physical-host/e/entity/anypath

when the URL is not locally valid to a server. The following ruleset does this for us by the help of the map files (assuming that server0 is a default server which will be used if a user has no entry in the map):

RewriteEngine on

RewriteMap      user-to-host   txt:/path/to/map.user-to-host
RewriteMap     group-to-host   txt:/path/to/map.group-to-host
RewriteMap    entity-to-host   txt:/path/to/map.entity-to-host

RewriteRule   ^/u/([^/]+)/?(.*)   http://${user-to-host:$1|server0}/u/$1/$2
RewriteRule   ^/g/([^/]+)/?(.*)  http://${group-to-host:$1|server0}/g/$1/$2
RewriteRule   ^/e/([^/]+)/?(.*) http://${entity-to-host:$1|server0}/e/$1/$2

RewriteRule   ^/([uge])/([^/]+)/?$          /$1/$2/.www/
RewriteRule   ^/([uge])/([^/]+)/([^.]+.+)   /$1/$2/.www/$3\

Move Homedirs to Different Webserver

Description:

Many webmasters have asked for a solution to the following situation: They wanted to redirect just all homedirs on a webserver to another webserver. They usually need such things when establishing a newer webserver which will replace the old one over time.

Solution:

The solution is trivial with mod_rewrite. On the old webserver we just redirect all /~user/anypath URLs to http://newserver/~user/anypath.

RewriteEngine on
RewriteRule   ^/~(.+)  http://newserver/~$1  [R,L]

Structured Homedirs

Description:

Some sites with thousands of users usually use a structured homedir layout, i.e. each homedir is in a subdirectory which begins for instance with the first character of the username. So, /~foo/anypath is /home/f/foo/.www/anypath while /~bar/anypath is /home/b/bar/.www/anypath.

Solution:

We use the following ruleset to expand the tilde URLs into exactly the above layout.

RewriteEngine on
RewriteRule   ^/~(([a-z])[a-z0-9]+)(.*)  /home/$2/$1/.www$3

Filesystem Reorganization

Description:

This really is a hardcore example: a killer application which heavily uses per-directory RewriteRules to get a smooth look and feel on the Web while its data structure is never touched or adjusted. Background: net.sw is my archive of freely available Unix software packages, which I started to collect in 1992. It is both my hobby and job to to this, because while I'm studying computer science I have also worked for many years as a system and network administrator in my spare time. Every week I need some sort of software so I created a deep hierarchy of directories where I stored the packages:

drwxrwxr-x   2 netsw  users    512 Aug  3 18:39 Audio/
drwxrwxr-x   2 netsw  users    512 Jul  9 14:37 Benchmark/
drwxrwxr-x  12 netsw  users    512 Jul  9 00:34 Crypto/
drwxrwxr-x   5 netsw  users    512 Jul  9 00:41 Database/
drwxrwxr-x   4 netsw  users    512 Jul 30 19:25 Dicts/
drwxrwxr-x  10 netsw  users    512 Jul  9 01:54 Graphic/
drwxrwxr-x   5 netsw  users    512 Jul  9 01:58 Hackers/
drwxrwxr-x   8 netsw  users    512 Jul  9 03:19 InfoSys/
drwxrwxr-x   3 netsw  users    512 Jul  9 03:21 Math/
drwxrwxr-x   3 netsw  users    512 Jul  9 03:24 Misc/
drwxrwxr-x   9 netsw  users    512 Aug  1 16:33 Network/
drwxrwxr-x   2 netsw  users    512 Jul  9 05:53 Office/
drwxrwxr-x   7 netsw  users    512 Jul  9 09:24 SoftEng/
drwxrwxr-x   7 netsw  users    512 Jul  9 12:17 System/
drwxrwxr-x  12 netsw  users    512 Aug  3 20:15 Typesetting/
drwxrwxr-x  10 netsw  users    512 Jul  9 14:08 X11/

In July 1996 I decided to make this archive public to the world via a nice Web interface. "Nice" means that I wanted to offer an interface where you can browse directly through the archive hierarchy. And "nice" means that I didn't wanted to change anything inside this hierarchy - not even by putting some CGI scripts at the top of it. Why? Because the above structure should be later accessible via FTP as well, and I didn't want any Web or CGI stuff to be there.

Solution:

The solution has two parts: The first is a set of CGI scripts which create all the pages at all directory levels on-the-fly. I put them under /e/netsw/.www/ as follows:

-rw-r--r--   1 netsw  users    1318 Aug  1 18:10 .wwwacl
drwxr-xr-x  18 netsw  users     512 Aug  5 15:51 DATA/
-rw-rw-rw-   1 netsw  users  372982 Aug  5 16:35 LOGFILE
-rw-r--r--   1 netsw  users     659 Aug  4 09:27 TODO
-rw-r--r--   1 netsw  users    5697 Aug  1 18:01 netsw-about.html
-rwxr-xr-x   1 netsw  users     579 Aug  2 10:33 netsw-access.pl
-rwxr-xr-x   1 netsw  users    1532 Aug  1 17:35 netsw-changes.cgi
-rwxr-xr-x   1 netsw  users    2866 Aug  5 14:49 netsw-home.cgi
drwxr-xr-x   2 netsw  users     512 Jul  8 23:47 netsw-img/
-rwxr-xr-x   1 netsw  users   24050 Aug  5 15:49 netsw-lsdir.cgi
-rwxr-xr-x   1 netsw  users    1589 Aug  3 18:43 netsw-search.cgi
-rwxr-xr-x   1 netsw  users    1885 Aug  1 17:41 netsw-tree.cgi
-rw-r--r--   1 netsw  users     234 Jul 30 16:35 netsw-unlimit.lst

The DATA/ subdirectory holds the above directory structure, i.e. the real net.sw stuff and gets automatically updated via rdist from time to time. The second part of the problem remains: how to link these two structures together into one smooth-looking URL tree? We want to hide the DATA/ directory from the user while running the appropriate CGI scripts for the various URLs. Here is the solution: first I put the following into the per-directory configuration file in the DocumentRoot of the server to rewrite the announced URL /net.sw/ to the internal path /e/netsw:

RewriteRule  ^net.sw$       net.sw/        [R]
RewriteRule  ^net.sw/(.*)$  e/netsw/$1

The first rule is for requests which miss the trailing slash! The second rule does the real thing. And then comes the killer configuration which stays in the per-directory config file /e/netsw/.www/.wwwacl:

Options       ExecCGI FollowSymLinks Includes MultiViews

RewriteEngine on

#  we are reached via /net.sw/ prefix
RewriteBase   /net.sw/

#  first we rewrite the root dir to
#  the handling cgi script
RewriteRule   ^$                       netsw-home.cgi     [L]
RewriteRule   ^index\.html$            netsw-home.cgi     [L]

#  strip out the subdirs when
#  the browser requests us from perdir pages
RewriteRule   ^.+/(netsw-[^/]+/.+)$    $1                 [L]

#  and now break the rewriting for local files
RewriteRule   ^netsw-home\.cgi.*       -                  [L]
RewriteRule   ^netsw-changes\.cgi.*    -                  [L]
RewriteRule   ^netsw-search\.cgi.*     -                  [L]
RewriteRule   ^netsw-tree\.cgi$        -                  [L]
RewriteRule   ^netsw-about\.html$      -                  [L]
RewriteRule   ^netsw-img/.*$           -                  [L]

#  anything else is a subdir which gets handled
#  by another cgi script
RewriteRule   !^netsw-lsdir\.cgi.*     -                  [C]
RewriteRule   (.*)                     netsw-lsdir.cgi/$1

Some hints for interpretation:

  1. Notice the L (last) flag and no substitution field ('-') in the forth part
  2. Notice the ! (not) character and the C (chain) flag at the first rule in the last part
  3. Notice the catch-all pattern in the last rule

NCSA imagemap to Apache mod_imagemap

Description:

When switching from the NCSA webserver to the more modern Apache webserver a lot of people want a smooth transition. So they want pages which use their old NCSA imagemap program to work under Apache with the modern mod_imagemap. The problem is that there are a lot of hyperlinks around which reference the imagemap program via /cgi-bin/imagemap/path/to/page.map. Under Apache this has to read just /path/to/page.map.

Solution:

We use a global rule to remove the prefix on-the-fly for all requests:

RewriteEngine  on
RewriteRule    ^/cgi-bin/imagemap(.*)  $1  [PT]

Search pages in more than one directory

Description:

Sometimes it is necessary to let the webserver search for pages in more than one directory. Here MultiViews or other techniques cannot help.

Solution:

We program a explicit ruleset which searches for the files in the directories.

RewriteEngine on

#   first try to find it in custom/...
#   ...and if found stop and be happy:
RewriteCond         /your/docroot/dir1/%{REQUEST_FILENAME}  -f
RewriteRule  ^(.+)  /your/docroot/dir1/$1  [L]

#   second try to find it in pub/...
#   ...and if found stop and be happy:
RewriteCond         /your/docroot/dir2/%{REQUEST_FILENAME}  -f
RewriteRule  ^(.+)  /your/docroot/dir2/$1  [L]

#   else go on for other Alias or ScriptAlias directives,
#   etc.
RewriteRule   ^(.+)  -  [PT]

Set Environment Variables According To URL Parts

Description:

Perhaps you want to keep status information between requests and use the URL to encode it. But you don't want to use a CGI wrapper for all pages just to strip out this information.

Solution:

We use a rewrite rule to strip out the status information and remember it via an environment variable which can be later dereferenced from within XSSI or CGI. This way a URL /foo/S=java/bar/ gets translated to /foo/bar/ and the environment variable named STATUS is set to the value "java".

RewriteEngine on
RewriteRule   ^(.*)/S=([^/]+)/(.*)    $1/$3 [E=STATUS:$2]

Virtual User Hosts

Description:

Assume that you want to provide www.username.host.domain.com for the homepage of username via just DNS A records to the same machine and without any virtualhosts on this machine.

Solution:

For HTTP/1.0 requests there is no solution, but for HTTP/1.1 requests which contain a Host: HTTP header we can use the following ruleset to rewrite http://www.username.host.com/anypath internally to /home/username/anypath:

RewriteEngine on
RewriteCond   %{HTTP_HOST}                 ^www\.[^.]+\.host\.com$
RewriteRule   ^(.+)                        %{HTTP_HOST}$1          [C]
RewriteRule   ^www\.([^.]+)\.host\.com(.*) /home/$1$2

Redirect Homedirs For Foreigners

Description:

We want to redirect homedir URLs to another webserver www.somewhere.com when the requesting user does not stay in the local domain ourdomain.com. This is sometimes used in virtual host contexts.

Solution:

Just a rewrite condition:

RewriteEngine on
RewriteCond   %{REMOTE_HOST}  !^.+\.ourdomain\.com$
RewriteRule   ^(/~.+)         http://www.somewhere.com/$1 [R,L]

Redirect Failing URLs To Other Webserver

Description:

A typical FAQ about URL rewriting is how to redirect failing requests on webserver A to webserver B. Usually this is done via ErrorDocument CGI-scripts in Perl, but there is also a mod_rewrite solution. But notice that this performs more poorly than using an ErrorDocument CGI-script!

Solution:

The first solution has the best performance but less flexibility, and is less error safe:

RewriteEngine on
RewriteCond   /your/docroot/%{REQUEST_FILENAME} !-f
RewriteRule   ^(.+)                             http://webserverB.dom/$1

The problem here is that this will only work for pages inside the DocumentRoot. While you can add more Conditions (for instance to also handle homedirs, etc.) there is better variant:

RewriteEngine on
RewriteCond   %{REQUEST_URI} !-U
RewriteRule   ^(.+)          http://webserverB.dom/$1

This uses the URL look-ahead feature of mod_rewrite. The result is that this will work for all types of URLs and is a safe way. But it does a performance impact on the webserver, because for every request there is one more internal subrequest. So, if your webserver runs on a powerful CPU, use this one. If it is a slow machine, use the first approach or better a ErrorDocument CGI-script.

Extended Redirection

Description:

Sometimes we need more control (concerning the character escaping mechanism) of URLs on redirects. Usually the Apache kernels URL escape function also escapes anchors, i.e. URLs like "url#anchor". You cannot use this directly on redirects with mod_rewrite because the uri_escape() function of Apache would also escape the hash character. How can we redirect to such a URL?

Solution:

We have to use a kludge by the use of a NPH-CGI script which does the redirect itself. Because here no escaping is done (NPH=non-parseable headers). First we introduce a new URL scheme xredirect: by the following per-server config-line (should be one of the last rewrite rules):

RewriteRule ^xredirect:(.+) /path/to/nph-xredirect.cgi/$1 \
            [T=application/x-httpd-cgi,L]

This forces all URLs prefixed with xredirect: to be piped through the nph-xredirect.cgi program. And this program just looks like:

#!/path/to/perl
##
##  nph-xredirect.cgi -- NPH/CGI script for extended redirects
##  Copyright (c) 1997 Ralf S. Engelschall, All Rights Reserved.
##

$| = 1;
$url = $ENV{'PATH_INFO'};

print "HTTP/1.0 302 Moved Temporarily\n";
print "Server: $ENV{'SERVER_SOFTWARE'}\n";
print "Location: $url\n";
print "Content-type: text/html\n";
print "\n";
print "<html>\n";
print "<head>\n";
print "<title>302 Moved Temporarily (EXTENDED)</title>\n";
print "</head>\n";
print "<body>\n";
print "<h1>Moved Temporarily (EXTENDED)</h1>\n";
print "The document has moved <a HREF=\"$url\">here</a>.<p>\n";
print "</body>\n";
print "</html>\n";

##EOF##

This provides you with the functionality to do redirects to all URL schemes, i.e. including the one which are not directly accepted by mod_rewrite. For instance you can now also redirect to news:newsgroup via

RewriteRule ^anyurl  xredirect:news:newsgroup
Notice: You have not to put [R] or [R,L] to the above rule because the xredirect: need to be expanded later by our special "pipe through" rule above.

Archive Access Multiplexer

Description:

Do you know the great CPAN (Comprehensive Perl Archive Network) under http://www.perl.com/CPAN? This does a redirect to one of several FTP servers around the world which carry a CPAN mirror and is approximately near the location of the requesting client. Actually this can be called an FTP access multiplexing service. While CPAN runs via CGI scripts, how can a similar approach implemented via mod_rewrite?

Solution:

First we notice that from version 3.0.0 mod_rewrite can also use the "ftp:" scheme on redirects. And second, the location approximation can be done by a RewriteMap over the top-level domain of the client. With a tricky chained ruleset we can use this top-level domain as a key to our multiplexing map.

RewriteEngine on
RewriteMap    multiplex                txt:/path/to/map.cxan
RewriteRule   ^/CxAN/(.*)              %{REMOTE_HOST}::$1                 [C]
RewriteRule   ^.+\.([a-zA-Z]+)::(.*)$  ${multiplex:$1|ftp.default.dom}$2  [R,L]

##
##  map.cxan -- Multiplexing Map for CxAN
##

de        ftp://ftp.cxan.de/CxAN/
uk        ftp://ftp.cxan.uk/CxAN/
com       ftp://ftp.cxan.com/CxAN/
 :
##EOF##

Time-Dependent Rewriting

Description:

When tricks like time-dependent content should happen a lot of webmasters still use CGI scripts which do for instance redirects to specialized pages. How can it be done via mod_rewrite?

Solution:

There are a lot of variables named TIME_xxx for rewrite conditions. In conjunction with the special lexicographic comparison patterns <STRING, >STRING and =STRING we can do time-dependent redirects:

RewriteEngine on
RewriteCond   %{TIME_HOUR}%{TIME_MIN} >0700
RewriteCond   %{TIME_HOUR}%{TIME_MIN} <1900
RewriteRule   ^foo\.html$             foo.day.html
RewriteRule   ^foo\.html$             foo.night.html

This provides the content of foo.day.html under the URL foo.html from 07:00-19:00 and at the remaining time the contents of foo.night.html. Just a nice feature for a homepage...

Backward Compatibility for YYYY to XXXX migration

Description:

How can we make URLs backward compatible (still existing virtually) after migrating document.YYYY to document.XXXX, e.g. after translating a bunch of .html files to .phtml?

Solution:

We just rewrite the name to its basename and test for existence of the new extension. If it exists, we take that name, else we rewrite the URL to its original state.

#   backward compatibility ruleset for
#   rewriting document.html to document.phtml
#   when and only when document.phtml exists
#   but no longer document.html
RewriteEngine on
RewriteBase   /~quux/
#   parse out basename, but remember the fact
RewriteRule   ^(.*)\.html$              $1      [C,E=WasHTML:yes]
#   rewrite to document.phtml if exists
RewriteCond   %{REQUEST_FILENAME}.phtml -f
RewriteRule   ^(.*)$ $1.phtml                   [S=1]
#   else reverse the previous basename cutout
RewriteCond   %{ENV:WasHTML}            ^yes$
RewriteRule   ^(.*)$ $1.html
top

Content Handling

From Old to New (intern)

Description:

Assume we have recently renamed the page foo.html to bar.html and now want to provide the old URL for backward compatibility. Actually we want that users of the old URL even not recognize that the pages was renamed.

Solution:

We rewrite the old URL to the new one internally via the following rule:

RewriteEngine  on
RewriteBase    /~quux/
RewriteRule    ^foo\.html$  bar.html

From Old to New (extern)

Description:

Assume again that we have recently renamed the page foo.html to bar.html and now want to provide the old URL for backward compatibility. But this time we want that the users of the old URL get hinted to the new one, i.e. their browsers Location field should change, too.

Solution:

We force a HTTP redirect to the new URL which leads to a change of the browsers and thus the users view:

RewriteEngine  on
RewriteBase    /~quux/
RewriteRule    ^foo\.html$  bar.html  [R]

Browser Dependent Content

Description:

At least for important top-level pages it is sometimes necessary to provide the optimum of browser dependent content, i.e. one has to provide a maximum version for the latest Netscape variants, a minimum version for the Lynx browsers and a average feature version for all others.

Solution:

We cannot use content negotiation because the browsers do not provide their type in that form. Instead we have to act on the HTTP header "User-Agent". The following condig does the following: If the HTTP header "User-Agent" begins with "Mozilla/3", the page foo.html is rewritten to foo.NS.html and and the rewriting stops. If the browser is "Lynx" or "Mozilla" of version 1 or 2 the URL becomes foo.20.html. All other browsers receive page foo.32.html. This is done by the following ruleset:

RewriteCond %{HTTP_USER_AGENT}  ^Mozilla/3.*
RewriteRule ^foo\.html$         foo.NS.html          [L]

RewriteCond %{HTTP_USER_AGENT}  ^Lynx/.*         [OR]
RewriteCond %{HTTP_USER_AGENT}  ^Mozilla/[12].*
RewriteRule ^foo\.html$         foo.20.html          [L]

RewriteRule ^foo\.html$         foo.32.html          [L]

Dynamic Mirror

Description:

Assume there are nice webpages on remote hosts we want to bring into our namespace. For FTP servers we would use the mirror program which actually maintains an explicit up-to-date copy of the remote data on the local machine. For a webserver we could use the program webcopy which acts similar via HTTP. But both techniques have one major drawback: The local copy is always just as up-to-date as often we run the program. It would be much better if the mirror is not a static one we have to establish explicitly. Instead we want a dynamic mirror with data which gets updated automatically when there is need (updated data on the remote host).

Solution:

To provide this feature we map the remote webpage or even the complete remote webarea to our namespace by the use of the Proxy Throughput feature (flag [P]):

RewriteEngine  on
RewriteBase    /~quux/
RewriteRule    ^hotsheet/(.*)$  http://www.tstimpreso.com/hotsheet/$1  [P]

RewriteEngine  on
RewriteBase    /~quux/
RewriteRule    ^usa-news\.html$   http://www.quux-corp.com/news/index.html  [P]

Reverse Dynamic Mirror

Description:
...
Solution:
RewriteEngine on
RewriteCond   /mirror/of/remotesite/$1           -U
RewriteRule   ^http://www\.remotesite\.com/(.*)$ /mirror/of/remotesite/$1

Retrieve Missing Data from Intranet

Description:

This is a tricky way of virtually running a corporate (external) Internet webserver (www.quux-corp.dom), while actually keeping and maintaining its data on a (internal) Intranet webserver (www2.quux-corp.dom) which is protected by a firewall. The trick is that on the external webserver we retrieve the requested data on-the-fly from the internal one.

Solution:

First, we have to make sure that our firewall still protects the internal webserver and that only the external webserver is allowed to retrieve data from it. For a packet-filtering firewall we could for instance configure a firewall ruleset like the following:

ALLOW Host www.quux-corp.dom Port >1024 --> Host www2.quux-corp.dom Port 80
DENY  Host *                 Port *     --> Host www2.quux-corp.dom Port 80

Just adjust it to your actual configuration syntax. Now we can establish the mod_rewrite rules which request the missing data in the background through the proxy throughput feature:

RewriteRule ^/~([^/]+)/?(.*)          /home/$1/.www/$2
RewriteCond %{REQUEST_FILENAME}       !-f
RewriteCond %{REQUEST_FILENAME}       !-d
RewriteRule ^/home/([^/]+)/.www/?(.*) http://www2.quux-corp.dom/~$1/pub/$2 [P]

Load Balancing

Description:

Suppose we want to load balance the traffic to www.foo.com over www[0-5].foo.com (a total of 6 servers). How can this be done?

Solution:

There are a lot of possible solutions for this problem. We will discuss first a commonly known DNS-based variant and then the special one with mod_rewrite:

  1. DNS Round-Robin

    The simplest method for load-balancing is to use the DNS round-robin feature of BIND. Here you just configure www[0-9].foo.com as usual in your DNS with A(address) records, e.g.

    www0   IN  A       1.2.3.1
www1   IN  A       1.2.3.2
www2   IN  A       1.2.3.3
www3   IN  A       1.2.3.4
www4   IN  A       1.2.3.5
www5   IN  A       1.2.3.6

    Then you additionally add the following entry:

    www   IN  A       1.2.3.1
www   IN  A       1.2.3.2
www   IN  A       1.2.3.3
www   IN  A       1.2.3.4
www   IN  A       1.2.3.5

    Now when www.foo.com gets resolved, BIND gives out www0-www5 - but in a slightly permutated/rotated order every time. This way the clients are spread over the various servers. But notice that this not a perfect load balancing scheme, because DNS resolve information gets cached by the other nameservers on the net, so once a client has resolved www.foo.com to a particular wwwN.foo.com, all subsequent requests also go to this particular name wwwN.foo.com. But the final result is ok, because the total sum of the requests are really spread over the various webservers.

  2. DNS Load-Balancing

    A sophisticated DNS-based method for load-balancing is to use the program lbnamed which can be found at http://www.stanford.edu/~riepel/lbnamed/. It is a Perl 5 program in conjunction with auxiliary tools which provides a real load-balancing for DNS.

  3. Proxy Throughput Round-Robin

    In this variant we use mod_rewrite and its proxy throughput feature. First we dedicate www0.foo.com to be actually www.foo.com by using a single

    www    IN  CNAME   www0.foo.com.

    entry in the DNS. Then we convert www0.foo.com to a proxy-only server, i.e. we configure this machine so all arriving URLs are just pushed through the internal proxy to one of the 5 other servers (www1-www5). To accomplish this we first establish a ruleset which contacts a load balancing script lb.pl for all URLs.

    RewriteEngine on
RewriteMap    lb      prg:/path/to/lb.pl
RewriteRule   ^/(.+)$ ${lb:$1}           [P,L]

    Then we write lb.pl:

    #!/path/to/perl
##
##  lb.pl -- load balancing script
##

$| = 1;

$name   = "www";     # the hostname base
$first  = 1;         # the first server (not 0 here, because 0 is myself)
$last   = 5;         # the last server in the round-robin
$domain = "foo.dom"; # the domainname

$cnt = 0;
while (<STDIN>) {
    $cnt = (($cnt+1) % ($last+1-$first));
    $server = sprintf("%s%d.%s", $name, $cnt+$first, $domain);
    print "http://$server/$_";
}

##EOF##
    A last notice: Why is this useful? Seems like www0.foo.com still is overloaded? The answer is yes, it is overloaded, but with plain proxy throughput requests, only! All SSI, CGI, ePerl, etc. processing is completely done on the other machines. This is the essential point.
  4. Hardware/TCP Round-Robin

    There is a hardware solution available, too. Cisco has a beast called LocalDirector which does a load balancing at the TCP/IP level. Actually this is some sort of a circuit level gateway in front of a webcluster. If you have enough money and really need a solution with high performance, use this one.

New MIME-type, New Service

Description:

On the net there are a lot of nifty CGI programs. But their usage is usually boring, so a lot of webmaster don't use them. Even Apache's Action handler feature for MIME-types is only appropriate when the CGI programs don't need special URLs (actually PATH_INFO and QUERY_STRINGS) as their input. First, let us configure a new file type with extension .scgi (for secure CGI) which will be processed by the popular cgiwrap program. The problem here is that for instance we use a Homogeneous URL Layout (see above) a file inside the user homedirs has the URL /u/user/foo/bar.scgi. But cgiwrap needs the URL in the form /~user/foo/bar.scgi/. The following rule solves the problem:

RewriteRule ^/[uge]/([^/]+)/\.www/(.+)\.scgi(.*) ...
... /internal/cgi/user/cgiwrap/~$1/$2.scgi$3  [NS,T=application/x-http-cgi]

Or assume we have some more nifty programs: wwwlog (which displays the access.log for a URL subtree and wwwidx (which runs Glimpse on a URL subtree). We have to provide the URL area to these programs so they know on which area they have to act on. But usually this ugly, because they are all the times still requested from that areas, i.e. typically we would run the swwidx program from within /u/user/foo/ via hyperlink to

/internal/cgi/user/swwidx?i=/u/user/foo/

which is ugly. Because we have to hard-code both the location of the area and the location of the CGI inside the hyperlink. When we have to reorganize the area, we spend a lot of time changing the various hyperlinks.

Solution:

The solution here is to provide a special new URL format which automatically leads to the proper CGI invocation. We configure the following:

RewriteRule   ^/([uge])/([^/]+)(/?.*)/\*  /internal/cgi/user/wwwidx?i=/$1/$2$3/
RewriteRule   ^/([uge])/([^/]+)(/?.*):log /internal/cgi/user/wwwlog?f=/$1/$2$3

Now the hyperlink to search at /u/user/foo/ reads only

HREF="*"

which internally gets automatically transformed to

/internal/cgi/user/wwwidx?i=/u/user/foo/

The same approach leads to an invocation for the access log CGI program when the hyperlink :log gets used.

From Static to Dynamic

Description:

How can we transform a static page foo.html into a dynamic variant foo.cgi in a seamless way, i.e. without notice by the browser/user.

Solution:

We just rewrite the URL to the CGI-script and force the correct MIME-type so it gets really run as a CGI-script. This way a request to /~quux/foo.html internally leads to the invocation of /~quux/foo.cgi.

RewriteEngine  on
RewriteBase    /~quux/
RewriteRule    ^foo\.html$  foo.cgi  [T=application/x-httpd-cgi]

On-the-fly Content-Regeneration

Description:

Here comes a really esoteric feature: Dynamically generated but statically served pages, i.e. pages should be delivered as pure static pages (read from the filesystem and just passed through), but they have to be generated dynamically by the webserver if missing. This way you can have CGI-generated pages which are statically served unless one (or a cronjob) removes the static contents. Then the contents gets refreshed.

Solution:
This is done via the following ruleset: 
RewriteCond %{REQUEST_FILENAME}   !-s
RewriteRule ^page\.html$          page.cgi   [T=application/x-httpd-cgi,L]

Here a request to page.html leads to a internal run of a corresponding page.cgi if page.html is still missing or has filesize null. The trick here is that page.cgi is a usual CGI script which (additionally to its STDOUT) writes its output to the file page.html. Once it was run, the server sends out the data of page.html. When the webmaster wants to force a refresh the contents, he just removes page.html (usually done by a cronjob).

Document With Autorefresh

Description:

Wouldn't it be nice while creating a complex webpage if the webbrowser would automatically refresh the page every time we write a new version from within our editor? Impossible?

Solution:

No! We just combine the MIME multipart feature, the webserver NPH feature and the URL manipulation power of mod_rewrite. First, we establish a new URL feature: Adding just :refresh to any URL causes this to be refreshed every time it gets updated on the filesystem.

RewriteRule   ^(/[uge]/[^/]+/?.*):refresh  /internal/cgi/apache/nph-refresh?f=$1

Now when we reference the URL

/u/foo/bar/page.html:refresh

this leads to the internal invocation of the URL

/internal/cgi/apache/nph-refresh?f=/u/foo/bar/page.html

The only missing part is the NPH-CGI script. Although one would usually say "left as an exercise to the reader" ;-) I will provide this, too.

#!/sw/bin/perl
##
##  nph-refresh -- NPH/CGI script for auto refreshing pages
##  Copyright (c) 1997 Ralf S. Engelschall, All Rights Reserved.
##
$| = 1;

#   split the QUERY_STRING variable
@pairs = split(/&/, $ENV{'QUERY_STRING'});
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $name =~ tr/A-Z/a-z/;
    $name = 'QS_' . $name;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    eval "\$$name = \"$value\"";
}
$QS_s = 1 if ($QS_s eq '');
$QS_n = 3600 if ($QS_n eq '');
if ($QS_f eq '') {
    print "HTTP/1.0 200 OK\n";
    print "Content-type: text/html\n\n";
    print "&lt;b&gt;ERROR&lt;/b&gt;: No file given\n";
    exit(0);
}
if (! -f $QS_f) {
    print "HTTP/1.0 200 OK\n";
    print "Content-type: text/html\n\n";
    print "&lt;b&gt;ERROR&lt;/b&gt;: File $QS_f not found\n";
    exit(0);
}

sub print_http_headers_multipart_begin {
    print "HTTP/1.0 200 OK\n";
    $bound = "ThisRandomString12345";
    print "Content-type: multipart/x-mixed-replace;boundary=$bound\n";
    &print_http_headers_multipart_next;
}

sub print_http_headers_multipart_next {
    print "\n--$bound\n";
}

sub print_http_headers_multipart_end {
    print "\n--$bound--\n";
}

sub displayhtml {
    local($buffer) = @_;
    $len = length($buffer);
    print "Content-type: text/html\n";
    print "Content-length: $len\n\n";
    print $buffer;
}

sub readfile {
    local($file) = @_;
    local(*FP, $size, $buffer, $bytes);
    ($x, $x, $x, $x, $x, $x, $x, $size) = stat($file);
    $size = sprintf("%d", $size);
    open(FP, "&lt;$file");
    $bytes = sysread(FP, $buffer, $size);
    close(FP);
    return $buffer;
}

$buffer = &readfile($QS_f);
&print_http_headers_multipart_begin;
&displayhtml($buffer);

sub mystat {
    local($file) = $_[0];
    local($time);

    ($x, $x, $x, $x, $x, $x, $x, $x, $x, $mtime) = stat($file);
    return $mtime;
}

$mtimeL = &mystat($QS_f);
$mtime = $mtime;
for ($n = 0; $n &lt; $QS_n; $n++) {
    while (1) {
        $mtime = &mystat($QS_f);
        if ($mtime ne $mtimeL) {
            $mtimeL = $mtime;
            sleep(2);
            $buffer = &readfile($QS_f);
            &print_http_headers_multipart_next;
            &displayhtml($buffer);
            sleep(5);
            $mtimeL = &mystat($QS_f);
            last;
        }
        sleep($QS_s);
    }
}

&print_http_headers_multipart_end;

exit(0);

##EOF##

Mass Virtual Hosting

Description:

The <VirtualHost> feature of Apache is nice and works great when you just have a few dozens virtual hosts. But when you are an ISP and have hundreds of virtual hosts to provide this feature is not the best choice.

Solution:

To provide this feature we map the remote webpage or even the complete remote webarea to our namespace by the use of the Proxy Throughput feature (flag [P]):

##
##  vhost.map
##
www.vhost1.dom:80  /path/to/docroot/vhost1
www.vhost2.dom:80  /path/to/docroot/vhost2
     :
www.vhostN.dom:80  /path/to/docroot/vhostN

##
##  httpd.conf
##
    :
#   use the canonical hostname on redirects, etc.
UseCanonicalName on

    :
#   add the virtual host in front of the CLF-format
CustomLog  /path/to/access_log  "%{VHOST}e %h %l %u %t \"%r\" %>s %b"
    :

#   enable the rewriting engine in the main server
RewriteEngine on

#   define two maps: one for fixing the URL and one which defines
#   the available virtual hosts with their corresponding
#   DocumentRoot.
RewriteMap    lowercase    int:tolower
RewriteMap    vhost        txt:/path/to/vhost.map

#   Now do the actual virtual host mapping
#   via a huge and complicated single rule:
#
#   1. make sure we don't map for common locations
RewriteCond   %{REQUEST_URI}  !^/commonurl1/.*
RewriteCond   %{REQUEST_URI}  !^/commonurl2/.*
    :
RewriteCond   %{REQUEST_URI}  !^/commonurlN/.*
#
#   2. make sure we have a Host header, because
#      currently our approach only supports
#      virtual hosting through this header
RewriteCond   %{HTTP_HOST}  !^$
#
#   3. lowercase the hostname
RewriteCond   ${lowercase:%{HTTP_HOST}|NONE}  ^(.+)$
#
#   4. lookup this hostname in vhost.map and
#      remember it only when it is a path
#      (and not "NONE" from above)
RewriteCond   ${vhost:%1}  ^(/.*)$
#
#   5. finally we can map the URL to its docroot location
#      and remember the virtual host for logging puposes
RewriteRule   ^/(.*)$   %1/$1  [E=VHOST:${lowercase:%{HTTP_HOST}}]
    :
top

Access Restriction

Blocking of Robots

Description:

How can we block a really annoying robot from retrieving pages of a specific webarea? A /robots.txt file containing entries of the "Robot Exclusion Protocol" is typically not enough to get rid of such a robot.

Solution:

We use a ruleset which forbids the URLs of the webarea /~quux/foo/arc/ (perhaps a very deep directory indexed area where the robot traversal would create big server load). We have to make sure that we forbid access only to the particular robot, i.e. just forbidding the host where the robot runs is not enough. This would block users from this host, too. We accomplish this by also matching the User-Agent HTTP header information.

RewriteCond %{HTTP_USER_AGENT}   ^NameOfBadRobot.*
RewriteCond %{REMOTE_ADDR}       ^123\.45\.67\.[8-9]$
RewriteRule ^/~quux/foo/arc/.+   -   [F]

Blocked Inline-Images

Description:

Assume we have under http://www.quux-corp.de/~quux/ some pages with inlined GIF graphics. These graphics are nice, so others directly incorporate them via hyperlinks to their pages. We don't like this practice because it adds useless traffic to our server.

Solution:

While we cannot 100% protect the images from inclusion, we can at least restrict the cases where the browser sends a HTTP Referer header.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
RewriteRule .*\.gif$        -                                    [F]

RewriteCond %{HTTP_REFERER}         !^$
RewriteCond %{HTTP_REFERER}         !.*/foo-with-gif\.html$
RewriteRule ^inlined-in-foo\.gif$   -                        [F]

Host Deny

Description:

How can we forbid a list of externally configured hosts from using our server?

Solution:

For Apache >= 1.3b6:

RewriteEngine on
RewriteMap    hosts-deny  txt:/path/to/hosts.deny
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^/.*  -  [F]

For Apache <= 1.3b6:

RewriteEngine on
RewriteMap    hosts-deny  txt:/path/to/hosts.deny
RewriteRule   ^/(.*)$ ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND}/$1
RewriteRule   !^NOT-FOUND/.* - [F]
RewriteRule   ^NOT-FOUND/(.*)$ ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND}/$1
RewriteRule   !^NOT-FOUND/.* - [F]
RewriteRule   ^NOT-FOUND/(.*)$ /$1

##
##  hosts.deny
##
##  ATTENTION! This is a map, not a list, even when we treat it as such.
##             mod_rewrite parses it for key/value pairs, so at least a
##             dummy value "-" must be present for each entry.
##

193.102.180.41 -
bsdti1.sdm.de  -
192.76.162.40  -

Proxy Deny

Description:

How can we forbid a certain host or even a user of a special host from using the Apache proxy?

Solution:

We first have to make sure mod_rewrite is below(!) mod_proxy in the Configuration file when compiling the Apache webserver. This way it gets called before mod_proxy. Then we configure the following for a host-dependent deny...

RewriteCond %{REMOTE_HOST} ^badhost\.mydomain\.com$
RewriteRule !^http://[^/.]\.mydomain.com.*  - [F]

...and this one for a user@host-dependent deny:

RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST}  ^badguy@badhost\.mydomain\.com$
RewriteRule !^http://[^/.]\.mydomain.com.*  - [F]

Special Authentication Variant

Description:

Sometimes a very special authentication is needed, for instance a authentication which checks for a set of explicitly configured users. Only these should receive access and without explicit prompting (which would occur when using the Basic Auth via mod_auth_basic).

Solution:

We use a list of rewrite conditions to exclude all except our friends:

RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend1@client1.quux-corp\.com$
RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend2@client2.quux-corp\.com$
RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend3@client3.quux-corp\.com$
RewriteRule ^/~quux/only-for-friends/      -                                 [F]

Referer-based Deflector

Description:

How can we program a flexible URL Deflector which acts on the "Referer" HTTP header and can be configured with as many referring pages as we like?

Solution:

Use the following really tricky ruleset...

RewriteMap  deflector txt:/path/to/deflector.map

RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${deflector:%{HTTP_REFERER}} ^-$
RewriteRule ^.* %{HTTP_REFERER} [R,L]

RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${deflector:%{HTTP_REFERER}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^.* ${deflector:%{HTTP_REFERER}} [R,L]

... in conjunction with a corresponding rewrite map:

##
##  deflector.map
##

http://www.badguys.com/bad/index.html    -
http://www.badguys.com/bad/index2.html   -
http://www.badguys.com/bad/index3.html   http://somewhere.com/

This automatically redirects the request back to the referring page (when "-" is used as the value in the map) or to a specific URL (when an URL is specified in the map as the second argument).

top

Other

External Rewriting Engine

Description:

A FAQ: How can we solve the FOO/BAR/QUUX/etc. problem? There seems no solution by the use of mod_rewrite...

Solution:

Use an external RewriteMap, i.e. a program which acts like a RewriteMap. It is run once on startup of Apache receives the requested URLs on STDIN and has to put the resulting (usually rewritten) URL on STDOUT (same order!).

RewriteEngine on
RewriteMap    quux-map       prg:/path/to/map.quux.pl
RewriteRule   ^/~quux/(.*)$  /~quux/${quux-map:$1}

#!/path/to/perl

#   disable buffered I/O which would lead
#   to deadloops for the Apache server
$| = 1;

#   read URLs one per line from stdin and
#   generate substitution URL on stdout
while (<>) {
    s|^foo/|bar/|;
    print $_;
}

This is a demonstration-only example and just rewrites all URLs /~quux/foo/... to /~quux/bar/.... Actually you can program whatever you like. But notice that while such maps can be used also by an average user, only the system administrator can define it.

misc/security_tips.html100644 0 0 42042 11256637772 12776 0ustar 0 0 Security Tips - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Security Tips

Some hints and tips on security issues in setting up a web server. Some of the suggestions will be general, others specific to Apache.

top

Keep up to Date

The Apache HTTP Server has a good record for security and a developer community highly concerned about security issues. But it is inevitable that some problems -- small or large -- will be discovered in software after it is released. For this reason, it is crucial to keep aware of updates to the software. If you have obtained your version of the HTTP Server directly from Apache, we highly recommend you subscribe to the Apache HTTP Server Announcements List where you can keep informed of new releases and security updates. Similar services are available from most third-party distributors of Apache software.

Of course, most times that a web server is compromised, it is not because of problems in the HTTP Server code. Rather, it comes from problems in add-on code, CGI scripts, or the underlying Operating System. You must therefore stay aware of problems and updates with all the software on your system.

top

Permissions on ServerRoot Directories

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users -- since root never executes any files out of there, and shouldn't be creating files in there.

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.

top

Server Side Includes

Server Side Includes (SSI) present a server administrator with several potential security risks.

The first risk is the increased load on the server. All SSI-enabled files have to be parsed by Apache, whether or not there are any SSI directives included within the files. While this load increase is minor, in a shared server environment it can become significant.

SSI files also pose the same risks that are associated with CGI scripts in general. Using the exec cmd element, SSI-enabled files can execute any CGI script or program under the permissions of the user and group Apache runs as, as configured in httpd.conf.

There are ways to enhance the security of SSI files while still taking advantage of the benefits they provide.

To isolate the damage a wayward SSI file can cause, a server administrator can enable suexec as described in the CGI in General section.

Enabling SSI for files with .html or .htm extensions can be dangerous. This is especially true in a shared, or high traffic, server environment. SSI-enabled files should have a separate extension, such as the conventional .shtml. This helps keep server load at a minimum and allows for easier management of risk.

Another solution is to disable the ability to run scripts and programs from SSI pages. To do this replace Includes with IncludesNOEXEC in the Options directive. Note that users may still use <--#include virtual="..." --> to execute CGI scripts if these scripts are in directories designated by a ScriptAlias directive.

top

CGI in General

First of all, you always have to remember that you must trust the writers of the CGI scripts/programs or your ability to spot potential security holes in CGI, whether they were deliberate or accidental. CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user and can therefore be extremely dangerous if they are not carefully checked.

All the CGI scripts will run as the same user, so they have potential to conflict (accidentally or deliberately) with other scripts e.g. User A hates User B, so he writes a script to trash User B's CGI database. One program which can be used to allow scripts to run as different users is suEXEC which is included with Apache as of 1.2 and is called from special hooks in the Apache server code. Another popular way of doing this is with CGIWrap.

top

Non Script Aliased CGI

Allowing users to execute CGI scripts in any directory should only be considered if:

  • You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
  • You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.
  • You have no users, and nobody ever visits your server.
top

Script Aliased CGI

Limiting CGI to special directories gives the admin control over what goes into those directories. This is inevitably more secure than non script aliased CGI, but only if users with write access to the directories are trusted or the admin is willing to test each new CGI script/program for potential security holes.

Most sites choose this option over the non script aliased CGI approach.

top

Other sources of dynamic content

Embedded scripting options which run as part of the server itself, such as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of the server itself (see the User directive), and therefore scripts executed by these engines potentially can access anything the server user can. Some scripting engines may provide restrictions, but it is better to be safe and assume not.

top

Protecting System Settings

To run a really tight ship, you'll want to stop users from setting up .htaccess files which can override security features you've configured. Here's one way to do it.

In the server configuration file, put

<Directory />
AllowOverride None
</Directory>

This prevents the use of .htaccess files in all directories apart from those specifically enabled.

top

Protect Server Files by Default

One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.

For instance, consider the following example:

# cd /; ln -s / public_html
Accessing http://localhost/~root/

This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration:

<Directory />
Order Deny,Allow
Deny from all
</Directory>

This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example,

<Directory /usr/users/*/public_html>
Order Deny,Allow
Allow from all
</Directory>
<Directory /usr/local/httpd>
Order Deny,Allow
Allow from all
</Directory>

Pay particular attention to the interactions of Location and Directory directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it.

Also be wary of playing games with the UserDir directive; setting it to something like ./ would have the same effect, for root, as the first example above. If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:

UserDir disabled root

top

Watching Your Logs

To keep up-to-date with what is actually going on against your server you have to check the Log Files. Even though the log files only reports what has already happened, they will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present.

A couple of examples:

grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
grep "client denied" error_log | tail -n 10

The first example will list the number of attacks trying to exploit the Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability, the second example will list the ten last denied clients, for example:

[Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd

As you can see, the log files only report what already has happened, so if the client had been able to access the .htpasswd file you would have seen something similar to:

foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"

in your Access Log. This means you probably commented out the following in your server configuration file:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

mod/beos.html100644 0 0 14205 11256637772 10644 0ustar 0 0 beos - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache MPM beos

Description:This Multi-Processing Module is optimized for BeOS.
Status:MPM
Module Identifier:mpm_beos_module
Source File:beos.c

Summary

This Multi-Processing Module (MPM) is the default for BeOS. It uses a single control process which creates threads to handle requests.

top

MaxRequestsPerThread Directive

Description:Limit on the number of requests that an individual thread will handle during its life
Syntax:MaxRequestsPerThread number
Default:MaxRequestsPerThread 0
Context:server config
Status:MPM
Module:beos

The MaxRequestsPerThread directive sets the limit on the number of requests that an individual server thread will handle. After MaxRequestsPerThread requests, the thread will die. If MaxRequestsPerThread is 0, then the thread will never expire.

Setting MaxRequestsPerThread to a non-zero limit has two beneficial effects:

  • it limits the amount of memory that a thread can consume by (accidental) memory leakage;
  • by giving threads a finite lifetime, it helps reduce the number of threads when the server load reduces.

Note:

For KeepAlive requests, only the first request is counted towards this limit. In effect, it changes the behavior to limit the number of connections per thread.

mod/core.html100644 0 0 567521 11256637772 10702 0ustar 0 0 core - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Core Features

Description:Core Apache HTTP Server features that are always available
Status:Core
top

AcceptFilter Directive

Description:Configures optimizations for a Protocol's Listener Sockets
Syntax:AcceptFilter protocol accept_filter
Context:server config
Status:Core
Module:core
Compatibility:Available in Apache 2.1.5 and later

This directive enables operating system specific optimizations for a listening socket by the Protocol type. The basic premise is for the kernel to not send a socket to the server process until either data is received or an entire HTTP Request is buffered. Only FreeBSD's Accept Filters and Linux's more primitive TCP_DEFER_ACCEPT are currently supported.

The default values on FreeBSD are:

AcceptFilter http httpready
AcceptFilter https dataready

The httpready accept filter buffers entire HTTP requests at the kernel level. Once an entire request is received, the kernel then sends it to the server. See the accf_http(9) man page for more details. Since HTTPS requests are encrypted only the accf_data(9) filter is used.

The default values on Linux are:

AcceptFilter http data
AcceptFilter https data

Linux's TCP_DEFER_ACCEPT does not support buffering http requests. Any value besides none will enable TCP_DEFER_ACCEPT on that listener. For more details see the Linux tcp(7) man page.

Using none for an argument will disable any accept filters for that protocol. This is useful for protocols that require a server send data first, such as nntp:

AcceptFilter nntp none

top

AcceptPathInfo Directive

Description:Resources accept trailing pathname information
Syntax:AcceptPathInfo On|Off|Default
Default:AcceptPathInfo Default
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Available in Apache 2.0.30 and later

This directive controls whether requests that contain trailing pathname information that follows an actual filename (or non-existent file in an existing directory) will be accepted or rejected. The trailing pathname information can be made available to scripts in the PATH_INFO environment variable.

For example, assume the location /test/ points to a directory that contains only the single file here.html. Then requests for /test/here.html/more and /test/nothere.html/more both collect /more as PATH_INFO.

The three possible arguments for the AcceptPathInfo directive are:

Off
A request will only be accepted if it maps to a literal path that exists. Therefore a request with trailing pathname information after the true filename such as /test/here.html/more in the above example will return a 404 NOT FOUND error.
On
A request will be accepted if a leading path component maps to a file that exists. The above example /test/here.html/more will be accepted if /test/here.html maps to a valid file.
Default
The treatment of requests with trailing pathname information is determined by the handler responsible for the request. The core handler for normal files defaults to rejecting PATH_INFO requests. Handlers that serve scripts, such as cgi-script and isapi-handler, generally accept PATH_INFO by default.

The primary purpose of the AcceptPathInfo directive is to allow you to override the handler's choice of accepting or rejecting PATH_INFO. This override is required, for example, when you use a filter, such as INCLUDES, to generate content based on PATH_INFO. The core handler would usually reject the request, so you can use the following configuration to enable such a script:

<Files "mypaths.shtml">
Options +Includes
SetOutputFilter INCLUDES
AcceptPathInfo On
 </Files>

top

AccessFileName Directive

Description:Name of the distributed configuration file
Syntax:AccessFileName filename [filename] ...
Default:AccessFileName .htaccess
Context:server config, virtual host
Status:Core
Module:core

While processing a request the server looks for the first existing configuration file from this list of names in every directory of the path to the document, if distributed configuration files are enabled for that directory. For example:

AccessFileName .acl

before returning the document /usr/local/web/index.html, the server will read /.acl, /usr/.acl, /usr/local/.acl and /usr/local/web/.acl for directives, unless they have been disabled with

<Directory />
AllowOverride None
 </Directory>

See also

top

AddDefaultCharset Directive

Description:Default charset parameter to be added when a response content-type is text/plain or text/html
Syntax:AddDefaultCharset On|Off|charset
Default:AddDefaultCharset Off
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

This directive specifies a default value for the media type charset parameter (the name of a character encoding) to be added to a response if and only if the response's content-type is either text/plain or text/html. This should override any charset specified in the body of the response via a META element, though the exact behavior is often dependent on the user's client configuration. A setting of AddDefaultCharset Off disables this functionality. AddDefaultCharset On enables a default charset of iso-8859-1. Any other value is assumed to be the charset to be used, which should be one of the IANA registered charset values for use in MIME media types. For example:

AddDefaultCharset utf-8

AddDefaultCharset should only be used when all of the text resources to which it applies are known to be in that character encoding and it is too inconvenient to label their charset individually. One such example is to add the charset parameter to resources containing generated content, such as legacy CGI scripts, that might be vulnerable to cross-site scripting attacks due to user-provided data being included in the output. Note, however, that a better solution is to just fix (or delete) those scripts, since setting a default charset does not protect users that have enabled the "auto-detect character encoding" feature on their browser.

See also

top

AddOutputFilterByType Directive

Description:assigns an output filter to a particular MIME-type
Syntax:AddOutputFilterByType filter[;filter...] MIME-type [MIME-type] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Available in Apache 2.0.33 and later; deprecated in Apache 2.1 and later

This directive activates a particular output filter for a request depending on the response MIME-type. Because of certain problems discussed below, this directive is deprecated. The same functionality is available using mod_filter.

The following example uses the DEFLATE filter, which is provided by mod_deflate. It will compress all output (either static or dynamic) which is labeled as text/html or text/plain before it is sent to the client.

AddOutputFilterByType DEFLATE text/html text/plain

If you want the content to be processed by more than one filter, their names have to be separated by semicolons. It's also possible to use one AddOutputFilterByType directive for each of these filters.

The configuration below causes all script output labeled as text/html to be processed at first by the INCLUDES filter and then by the DEFLATE filter.

<Location /cgi-bin/>
Options Includes
AddOutputFilterByType INCLUDES;DEFLATE text/html
 </Location>

Note

Enabling filters with AddOutputFilterByType may fail partially or completely in some cases. For example, no filters are applied if the MIME-type could not be determined and falls back to the DefaultType setting, even if the DefaultType is the same.

However, if you want to make sure, that the filters will be applied, assign the content type to a resource explicitly, for example with AddType or ForceType. Setting the content type within a (non-nph) CGI script is also safe.

See also

top

AllowEncodedSlashes Directive

Description:Determines whether encoded path separators in URLs are allowed to be passed through
Syntax:AllowEncodedSlashes On|Off
Default:AllowEncodedSlashes Off
Context:server config, virtual host
Status:Core
Module:core
Compatibility:Available in Apache 2.0.46 and later

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on according systems) to be used. Normally such URLs are refused with a 404 (Not found) error.

Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.

Note

Allowing encoded slashes does not imply decoding. Occurrences of %2F or %5C (only on according systems) will be left as such in the otherwise decoded URL string.

See also

top

AllowOverride Directive

Description:Types of directives that are allowed in .htaccess files
Syntax:AllowOverride All|None|directive-type [directive-type] ...
Default:AllowOverride All
Context:directory
Status:Core
Module:core

When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier configuration directives.

Only available in <Directory> sections

AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.

When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.

The directive-type can be one of the following groupings of directives.

AuthConfig
Allow use of the authorization directives (AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, etc.).
FileInfo
Allow use of the directives controlling document types (DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, and mod_mime Add* and Remove* directives, etc.), document meta data (Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName), mod_rewrite directives RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule) and Action from mod_actions.
Indexes
Allow use of the directives controlling directory indexing (AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, etc.).
Limit
Allow use of the directives controlling host access (Allow, Deny and Order).
Options[=Option,...]
Allow use of the directives controlling specific directory features (Options and XBitHack). An equal sign may be given followed by a comma (but no spaces) separated lists of options that may be set using the Options command.

Example:

AllowOverride AuthConfig Indexes

In the example above all directives that are neither in the group AuthConfig nor Indexes cause an internal server error.

For security and performance reasons, do not set AllowOverride to anything other than None in your <Directory /> block. Instead, find (or create) the <Directory> block that refers to the directory where you're actually planning to place a .htaccess file.

See also

top

AuthName Directive

Description:Authorization realm for use in HTTP authentication
Syntax:AuthName auth-domain
Context:directory, .htaccess
Override:AuthConfig
Status:Core
Module:core

This directive sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send. AuthName takes a single argument; if the realm name contains spaces, it must be enclosed in quotation marks. It must be accompanied by AuthType and Require directives, and directives such as AuthUserFile and AuthGroupFile to work.

For example:

AuthName "Top Secret"

The string provided for the AuthName is what will appear in the password dialog provided by most browsers.

See also

top

AuthType Directive

Description:Type of user authentication
Syntax:AuthType Basic|Digest
Context:directory, .htaccess
Override:AuthConfig
Status:Core
Module:core

This directive selects the type of user authentication for a directory. The authentication types available are Basic (implemented by mod_auth_basic) and Digest (implemented by mod_auth_digest).

To implement authentication, you must also use the AuthName and Require directives. In addition, the server must have an authentication-provider module such as mod_authn_file and an authorization module such as mod_authz_user.

See also

top

CGIMapExtension Directive

Description:Technique for locating the interpreter for CGI scripts
Syntax:CGIMapExtension cgi-path .extension
Context:directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:NetWare only

This directive is used to control how Apache finds the interpreter used to run CGI scripts. For example, setting CGIMapExtension sys:\foo.nlm .foo will cause all CGI script files with a .foo extension to be passed to the FOO interpreter.

top

ContentDigest Directive

Description:Enables the generation of Content-MD5 HTTP Response headers
Syntax:ContentDigest On|Off
Default:ContentDigest Off
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Core
Module:core

This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2616.

MD5 is an algorithm for computing a "message digest" (sometimes called "fingerprint") of arbitrary-length data, with a high degree of confidence that any alterations in the data will be reflected in alterations in the message digest.

The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit. Example header:

Content-MD5: AuLb7Dp1rqtRtxz2m9kRpA==

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached).

Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.

top

DefaultType Directive

Description:MIME content-type that will be sent if the server cannot determine a type in any other way
Syntax:DefaultType MIME-type|none
Default:DefaultType text/plain
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:The argument none is available in Apache 2.2.7 and later

There will be times when the server is asked to provide a document whose type cannot be determined by its MIME types mappings.

The server SHOULD inform the client of the content-type of the document. If the server is unable to determine this by normal means, it will set it to the configured DefaultType. For example:

DefaultType image/gif

would be appropriate for a directory which contained many GIF images with filenames missing the .gif extension.

In cases where it can neither be determined by the server nor the administrator (e.g. a proxy), it is preferable to omit the MIME type altogether rather than provide information that may be false. This can be accomplished using

DefaultType None

DefaultType None is only available in httpd-2.2.7 and later.

Note that unlike ForceType, this directive only provides the default mime-type. All other mime-type definitions, including filename extensions, that might identify the media type will override this default.

top

<Directory> Directive

Description:Enclose a group of directives that apply only to the named file-system directory and sub-directories
Syntax:<Directory directory-path> ... </Directory>
Context:server config, virtual host
Status:Core
Module:core

<Directory> and </Directory> are used to enclose a group of directives that will apply only to the named directory and sub-directories of that directory. Any directive that is allowed in a directory context may be used. Directory-path is either the full path to a directory, or a wild-card string using Unix shell-style matching. In a wild-card string, ? matches any single character, and * matches any sequences of characters. You may also use [] character ranges. None of the wildcards match a `/' character, so <Directory /*/public_html> will not match /home/user/public_html, but <Directory /home/*/public_html> will match. Example:

<Directory /usr/local/httpd/htdocs>
Options Indexes FollowSymLinks
 </Directory>

Be careful with the directory-path arguments: They have to literally match the filesystem path which Apache uses to access the files. Directives applied to a particular <Directory> will not apply to files accessed from that same directory via a different path, such as via different symbolic links.

Regular expressions can also be used, with the addition of the ~ character. For example:

<Directory ~ "^/www/.*/[0-9]{3}">

would match directories in /www/ that consisted of three numbers.

If multiple (non-regular expression) <Directory> sections match the directory (or one of its parents) containing a document, then the directives are applied in the order of shortest match first, interspersed with the directives from the .htaccess files. For example, with

<Directory />
AllowOverride None
 </Directory>

<Directory /home/>
AllowOverride FileInfo
 </Directory>

for access to the document /home/web/dir/doc.html the steps are:

  • Apply directive AllowOverride None (disabling .htaccess files).
  • Apply directive AllowOverride FileInfo (for directory /home).
  • Apply any FileInfo directives in /home/.htaccess, /home/web/.htaccess and /home/web/dir/.htaccess in that order.

Regular expressions are not considered until after all of the normal sections have been applied. Then all of the regular expressions are tested in the order they appeared in the configuration file. For example, with

<Directory ~ abc$>
# ... directives here ...
 </Directory>

the regular expression section won't be considered until after all normal <Directory>s and .htaccess files have been applied. Then the regular expression will match on /home/abc/public_html/abc and the corresponding <Directory> will be applied.

Note that the default Apache access for <Directory /> is Allow from All. This means that Apache will serve any file mapped from an URL. It is recommended that you change this with a block such as

<Directory />
Order Deny,Allow
Deny from All
 </Directory>

and then override this for directories you want accessible. See the Security Tips page for more details.

The directory sections occur in the httpd.conf file. <Directory> directives cannot nest, and cannot appear in a <Limit> or <LimitExcept> section.

See also

top

<DirectoryMatch> Directive

Description:Enclose directives that apply to file-system directories matching a regular expression and their subdirectories
Syntax:<DirectoryMatch regex> ... </DirectoryMatch>
Context:server config, virtual host
Status:Core
Module:core

<DirectoryMatch> and </DirectoryMatch> are used to enclose a group of directives which will apply only to the named directory and sub-directories of that directory, the same as <Directory>. However, it takes as an argument a regular expression. For example:

<DirectoryMatch "^/www/(.+/)?[0-9]{3}">

would match directories in /www/ that consisted of three numbers.

See also

top

DocumentRoot Directive

Description:Directory that forms the main document tree visible from the web
Syntax:DocumentRoot directory-path
Default:DocumentRoot /usr/local/apache/htdocs
Context:server config, virtual host
Status:Core
Module:core

This directive sets the directory from which httpd will serve files. Unless matched by a directive like Alias, the server appends the path from the requested URL to the document root to make the path to the document. Example:

DocumentRoot /usr/web

then an access to http://www.my.host.com/index.html refers to /usr/web/index.html. If the directory-path is not absolute then it is assumed to be relative to the ServerRoot.

The DocumentRoot should be specified without a trailing slash.

See also

top

EnableMMAP Directive

Description:Use memory-mapping to read files during delivery
Syntax:EnableMMAP On|Off
Default:EnableMMAP On
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

This directive controls whether the httpd may use memory-mapping if it needs to read the contents of a file during delivery. By default, when the handling of a request requires access to the data within a file -- for example, when delivering a server-parsed file using mod_include -- Apache memory-maps the file if the OS supports it.

This memory-mapping sometimes yields a performance improvement. But in some environments, it is better to disable the memory-mapping to prevent operational problems:

  • On some multiprocessor systems, memory-mapping can reduce the performance of the httpd.
  • Deleting or truncating a file while httpd has it memory-mapped can cause httpd to crash with a segmentation fault.

For server configurations that are vulnerable to these problems, you should disable memory-mapping of delivered files by specifying:

EnableMMAP Off

For NFS mounted files, this feature may be disabled explicitly for the offending files by specifying:

<Directory "/path-to-nfs-files"> EnableMMAP Off </Directory>

Please note that the per-directory and .htaccess configuration of EnableSendfile is not supported by mod_disk_cache. Only global definition of EnableSendfile is taken into account by the module.

top

EnableSendfile Directive

Description:Use the kernel sendfile support to deliver files to the client
Syntax:EnableSendfile On|Off
Default:EnableSendfile On
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Available in version 2.0.44 and later

This directive controls whether httpd may use the sendfile support from the kernel to transmit file contents to the client. By default, when the handling of a request requires no access to the data within a file -- for example, when delivering a static file -- Apache uses sendfile to deliver the file contents without ever reading the file if the OS supports it.

This sendfile mechanism avoids separate read and send operations, and buffer allocations. But on some platforms or within some filesystems, it is better to disable this feature to avoid operational problems:

  • Some platforms may have broken sendfile support that the build system did not detect, especially if the binaries were built on another box and moved to such a machine with broken sendfile support.
  • On Linux the use of sendfile triggers TCP-checksum offloading bugs on certain networking cards when using IPv6.
  • On Linux on Itanium, sendfile may be unable to handle files over 2GB in size.
  • With a network-mounted DocumentRoot (e.g., NFS or SMB), the kernel may be unable to serve the network file through its own cache.

For server configurations that are vulnerable to these problems, you should disable this feature by specifying:

EnableSendfile Off

For NFS or SMB mounted files, this feature may be disabled explicitly for the offending files by specifying:

<Directory "/path-to-nfs-files"> EnableSendfile Off </Directory>

top

ErrorDocument Directive

Description:What the server will return to the client in case of an error
Syntax:ErrorDocument error-code document
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Quoting syntax for text messages is different in Apache 2.0

In the event of a problem or error, Apache can be configured to do one of four things,

  1. output a simple hardcoded error message
  2. output a customized message
  3. redirect to a local URL-path to handle the problem/error
  4. redirect to an external URL to handle the problem/error

The first option is the default, while options 2-4 are configured using the ErrorDocument directive, which is followed by the HTTP response code and a URL or a message. Apache will sometimes offer additional information regarding the problem/error.

URLs can begin with a slash (/) for local web-paths (relative to the DocumentRoot), or be a full URL which the client can resolve. Alternatively, a message can be provided to be displayed by the browser. Examples:

ErrorDocument 500 http://foo.example.com/cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 /subscription_info.html
ErrorDocument 403 "Sorry can't allow you access today"

Additionally, the special value default can be used to specify Apache's simple hardcoded message. While not required under normal circumstances, default will restore Apache's simple hardcoded message for configurations that would otherwise inherit an existing ErrorDocument.

ErrorDocument 404 /cgi-bin/bad_urls.pl

<Directory /web/docs>
ErrorDocument 404 default
 </Directory>

Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as http in front of it), Apache will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code. This in turn can confuse web robots and other clients which try to determine if a URL is valid using the status code. In addition, if you use a remote URL in an ErrorDocument 401, the client will not know to prompt the user for a password since it will not receive the 401 status code. Therefore, if you use an ErrorDocument 401 directive then it must refer to a local document.

Microsoft Internet Explorer (MSIE) will by default ignore server-generated error messages when they are "too small" and substitute its own "friendly" error messages. The size threshold varies depending on the type of error, but in general, if you make your error document greater than 512 bytes, then MSIE will show the server-generated error rather than masking it. More information is available in Microsoft Knowledge Base article Q294807.

Although most error messages can be overriden, there are certain circumstances where the internal messages are used regardless of the setting of ErrorDocument. In particular, if a malformed request is detected, normal request processing will be immediately halted and the internal error message returned. This is necessary to guard against security problems caused by bad requests.

Prior to version 2.0, messages were indicated by prefixing them with a single unmatched double quote character.

See also

top

ErrorLog Directive

Description:Location where the server will log errors
Syntax: ErrorLog file-path|syslog[:facility]
Default:ErrorLog logs/error_log (Unix) ErrorLog logs/error.log (Windows and OS/2)
Context:server config, virtual host
Status:Core
Module:core

The ErrorLog directive sets the name of the file to which the server will log any errors it encounters. If the file-path is not absolute then it is assumed to be relative to the ServerRoot.

Example

ErrorLog /var/log/httpd/error_log

If the file-path begins with a pipe (|) then it is assumed to be a command to spawn to handle the error log.

Example

ErrorLog "|/usr/local/bin/httpd_errors"

Using syslog instead of a filename enables logging via syslogd(8) if the system supports it. The default is to use syslog facility local7, but you can override this by using the syslog:facility syntax where facility can be one of the names usually documented in syslog(1).

Example

ErrorLog syslog:user

SECURITY: See the security tips document for details on why your security could be compromised if the directory where log files are stored is writable by anyone other than the user that starts the server.

Note

When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashed are used even though the platform may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.

See also

top

FileETag Directive

Description:File attributes used to create the ETag HTTP response header
Syntax:FileETag component ...
Default:FileETag INode MTime Size
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a file. (The ETag value is used in cache management to save network bandwidth.) In Apache 1.3.22 and earlier, the ETag value was always formed from the file's inode, size, and last-modified time (mtime). The FileETag directive allows you to choose which of these -- if any -- should be used. The recognized keywords are:

INode
The file's i-node number will be included in the calculation
MTime
The date and time the file was last modified will be included
Size
The number of bytes in the file will be included
All
All available fields will be used. This is equivalent to:

FileETag INode MTime Size

None
If a document is file-based, no ETag field will be included in the response

The INode, MTime, and Size keywords may be prefixed with either + or -, which allow changes to be made to the default setting inherited from a broader scope. Any keyword appearing without such a prefix immediately and completely cancels the inherited setting.

If a directory's configuration includes FileETag INode MTime Size, and a subdirectory's includes FileETag -INode, the setting for that subdirectory (which will be inherited by any sub-subdirectories that don't override it) will be equivalent to FileETag MTime Size.

Warning

Do not change the default for directories or locations that have WebDAV enabled and use mod_dav_fs as a storage provider. mod_dav_fs uses INode MTime Size as a fixed format for ETag comparisons on conditional requests. These conditional requests will break if the ETag format is changed via FileETag.
top

<Files> Directive

Description:Contains directives that apply to matched filenames
Syntax:<Files filename> ... </Files>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <Files> directive limits the scope of the enclosed directives by filename. It is comparable to the <Directory> and <Location> directives. It should be matched with a </Files> directive. The directives given within this section will be applied to any object with a basename (last component of filename) matching the specified filename. <Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections. Note that <Files> can be nested inside <Directory> sections to restrict the portion of the filesystem they apply to.

The filename argument should include a filename, or a wild-card string, where ? matches any single character, and * matches any sequences of characters. Regular expressions can also be used, with the addition of the ~ character. For example:

<Files ~ "\.(gif|jpe?g|png)$">

would match most common Internet graphics formats. <FilesMatch> is preferred, however.

Note that unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level.

See also

top

<FilesMatch> Directive

Description:Contains directives that apply to regular-expression matched filenames
Syntax:<FilesMatch regex> ... </FilesMatch>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <FilesMatch> directive limits the scope of the enclosed directives by filename, just as the <Files> directive does. However, it accepts a regular expression. For example:

<FilesMatch "\.(gif|jpe?g|png)$">

would match most common Internet graphics formats.

See also

top

ForceType Directive

Description:Forces all matching files to be served with the specified MIME content-type
Syntax:ForceType MIME-type|None
Context:directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Moved to the core in Apache 2.0

When placed into an .htaccess file or a <Directory>, or <Location> or <Files> section, this directive forces all matching files to be served with the content type identification given by MIME-type. For example, if you had a directory full of GIF files, but did not want to label them all with .gif, you might want to use:

ForceType image/gif

Note that unlike DefaultType, this directive overrides all mime-type associations, including filename extensions, that might identify the media type.

You can override any ForceType setting by using the value of None:

# force all files to be image/gif:
<Location /images>
ForceType image/gif
 </Location>

# but normal mime-type associations here:
<Location /images/mixed>
ForceType None
 </Location>

top

HostnameLookups Directive

Description:Enables DNS lookups on client IP addresses
Syntax:HostnameLookups On|Off|Double
Default:HostnameLookups Off
Context:server config, virtual host, directory
Status:Core
Module:core

This directive enables DNS lookups so that host names can be logged (and passed to CGIs/SSIs in REMOTE_HOST). The value Double refers to doing double-reverse DNS lookup. That is, after a reverse lookup is performed, a forward lookup is then performed on that result. At least one of the IP addresses in the forward lookup must match the original address. (In "tcpwrappers" terminology this is called PARANOID.)

Regardless of the setting, when mod_authz_host is used for controlling access by hostname, a double reverse lookup will be performed. This is necessary for security. Note that the result of this double-reverse isn't generally available unless you set HostnameLookups Double. For example, if only HostnameLookups On and a request is made to an object that is protected by hostname restrictions, regardless of whether the double-reverse fails or not, CGIs will still be passed the single-reverse result in REMOTE_HOST.

The default is Off in order to save the network traffic for those sites that don't truly need the reverse lookups done. It is also better for the end users because they don't have to suffer the extra latency that a lookup entails. Heavily loaded sites should leave this directive Off, since DNS lookups can take considerable amounts of time. The utility logresolve, compiled by default to the bin subdirectory of your installation directory, can be used to look up host names from logged IP addresses offline.

top

<IfDefine> Directive

Description:Encloses directives that will be processed only if a test is true at startup
Syntax:<IfDefine [!]parameter-name> ... </IfDefine>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <IfDefine test>...</IfDefine> section is used to mark directives that are conditional. The directives within an <IfDefine> section are only processed if the test is true. If test is false, everything between the start and end markers is ignored.

The test in the <IfDefine> section directive can be one of two forms:

  • parameter-name
  • !parameter-name

In the former case, the directives between the start and end markers are only processed if the parameter named parameter-name is defined. The second format reverses the test, and only processes the directives if parameter-name is not defined.

The parameter-name argument is a define as given on the httpd command line via -Dparameter- , at the time the server was started.

<IfDefine> sections are nest-able, which can be used to implement simple multiple-parameter tests. Example:

httpd -DReverseProxy -DUseCache -DMemCache ...

# httpd.conf
<IfDefine ReverseProxy>
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfDefine UseCache>
LoadModule cache_module modules/mod_cache.so
<IfDefine MemCache>
LoadModule mem_cache_module modules/mod_mem_cache.so
 </IfDefine>
<IfDefine !MemCache>
LoadModule disk_cache_module modules/mod_disk_cache.so
 </IfDefine> </IfDefine> </IfDefine>

top

<IfModule> Directive

Description:Encloses directives that are processed conditional on the presence or absence of a specific module
Syntax:<IfModule [!]module-file|module-identifier> ... </IfModule>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core
Compatibility:Module identifiers are available in version 2.1 and later.

The <IfModule test>...</IfModule> section is used to mark directives that are conditional on the presence of a specific module. The directives within an <IfModule> section are only processed if the test is true. If test is false, everything between the start and end markers is ignored.

The test in the <IfModule> section directive can be one of two forms:

  • module
  • !module

In the former case, the directives between the start and end markers are only processed if the module named module is included in Apache -- either compiled in or dynamically loaded using LoadModule. The second format reverses the test, and only processes the directives if module is not included.

The module argument can be either the module identifier or the file name of the module, at the time it was compiled. For example, rewrite_module is the identifier and mod_rewrite.c is the file name. If a module consists of several source files, use the name of the file containing the string STANDARD20_MODULE_STUFF.

<IfModule> sections are nest-able, which can be used to implement simple multiple-module tests.

This section should only be used if you need to have one configuration file that works whether or not a specific module is available. In normal operation, directives need not be placed in <IfModule> sections.
top

Include Directive

Description:Includes other configuration files from within the server configuration files
Syntax:Include file-path|directory-path
Context:server config, virtual host, directory
Status:Core
Module:core
Compatibility:Wildcard matching available in 2.0.41 and later

This directive allows inclusion of other configuration files from within the server configuration files.

Shell-style (fnmatch()) wildcard characters can be used to include several files at once, in alphabetical order. In addition, if Include points to a directory, rather than a file, Apache will read all files in that directory and any subdirectory. But including entire directories is not recommended, because it is easy to accidentally leave temporary files in a directory that can cause httpd to fail.

The file path specified may be an absolute path, or may be relative to the ServerRoot directory.

Examples:

Include /usr/local/apache2/conf/ssl.conf
Include /usr/local/apache2/conf/vhosts/*.conf

Or, providing paths relative to your ServerRoot directory:

Include conf/ssl.conf
Include conf/vhosts/*.conf

See also

top

KeepAlive Directive

Description:Enables HTTP persistent connections
Syntax:KeepAlive On|Off
Default:KeepAlive On
Context:server config, virtual host
Status:Core
Module:core

The Keep-Alive extension to HTTP/1.0 and the persistent connection feature of HTTP/1.1 provide long-lived HTTP sessions which allow multiple requests to be sent over the same TCP connection. In some cases this has been shown to result in an almost 50% speedup in latency times for HTML documents with many images. To enable Keep-Alive connections, set KeepAlive On.

For HTTP/1.0 clients, Keep-Alive connections will only be used if they are specifically requested by a client. In addition, a Keep-Alive connection with an HTTP/1.0 client can only be used when the length of the content is known in advance. This implies that dynamic content such as CGI output, SSI pages, and server-generated directory listings will generally not use Keep-Alive connections to HTTP/1.0 clients. For HTTP/1.1 clients, persistent connections are the default unless otherwise specified. If the client requests it, chunked encoding will be used in order to send content of unknown length over persistent connections.

When a client uses a Keep-Alive connection it will be counted as a single "request" for the MaxRequestsPerChild directive, regardless of how many requests are sent using the connection.

See also

top

KeepAliveTimeout Directive

Description:Amount of time the server will wait for subsequent requests on a persistent connection
Syntax:KeepAliveTimeout seconds
Default:KeepAliveTimeout 5
Context:server config, virtual host
Status:Core
Module:core

The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies.

Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.

In a name-based virtual host context, the value of the first defined virtual host (the default host) in a set of NameVirtualHost will be used. The other values will be ignored.

top

<Limit> Directive

Description:Restrict enclosed access controls to only certain HTTP methods
Syntax:<Limit method [method] ... > ... </Limit>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

Access controls are normally effective for all access methods, and this is the usual desired behavior. In the general case, access control directives should not be placed within a <Limit> section.

The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected:

<Limit POST PUT DELETE>
Require valid-user
 </Limit>

The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it will also restrict HEAD requests. The TRACE method cannot be limited.

A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, since a <LimitExcept> section provides protection against arbitrary methods.
top

<LimitExcept> Directive

Description:Restrict access controls to all HTTP methods except the named ones
Syntax:<LimitExcept method [method] ... > ... </LimitExcept>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

<LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments; i.e., it is the opposite of a <Limit> section and can be used to control both standard and nonstandard/unrecognized methods. See the documentation for <Limit> for more details.

For example:

<LimitExcept POST GET>
Require valid-user
 </LimitExcept>

top

LimitInternalRecursion Directive

Description:Determine maximum number of internal redirects and nested subrequests
Syntax:LimitInternalRecursion number [number]
Default:LimitInternalRecursion 10
Context:server config, virtual host
Status:Core
Module:core
Compatibility:Available in Apache 2.0.47 and later

An internal redirect happens, for example, when using the Action directive, which internally redirects the original request to a CGI script. A subrequest is Apache's mechanism to find out what would happen for some URI if it were requested. For example, mod_dir uses subrequests to look for the files listed in the DirectoryIndex directive.

LimitInternalRecursion prevents the server from crashing when entering an infinite loop of internal redirects or subrequests. Such loops are usually caused by misconfigurations.

The directive stores two different limits, which are evaluated on per-request basis. The first number is the maximum number of internal redirects, that may follow each other. The second number determines, how deep subrequests may be nested. If you specify only one number, it will be assigned to both limits.

Example

LimitInternalRecursion 5

top

LimitRequestBody Directive

Description:Restricts the total size of the HTTP request body sent from the client
Syntax:LimitRequestBody bytes
Default:LimitRequestBody 0
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

This directive specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body.

The LimitRequestBody directive allows the user to set a limit on the allowed size of an HTTP request message body within the context in which the directive is given (server, per-directory, per-file or per-location). If the client request exceeds that limit, the server will return an error response instead of servicing the request. The size of a normal request message body will vary greatly depending on the nature of the resource and the methods allowed on that resource. CGI scripts typically use the message body for retrieving form information. Implementations of the PUT method will require a value at least as large as any representation that the server wishes to accept for that resource.

This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

If, for example, you are permitting file upload to a particular location, and wish to limit the size of the uploaded file to 100K, you might use the following directive:

LimitRequestBody 102400

top

LimitRequestFields Directive

Description:Limits the number of HTTP request header fields that will be accepted from the client
Syntax:LimitRequestFields number
Default:LimitRequestFields 100
Context:server config
Status:Core
Module:core

Number is an integer from 0 (meaning unlimited) to 32767. The default value is defined by the compile-time constant DEFAULT_LIMIT_REQUEST_FIELDS (100 as distributed).

The LimitRequestFields directive allows the server administrator to modify the limit on the number of request header fields allowed in an HTTP request. A server needs this value to be larger than the number of fields that a normal client request might include. The number of request header fields used by a client rarely exceeds 20, but this may vary among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. Optional HTTP extensions are often expressed using request header fields.

This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks. The value should be increased if normal clients see an error response from the server that indicates too many fields were sent in the request.

For example:

LimitRequestFields 50

top

LimitRequestFieldSize Directive

Description:Limits the size of the HTTP request header allowed from the client
Syntax:LimitRequestFieldSize bytes
Default:LimitRequestFieldSize 8190
Context:server config
Status:Core
Module:core

This directive specifies the number of bytes that will be allowed in an HTTP request header.

The LimitRequestFieldSize directive allows the server administrator to reduce or increase the limit on the allowed size of an HTTP request header field. A server needs this value to be large enough to hold any one header field from a normal client request. The size of a normal request header field will vary greatly among different client implementations, often depending upon the extent to which a user has configured their browser to support detailed content negotiation. SPNEGO authentication headers can be up to 12392 bytes.

This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

For example:

LimitRequestFieldSize 4094

Under normal conditions, the value should not be changed from the default.
top

LimitRequestLine Directive

Description:Limit the size of the HTTP request line that will be accepted from the client
Syntax:LimitRequestLine bytes
Default:LimitRequestLine 8190
Context:server config
Status:Core
Module:core

This directive sets the number of bytes that will be allowed on the HTTP request-line.

The LimitRequestLine directive allows the server administrator to reduce or increase the limit on the allowed size of a client's HTTP request-line. Since the request-line consists of the HTTP method, URI, and protocol version, the LimitRequestLine directive places a restriction on the length of a request-URI allowed for a request on the server. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the query part of a GET request.

This directive gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

For example:

LimitRequestLine 4094

Under normal conditions, the value should not be changed from the default.
top

LimitXMLRequestBody Directive

Description:Limits the size of an XML-based request body
Syntax:LimitXMLRequestBody bytes
Default:LimitXMLRequestBody 1000000
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

Limit (in bytes) on maximum size of an XML-based request body. A value of 0 will disable any checking.

Example:

LimitXMLRequestBody 0

top

<Location> Directive

Description:Applies the enclosed directives only to matching URLs
Syntax:<Location URL-path|URL> ... </Location>
Context:server config, virtual host
Status:Core
Module:core

The <Location> directive limits the scope of the enclosed directives by URL. It is similar to the <Directory> directive, and starts a subsection which is terminated with a </Location> directive. <Location> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, and after the <Files> sections.

<Location> sections operate completely outside the filesystem. This has several consequences. Most importantly, <Location> directives should not be used to control access to filesystem locations. Since several different URLs may map to the same filesystem location, such access controls may by circumvented.

When to use <Location>

Use <Location> to apply directives to content that lives outside the filesystem. For content that lives in the filesystem, use <Directory> and <Files>. An exception is <Location />, which is an easy way to apply a configuration to the entire server.

For all origin (non-proxy) requests, the URL to be matched is a URL-path of the form /path/. No scheme, hostname, port, or query string may be included. For proxy requests, the URL to be matched is of the form scheme://servername/path, and you must include the prefix.

The URL may use wildcards. In a wild-card string, ? matches any single character, and * matches any sequences of characters. Neither wildcard character matches a / in the URL-path.

Regular expressions can also be used, with the addition of the ~ character. For example:

<Location ~ "/(extra|special)/data">

would match URLs that contained the substring /extra/data or /special/data. The directive <LocationMatch> behaves identical to the regex version of <Location>.

The <Location> functionality is especially useful when combined with the SetHandler directive. For example, to enable status requests, but allow them only from browsers at example.com, you might use:

<Location /status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from .example.com
 </Location>

Note about / (slash)

The slash character has special meaning depending on where in a URL it appears. People may be used to its behavior in the filesystem where multiple adjacent slashes are frequently collapsed to a single slash (i.e., /home///foo is the same as /home/foo). In URL-space this is not necessarily true. The <LocationMatch> directive and the regex version of <Location> require you to explicitly specify multiple slashes if that is your intention.

For example, <LocationMatch ^/abc> would match the request URL /abc but not the request URL //abc. The (non-regex) <Location> directive behaves similarly when used for proxy requests. But when (non-regex) <Location> is used for non-proxy requests it will implicitly match multiple slashes with a single slash. For example, if you specify <Location /abc/def> and the request is to /abc//def then it will match.

See also

top

<LocationMatch> Directive

Description:Applies the enclosed directives only to regular-expression matching URLs
Syntax:<LocationMatch regex> ... </LocationMatch>
Context:server config, virtual host
Status:Core
Module:core

The <LocationMatch> directive limits the scope of the enclosed directives by URL, in an identical manner to <Location>. However, it takes a regular expression as an argument instead of a simple string. For example:

<LocationMatch "/(extra|special)/data">

would match URLs that contained the substring /extra/data or /special/data.

See also

top

LogLevel Directive

Description:Controls the verbosity of the ErrorLog
Syntax:LogLevel level
Default:LogLevel warn
Context:server config, virtual host
Status:Core
Module:core

LogLevel adjusts the verbosity of the messages recorded in the error logs (see ErrorLog directive). The following levels are available, in order of decreasing significance:

Level Description Example
emerg Emergencies - system is unusable. "Child cannot open lock file. Exiting"
alert Action must be taken immediately. "getpwuid: couldn't determine user name from uid"
crit Critical Conditions. "socket: Failed to get a socket, exiting child"
error Error conditions. "Premature end of script headers"
warn Warning conditions. "child process 1234 did not exit, sending another SIGHUP"
notice Normal but significant condition. "httpd: caught SIGBUS, attempting to dump core in ..."
info Informational. "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
debug Debug-level messages "Opening config file ..."

When a particular level is specified, messages from all other levels of higher significance will be reported as well. E.g., when LogLevel info is specified, then messages with log levels of notice and warn will also be posted.

Using a level of at least crit is recommended.

For example:

LogLevel notice

Note

When logging to a regular file messages of the level notice cannot be suppressed and thus are always logged. However, this doesn't apply when logging is done using syslog.

top

MaxKeepAliveRequests Directive

Description:Number of requests allowed on a persistent connection
Syntax:MaxKeepAliveRequests number
Default:MaxKeepAliveRequests 100
Context:server config, virtual host
Status:Core
Module:core

The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed. We recommend that this setting be kept to a high value for maximum server performance.

For example:

MaxKeepAliveRequests 500

top

NameVirtualHost Directive

Description:Designates an IP address for name-virtual hosting
Syntax:NameVirtualHost addr[:port]
Context:server config
Status:Core
Module:core

The NameVirtualHost directive is a required directive if you want to configure name-based virtual hosts.

Although addr can be hostname it is recommended that you always use an IP address, e.g.

NameVirtualHost 111.22.33.44

With the NameVirtualHost directive you specify the IP address on which the server will receive requests for the name-based virtual hosts. This will usually be the address to which your name-based virtual host names resolve. In cases where a firewall or other proxy receives the requests and forwards them on a different IP address to the server, you must specify the IP address of the physical interface on the machine which will be servicing the requests. If you have multiple name-based hosts on multiple addresses, repeat the directive for each address.

Note

Note, that the "main server" and any _default_ servers will never be served for a request to a NameVirtualHost IP address (unless for some reason you specify NameVirtualHost but then don't define any VirtualHosts for that address).

Optionally you can specify a port number on which the name-based virtual hosts should be used, e.g.

NameVirtualHost 111.22.33.44:8080

IPv6 addresses must be enclosed in square brackets, as shown in the following example:

NameVirtualHost [2001:db8::a00:20ff:fea7:ccea]:8080

To receive requests on all interfaces, you can use an argument of *

NameVirtualHost *

Argument to <VirtualHost> directive

Note that the argument to the <VirtualHost> directive must exactly match the argument to the NameVirtualHost directive.

NameVirtualHost 1.2.3.4
<VirtualHost 1.2.3.4>
# ...
</VirtualHost>

See also

top

Options Directive

Description:Configures what features are available in a particular directory
Syntax:Options [+|-]option [[+|-]option] ...
Default:Options All
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Core
Module:core

The Options directive controls which server features are available in a particular directory.

option can be set to None, in which case none of the extra features are enabled, or one or more of the following:

All
All options except for MultiViews. This is the default setting.
ExecCGI
Execution of CGI scripts using mod_cgi is permitted.
FollowSymLinks
The server will follow symbolic links in this directory.

Even though the server follows the symlink it does not change the pathname used to match against <Directory> sections.

Note also, that this option gets ignored if set inside a <Location> section.

Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.

Includes
Server-side includes provided by mod_include are permitted.
IncludesNOEXEC
Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories.
Indexes
If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory.
MultiViews
Content negotiated "MultiViews" are allowed using mod_negotiation.
SymLinksIfOwnerMatch
The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.

Note

This option gets ignored if set inside a <Location> section.

This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.

Normally, if multiple Options could apply to a directory, then the most specific one is used and others are ignored; the options are not merged. (See how sections are merged.) However if all the options on the Options directive are preceded by a + or - symbol, the options are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.

Warning

Mixing Options with a + or - with those without is not valid syntax, and is likely to cause unexpected results.

For example, without any + and - symbols:

<Directory /web/docs>
Options Indexes FollowSymLinks
 </Directory>

<Directory /web/docs/spec>
Options Includes
 </Directory>

then only Includes will be set for the /web/docs/spec directory. However if the second Options directive uses the + and - symbols:

<Directory /web/docs>
Options Indexes FollowSymLinks
 </Directory>

<Directory /web/docs/spec>
Options +Includes -Indexes
 </Directory>

then the options FollowSymLinks and Includes are set for the /web/docs/spec directory.

Note

Using -IncludesNOEXEC or -Includes disables server-side includes completely regardless of the previous setting.

The default in the absence of any other settings is All.

top

Require Directive

Description:Selects which authenticated users can access a resource
Syntax:Require entity-name [entity-name] ...
Context:directory, .htaccess
Override:AuthConfig
Status:Core
Module:core

This directive selects which authenticated users can access a resource. The restrictions are processed by authorization modules. Some of the allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:

Require user userid [userid] ...
Only the named users can access the resource.
Require group group-name [group-name] ...
Only users in the named groups can access the resource.
Require valid-user
All valid users can access the resource.

Other authorization modules that implement require options include mod_authnz_ldap, mod_authz_dbm, and mod_authz_owner.

Require must be accompanied by AuthName and AuthType directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:

AuthType Basic
AuthName "Restricted Resource"
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin

Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> section.

If Require is used together with the Allow or Deny directives, then the interaction of these restrictions is controlled by the Satisfy directive.

Removing controls in subdirectories

The following example shows how to use the Satisfy directive to disable access controls in a subdirectory of a protected directory. This technique should be used with caution, because it will also disable any access controls imposed by mod_authz_host.

<Directory /path/to/protected/>
Require user david
 </Directory>
<Directory /path/to/protected/unprotected>
# All access controls and authentication are disabled
# in this directory
Satisfy Any
Allow from all
 </Directory>

See also

top

RLimitCPU Directive

Description:Limits the CPU consumption of processes launched by Apache children
Syntax:RLimitCPU seconds|max [seconds|max]
Default:Unset; uses operating system defaults
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

Takes 1 or 2 parameters. The first parameter sets the soft resource limit for all processes and the second parameter sets the maximum resource limit. Either parameter can be a number, or max to indicate to the server that the limit should be set to the maximum allowed by the operating system configuration. Raising the maximum resource limit requires that the server is running as root, or in the initial startup phase.

This applies to processes forked off from Apache children servicing requests, not the Apache children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked off from the Apache parent such as piped logs.

CPU resource limits are expressed in seconds per process.

See also

top

RLimitMEM Directive

Description:Limits the memory consumption of processes launched by Apache children
Syntax:RLimitMEM bytes|max [bytes|max]
Default:Unset; uses operating system defaults
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

Takes 1 or 2 parameters. The first parameter sets the soft resource limit for all processes and the second parameter sets the maximum resource limit. Either parameter can be a number, or max to indicate to the server that the limit should be set to the maximum allowed by the operating system configuration. Raising the maximum resource limit requires that the server is running as root, or in the initial startup phase.

This applies to processes forked off from Apache children servicing requests, not the Apache children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked off from the Apache parent such as piped logs.

Memory resource limits are expressed in bytes per process.

See also

top

RLimitNPROC Directive

Description:Limits the number of processes that can be launched by processes launched by Apache children
Syntax:RLimitNPROC number|max [number|max]
Default:Unset; uses operating system defaults
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

Takes 1 or 2 parameters. The first parameter sets the soft resource limit for all processes and the second parameter sets the maximum resource limit. Either parameter can be a number, or max to indicate to the server that the limit should be set to the maximum allowed by the operating system configuration. Raising the maximum resource limit requires that the server is running as root, or in the initial startup phase.

This applies to processes forked off from Apache children servicing requests, not the Apache children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked off from the Apache parent such as piped logs.

Process limits control the number of processes per user.

Note

If CGI processes are not running under user ids other than the web server user id, this directive will limit the number of processes that the server itself can create. Evidence of this situation will be indicated by cannot fork messages in the error_log.

See also

top

Satisfy Directive

Description:Interaction between host-level access control and user authentication
Syntax:Satisfy Any|All
Default:Satisfy All
Context:directory, .htaccess
Override:AuthConfig
Status:Core
Module:core
Compatibility:Influenced by <Limit> and <LimitExcept> in version 2.0.51 and later

Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.

For example, if you wanted to let people on your network have unrestricted access to a portion of your website, but require that people outside of your network provide a password, you could use a configuration similar to the following:

Require valid-user
Order allow,deny
Allow from 192.168.1
Satisfy Any

Since version 2.0.51 Satisfy directives can be restricted to particular methods by <Limit> and <LimitExcept> sections.

See also

top

ScriptInterpreterSource Directive

Description:Technique for locating the interpreter for CGI scripts
Syntax:ScriptInterpreterSource Registry|Registry-Strict|Script
Default:ScriptInterpreterSource Script
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Win32 only; option Registry-Strict is available in Apache 2.0 and later

This directive is used to control how Apache finds the interpreter used to run CGI scripts. The default setting is Script. This causes Apache to use the interpreter pointed to by the shebang line (first line, starting with #!) in the script. On Win32 systems this line usually looks like:

#!C:/Perl/bin/perl.exe

or, if perl is in the PATH, simply:

#!perl

Setting ScriptInterpreterSource Registry will cause the Windows Registry tree HKEY_CLASSES_ROOT to be searched using the script file extension (e.g., .pl) as a search key. The command defined by the registry subkey Shell\ExecCGI\Command or, if it does not exist, by the subkey Shell\Open\Command is used to open the script file. If the registry keys cannot be found, Apache falls back to the behavior of the Script option.

For example, the registry setting to have a script with the .pl extension processed via perl would be:

HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe -wT

Security

Be careful when using ScriptInterpreterSource Registry with ScriptAlias'ed directories, because Apache will try to execute every file within this directory. The Registry setting may cause undesired program calls on files which are typically not executed. For example, the default open command on .htm files on most Windows systems will execute Microsoft Internet Explorer, so any HTTP request for an .htm file existing within the script directory would start the browser in the background on the server. This is a good way to crash your system within a minute or so.

The option Registry-Strict which is new in Apache 2.0 does the same thing as Registry but uses only the subkey Shell\ExecCGI\Command. The ExecCGI key is not a common one. It must be configured manually in the windows registry and hence prevents accidental program calls on your system.

top

ServerAdmin Directive

Description:Email address that the server includes in error messages sent to the client
Syntax:ServerAdmin email-address|URL
Context:server config, virtual host
Status:Core
Module:core

The ServerAdmin sets the contact address that the server includes in any error messages it returns to the client. If the httpd doesn't recognize the supplied argument as an URL, it assumes, that it's an email-address and prepends it with mailto: in hyperlink targets. However, it's recommended to actually use an email address, since there are a lot of CGI scripts that make that assumption. If you want to use an URL, it should point to another server under your control. Otherwise users may not be able to contact you in case of errors.

It may be worth setting up a dedicated address for this, e.g.

ServerAdmin www-admin@foo.example.com

as users do not always mention that they are talking about the server!

top

ServerAlias Directive

Description:Alternate names for a host used when matching requests to name-virtual hosts
Syntax:ServerAlias hostname [hostname] ...
Context:virtual host
Status:Core
Module:core

The ServerAlias directive sets the alternate names for a host, for use with name-based virtual hosts. The ServerAlias may include wildcards, if appropriate.

<VirtualHost *:80>
ServerName server.domain.com
ServerAlias server server2.domain.com server2
ServerAlias *.example.com
# ...
</VirtualHost>

See also

top

ServerName Directive

Description:Hostname and port that the server uses to identify itself
Syntax:ServerName [scheme://]fully-qualified-domain-name[:port]
Context:server config, virtual host
Status:Core
Module:core
Compatibility:In version 2.0, this directive supersedes the functionality of the Port directive from version 1.3.

The ServerName directive sets the request scheme, hostname and port that the server uses to identify itself. This is used when creating redirection URLs. For example, if the name of the machine hosting the web server is simple.example.com, but the machine also has the DNS alias www.example.com and you wish the web server to be so identified, the following directive should be used:

ServerName www.example.com:80

If no ServerName is specified, then the server attempts to deduce the hostname by performing a reverse lookup on the IP address. If no port is specified in the ServerName, then the server will use the port from the incoming request. For optimal reliability and predictability, you should specify an explicit hostname and port using the ServerName directive.

If you are using name-based virtual hosts, the ServerName inside a <VirtualHost> section specifies what hostname must appear in the request's Host: header to match this virtual host.

Sometimes, the server runs behind a device that processes SSL, such as a reverse proxy, load balancer or SSL offload appliance. When this is the case, specify the https:// scheme and the port number to which the clients connect in the ServerName directive to make sure that the server generates the correct self-referential URLs.

See the description of the UseCanonicalName and UseCanonicalPhysicalPort directives for settings which determine whether self-referential URLs (e.g., by the mod_dir module) will refer to the specified port, or to the port number given in the client's request.

See also

top

ServerPath Directive

Description:Legacy URL pathname for a name-based virtual host that is accessed by an incompatible browser
Syntax:ServerPath URL-path
Context:virtual host
Status:Core
Module:core

The ServerPath directive sets the legacy URL pathname for a host, for use with name-based virtual hosts.

See also

top

ServerRoot Directive

Description:Base directory for the server installation
Syntax:ServerRoot directory-path
Default:ServerRoot /usr/local/apache
Context:server config
Status:Core
Module:core

The ServerRoot directive sets the directory in which the server lives. Typically it will contain the subdirectories conf/ and logs/. Relative paths in other configuration directives (such as Include or LoadModule, for example) are taken as relative to this directory.

Example

ServerRoot /home/httpd

See also

top

ServerSignature Directive

Description:Configures the footer on server-generated documents
Syntax:ServerSignature On|Off|EMail
Default:ServerSignature Off
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, ...). The reason why you would want to enable such a footer line is that in a chain of proxies, the user often has no possibility to tell which of the chained servers actually produced a returned error message.

The Off setting, which is the default, suppresses the footer line (and is therefore compatible with the behavior of Apache-1.2 and below). The On setting simply adds a line with the server version number and ServerName of the serving virtual host, and the EMail setting additionally creates a "mailto:" reference to the ServerAdmin of the referenced document.

After version 2.0.44, the details of the server version number presented are controlled by the ServerTokens directive.

See also

top

ServerTokens Directive

Description:Configures the Server HTTP response header
Syntax:ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
Default:ServerTokens Full
Context:server config
Status:Core
Module:core

This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

After version 2.0.44, this directive also controls the information presented by the ServerSignature directive.

See also

top

SetHandler Directive

Description:Forces all matching files to be processed by a handler
Syntax:SetHandler handler-name|None
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Moved into the core in Apache 2.0

When placed into an .htaccess file or a <Directory> or <Location> section, this directive forces all matching files to be parsed through the handler given by handler-name. For example, if you had a directory you wanted to be parsed entirely as imagemap rule files, regardless of extension, you might put the following into an .htaccess file in that directory:

SetHandler imap-file

Another example: if you wanted to have the server display a status report whenever a URL of http://servername/status was called, you might put the following into httpd.conf:

<Location /status>
SetHandler server-status
 </Location>

You can override an earlier defined SetHandler directive by using the value None.

See also

top

SetInputFilter Directive

Description:Sets the filters that will process client requests and POST input
Syntax:SetInputFilter filter[;filter...]
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

The SetInputFilter directive sets the filter or filters which will process client requests and POST input when they are received by the server. This is in addition to any filters defined elsewhere, including the AddInputFilter directive.

If more than one filter is specified, they must be separated by semicolons in the order in which they should process the content.

See also

top

SetOutputFilter Directive

Description:Sets the filters that will process responses from the server
Syntax:SetOutputFilter filter[;filter...]
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

The SetOutputFilter directive sets the filters which will process responses from the server before they are sent to the client. This is in addition to any filters defined elsewhere, including the AddOutputFilter directive.

For example, the following configuration will process all files in the /www/data/ directory for server-side includes.

<Directory /www/data/>
SetOutputFilter INCLUDES
 </Directory>

If more than one filter is specified, they must be separated by semicolons in the order in which they should process the content.

See also

top

TimeOut Directive

Description:Amount of time the server will wait for certain events before failing a request
Syntax:TimeOut seconds
Default:TimeOut 300
Context:server config, virtual host
Status:Core
Module:core

The TimeOut directive defines the length of time Apache will wait for I/O in various circumstances:

  1. When reading data from the client, the length of time to wait for a TCP packet to arrive if the read buffer is empty.
  2. When writing data to the client, the length of time to wait for an acknowledgement of a packet if the send buffer is full.
  3. In mod_cgi, the length of time to wait for output from a CGI script.
  4. In mod_ext_filter, the length of time to wait for output from a filtering process.
  5. In mod_proxy, the default timeout value if ProxyTimeout is not configured.
top

TraceEnable Directive

Description:Determines the behaviour on TRACE requests
Syntax:TraceEnable [on|off|extended]
Default:TraceEnable on
Context:server config
Status:Core
Module:core
Compatibility:Available in Apache 1.3.34, 2.0.55 and later

This directive overrides the behavior of TRACE for both the core server and mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

Finally, for testing and diagnostic purposes only, request bodies may be allowed using the non-compliant TraceEnable extended directive. The core (as an origin server) will restrict the request body to 64k (plus 8k for chunk headers if Transfer-Encoding: chunked is used). The core will reflect the full headers and all chunk headers with the response body. As a proxy server, the request body is not restricted to 64k.

top

UseCanonicalName Directive

Description:Configures how the server determines its own name and port
Syntax:UseCanonicalName On|Off|DNS
Default:UseCanonicalName Off
Context:server config, virtual host, directory
Status:Core
Module:core

In many situations Apache must construct a self-referential URL -- that is, a URL that refers back to the same server. With UseCanonicalName On Apache will use the hostname and port specified in the ServerName directive to construct the canonical name for the server. This name is used in all self-referential URLs, and for the values of SERVER_NAME and SERVER_PORT in CGIs.

With UseCanonicalName Off Apache will form self-referential URLs using the hostname and port supplied by the client if any are supplied (otherwise it will use the canonical name, as defined above). These values are the same that are used to implement name based virtual hosts, and are available with the same clients. The CGI variables SERVER_NAME and SERVER_PORT will be constructed from the client supplied values as well.

An example where this may be useful is on an intranet server where you have users connecting to the machine using short names such as www. You'll notice that if the users type a shortname, and a URL which is a directory, such as http://www/splat, without the trailing slash then Apache will redirect them to http://www.domain.com/splat/. If you have authentication enabled, this will cause the user to have to authenticate twice (once for www and once again for www.domain.com -- see the FAQ on this subject for more information). But if UseCanonicalName is set Off, then Apache will redirect to http://www/splat/.

There is a third option, UseCanonicalName DNS, which is intended for use with mass IP-based virtual hosting to support ancient clients that do not provide a Host: header. With this option Apache does a reverse DNS lookup on the server IP address that the client connected to in order to work out self-referential URLs.

Warning

If CGIs make assumptions about the values of SERVER_NAME they may be broken by this option. The client is essentially free to give whatever value they want as a hostname. But if the CGI is only using SERVER_NAME to construct self-referential URLs then it should be just fine.

See also

top

UseCanonicalPhysicalPort Directive

Description:Configures how the server determines its own name and port
Syntax:UseCanonicalPhysicalPort On|Off
Default:UseCanonicalPhysicalPort Off
Context:server config, virtual host, directory
Status:Core
Module:core

In many situations Apache must construct a self-referential URL -- that is, a URL that refers back to the same server. With UseCanonicalPhysicalPort On Apache will, when constructing the canonical port for the server to honor the UseCanonicalName directive, provide the actual physical port number being used by this request as a potential port. With UseCanonicalPhysicalPort Off Apache will not ever use the actual physical port number, instead relying on all configured information to construct a valid port number.

Note

The ordering of when the physical port is used is as follows:

UseCanonicalName On

  • Port provided in Servername
  • Physical port
  • Default port
UseCanonicalName Off | DNS
  • Parsed port from Host: header
  • Physical port
  • Port provided in Servername
  • Default port

With UseCanonicalPhysicalPort Off, the physical ports are removed from the ordering.

See also

top

<VirtualHost> Directive

Description:Contains directives that apply only to a specific hostname or IP address
Syntax:<VirtualHost addr[:port] [addr[:port]] ...> ... </VirtualHost>
Context:server config
Status:Core
Module:core

<VirtualHost> and </VirtualHost> are used to enclose a group of directives that will apply only to a particular virtual host. Any directive that is allowed in a virtual host context may be used. When the server receives a request for a document on a particular virtual host, it uses the configuration directives enclosed in the <VirtualHost> section. Addr can be:

  • The IP address of the virtual host;
  • A fully qualified domain name for the IP address of the virtual host (not recommended);
  • The character *, which is used only in combination with NameVirtualHost * to match all IP addresses; or
  • The string _default_, which is used only with IP virtual hosting to catch unmatched IP addresses.

Example

<VirtualHost 10.1.2.3>
ServerAdmin webmaster@host.example.com
DocumentRoot /www/docs/host.example.com
ServerName host.example.com
ErrorLog logs/host.example.com-error_log
TransferLog logs/host.example.com-access_log
 </VirtualHost>

IPv6 addresses must be specified in square brackets because the optional port number could not be determined otherwise. An IPv6 example is shown below:

<VirtualHost [2001:db8::a00:20ff:fea7:ccea]>
ServerAdmin webmaster@host.example.com
DocumentRoot /www/docs/host.example.com
ServerName host.example.com
ErrorLog logs/host.example.com-error_log
TransferLog logs/host.example.com-access_log
 </VirtualHost>

Each Virtual Host must correspond to a different IP address, different port number or a different host name for the server, in the former case the server machine must be configured to accept IP packets for multiple addresses. (If the machine does not have multiple network interfaces, then this can be accomplished with the ifconfig alias command -- if your OS supports it).

Note

The use of <VirtualHost> does not affect what addresses Apache listens on. You may need to ensure that Apache is listening on the correct addresses using Listen.

When using IP-based virtual hosting, the special name _default_ can be specified in which case this virtual host will match any IP address that is not explicitly listed in another virtual host. In the absence of any _default_ virtual host the "main" server config, consisting of all those definitions outside any VirtualHost section, is used when no IP-match occurs. (But note that any IP address that matches a NameVirtualHost directive will use neither the "main" server config nor the _default_ virtual host. See the name-based virtual hosting documentation for further details.)

You can specify a :port to change the port that is matched. If unspecified then it defaults to the same port as the most recent Listen statement of the main server. You may also specify :* to match all ports on that address. (This is recommended when used with _default_.)

A ServerName should be specified inside each <VirtualHost> block. If it is absent, the ServerName from the "main" server configuration will be inherited.

Security

See the security tips document for details on why your security could be compromised if the directory where log files are stored is writable by anyone other than the user that starts the server.

See also

mod/directive-dict.html100644 0 0 34006 11256637772 12614 0ustar 0 0 Terms Used to Describe Directives - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Terms Used to Describe Directives

This document describes the terms that are used to describe each Apache configuration directive.

top

Description

A brief description of the purpose of the directive.

top

Syntax

This indicates the format of the directive as it would appear in a configuration file. This syntax is extremely directive-specific, and is described in detail in the directive's definition. Generally, the directive name is followed by a series of one or more space-separated arguments. If an argument contains a space, the argument must be enclosed in double quotes. Optional arguments are enclosed in square brackets. Where an argument can take on more than one possible value, the possible values are separated by vertical bars "|". Literal text is presented in the default font, while argument-types for which substitution is necessary are emphasized. Directives which can take a variable number of arguments will end in "..." indicating that the last argument is repeated.

Directives use a great number of different argument types. A few common ones are defined below.

URL
A complete Uniform Resource Locator including a scheme, hostname, and optional pathname as in http://www.example.com/path/to/file.html
URL-path
The part of a url which follows the scheme and hostname as in /path/to/file.html. The url-path represents a web-view of a resource, as opposed to a file-system view.
file-path
The path to a file in the local file-system beginning with the root directory as in /usr/local/apache/htdocs/path/to/file.html. Unless otherwise specified, a file-path which does not begin with a slash will be treated as relative to the ServerRoot.
directory-path
The path to a directory in the local file-system beginning with the root directory as in /usr/local/apache/htdocs/path/to/.
filename
The name of a file with no accompanying path information as in file.html.
regex
A Perl-compatible regular expression. The directive definition will specify what the regex is matching against.
extension
In general, this is the part of the filename which follows the last dot. However, Apache recognizes multiple filename extensions, so if a filename contains more than one dot, each dot-separated part of the filename following the first dot is an extension. For example, the filename file.html.en contains two extensions: .html and .en. For Apache directives, you may specify extensions with or without the leading dot. In addition, extensions are not case sensitive.
MIME-type
A method of describing the format of a file which consists of a major format type and a minor format type, separated by a slash as in text/html.
env-variable
The name of an environment variable defined in the Apache configuration process. Note this is not necessarily the same as an operating system environment variable. See the environment variable documentation for more details.
top

Default

If the directive has a default value (i.e., if you omit it from your configuration entirely, the Apache Web server will behave as though you set it to a particular value), it is described here. If there is no default value, this section should say "None". Note that the default listed here is not necessarily the same as the value the directive takes in the default httpd.conf distributed with the server.

top

Context

This indicates where in the server's configuration files the directive is legal. It's a comma-separated list of one or more of the following values:

server config
This means that the directive may be used in the server configuration files (e.g., httpd.conf), but not within any <VirtualHost> or <Directory> containers. It is not allowed in .htaccess files at all.
virtual host
This context means that the directive may appear inside <VirtualHost> containers in the server configuration files.
directory
A directive marked as being valid in this context may be used inside <Directory>, <Location>, <Files>, and <Proxy> containers in the server configuration files, subject to the restrictions outlined in Configuration Sections.
.htaccess
If a directive is valid in this context, it means that it can appear inside per-directory .htaccess files. It may not be processed, though depending upon the overrides currently active.

The directive is only allowed within the designated context; if you try to use it elsewhere, you'll get a configuration error that will either prevent the server from handling requests in that context correctly, or will keep the server from operating at all -- i.e., the server won't even start.

The valid locations for the directive are actually the result of a Boolean OR of all of the listed contexts. In other words, a directive that is marked as being valid in "server config, .htaccess" can be used in the httpd.conf file and in .htaccess files, but not within any <Directory> or <VirtualHost> containers.

top

Override

This directive attribute indicates which configuration override must be active in order for the directive to be processed when it appears in a .htaccess file. If the directive's context doesn't permit it to appear in .htaccess files, then no context will be listed.

Overrides are activated by the AllowOverride directive, and apply to a particular scope (such as a directory) and all descendants, unless further modified by other AllowOverride directives at lower levels. The documentation for that directive also lists the possible override names available.

top

Status

This indicates how tightly bound into the Apache Web server the directive is; in other words, you may need to recompile the server with an enhanced set of modules in order to gain access to the directive and its functionality. Possible values for this attribute are:

Core
If a directive is listed as having "Core" status, that means it is part of the innermost portions of the Apache Web server, and is always available.
MPM
A directive labeled as having "MPM" status is provided by a Multi-Processing Module. This type of directive will be available if and only if you are using one of the MPMs listed on the Module line of the directive definition.
Base
A directive labeled as having "Base" status is supported by one of the standard Apache modules which is compiled into the server by default, and is therefore normally available unless you've taken steps to remove the module from your configuration.
Extension
A directive with "Extension" status is provided by one of the modules included with the Apache server kit, but the module isn't normally compiled into the server. To enable the directive and its functionality, you will need to change the server build configuration files and re-compile Apache.
Experimental
"Experimental" status indicates that the directive is available as part of the Apache kit, but you're on your own if you try to use it. The directive is being documented for completeness, and is not necessarily supported. The module which provides the directive may or may not be compiled in by default; check the top of the page which describes the directive and its module to see if it remarks on the availability.
top

Module

This quite simply lists the name of the source module which defines the directive.

top

Compatibility

If the directive wasn't part of the original Apache version 2 distribution, the version in which it was introduced should be listed here. In addition, if the directive is available only on certain platforms, it will be noted here.

mod/directives.html100644 0 0 74676 11256637772 12077 0ustar 0 0 Directive Index - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Directive Index

Each Apache directive available in the standard Apache distribution is listed here. They are described using a consistent format, and there is a dictionary of the terms used in their descriptions available.

A Directive Quick-Reference is also available giving details about each directive in a summary form.

 A  |  B  |  C  |  D  |  E  |  F  |  G  |  H  |  I  |  K  |  L  |  M  |  N  |  O  |  P  |  R  |  S  |  T  |  U  |  V  |  W  |  X 

mod/event.html100644 0 0 21443 11256637772 11037 0ustar 0 0 event - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache MPM event

Description:An experimental variant of the standard worker MPM
Status:MPM
Module Identifier:mpm_event_module
Source File:event.c

Summary

Warning

This MPM is experimental, so it may or may not work as expected.

The event Multi-Processing Module (MPM) is designed to allow more requests to be served simultaneously by passing off some processing work to supporting threads, freeing up the main threads to work on new requests. It is based on the worker MPM, which implements a hybrid multi-process multi-threaded server. Run-time configuration directives are identical to those provided by worker.

To use the event MPM, add --with-mpm=event to the configure script's arguments when building the httpd.

top

How it Works

This MPM tries to fix the 'keep alive problem' in HTTP. After a client completes the first request, the client can keep the connection open, and send further requests using the same socket. This can save signifigant overhead in creating TCP connections. However, Apache traditionally keeps an entire child process/thread waiting for data from the client, which brings its own disadvantages. To solve this problem, this MPM uses a dedicated thread to handle both the Listening sockets, and all sockets that are in a Keep Alive state.

The MPM assumes that the underlying apr_pollset implementation is reasonably threadsafe. This enables the MPM to avoid excessive high level locking, or having to wake up the listener thread in order to send it a keep-alive socket. This is currently only compatible with KQueue and EPoll.

top

Requirements

This MPM depends on APR's atomic compare-and-swap operations for thread synchronization. If you are compiling for an x86 target and you don't need to support 386s, or you are compiling for a SPARC and you don't need to run on pre-UltraSPARC chips, add --enable-nonportable-atomics=yes to the configure script's arguments. This will cause APR to implement atomic operations using efficient opcodes not available in older CPUs.

This MPM does not perform well on older platforms which lack good threading, but the requirement for EPoll or KQueue makes this moot.

  • To use this MPM on FreeBSD, FreeBSD 5.3 or higher is recommended. However, it is possible to run this MPM on FreeBSD 5.2.1, if you use libkse (see man libmap.conf).
  • For NetBSD, at least version 2.0 is recommended.
  • For Linux, a 2.6 kernel is recommended. It is also necessary to ensure that your version of glibc has been compiled with support for EPoll.
top

Issues

At present, this MPM is incompatible with mod_ssl, and other input filters.

mod/index.html100644 0 0 33260 11256637772 11025 0ustar 0 0 Module Index - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Module Index

Below is a list of all of the modules that come as part of the Apache distribution. See also the complete alphabetical list of all Apache directives.

top

Core Features and Multi-Processing Modules

core
Core Apache HTTP Server features that are always available
mpm_common
A collection of directives that are implemented by more than one multi-processing module (MPM)
beos
This Multi-Processing Module is optimized for BeOS.
event
An experimental variant of the standard worker MPM
mpm_netware
Multi-Processing Module implementing an exclusively threaded web server optimized for Novell NetWare
mpmt_os2
Hybrid multi-process, multi-threaded MPM for OS/2
prefork
Implements a non-threaded, pre-forking web server
mpm_winnt
This Multi-Processing Module is optimized for Windows NT.
worker
Multi-Processing Module implementing a hybrid multi-threaded multi-process web server
top

Other Modules

 A  |  C  |  D  |  E  |  F  |  H  |  I  |  L  |  M  |  N  |  P  |  R  |  S  |  U  |  V 

mod_actions
This module provides for executing CGI scripts based on media type or request method.
mod_alias
Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
mod_asis
Sends files that contain their own HTTP headers
mod_auth_basic
Basic authentication
mod_auth_digest
User authentication using MD5 Digest Authentication.
mod_authn_alias
Provides the ability to create extended authentication providers based on actual providers
mod_authn_anon
Allows "anonymous" user access to authenticated areas
mod_authn_dbd
User authentication using an SQL database
mod_authn_dbm
User authentication using DBM files
mod_authn_default
Authentication fallback module
mod_authn_file
User authentication using text files
mod_authnz_ldap
Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
mod_authz_dbm
Group authorization using DBM files
mod_authz_default
Authorization fallback module
mod_authz_groupfile
Group authorization using plaintext files
mod_authz_host
Group authorizations based on host (name or IP address)
mod_authz_owner
Authorization based on file ownership
mod_authz_user
User Authorization
mod_autoindex
Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
mod_cache
Content cache keyed to URIs.
mod_cern_meta
CERN httpd metafile semantics
mod_cgi
Execution of CGI scripts
mod_cgid
Execution of CGI scripts using an external CGI daemon
mod_charset_lite
Specify character set translation or recoding
mod_dav
Distributed Authoring and Versioning (WebDAV) functionality
mod_dav_fs
filesystem provider for mod_dav
mod_dav_lock
generic locking module for mod_dav
mod_dbd
Manages SQL database connections
mod_deflate
Compress content before it is delivered to the client
mod_dir
Provides for "trailing slash" redirects and serving directory index files
mod_disk_cache
Content cache storage manager keyed to URIs
mod_dumpio
Dumps all I/O to error log as desired.
mod_echo
A simple echo server to illustrate protocol modules
mod_env
Modifies the environment which is passed to CGI scripts and SSI pages
mod_example
Illustrates the Apache module API
mod_expires
Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
mod_ext_filter
Pass the response body through an external program before delivery to the client
mod_file_cache
Caches a static list of files in memory
mod_filter
Context-sensitive smart filter configuration module
mod_headers
Customization of HTTP request and response headers
mod_ident
RFC 1413 ident lookups
mod_imagemap
Server-side imagemap processing
mod_include
Server-parsed html documents (Server Side Includes)
mod_info
Provides a comprehensive overview of the server configuration
mod_isapi
ISAPI Extensions within Apache for Windows
mod_ldap
LDAP connection pooling and result caching services for use by other LDAP modules
mod_log_config
Logging of the requests made to the server
mod_log_forensic
Forensic Logging of the requests made to the server
mod_logio
Logging of input and output bytes per request
mod_mem_cache
Content cache keyed to URIs
mod_mime
Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
mod_mime_magic
Determines the MIME type of a file by looking at a few bytes of its contents
mod_negotiation
Provides for content negotiation
mod_nw_ssl
Enable SSL encryption for NetWare
mod_proxy
HTTP/1.1 proxy/gateway server
mod_proxy_ajp
AJP support module for mod_proxy
mod_proxy_balancer
mod_proxy extension for load balancing
mod_proxy_connect
mod_proxy extension for CONNECT request handling
mod_proxy_ftp
FTP support module for mod_proxy
mod_proxy_http
HTTP support module for mod_proxy
mod_proxy_scgi
SCGI gateway module for mod_proxy
mod_rewrite
Provides a rule-based rewriting engine to rewrite requested URLs on the fly
mod_setenvif
Allows the setting of environment variables based on characteristics of the request
mod_so
Loading of executable code and modules into the server at start-up or restart time
mod_speling
Attempts to correct mistaken URLs that users might have entered by ignoring capitalization and by allowing up to one misspelling
mod_ssl
Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
mod_status
Provides information on server activity and performance
mod_substitute
Perform search and replace operations on response bodies
mod_suexec
Allows CGI scripts to run as a specified user and Group
mod_unique_id
Provides an environment variable with a unique identifier for each request
mod_userdir
User-specific directories
mod_usertrack
Clickstream logging of user activity on a site
mod_version
Version dependent configuration
mod_vhost_alias
Provides for dynamically configured mass virtual hosting
mod/mod_actions.html100644 0 0 21653 11256637772 12220 0ustar 0 0 mod_actions - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_actions

Description:This module provides for executing CGI scripts based on media type or request method.
Status:Base
Module Identifier:actions_module
Source File:mod_actions.c

Summary

This module has two directives. The Action directive lets you run CGI scripts whenever a file of a certain MIME content type is requested. The Script directive lets you run CGI scripts whenever a particular method is used in a request. This makes it much easier to execute scripts that process files.

top

Action Directive

Description:Activates a CGI script for a particular handler or content-type
Syntax:Action action-type cgi-script [virtual]
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_actions
Compatibility:The virtual modifier and handler passing were introduced in Apache 2.1

This directive adds an action, which will activate cgi-script when action-type is triggered by the request. The cgi-script is the URL-path to a resource that has been designated as a CGI script using ScriptAlias or AddHandler. The action-type can be either a handler or a MIME content type. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables. The handler used for the particular request is passed using the REDIRECT_HANDLER variable.

Examples

# Requests for files of a particular MIME content type:
Action image/gif /cgi-bin/images.cgi

# Files of a particular file extension
AddHandler my-file-type .xyz
Action my-file-type /cgi-bin/program.cgi

In the first example, requests for files with a MIME content type of image/gif will be handled by the specified cgi script /cgi-bin/images.cgi.

In the second example, requests for files with a file extension of .xyz are handled by the specified cgi script /cgi-bin/program.cgi.

The optional virtual modifier turns off the check whether the requested file really exists. This is useful, for example, if you want to use the Action directive in virtual locations.

Example

<Location /news>
SetHandler news-handler
Action news-handler /cgi-bin/news.cgi virtual
 </Location>

See also

top

Script Directive

Description:Activates a CGI script for a particular request method.
Syntax:Script method cgi-script
Context:server config, virtual host, directory
Status:Base
Module:mod_actions

This directive adds an action, which will activate cgi-script when a file is requested using the method of method. The cgi-script is the URL-path to a resource that has been designated as a CGI script using ScriptAlias or AddHandler. The URL and file path of the requested document is sent using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.

Any arbitrary method name may be used. Method names are case-sensitive, so Script PUT and Script put have two entirely different effects.

Note that the Script command defines default actions only. If a CGI script is called, or some other resource that is capable of handling the requested method internally, it will do so. Also note that Script with a method of GET will only be called if there are query arguments present (e.g., foo.html?hi). Otherwise, the request will proceed normally.

Examples

# For <ISINDEX>-style searching
Script GET /cgi-bin/search

# A CGI PUT handler
Script PUT /~bob/put.cgi

mod/mod_alias.html100644 0 0 60127 11256637772 11650 0ustar 0 0 mod_alias - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_alias

Description:Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
Status:Base
Module Identifier:alias_module
Source File:mod_alias.c

Summary

The directives contained in this module allow for manipulation and control of URLs as requests arrive at the server. The Alias and ScriptAlias directives are used to map between URLs and filesystem paths. This allows for content which is not directly under the DocumentRoot served as part of the web document tree. The ScriptAlias directive has the additional effect of marking the target directory as containing only CGI scripts.

The Redirect directives are used to instruct clients to make a new request with a different URL. They are often used when a resource has moved to a new location.

mod_alias is designed to handle simple URL manipulation tasks. For more complicated tasks such as manipulating the query string, use the tools provided by mod_rewrite.

top

Order of Processing

Aliases and Redirects occuring in different contexts are processed like other directives according to standard merging rules. But when multiple Aliases or Redirects occur in the same context (for example, in the same <VirtualHost> section) they are processed in a particular order.

First, all Redirects are processed before Aliases are processed, and therefore a request that matches a Redirect or RedirectMatch will never have Aliases applied. Second, the Aliases and Redirects are processed in the order they appear in the configuration files, with the first match taking precedence.

For this reason, when two or more of these directives apply to the same sub-path, you must list the most specific path first in order for all the directives to have an effect. For example, the following configuration will work as expected:

Alias /foo/bar /baz
Alias /foo /gaq

But if the above two directives were reversed in order, the /foo Alias would always match before the /foo/bar Alias, so the latter directive would be ignored.

top

Alias Directive

Description:Maps URLs to filesystem locations
Syntax:Alias URL-path file-path|directory-path
Context:server config, virtual host
Status:Base
Module:mod_alias

The Alias directive allows documents to be stored in the local filesystem other than under the DocumentRoot. URLs with a (%-decoded) path beginning with url-path will be mapped to local files beginning with directory-path. The url-path is case-sensitive, even on case-insensitive file systems.

Example:

Alias /image /ftp/pub/image

A request for http://myserver/image/foo.gif would cause the server to return the file /ftp/pub/image/foo.gif. Only complete path segments are matched, so the above alias would not match a request for http://myserver/imagefoo.gif. For more complex matching using regular expressions, see the AliasMatch directive.

Note that if you include a trailing / on the url-path then the server will require a trailing / in order to expand the alias. That is, if you use

Alias /icons/ /usr/local/apache/icons/

then the url /icons will not be aliased.

Note that you may need to specify additional <Directory> sections which cover the destination of aliases. Aliasing occurs before <Directory> sections are checked, so only the destination of aliases are affected. (Note however <Location> sections are run through once before aliases are performed, so they will apply.)

In particular, if you are creating an Alias to a directory outside of your DocumentRoot, you may need to explicitly permit access to the target directory.

Example:

Alias /image /ftp/pub/image
<Directory /ftp/pub/image>
Order allow,deny
Allow from all
 </Directory>

top

AliasMatch Directive

Description:Maps URLs to filesystem locations using regular expressions
Syntax:AliasMatch regex file-path|directory-path
Context:server config, virtual host
Status:Base
Module:mod_alias

This directive is equivalent to Alias, but makes use of regular expressions, instead of simple prefix matching. The supplied regular expression is matched against the URL-path, and if it matches, the server will substitute any parenthesized matches into the given string and use it as a filename. For example, to activate the /icons directory, one might use:

AliasMatch ^/icons(.*) /usr/local/apache/icons$1

It is also possible to construct an alias with case-insensitive matching of the url-path:

AliasMatch (?i)^/image(.*) /ftp/pub/image$1

top

Redirect Directive

Description:Sends an external redirect asking the client to fetch a different URL
Syntax:Redirect [status] URL-path URL
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_alias

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.

The old URL-path is a case-sensitive (%-decoded) path beginning with a slash. A relative path is not allowed. The new URL should be an absolute URL beginning with a scheme and hostname, but a URL-path beginning with a slash may also be used, in which case the scheme and hostname of the current server will be added.

Then any request beginning with URL-Path will return a redirect request to the client at the location of the target URL. Additional path information beyond the matched URL-Path will be appended to the target URL.

Example:

Redirect /service http://foo2.example.com/service

If the client requests http://example.com/service/foo.txt, it will be told to access http://foo2.example.com/service/foo.txt instead. Only complete path segments are matched, so the above example would not match a request for http://example.com/servicefoo.txt. For more complex matching using regular expressions, see the RedirectMatch directive.

Note

Redirect directives take precedence over Alias and ScriptAlias directives, irrespective of their ordering in the configuration file.

If no status argument is given, the redirect will be "temporary" (HTTP status 302). This indicates to the client that the resource has moved temporarily. The status argument can be used to return other HTTP status codes:

permanent
Returns a permanent redirect status (301) indicating that the resource has moved permanently.
temp
Returns a temporary redirect status (302). This is the default.
seeother
Returns a "See Other" status (303) indicating that the resource has been replaced.
gone
Returns a "Gone" status (410) indicating that the resource has been permanently removed. When this status is used the URL argument should be omitted.

Other status codes can be returned by giving the numeric status code as the value of status. If the status is between 300 and 399, the URL argument must be present, otherwise it must be omitted. Note that the status must be known to the Apache code (see the function send_error_response in http_protocol.c).

Example:

Redirect permanent /one http://example.com/two
Redirect 303 /three http://example.com/other

top

RedirectMatch Directive

Description:Sends an external redirect based on a regular expression match of the current URL
Syntax:RedirectMatch [status] regex URL
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_alias

This directive is equivalent to Redirect, but makes use of regular expressions, instead of simple prefix matching. The supplied regular expression is matched against the URL-path, and if it matches, the server will substitute any parenthesized matches into the given string and use it as a filename. For example, to redirect all GIF files to like-named JPEG files on another server, one might use:

RedirectMatch (.*)\.gif$ http://www.anotherserver.com$1.jpg

top

RedirectPermanent Directive

Description:Sends an external permanent redirect asking the client to fetch a different URL
Syntax:RedirectPermanent URL-path URL
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_alias

This directive makes the client know that the Redirect is permanent (status 301). Exactly equivalent to Redirect permanent.

top

RedirectTemp Directive

Description:Sends an external temporary redirect asking the client to fetch a different URL
Syntax:RedirectTemp URL-path URL
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_alias

This directive makes the client know that the Redirect is only temporary (status 302). Exactly equivalent to Redirect temp.

top

ScriptAlias Directive

Description:Maps a URL to a filesystem location and designates the target as a CGI script
Syntax:ScriptAlias URL-path file-path|directory-path
Context:server config, virtual host
Status:Base
Module:mod_alias

The ScriptAlias directive has the same behavior as the Alias directive, except that in addition it marks the target directory as containing CGI scripts that will be processed by mod_cgi's cgi-script handler. URLs with a case-sensitive (%-decoded) path beginning with URL-path will be mapped to scripts beginning with the second argument, which is a full pathname in the local filesystem.

Example:

ScriptAlias /cgi-bin/ /web/cgi-bin/

A request for http://myserver/cgi-bin/foo would cause the server to run the script /web/cgi-bin/foo. This configuration is essentially equivalent to:

Alias /cgi-bin/ /web/cgi-bin/
<Location /cgi-bin >
SetHandler cgi-script
Options +ExecCGI
 </Location>

It is safer to avoid placing CGI scripts under the DocumentRoot in order to avoid accidentally revealing their source code if the configuration is ever changed. The ScriptAlias makes this easy by mapping a URL and designating CGI scripts at the same time. If you do choose to place your CGI scripts in a directory already accessible from the web, do not use ScriptAlias. Instead, use <Directory>, SetHandler, and Options as in:

<Directory /usr/local/apache2/htdocs/cgi-bin >
SetHandler cgi-script
Options ExecCGI
 </Directory>

This is necessary since multiple URL-paths can map to the same filesystem location, potentially bypassing the ScriptAlias and revealing the source code of the CGI scripts if they are not restricted by a Directory section.

See also

top

ScriptAliasMatch Directive

Description:Maps a URL to a filesystem location using a regular expression and designates the target as a CGI script
Syntax:ScriptAliasMatch regex file-path|directory-path
Context:server config, virtual host
Status:Base
Module:mod_alias

This directive is equivalent to ScriptAlias, but makes use of regular expressions, instead of simple prefix matching. The supplied regular expression is matched against the URL-path, and if it matches, the server will substitute any parenthesized matches into the given string and use it as a filename. For example, to activate the standard /cgi-bin, one might use:

ScriptAliasMatch ^/cgi-bin(.*) /usr/local/apache/cgi-bin$1

mod/mod_asis.html100644 0 0 12015 11256637772 11507 0ustar 0 0 mod_asis - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_asis

Description:Sends files that contain their own HTTP headers
Status:Base
Module Identifier:asis_module
Source File:mod_asis.c

Summary

This module provides the handler send-as-is which causes Apache to send the document without adding most of the usual HTTP headers.

This can be used to send any kind of data from the server, including redirects and other special HTTP responses, without requiring a cgi-script or an nph script.

For historical reasons, this module will also process any file with the mime type httpd/send-as-is.

Directives

This module provides no directives.

Topics

See also

top

Usage

In the server configuration file, associate files with the send-as-is handler e.g.

AddHandler send-as-is asis

The contents of any file with a .asis extension will then be sent by Apache to the client with almost no changes. In particular, HTTP headers are derived from the file itself according to mod_cgi rules, so an asis file must include valid headers, and may also use the CGI Status: header to determine the HTTP response code.

Here's an example of a file whose contents are sent as is so as to tell the client that a file has redirected.

Status: 301 Now where did I leave that URL
Location: http://xyz.abc.com/foo/bar.html
Content-type: text/html

<html>
<head>
<title>Lame excuses'R'us</title>
</head>
<body>
<h1>Fred's exceptionally wonderful page has moved to
<a href="http://xyz.abc.com/foo/bar.html">Joe's</a> site.
</h1>
</body>
</html>

Notes:

The server always adds a Date: and Server: header to the data returned to the client, so these should not be included in the file. The server does not add a Last-Modified header; it probably should.

mod/mod_auth_basic.html100644 0 0 17625 11256637772 12666 0ustar 0 0 mod_auth_basic - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_auth_basic

Description:Basic authentication
Status:Base
Module Identifier:auth_basic_module
Source File:mod_auth_basic.c
Compatibility:Available in Apache 2.1 and later

Summary

This module allows the use of HTTP Basic Authentication to restrict access by looking up users in the given providers. HTTP Digest Authentication is provided by mod_auth_digest. This module should usually be combined with at least one authentication module such as mod_authn_file and one authorization module such as mod_authz_user.

top

AuthBasicAuthoritative Directive

Description:Sets whether authorization and authentication are passed to lower level modules
Syntax:AuthBasicAuthoritative On|Off
Default:AuthBasicAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_auth_basic

Normally, each authorization module listed in AuthBasicProvider will attempt to verify the user, and if the user is not found in any provider, access will be denied. Setting the AuthBasicAuthoritative directive explicitly to Off allows for both authentication and authorization to be passed on to other non-provider-based modules if there is no userID or rule matching the supplied userID. This should only be necessary when combining mod_auth_basic with third-party modules that are not configured with the AuthBasicProvider directive. When using such modules, the order of processing is determined in the modules' source code and is not configurable.

top

AuthBasicProvider Directive

Description:Sets the authentication provider(s) for this location
Syntax:AuthBasicProvider provider-name [provider-name] ...
Default:AuthBasicProvider file
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_auth_basic

The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module. Make sure that the chosen provider module is present in the server.

Example

<Location /secure>
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile /www/etc/dbmpasswd
Require valid-user
 </Location>

Providers are implemented by mod_authn_dbm, mod_authn_file, mod_authn_dbd, and mod_authnz_ldap.

mod/mod_auth_digest.html100644 0 0 51020 11256637772 13047 0ustar 0 0 mod_auth_digest - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_auth_digest

Description:User authentication using MD5 Digest Authentication.
Status:Extension
Module Identifier:auth_digest_module
Source File:mod_auth_digest.c

Summary

This module implements HTTP Digest Authentication (RFC2617), and provides a more secure alternative to mod_auth_basic.

top

Using Digest Authentication

Using MD5 Digest authentication is very simple. Simply set up authentication normally, using AuthType Digest and AuthDigestProvider instead of the normal AuthType Basic and AuthBasicProvider. Then add a AuthDigestDomain directive containing at least the root URI(s) for this protection space.

Appropriate user (text) files can be created using the htdigest tool.

Example:

<Location /private/>
AuthType Digest
AuthName "private area"
AuthDigestDomain /private/ http://mirror.my.dom/private2/

AuthDigestProvider file
AuthUserFile /web/auth/.digest_pw
Require valid-user
 </Location>

Note

Digest authentication is more secure than Basic authentication, but only works with supporting browsers. As of September 2004, major browsers that support digest authentication include Amaya, Konqueror, MS Internet Explorer for Mac OS X and Windows (although the Windows version fails when used with a query string -- see "Working with MS Internet Explorer" below for a workaround), Mozilla, Netscape 7, Opera, and Safari. lynx does not support digest authentication. Since digest authentication is not as widely implemented as basic authentication, you should use it only in environments where all users will have supporting browsers.

top

Working with MS Internet Explorer

The Digest authentication implementation in previous Internet Explorer for Windows versions (5 and 6) had issues, namely that GET requests with a query string were not RFC compliant. There are a few ways to work around this issue.

The first way is to use POST requests instead of GET requests to pass data to your program. This method is the simplest approach if your application can work with this limitation.

Since version 2.0.51 Apache also provides a workaround in the AuthDigestEnableQueryStringHack environment variable. If AuthDigestEnableQueryStringHack is set for the request, Apache will take steps to work around the MSIE bug and remove the query string from the digest comparison. Using this method would look similar to the following.

Using Digest Authentication with MSIE:

BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

This workaround is not necessary for MSIE 7, though enabling it does not cause any compatibility issues or significant overhead.

See the BrowserMatch directive for more details on conditionally setting environment variables.

top

AuthDigestAlgorithm Directive

Description:Selects the algorithm used to calculate the challenge and response hashes in digest authentication
Syntax:AuthDigestAlgorithm MD5|MD5-sess
Default:AuthDigestAlgorithm MD5
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest

The AuthDigestAlgorithm directive selects the algorithm used to calculate the challenge and response hashes.

MD5-sess is not correctly implemented yet.
top

AuthDigestDomain Directive

Description:URIs that are in the same protection space for digest authentication
Syntax:AuthDigestDomain URI [URI] ...
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest

The AuthDigestDomain directive allows you to specify one or more URIs which are in the same protection space (i.e. use the same realm and username/password info). The specified URIs are prefixes; the client will assume that all URIs "below" these are also protected by the same username/password. The URIs may be either absolute URIs (i.e. including a scheme, host, port, etc.) or relative URIs.

This directive should always be specified and contain at least the (set of) root URI(s) for this space. Omitting to do so will cause the client to send the Authorization header for every request sent to this server. Apart from increasing the size of the request, it may also have a detrimental effect on performance if AuthDigestNcCheck is on.

The URIs specified can also point to different servers, in which case clients (which understand this) will then share username/password info across multiple servers without prompting the user each time.

top

AuthDigestNcCheck Directive

Description:Enables or disables checking of the nonce-count sent by the server
Syntax:AuthDigestNcCheck On|Off
Default:AuthDigestNcCheck Off
Context:server config
Status:Extension
Module:mod_auth_digest
Not implemented yet.
top

AuthDigestNonceFormat Directive

Description:Determines how the nonce is generated
Syntax:AuthDigestNonceFormat format
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest
Not implemented yet.
top

AuthDigestNonceLifetime Directive

Description:How long the server nonce is valid
Syntax:AuthDigestNonceLifetime seconds
Default:AuthDigestNonceLifetime 300
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest

The AuthDigestNonceLifetime directive controls how long the server nonce is valid. When the client contacts the server using an expired nonce the server will send back a 401 with stale=true. If seconds is greater than 0 then it specifies the amount of time for which the nonce is valid; this should probably never be set to less than 10 seconds. If seconds is less than 0 then the nonce never expires.

top

AuthDigestProvider Directive

Description:Sets the authentication provider(s) for this location
Syntax:AuthDigestProvider provider-name [provider-name] ...
Default:AuthDigestProvider file
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest

The AuthDigestProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module. Make sure that the chosen provider module is present in the server.

See mod_authn_dbm, mod_authn_file, and mod_authn_dbd for providers.

top

AuthDigestQop Directive

Description:Determines the quality-of-protection to use in digest authentication
Syntax:AuthDigestQop none|auth|auth-int [auth|auth-int]
Default:AuthDigestQop auth
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest

The AuthDigestQop directive determines the quality-of-protection to use. auth will only do authentication (username/password); auth-int is authentication plus integrity checking (an MD5 hash of the entity is also computed and checked); none will cause the module to use the old RFC-2069 digest algorithm (which does not include integrity checking). Both auth and auth-int may be specified, in which the case the browser will choose which of these to use. none should only be used if the browser for some reason does not like the challenge it receives otherwise.

auth-int is not implemented yet.
top

AuthDigestShmemSize Directive

Description:The amount of shared memory to allocate for keeping track of clients
Syntax:AuthDigestShmemSize size
Default:AuthDigestShmemSize 1000
Context:server config
Status:Extension
Module:mod_auth_digest

The AuthDigestShmemSize directive defines the amount of shared memory, that will be allocated at the server startup for keeping track of clients. Note that the shared memory segment cannot be set less than the space that is necessary for tracking at least one client. This value is dependant on your system. If you want to find out the exact value, you may simply set AuthDigestShmemSize to the value of 0 and read the error message after trying to start the server.

The size is normally expressed in Bytes, but you may let the number follow a K or an M to express your value as KBytes or MBytes. For example, the following directives are all equivalent:

AuthDigestShmemSize 1048576
AuthDigestShmemSize 1024K
AuthDigestShmemSize 1M

mod/mod_authn_alias.html100644 0 0 16671 11256637772 13054 0ustar 0 0 mod_authn_alias - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authn_alias

Description:Provides the ability to create extended authentication providers based on actual providers
Status:Extension
Module Identifier:authn_alias_module
Source File:mod_authn_alias.c
Compatibility:Available in Apache 2.1 and later

Summary

This module allows extended authentication providers to be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the directives AuthBasicProvider or AuthDigestProvider in the same way as a base authentication provider. Besides the ability to create and alias an extended provider, it also allows the same extended authentication provider to be reference by multiple locations.

Directives

Topics

top

Examples

This example checks for passwords in two different text files.

Checking multiple text password files

# Check here first
<AuthnProviderAlias file file1>
AuthUserFile /www/conf/passwords1
 </AuthnProviderAlias>

# Then check here
<AuthnProviderAlias file file2>
AuthUserFile /www/conf/passwords2
 </AuthnProviderAlias>

<Directory /var/web/pages/secure>
AuthBasicProvider file1 file2

AuthType Basic
AuthName "Protected Area"
Require valid-user
 </Directory>

The example below creates two different ldap authentication provider aliases based on the ldap provider. This allows a single authenticated location to be serviced by multiple ldap hosts:

Checking multiple LDAP servers

LoadModule authn_alias_module modules/mod_authn_alias.so

<AuthnProviderAlias ldap ldap-alias1>
AuthLDAPBindDN cn=youruser,o=ctx
AuthLDAPBindPassword yourpassword
AuthLDAPURL ldap://ldap.host/o=ctx
 </AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-other-alias>
AuthLDAPBindDN cn=yourotheruser,o=dev
AuthLDAPBindPassword yourotherpassword
AuthLDAPURL ldap://other.ldap.host/o=dev?cn
 </AuthnProviderAlias>

Alias /secure /webpages/secure
<Directory /webpages/secure>
Order deny,allow
Allow from all

AuthBasicProvider ldap-other-alias ldap-alias1

AuthType Basic
AuthName LDAP_Protected_Place
AuthzLDAPAuthoritative off
Require valid-user
 </Directory>

top

<AuthnProviderAlias> Directive

Description:Enclose a group of directives that represent an extension of a base authentication provider and referenced by the specified alias
Syntax:<AuthnProviderAlias baseProvider Alias> ... </AuthnProviderAlias>
Context:server config
Status:Extension
Module:mod_authn_alias

<AuthnProviderAlias> and </AuthnProviderAlias> are used to enclose a group of authentication directives that can be referenced by the alias name using one of the directives AuthBasicProvider or AuthDigestProvider.

mod/mod_authn_anon.html100644 0 0 31542 11256637772 12710 0ustar 0 0 mod_authn_anon - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authn_anon

Description:Allows "anonymous" user access to authenticated areas
Status:Extension
Module Identifier:authn_anon_module
Source File:mod_authn_anon.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authentication front-ends such as mod_auth_basic to authenticate users similar to anonymous-ftp sites, i.e. have a 'magic' user id 'anonymous' and the email address as a password. These email addresses can be logged.

Combined with other (database) access control methods, this allows for effective user tracking and customization according to a user profile while still keeping the site open for 'unregistered' users. One advantage of using Auth-based user tracking is that, unlike magic-cookies and funny URL pre/postfixes, it is completely browser independent and it allows users to share URLs.

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the anon value.

top

Example

The example below is combined with "normal" htpasswd-file based authentication and allows users in additionally as 'guests' with the following properties:

  • It insists that the user enters a userID. (Anonymous_NoUserID)
  • It insists that the user enters a password. (Anonymous_MustGiveEmail)
  • The password entered must be a valid email address, i.e. contain at least one '@' and a '.'. (Anonymous_VerifyEmail)
  • The userID must be one of anonymous guest www test welcome and comparison is not case sensitive. (Anonymous)
  • And the Email addresses entered in the passwd field are logged to the error log file. (Anonymous_LogEmail)

Example

<Directory /foo> AuthName "Use 'anonymous' & Email address for guest entry"
AuthType Basic
AuthBasicProvider file anon
AuthUserFile /path/to/your/.htpasswd

Anonymous_NoUserID off
Anonymous_MustGiveEmail on
Anonymous_VerifyEmail on
Anonymous_LogEmail on
Anonymous anonymous guest www test welcome

Order Deny,Allow
Allow from all

Require valid-user
 </Directory>

top

Anonymous Directive

Description:Specifies userIDs that are allowed access without password verification
Syntax:Anonymous user [user] ...
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_anon

A list of one or more 'magic' userIDs which are allowed access without password verification. The userIDs are space separated. It is possible to use the ' and " quotes to allow a space in a userID as well as the \ escape character.

Please note that the comparison is case-IN-sensitive.
It's strongly recommended that the magic username 'anonymous' is always one of the allowed userIDs.

Example:

Anonymous anonymous "Not Registered" "I don't know"

This would allow the user to enter without password verification by using the userIDs "anonymous", "AnonyMous", "Not Registered" and "I Don't Know".

As of Apache 2.1 it is possible to specify the userID as "*". That allows any supplied userID to be accepted.

top

Anonymous_LogEmail Directive

Description:Sets whether the password entered will be logged in the error log
Syntax:Anonymous_LogEmail On|Off
Default:Anonymous_LogEmail On
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_anon

When set On, the default, the 'password' entered (which hopefully contains a sensible email address) is logged in the error log.

top

Anonymous_MustGiveEmail Directive

Description:Specifies whether blank passwords are allowed
Syntax:Anonymous_MustGiveEmail On|Off
Default:Anonymous_MustGiveEmail On
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_anon

Specifies whether the user must specify an email address as the password. This prohibits blank passwords.

top

Anonymous_NoUserID Directive

Description:Sets whether the userID field may be empty
Syntax:Anonymous_NoUserID On|Off
Default:Anonymous_NoUserID Off
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_anon

When set On, users can leave the userID (and perhaps the password field) empty. This can be very convenient for MS-Explorer users who can just hit return or click directly on the OK button; which seems a natural reaction.

top

Anonymous_VerifyEmail Directive

Description:Sets whether to check the password field for a correctly formatted email address
Syntax:Anonymous_VerifyEmail On|Off
Default:Anonymous_VerifyEmail Off
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_anon

When set On the 'password' entered is checked for at least one '@' and a '.' to encourage users to enter valid email addresses (see the above Anonymous_LogEmail).

mod/mod_authn_dbd.html100644 0 0 24761 11256637772 12513 0ustar 0 0 mod_authn_dbd - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authn_dbd

Description:User authentication using an SQL database
Status:Extension
Module Identifier:authn_dbd_module
Source File:mod_authn_dbd.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authentication front-ends such as mod_auth_digest and mod_auth_basic to authenticate users by looking up users in SQL tables. Similar functionality is provided by, for example, mod_authn_file.

This module relies on mod_dbd to specify the backend database driver and connection parameters, and manage the database connections.

When using mod_auth_basic or mod_auth_digest, this module is invoked via the AuthBasicProvider or AuthDigestProvider with the dbd value.

top

Configuration Example

This simple example shows use of this module in the context of the Authentication and DBD frameworks. Please note that you need to load an authorization module, such as mod_authz_user, to get it working.

# mod_dbd configuration
DBDriver pgsql
DBDParams "dbname=apacheauth user=apache password=xxxxxx"

DBDMin  4
DBDKeep 8
DBDMax  20
DBDExptime 300

<Directory /usr/www/myhost/private>
  # core authentication and mod_auth_basic configuration
  # for mod_authn_dbd
  AuthType Basic
  AuthName "My Server"
  AuthBasicProvider dbd

  # core authorization configuration
  Require valid-user

  # mod_authn_dbd SQL query to authenticate a user
  AuthDBDUserPWQuery \
    "SELECT password FROM authn WHERE user = %s"
</Directory>
top

Exposing Login Information

If httpd was built against APR version 1.3.0 or higher, then whenever a query is made to the database server, all column values in the first row returned by the query are placed in the environment, using environment variables with the prefix "AUTHENTICATE_".

If a database query for example returned the username, full name and telephone number of a user, a CGI program will have access to this information without the need to make a second independent database query to gather this additional information.

This has the potential to dramatically simplify the coding and configuration required in some web applications.

top

AuthDBDUserPWQuery Directive

Description:SQL query to look up a password for a user
Syntax:AuthDBDUserPWQuery query
Context:directory
Status:Extension
Module:mod_authn_dbd

The AuthDBDUserPWQuery specifies an SQL query to look up a password for a specified user. The user's ID will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a %s format specifier.

Example

AuthDBDUserPWQuery \
  "SELECT password FROM authn WHERE user = %s"

The first column value of the first row returned by the query statement should be a string containing the encrypted password. Subsequent rows will be ignored. If no rows are returned, the user will not be authenticated through mod_authn_dbd.

If httpd was built against APR version 1.3.0 or higher, any additional column values in the first row returned by the query statement will be stored as environment variables with names of the form AUTHENTICATE_COLUMN.

top

AuthDBDUserRealmQuery Directive

Description:SQL query to look up a password hash for a user and realm.
Syntax:AuthDBDUserRealmQuery query
Context:directory
Status:Extension
Module:mod_authn_dbd

The AuthDBDUserRealmQuery specifies an SQL query to look up a password for a specified user and realm. The user's ID and the realm, in that order, will be passed as string parameters when the SQL query is executed. They may be referenced within the query statement using %s format specifiers.

Example

AuthDBDUserRealmQuery \
  "SELECT password FROM authn WHERE user = %s AND realm = %s"

The first column value of the first row returned by the query statement should be a string containing the encrypted password. Subsequent rows will be ignored. If no rows are returned, the user will not be authenticated through mod_authn_dbd.

If httpd was built against APR version 1.3.0 or higher, any additional column values in the first row returned by the query statement will be stored as environment variables with names of the form AUTHENTICATE_COLUMN.

mod/mod_authn_dbm.html100644 0 0 17605 11256637772 12523 0ustar 0 0 mod_authn_dbm - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authn_dbm

Description:User authentication using DBM files
Status:Extension
Module Identifier:authn_dbm_module
Source File:mod_authn_dbm.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authentication front-ends such as mod_auth_digest and mod_auth_basic to authenticate users by looking up users in dbm password files. Similar functionality is provided by mod_authn_file.

When using mod_auth_basic or mod_auth_digest, this module is invoked via the AuthBasicProvider or AuthDigestProvider with the dbm value.

top

AuthDBMType Directive

Description:Sets the type of database file that is used to store passwords
Syntax:AuthDBMType default|SDBM|GDBM|NDBM|DB
Default:AuthDBMType default
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_dbm

Sets the type of database file that is used to store the passwords. The default database type is determined at compile time. The availability of other types of database files also depends on compile-time settings.

It is crucial that whatever program you use to create your password files is configured to use the same type of database.

top

AuthDBMUserFile Directive

Description:Sets the name of a database file containing the list of users and passwords for authentication
Syntax:AuthDBMUserFile file-path
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authn_dbm

The AuthDBMUserFile directive sets the name of a DBM file containing the list of users and passwords for user authentication. File-path is the absolute path to the user file.

The user file is keyed on the username. The value for a user is the encrypted password, optionally followed by a colon and arbitrary data. The colon and the data following it will be ignored by the server.

Security:

Make sure that the AuthDBMUserFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients will be able to download the AuthDBMUserFile.

Important compatibility note: The implementation of dbmopen in the apache modules reads the string length of the hashed values from the DBM data structures, rather than relying upon the string being NULL-appended. Some applications, such as the Netscape web server, rely upon the string being NULL-appended, so if you are having trouble using DBM files interchangeably between applications this may be a part of the problem.

A perl script called dbmmanage is included with Apache. This program can be used to create and update DBM format password files for use with this module.

mod/mod_authn_default.html100644 0 0 11036 11256637772 13375 0ustar 0 0 mod_authn_default - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authn_default

Description:Authentication fallback module
Status:Base
Module Identifier:authn_default_module
Source File:mod_authn_default.c
Compatibility:Available in Apache 2.1 and later

Summary

This module is designed to be the fallback module, if you don't have configured an authentication module like mod_auth_basic. It simply rejects any credentials supplied by the user.

top

AuthDefaultAuthoritative Directive

Description:Sets whether authentication is passed to lower level modules
Syntax:AuthDefaultAuthoritative On|Off
Default:AuthDefaultAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_authn_default

Setting the AuthDefaultAuthoritative directive explicitly to Off allows for authentication to be passed on to lower level modules (as defined in the modules.c files).

Note

Normally there are no lower level modules, since mod_authn_default is defined to be already on a very low level. Therefore you should leave the value of AuthDefaultAuthoritative as default (On).

mod/mod_authn_file.html100644 0 0 16401 11256637772 12671 0ustar 0 0 mod_authn_file - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authn_file

Description:User authentication using text files
Status:Base
Module Identifier:authn_file_module
Source File:mod_authn_file.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authentication front-ends such as mod_auth_digest and mod_auth_basic to authenticate users by looking up users in plain text password files. Similar functionality is provided by mod_authn_dbm.

When using mod_auth_basic or mod_auth_digest, this module is invoked via the AuthBasicProvider or AuthDigestProvider with the file value.

top

AuthUserFile Directive

Description:Sets the name of a text file containing the list of users and passwords for authentication
Syntax:AuthUserFile file-path
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_authn_file

The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.

Each line of the user file contains a username followed by a colon, followed by the encrypted password. If the same user ID is defined multiple times, mod_authn_file will use the first occurrence to verify the password.

The utility htpasswd which is installed as part of the binary distribution, or which can be found in src/support, is used to maintain the password file for HTTP Basic Authentication. See the man page for more details. In short:

Create a password file Filename with username as the initial ID. It will prompt for the password:

htpasswd -c Filename username

Add or modify username2 in the password file Filename:

htpasswd Filename username2

Note that searching large text files is very inefficient; AuthDBMUserFile should be used instead.

If you are using HTTP Digest Authentication, the htpasswd tool is not sufficient. You have to use htdigest instead. Note that you cannot mix user data for Digest Authentication and Basic Authentication within the same file.

Security

Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

mod/mod_authnz_ldap.html100644 0 0 155255 11256637772 13117 0ustar 0 0 mod_authnz_ldap - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authnz_ldap

Description:Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
Status:Extension
Module Identifier:authnz_ldap_module
Source File:mod_authnz_ldap.c
Compatibility:Available in version 2.1 and later

Summary

This module provides authentication front-ends such as mod_auth_basic to authenticate users through an ldap directory.

mod_authnz_ldap supports the following features:

  • Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
  • Complex authorization policies can be implemented by representing the policy with LDAP filters.
  • Uses extensive caching of LDAP operations via mod_ldap.
  • Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value.

top

Contents

top

Operation

There are two phases in granting access to a user. The first phase is authentication, in which the mod_authnz_ldap authentication provider verifies that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which mod_authnz_ldap determines if the authenticated user is allowed access to the resource in question. This is also known as the compare phase.

mod_authnz_ldap registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be enabled through the AuthBasicProvider directive using the ldap value. The authz_ldap handler extends the Require directive's authorization types by adding ldap-user, ldap-dn and ldap-group values.

The Authentication Phase

During the authentication phase, mod_authnz_ldap searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is found, then mod_authnz_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.

  1. Generate a search filter by combining the attribute and filter provided in the AuthLDAPURL directive with the username passed by the HTTP client.
  2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
  3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP client. If the bind is unsuccessful, deny or decline access.

The following directives are used during the search/bind phase

AuthLDAPURL Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
AuthLDAPBindDN An optional DN to bind with during the search phase.
AuthLDAPBindPassword An optional password to bind with during the search phase.

The Authorization Phase

During the authorization phase, mod_authnz_ldap attempts to determine if the user is authorized to access the resource. Many of these checks require mod_authnz_ldap to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. mod_authnz_ldap accepts the following Require directives to determine if the credentials are acceptable:

  • Grant access if there is a Require ldap-user directive, and the username in the directive matches the username passed by the client.
  • Grant access if there is a Require ldap-dn directive, and the DN in the directive matches the DN fetched from the LDAP directory.
  • Grant access if there is a Require ldap-group directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group.
  • Grant access if there is a Require ldap-attribute directive, and the attribute fetched from the LDAP directory matches the given value.
  • Grant access if there is a Require ldap-filter directive, and the search filter successfully finds a single user object that matches the dn of the authenticated user.
  • otherwise, deny or decline access

Other Require values may also be used which may require loading additional authorization modules. Note that if you use a Require value from another authorization module, you will need to ensure that AuthzLDAPAuthoritative is set to off to allow the authorization phase to fall back to the module providing the alternate Require value. When no LDAP-specific Require directives are used, authorization is allowed to fall back to other modules as if AuthzLDAPAuthoritative was set to off.

mod_authnz_ldap uses the following directives during the compare phase:

AuthLDAPURL The attribute specified in the URL is used in compare operations for the Require ldap-user operation.
AuthLDAPCompareDNOnServer Determines the behavior of the Require ldap-dn directive.
AuthLDAPGroupAttribute Determines the attribute to use for comparisons in the Require ldap-group directive.
AuthLDAPGroupAttributeIsDN Specifies whether to use the user DN or the username when doing comparisons for the Require ldap-group directive.
top

The Require Directives

Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the authorization types with ldap-user, ldap-dn, ldap-group, ldap-attribute and ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

Require valid-user

If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the search/bind phase. Requires that mod_authz_user be loaded.

Require ldap-user

The Require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the Require ldap-user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple Require ldap-user directives, with one user per line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn is used for searches), the following Require directives could be used to restrict access:

Require ldap-user "Barbara Jenson"
Require ldap-user "Fred User"
Require ldap-user "Joe Manager"

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

Require ldap-user bjenson fuser jmanager

Require ldap-group

This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

dn: cn=Administrators, o=Airius
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Airius
uniqueMember: cn=Fred User, o=Airius

The following directive would grant access to both Fred and Barbara:

Require ldap-group cn=Administrators, o=Airius

Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives.

Require ldap-dn

The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

The following directive would grant access to a specific DN:

Require ldap-dn cn=Barbara Jenson, o=Airius

Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.

Require ldap-attribute

The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

The following directive would grant access to anyone with the attribute employeeType = active

Require ldap-attribute employeeType=active

Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple Require ldap-attribute directives. The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

Require ldap-attribute city="San Jose" status=active

Require ldap-filter

The Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

The following directive would grant access to anyone having a cell phone and is in the marketing department

Require ldap-filter &(cell=*)(department=marketing)

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is required, the comparison operation performed by ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

top

Examples

  • Grant access to anyone who exists in the LDAP directory, using their UID for searches.

    AuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"
    Require valid-user

  • The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.

    AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"
    Require valid-user

  • The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematical if multiple people in the directory share the same cn, because a search on cn must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as uid.

    AuthLDAPURL "ldap://ldap.airius.com/ou=People, o=Airius?cn"
    Require valid-user

  • Grant access to anybody in the Administrators group. The users must authenticate using their UID.

    AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
    Require ldap-group cn=Administrators, o=Airius

  • The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers:

    AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
    Require valid-user

  • The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:

    AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
    Require valid-user

    This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. If Fred User connects as fuser, the filter would look like

    (&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))

    The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like

    (&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))

    The above search will succeed whether jmanager has a pager or not.

top

Using TLS

To use TLS, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. This will allow the connection established by an ldap:// Url to be upgraded to a secure connection on the same port.

top

Using SSL

To use SSL, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL directive, instead of ldap://.

top

Exposing Login Information

When this module performs authentication, LDAP attributes specified in the AuthLDAPUrl directive are placed in environment variables with the prefix "AUTHENTICATE_".

If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to make a second independent LDAP query to gather this additional information.

This has the potential to dramatically simplify the coding and configuration required in some web applications.

top

Using Microsoft FrontPage with mod_authnz_ldap

Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the mod_authn_file and mod_authz_groupfile modules) to handle all authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives, because it will break the Permissions forms in the FrontPage client, which attempt to modify the standard text-based authorization files.

Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web

AuthLDAPURL            "the url"
AuthGroupFile mygroupfile
Require group mygroupfile

How It Works

FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage considers only those people in the local user file to be valid. By substituting the ldap-group with group file authorization, Apache is allowed to consult the local user file (which is managed by FrontPage) - instead of LDAP - when handling authorizing the user.

Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.

Caveats

  • When choosing the LDAP URL, the attribute to use for authentication should be something that will also be valid for putting into a mod_authn_file user file. The user ID is ideal for this.
  • When adding users via FrontPage, FrontPage administrators should choose usernames that already exist in the LDAP directory (for obvious reasons). Also, the password that the administrator enters into the form is ignored, since Apache will actually be authenticating against the password in the LDAP database, and not against the password in the local user file. This could cause confusion for web administrators.
  • Apache must be compiled with mod_auth_basic, mod_authn_file and mod_authz_groupfile in order to use FrontPage support. This is because Apache will still use the mod_authz_groupfile group file for determine the extent of a user's access to the FrontPage web.
  • The directives must be put in the .htaccess files. Attempting to put them inside <Location> or <Directory> directives won't work. This is because mod_authnz_ldap has to be able to grab the AuthGroupFile directive that is found in FrontPage .htaccess files so that it knows where to look for the valid user list. If the mod_authnz_ldap directives aren't in the same .htaccess file as the FrontPage directives, then the hack won't work, because mod_authnz_ldap will never get a chance to process the .htaccess file, and won't be able to find the FrontPage-managed user file.
top

AuthLDAPBindDN Directive

Description:Optional DN to use in binding to the LDAP server
Syntax:AuthLDAPBindDN distinguished-name
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

An optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap will use an anonymous bind.

top

AuthLDAPBindPassword Directive

Description:Password used in conjuction with the bind DN
Syntax:AuthLDAPBindPassword password
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the AuthLDAPBindDN and AuthLDAPBindPassword if you absolutely need them to search the directory.

top

AuthLDAPCharsetConfig Directive

Description:Language to charset conversion configuration file
Syntax:AuthLDAPCharsetConfig file-path
Context:server config
Status:Extension
Module:mod_authnz_ldap

The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration file. File-path is relative to the ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the provided charset.conv file, which associates common language extensions to character sets.

The file contains lines in the following format:

Language-Extension charset [Language-String] ...

The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are ignored.

top

AuthLDAPCompareDNOnServer Directive

Description:Use the LDAP server to compare the DNs
Syntax:AuthLDAPCompareDNOnServer on|off
Default:AuthLDAPCompareDNOnServer on
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

When set, mod_authnz_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the directory for the DN specified with the Require dn directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the mod_ldap cache can speed up DN comparison in most situations.

top

AuthLDAPDereferenceAliases Directive

Description:When will the module de-reference aliases
Syntax:AuthLDAPDereferenceAliases never|searching|finding|always
Default:AuthLDAPDereferenceAliases Always
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

This directive specifies when mod_authnz_ldap will de-reference aliases during LDAP operations. The default is always.

top

AuthLDAPGroupAttribute Directive

Description:LDAP attributes used to check for group membership
Syntax:AuthLDAPGroupAttribute attribute
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the member and uniquemember attributes.

top

AuthLDAPGroupAttributeIsDN Directive

Description:Use the DN of the client username when checking for group membership
Syntax:AuthLDAPGroupAttributeIsDN on|off
Default:AuthLDAPGroupAttributeIsDN on
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set, mod_authnz_ldap will check if the group has cn=Babs Jenson, o=Airius as a member. If this directive is not set, then mod_authnz_ldap will check if the group has bjenson as a member.

top

AuthLDAPRemoteUserAttribute Directive

Description:Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
Syntax:AuthLDAPRemoteUserAttribute uid
Default:none
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

If this directive is set, the value of the REMOTE_USER environment variable will be set to the value of the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if present, takes precedence over AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the username as a userid.

top

AuthLDAPRemoteUserIsDN Directive

Description:Use the DN of the client username to set the REMOTE_USER environment variable
Syntax:AuthLDAPRemoteUserIsDN on|off
Default:AuthLDAPRemoteUserIsDN off
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

top

AuthLDAPUrl Directive

Description:URL specifying the LDAP search parameters
Syntax:AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is

ldap://host:port/basedn?attribute?scope?filter

ldap
For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.
host:port

The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection.

Once a connection has been made to a server, that connection remains active for the life of the httpd process, or until the LDAP server goes down.

If the LDAP server goes down and breaks an existing connection, mod_authnz_ldap will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.

basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
scope
The scope of the search. Can be either one or sub. Note that a scope of base is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base scope is specified, the default is to use a scope of sub.
filter
A valid LDAP search filter. If not provided, defaults to (objectClass=*), which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be more than sufficient for any application.

When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like (&(filter)(attribute=username)).

For example, consider an URL of ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a client attempts to connect using a username of Babs Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).

An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:

NONE
Establish an unsecure connection on the default LDAP port. This is the same as ldap:// on port 389.
SSL
Establish a secure connection on the default secure LDAP port. This is the same as ldaps://
TLS | STARTTLS
Establish an upgraded secure connection on the default LDAP port. This connection will be initiated on port 389 by default and then upgraded to a secure connection on the same port.

See above for examples of AuthLDAPURL URLs.

When AuthLDAPURL is enabled in a particular context, but some other module has performed authentication for the request, the server will try to map the username to a DN during authorization regardless of whether or not LDAP-specific requirements are present. To ignore the failures to map a username to a DN during authorization, set AuthzLDAPAutoritative to "off".

top

AuthzLDAPAuthoritative Directive

Description:Prevent other authentication modules from authenticating the user if this one fails
Syntax:AuthzLDAPAuthoritative on|off
Default:AuthzLDAPAuthoritative on
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authnz_ldap

Set to off if this module should let other authorization modules attempt to authorize the user, should authorization with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).

When no LDAP-specific Require directives are used, authorization is allowed to fall back to other modules as if AuthzLDAPAuthoritative was set to off.

mod/mod_authz_dbm.html100644 0 0 24766 11256637772 12545 0ustar 0 0 mod_authz_dbm - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authz_dbm

Description:Group authorization using DBM files
Status:Extension
Module Identifier:authz_dbm_module
Source File:mod_authz_dbm.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site by group membership. Similar functionality is provided by mod_authz_groupfile.

top

AuthDBMGroupFile Directive

Description:Sets the name of the database file containing the list of user groups for authorization
Syntax:AuthDBMGroupFile file-path
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authz_dbm

The AuthDBMGroupFile directive sets the name of a DBM file containing the list of user groups for user authorization. File-path is the absolute path to the group file.

The group file is keyed on the username. The value for a user is a comma-separated list of the groups to which the users belongs. There must be no whitespace within the value, and it must never contain any colons.

Security

Make sure that the AuthDBMGroupFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients will be able to download the AuthDBMGroupFile unless otherwise protected.

Combining Group and Password DBM files: In some cases it is easier to manage a single database which contains both the password and group details for each user. This simplifies any support programs that need to be written: they now only have to deal with writing to and locking a single DBM file. This can be accomplished by first setting the group and password files to point to the same DBM:

AuthDBMGroupFile /www/userbase
AuthDBMUserFile /www/userbase

The key for the single DBM is the username. The value consists of

Encrypted Password : List of Groups [ : (ignored) ]

The password section contains the encrypted password as before. This is followed by a colon and the comma separated list of groups. Other data may optionally be left in the DBM file after another colon; it is ignored by the authorization module. This is what www.telescope.org uses for its combined password and group database.

top

AuthzDBMAuthoritative Directive

Description:Sets whether authorization will be passed on to lower level modules
Syntax:AuthzDBMAuthoritative On|Off
Default:AuthzDBMAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authz_dbm

Setting the AuthzDBMAuthoritative directive explicitly to Off allows group authorization to be passed on to lower level modules (as defined in the modules.c file) if there is no group found for the supplied userID. If there are any groups specified, the usual checks will be applied and a failure will give an Authentication Required reply.

So if a userID appears in the database of more than one module; or if a valid Require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting.

A common use for this is in conjunction with one of the auth providers; such as mod_authn_dbm or mod_authn_file. Whereas this DBM module supplies the bulk of the user credential checking; a few (administrator) related accesses fall through to a lower level with a well protected .htpasswd file.

By default, control is not passed on and an unknown group will result in an Authentication Required reply. Not setting it thus keeps the system secure and forces an NCSA compliant behaviour.

Security

Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database which might have more access interfaces.

top

AuthzDBMType Directive

Description:Sets the type of database file that is used to store list of user groups
Syntax:AuthzDBMType default|SDBM|GDBM|NDBM|DB
Default:AuthzDBMType default
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authz_dbm

Sets the type of database file that is used to store the list of user groups. The default database type is determined at compile time. The availability of other types of database files also depends on compile-time settings.

It is crucial that whatever program you use to create your group files is configured to use the same type of database.

mod/mod_authz_default.html100644 0 0 11173 11256637772 13413 0ustar 0 0 mod_authz_default - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authz_default

Description:Authorization fallback module
Status:Base
Module Identifier:authz_default_module
Source File:mod_authz_default.c
Compatibility:Available in Apache 2.1 and later

Summary

This module is designed to be the fallback module, if you don't have configured an authorization module like mod_authz_user or mod_authz_groupfile. It simply rejects any authorization request.

top

AuthzDefaultAuthoritative Directive

Description:Sets whether authorization is passed to lower level modules
Syntax:AuthzDefaultAuthoritative On|Off
Default:AuthzDefaultAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_authz_default

Setting the AuthzDefaultAuthoritative directive explicitly to Off allows for authorization to be passed on to lower level modules (as defined in the modules.c files).

Note

Normally there are no lower level modules, since mod_authz_default is defined to be already on a very low level. Therefore you should leave the value of AuthzDefaultAuthoritative as default (On).

mod/mod_authz_groupfile.html100644 0 0 16426 11256637772 13771 0ustar 0 0 mod_authz_groupfile - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authz_groupfile

Description:Group authorization using plaintext files
Status:Base
Module Identifier:authz_groupfile_module
Source File:mod_authz_groupfile.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site by group membership. Similar functionality is provided by mod_authz_dbm.

top

AuthGroupFile Directive

Description:Sets the name of a text file containing the list of user groups for authorization
Syntax:AuthGroupFile file-path
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_authz_groupfile

The AuthGroupFile directive sets the name of a textual file containing the list of user groups for user authorization. File-path is the path to the group file. If it is not absolute, it is treated as relative to the ServerRoot.

Each line of the group file contains a groupname followed by a colon, followed by the member usernames separated by spaces.

Example:

mygroup: bob joe anne

Note that searching large text files is very inefficient; AuthDBMGroupFile provides a much better performance.

Security

Make sure that the AuthGroupFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthGroupFile.

top

AuthzGroupFileAuthoritative Directive

Description:Sets whether authorization will be passed on to lower level modules
Syntax:AuthzGroupFileAuthoritative On|Off
Default:AuthzGroupFileAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_authz_groupfile

Setting the AuthzGroupFileAuthoritative directive explicitly to Off allows for group authorization to be passed on to lower level modules (as defined in the modules.c files) if there is no group matching the supplied userID.

By default, control is not passed on and an unknown group will result in an Authentication Required reply. Not setting it thus keeps the system secure and forces an NCSA compliant behaviour.

Security

Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database which might have more access interfaces.

mod/mod_authz_host.html100644 0 0 46436 11256637772 12756 0ustar 0 0 mod_authz_host - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authz_host

Description:Group authorizations based on host (name or IP address)
Status:Base
Module Identifier:authz_host_module
Source File:mod_authz_host.c
Compatibility:Available in Apache 2.1 and later

Summary

The directives provided by mod_authz_host are used in <Directory>, <Files>, and <Location> sections as well as .htaccess files to control access to particular parts of the server. Access can be controlled based on the client hostname, IP address, or other characteristics of the client request, as captured in environment variables. The Allow and Deny directives are used to specify which clients are or are not allowed access to the server, while the Order directive sets the default access state, and configures how the Allow and Deny directives interact with each other.

Both host-based access restrictions and password-based authentication may be implemented simultaneously. In that case, the Satisfy directive is used to determine how the two sets of restrictions interact.

In general, access restriction directives apply to all access methods (GET, PUT, POST, etc). This is the desired behavior in most cases. However, it is possible to restrict some methods, while leaving other methods unrestricted, by enclosing the directives in a <Limit> section.

Directives

See also

top

Allow Directive

Description:Controls which hosts can access an area of the server
Syntax: Allow from all|host|env=[!]env-variable [host|env=[!]env-variable] ...
Context:directory, .htaccess
Override:Limit
Status:Base
Module:mod_authz_host

The Allow directive affects which hosts can access an area of the server. Access can be controlled by hostname, IP address, IP address range, or by other characteristics of the client request captured in environment variables.

The first argument to this directive is always from. The subsequent arguments can take three different forms. If Allow from all is specified, then all hosts are allowed access, subject to the configuration of the Deny and Order directives as discussed below. To allow only particular hosts or groups of hosts to access the server, the host can be specified in any of the following formats:

A (partial) domain-name

Example:

Allow from apache.org
Allow from .net example.edu

Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.apache.org but it will not match fooapache.org. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.

A full IP address

Example:

Allow from 10.1.2.3
Allow from 192.168.1.104 192.168.1.205

An IP address of a host allowed access

A partial IP address

Example:

Allow from 10.1
Allow from 10 172.20 192.168.2

The first 1 to 3 bytes of an IP address, for subnet restriction.

A network/netmask pair

Example:

Allow from 10.1.0.0/255.255.0.0

A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.

A network/nnn CIDR specification

Example:

Allow from 10.1.0.0/16

Similar to the previous case, except the netmask consists of nnn high-order 1 bits.

Note that the last three examples above match exactly the same set of hosts.

IPv6 addresses and IPv6 subnets can be specified as shown below:

Allow from 2001:db8::a00:20ff:fea7:ccea
Allow from 2001:db8::a00:20ff:fea7:ccea/10

The third format of the arguments to the Allow directive allows access to the server to be controlled based on the existence of an environment variable. When Allow from env=env-variable is specified, then the request is allowed access if the environment variable env-variable exists. When Allow from env=!env-variable is specified, then the request is allowed access if the environment variable env-variable doesn't exist. The server provides the ability to set environment variables in a flexible way based on characteristics of the client request using the directives provided by mod_setenvif. Therefore, this directive can be used to allow access based on such factors as the clients User-Agent (browser type), Referer, or other HTTP request header fields.

Example:

SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
 </Directory>

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.

top

Deny Directive

Description:Controls which hosts are denied access to the server
Syntax: Deny from all|host|env=[!]env-variable [host|env=[!]env-variable] ...
Context:directory, .htaccess
Override:Limit
Status:Base
Module:mod_authz_host

This directive allows access to the server to be restricted based on hostname, IP address, or environment variables. The arguments for the Deny directive are identical to the arguments for the Allow directive.

top

Order Directive

Description:Controls the default access state and the order in which Allow and Deny are evaluated.
Syntax: Order ordering
Default:Order Deny,Allow
Context:directory, .htaccess
Override:Limit
Status:Base
Module:mod_authz_host

The Order directive, along with the Allow and Deny directives, controls a three-pass access control system. The first pass processes either all Allow or all Deny directives, as specified by the Order directive. The second pass parses the rest of the directives (Deny or Allow). The third pass applies to all requests which do not match either of the first two.

Note that all Allow and Deny directives are processed, unlike a typical firewall, where only the first match is used. The last match is effective (also unlike a typical firewall). Additionally, the order in which lines appear in the configuration files is not significant -- all Allow lines are processed as one group, all Deny lines are considered as another, and the default state is considered by itself.

Ordering is one of:

Allow,Deny
First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default.
Deny,Allow
First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
Mutual-failure
This order has the same effect as Order Allow,Deny and is deprecated in its favor.

Keywords may only be separated by a comma; no whitespace is allowed between them.

Match Allow,Deny result Deny,Allow result
Match Allow only Request allowed Request allowed
Match Deny only Request denied Request denied
No match Default to second directive: Denied Default to second directive: Allowed
Match both Allow & Deny Final match controls: Denied Final match controls: Allowed

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

Order Deny,Allow
Deny from all
Allow from apache.org

In the next example, all hosts in the apache.org domain are allowed access, except for the hosts which are in the foo.apache.org subdomain, who are denied access. All hosts not in the apache.org domain are denied access because the default state is to Deny access to the server.

Order Allow,Deny
Allow from apache.org
Deny from foo.apache.org

On the other hand, if the Order in the last example is changed to Deny,Allow, all hosts will be allowed access. This happens because, regardless of the actual ordering of the directives in the configuration file, the Allow from apache.org will be evaluated last and will override the Deny from foo.apache.org. All hosts not in the apache.org domain will also be allowed access because the default state is Allow.

The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny directives because of its effect on the default access state. For example,

<Directory /www>
Order Allow,Deny
 </Directory>

will Deny all access to the /www directory because the default access state is set to Deny.

The Order directive controls the order of access directive processing only within each phase of the server's configuration processing. This implies, for example, that an Allow or Deny directive occurring in a <Location> section will always be evaluated after an Allow or Deny directive occurring in a <Directory> section or .htaccess file, regardless of the setting of the Order directive. For details on the merging of configuration sections, see the documentation on How Directory, Location and Files sections work.

mod/mod_authz_owner.html100644 0 0 24076 11256637772 13127 0ustar 0 0 mod_authz_owner - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authz_owner

Description:Authorization based on file ownership
Status:Extension
Module Identifier:authz_owner_module
Source File:mod_authz_owner.c
Compatibility:Available in Apache 2.1 and later

Summary

This module authorizes access to files by comparing the userid used for HTTP authentication (the web userid) with the file-system owner or group of the requested file. The supplied username and password must be already properly verified by an authentication module, such as mod_auth_basic or mod_auth_digest. mod_authz_owner recognizes two arguments for the Require directive, file-owner and file-group, as follows:

file-owner
The supplied web-username must match the system's name for the owner of the file being requested. That is, if the operating system says the requested file is owned by jones, then the username used to access it through the web must be jones as well.
file-group
The name of the system group that owns the file must be present in a group database, which is provided, for example, by mod_authz_groupfile or mod_authz_dbm, and the web-username must be a member of that group. For example, if the operating system says the requested file is owned by (system) group accounts, the group accounts must appear in the group database and the web-username used in the request must be a member of that group.

Note

If mod_authz_owner is used in order to authorize a resource that is not actually present in the filesystem (i.e. a virtual resource), it will deny the access.

Particularly it will never authorize content negotiated "MultiViews" resources.

top

Configuration Examples

Require file-owner

Consider a multi-user system running the Apache Web server, with each user having his or her own files in ~/public_html/private. Assuming that there is a single AuthDBMUserFile database that lists all of their web-usernames, and that these usernames match the system's usernames that actually own the files on the server, then the following stanza would allow only the user himself access to his own files. User jones would not be allowed to access files in /home/smith/public_html/private unless they were owned by jones instead of smith.

<Directory /home/*/public_html/private>
AuthType Basic
AuthName MyPrivateFiles
AuthBasicProvider dbm
AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
Satisfy All
Require file-owner
 </Directory>

Require file-group

Consider a system similar to the one described above, but with some users that share their project files in ~/public_html/project-foo. The files are owned by the system group foo and there is a single AuthDBMGroupFile database that contains all of the web-usernames and their group membership, i.e. they must be at least member of a group named foo. So if jones and smith are both member of the group foo, then both will be authorized to access the project-foo directories of each other.

<Directory /home/*/public_html/project-foo>
AuthType Basic
AuthName "Project Foo Files"
AuthBasicProvider dbm

# combined user/group database
AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all

Satisfy All
Require file-group
 </Directory>

top

AuthzOwnerAuthoritative Directive

Description:Sets whether authorization will be passed on to lower level modules
Syntax:AuthzOwnerAuthoritative On|Off
Default:AuthzOwnerAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_authz_owner

Setting the AuthzOwnerAuthoritative directive explicitly to Off allows for user authorization to be passed on to lower level modules (as defined in the modules.c files) if:

  • in the case of file-owner the file-system owner does not match the supplied web-username or could not be determined, or
  • in the case of file-group the file-system group does not contain the supplied web-username or could not be determined.

Note that setting the value to Off also allows the combination of file-owner and file-group, so access will be allowed if either one or the other (or both) match.

By default, control is not passed on and an authorization failure will result in an "Authentication Required" reply. Not setting it to Off thus keeps the system secure and forces an NCSA compliant behaviour.

mod/mod_authz_user.html100644 0 0 11450 11256637772 12743 0ustar 0 0 mod_authz_user - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_authz_user

Description:User Authorization
Status:Base
Module Identifier:authz_user_module
Source File:mod_authz_user.c
Compatibility:Available in Apache 2.1 and later

Summary

This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_user grants access if the authenticated user is listed in a Require user directive. Alternatively Require valid-user can be used to grant access to all successfully authenticated users.

top

AuthzUserAuthoritative Directive

Description:Sets whether authorization will be passed on to lower level modules
Syntax:AuthzUserAuthoritative On|Off
Default:AuthzUserAuthoritative On
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_authz_user

Setting the AuthzUserAuthoritative directive explicitly to Off allows for user authorization to be passed on to lower level modules (as defined in the modules.c files) if there is no user matching the supplied userID.

By default, control is not passed on and an unknown user will result in an Authentication Required reply. Not setting it to Off thus keeps the system secure and forces an NCSA compliant behaviour.

mod/mod_autoindex.html100644 0 0 145777 11256637772 12616 0ustar 0 0 mod_autoindex - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_autoindex

Description:Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
Status:Base
Module Identifier:autoindex_module
Source File:mod_autoindex.c

Summary

The index of a directory can come from one of two sources:

  • A file written by the user, typically called index.html. The DirectoryIndex directive sets the name of this file. This is controlled by mod_dir.
  • Otherwise, a listing generated by the server. The other directives control the format of this listing. The AddIcon, AddIconByEncoding and AddIconByType are used to set a list of icons to display for various file types; for each file listed, the first icon listed that matches the file is displayed. These are controlled by mod_autoindex.

The two functions are separated so that you can completely remove (or replace) automatic index generation should you want to.

Automatic index generation is enabled with using Options +Indexes. See the Options directive for more details.

If the FancyIndexing option is given with the IndexOptions directive, the column headers are links that control the order of the display. If you select a header link, the listing will be regenerated, sorted by the values in that column. Selecting the same header repeatedly toggles between ascending and descending order. These column header links are suppressed with IndexOptions directive's SuppressColumnSorting option.

Note that when the display is sorted by "Size", it's the actual size of the files that's used, not the displayed value - so a 1010-byte file will always be displayed before a 1011-byte file (if in ascending order) even though they both are shown as "1K".

top

Autoindex Request Query Arguments

Apache 2.0.23 reorganized the Query Arguments for Column Sorting, and introduced an entire group of new query options. To effectively eliminate all client control over the output, the IndexOptions IgnoreClient option was introduced.

The column sorting headers themselves are self-referencing hyperlinks that add the sort query options shown below. Any option below may be added to any request for the directory resource.

  • C=N sorts the directory by file name
  • C=M sorts the directory by last-modified date, then file name
  • C=S sorts the directory by size, then file name
  • C=D sorts the directory by description, then file name
  • O=A sorts the listing in Ascending Order
  • O=D sorts the listing in Descending Order
  • F=0 formats the listing as a simple list (not FancyIndexed)
  • F=1 formats the listing as a FancyIndexed list
  • F=2 formats the listing as an HTMLTable FancyIndexed list
  • V=0 disables version sorting
  • V=1 enables version sorting
  • P=pattern lists only files matching the given pattern

Note that the 'P'attern query argument is tested after the usual IndexIgnore directives are processed, and all file names are still subjected to the same criteria as any other autoindex listing. The Query Arguments parser in mod_autoindex will stop abruptly when an unrecognized option is encountered. The Query Arguments must be well formed, according to the table above.

The simple example below, which can be clipped and saved in a header.html file, illustrates these query options. Note that the unknown "X" argument, for the submit button, is listed last to assure the arguments are all parsed before mod_autoindex encounters the X=Go input.

<form action="" method="get">
Show me a <select name="F">
<option value="0"> Plain list</option>
<option value="1" selected="selected"> Fancy list</option>
<option value="2"> Table list</option>
 </select>
Sorted by <select name="C">
<option value="N" selected="selected"> Name</option>
<option value="M"> Date Modified</option>
<option value="S"> Size</option>
<option value="D"> Description</option>
 </select>
<select name="O">
<option value="A" selected="selected"> Ascending</option>
<option value="D"> Descending</option>
 </select>
<select name="V">
<option value="0" selected="selected"> in Normal order</option>
<option value="1"> in Version order</option>
 </select>
Matching <input type="text" name="P" value="*" />
<input type="submit" name="X" value="Go" />
 </form>

top

AddAlt Directive

Description:Alternate text to display for a file, instead of an icon selected by filename
Syntax:AddAlt string file [file] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

AddAlt provides the alternate text to display for a file, instead of an icon, for FancyIndexing. File is a file extension, partial filename, wild-card expression or full filename for files to describe. If String contains any whitespace, you have to enclose it in quotes (" or '). This alternate text is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

Examples

AddAlt "PDF file" *.pdf
AddAlt Compressed *.gz *.zip *.Z

top

AddAltByEncoding Directive

Description:Alternate text to display for a file instead of an icon selected by MIME-encoding
Syntax:AddAltByEncoding string MIME-encoding [MIME-encoding] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

AddAltByEncoding provides the alternate text to display for a file, instead of an icon, for FancyIndexing. MIME-encoding is a valid content-encoding, such as x-compress. If String contains any whitespace, you have to enclose it in quotes (" or '). This alternate text is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

Example

AddAltByEncoding gzip x-gzip

top

AddAltByType Directive

Description:Alternate text to display for a file, instead of an icon selected by MIME content-type
Syntax:AddAltByType string MIME-type [MIME-type] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

AddAltByType sets the alternate text to display for a file, instead of an icon, for FancyIndexing. MIME-type is a valid content-type, such as text/html. If String contains any whitespace, you have to enclose it in quotes (" or '). This alternate text is displayed if the client is image-incapable, has image loading disabled, or fails to retrieve the icon.

Example

AddAltByType 'plain text' text/plain

top

AddDescription Directive

Description:Description to display for a file
Syntax:AddDescription string file [file] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

This sets the description to display for a file, for FancyIndexing. File is a file extension, partial filename, wild-card expression or full filename for files to describe. String is enclosed in double quotes (").

Example

AddDescription "The planet Mars" /web/pics/mars.gif

The typical, default description field is 23 bytes wide. 6 more bytes are added by the IndexOptions SuppressIcon option, 7 bytes are added by the IndexOptions SuppressSize option, and 19 bytes are added by the IndexOptions SuppressLastModified option. Therefore, the widest default the description column is ever assigned is 55 bytes.

See the DescriptionWidth IndexOptions keyword for details on overriding the size of this column, or allowing descriptions of unlimited length.

Caution

Descriptive text defined with AddDescription may contain HTML markup, such as tags and character entities. If the width of the description column should happen to truncate a tagged element (such as cutting off the end of a bolded phrase), the results may affect the rest of the directory listing.

top

AddIcon Directive

Description:Icon to display for a file selected by name
Syntax:AddIcon icon name [name] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

This sets the icon to display next to a file ending in name for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Name is either ^^DIRECTORY^^ for directories, ^^BLANKICON^^ for blank lines (to format the list correctly), a file extension, a wildcard expression, a partial filename or a complete filename.

Examples

AddIcon (IMG,/icons/image.xbm) .gif .jpg .xbm
AddIcon /icons/dir.xbm ^^DIRECTORY^^
AddIcon /icons/backup.xbm *~

AddIconByType should be used in preference to AddIcon, when possible.

top

AddIconByEncoding Directive

Description:Icon to display next to files selected by MIME content-encoding
Syntax:AddIconByEncoding icon MIME-encoding [MIME-encoding] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

This sets the icon to display next to files with FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

MIME-encoding is a valid content-encoding, such as x-compress.

Example

AddIconByEncoding /icons/compress.xbm x-compress

top

AddIconByType Directive

Description:Icon to display next to files selected by MIME content-type
Syntax:AddIconByType icon MIME-type [MIME-type] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

This sets the icon to display next to files of type MIME-type for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

MIME-type is a wildcard expression matching required the mime types.

Example

AddIconByType (IMG,/icons/image.xbm) image/*

top

DefaultIcon Directive

Description:Icon to display for files when no specific icon is configured
Syntax:DefaultIcon url-path
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The DefaultIcon directive sets the icon to display for files when no specific icon is known, for FancyIndexing. Url-path is a (%-escaped) relative URL to the icon.

Example

DefaultIcon /icon/unknown.xbm

top

HeaderName Directive

Description:Name of the file that will be inserted at the top of the index listing
Syntax:HeaderName filename
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The HeaderName directive sets the name of the file that will be inserted at the top of the index listing. Filename is the name of the file to include.

Example

HeaderName HEADER.html

Both HeaderName and ReadmeName now treat Filename as a URI path relative to the one used to access the directory being indexed. If Filename begins with a slash, it will be taken to be relative to the DocumentRoot.

Example

HeaderName /include/HEADER.html

Filename must resolve to a document with a major content type of text/* (e.g., text/html, text/plain, etc.). This means that filename may refer to a CGI script if the script's actual file type (as opposed to its output) is marked as text/html such as with a directive like:

AddType text/html .cgi

Content negotiation will be performed if Options MultiViews is in effect. If filename resolves to a static text/html document (not a CGI script) and either one of the options Includes or IncludesNOEXEC is enabled, the file will be processed for server-side includes (see the mod_include documentation).

If the file specified by HeaderName contains the beginnings of an HTML document (<html>, <head>, etc.) then you will probably want to set IndexOptions +SuppressHTMLPreamble, so that these tags are not repeated.

top

IndexHeadInsert Directive

Description:Inserts text in the HEAD section of an index page.
Syntax:IndexHeadInsert "markup ..."
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex
Compatibility:Available in Apache 2.2.11 and later

The IndexHeadInsert directive specifies a string to insert in the <head> section of the HTML generated for the index page.

Example

IndexHeadInsert "<link rel=\"sitemap\" href=\"/sitemap.html\">"

top

IndexIgnore Directive

Description:Adds to the list of files to hide when listing a directory
Syntax:IndexIgnore file [file] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The IndexIgnore directive adds to the list of files to hide when listing a directory. File is a shell-style wildcard expression or full filename. Multiple IndexIgnore directives add to the list, rather than the replacing the list of ignored files. By default, the list contains . (the current directory).

IndexIgnore README .htaccess *.bak *~

top

IndexOptions Directive

Description:Various configuration settings for directory indexing
Syntax:IndexOptions [+|-]option [[+|-]option] ...
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The IndexOptions directive specifies the behavior of the directory indexing. Option can be one of

Charset=character-set (Apache 2.0.61 and later)
The Charset keyword allows you to specify the character set of the generated page. The default is either ISO-8859-1 or UTF-8, depending on whether the underlying file system is unicode or not.

Example:

IndexOptions Charset=UTF-8

Type=MIME content-type (Apache 2.0.61 and later)
The Type keyword allows you to specify the MIME content-type of the generated page. The default is text/html.

Example:

IndexOptions Type=text/plain

DescriptionWidth=[n | *] (Apache 2.0.23 and later)
The DescriptionWidth keyword allows you to specify the width of the description column in characters.
-DescriptionWidth (or unset) allows mod_autoindex to calculate the best width.
DescriptionWidth=n fixes the column width to n bytes wide.
DescriptionWidth=* grows the column to the width necessary to accommodate the longest description string.
See the section on AddDescription for dangers inherent in truncating descriptions.
FancyIndexing
This turns on fancy indexing of directories.
FoldersFirst (Apache 2.0.23 and later)
If this option is enabled, subdirectory listings will always appear first, followed by normal files in the directory. The listing is basically broken into two components, the files and the subdirectories, and each is sorted separately and then displayed subdirectories-first. For instance, if the sort order is descending by name, and FoldersFirst is enabled, subdirectory Zed will be listed before subdirectory Beta, which will be listed before normal files Gamma and Alpha. This option only has an effect if FancyIndexing is also enabled.
HTMLTable (Experimental, Apache 2.0.23 and later)
This experimental option with FancyIndexing constructs a simple table for the fancy directory listing. Note this will confuse older browsers. It is particularly necessary if file names or description text will alternate between left-to-right and right-to-left reading order, as can happen on WinNT or other utf-8 enabled platforms.
IconsAreLinks
This makes the icons part of the anchor for the filename, for fancy indexing.
IconHeight[=pixels]
Presence of this option, when used with IconWidth, will cause the server to include height and width attributes in the img tag for the file icon. This allows browser to precalculate the page layout without having to wait until all the images have been loaded. If no value is given for the option, it defaults to the standard height of the icons supplied with the Apache software.
IconWidth[=pixels]
Presence of this option, when used with IconHeight, will cause the server to include height and width attributes in the img tag for the file icon. This allows browser to precalculate the page layout without having to wait until all the images have been loaded. If no value is given for the option, it defaults to the standard width of the icons supplied with the Apache software.
IgnoreCase
If this option is enabled, names are sorted in a case-insensitive manner. For instance, if the sort order is ascending by name, and IgnoreCase is enabled, file Zeta will be listed after file alfa (Note: file GAMMA will always be listed before file gamma).
IgnoreClient
This option causes mod_autoindex to ignore all query variables from the client, including sort order (implies SuppressColumnSorting.)
NameWidth=[n | *]
The NameWidth keyword allows you to specify the width of the filename column in bytes.
-NameWidth (or unset) allows mod_autoindex to calculate the best width.
NameWidth=n fixes the column width to n bytes wide.
NameWidth=* grows the column to the necessary width.
ScanHTMLTitles
This enables the extraction of the title from HTML documents for fancy indexing. If the file does not have a description given by AddDescription then httpd will read the document for the value of the title element. This is CPU and disk intensive.
ShowForbidden
If specified, Apache will show files normally hidden because the subrequest returned HTTP_UNAUTHORIZED or HTTP_FORBIDDEN
SuppressColumnSorting
If specified, Apache will not make the column headings in a FancyIndexed directory listing into links for sorting. The default behavior is for them to be links; selecting the column heading will sort the directory listing by the values in that column. Prior to Apache 2.0.23, this also disabled parsing the Query Arguments for the sort string. That behavior is now controlled by IndexOptions IgnoreClient in Apache 2.0.23.
SuppressDescription
This will suppress the file description in fancy indexing listings. By default, no file descriptions are defined, and so the use of this option will regain 23 characters of screen space to use for something else. See AddDescription for information about setting the file description. See also the DescriptionWidth index option to limit the size of the description column.
SuppressHTMLPreamble
If the directory actually contains a file specified by the HeaderName directive, the module usually includes the contents of the file after a standard HTML preamble (<html>, <head>, et cetera). The SuppressHTMLPreamble option disables this behaviour, causing the module to start the display with the header file contents. The header file must contain appropriate HTML instructions in this case. If there is no header file, the preamble is generated as usual.
SuppressIcon (Apache 2.0.23 and later)
This will suppress the icon in fancy indexing listings. Combining both SuppressIcon and SuppressRules yields proper HTML 3.2 output, which by the final specification prohibits img and hr elements from the pre block (used to format FancyIndexed listings.)
SuppressLastModified
This will suppress the display of the last modification date, in fancy indexing listings.
SuppressRules (Apache 2.0.23 and later)
This will suppress the horizontal rule lines (hr elements) in directory listings. Combining both SuppressIcon and SuppressRules yields proper HTML 3.2 output, which by the final specification prohibits img and hr elements from the pre block (used to format FancyIndexed listings.)
SuppressSize
This will suppress the file size in fancy indexing listings.
TrackModified (Apache 2.0.23 and later)
This returns the Last-Modified and ETag values for the listed directory in the HTTP header. It is only valid if the operating system and file system return appropriate stat() results. Some Unix systems do so, as do OS2's JFS and Win32's NTFS volumes. OS2 and Win32 FAT volumes, for example, do not. Once this feature is enabled, the client or proxy can track changes to the list of files when they perform a HEAD request. Note some operating systems correctly track new and removed files, but do not track changes for sizes or dates of the files within the directory. Changes to the size or date stamp of an existing file will not update the Last-Modified header on all Unix platforms. If this is a concern, leave this option disabled.
VersionSort (Apache 2.0a3 and later)
The VersionSort keyword causes files containing version numbers to sort in a natural way. Strings are sorted as usual, except that substrings of digits in the name and description are compared according to their numeric value.

Example:

foo-1.7
foo-1.7.2
foo-1.7.12
foo-1.8.2
foo-1.8.2a
foo-1.12

If the number starts with a zero, then it is considered to be a fraction:

foo-1.001
foo-1.002
foo-1.030
foo-1.04

XHTML (Apache 2.0.49 and later)
The XHTML keyword forces mod_autoindex to emit XHTML 1.0 code instead of HTML 3.2.
Incremental IndexOptions

Apache 1.3.3 introduced some significant changes in the handling of IndexOptions directives. In particular:

  • Multiple IndexOptions directives for a single directory are now merged together. The result of:

    <Directory /foo> IndexOptions HTMLTable
    IndexOptions SuppressColumnsorting     </Directory>

    will be the equivalent of

    IndexOptions HTMLTable SuppressColumnsorting

  • The addition of the incremental syntax (i.e., prefixing keywords with + or -).

Whenever a '+' or '-' prefixed keyword is encountered, it is applied to the current IndexOptions settings (which may have been inherited from an upper-level directory). However, whenever an unprefixed keyword is processed, it clears all inherited options and any incremental settings encountered so far. Consider the following example:

IndexOptions +ScanHTMLTitles -IconsAreLinks FancyIndexing
IndexOptions +SuppressSize

The net effect is equivalent to IndexOptions FancyIndexing +SuppressSize, because the unprefixed FancyIndexing discarded the incremental keywords before it, but allowed them to start accumulating again afterward.

To unconditionally set the IndexOptions for a particular directory, clearing the inherited settings, specify keywords without any + or - prefixes.

top

IndexOrderDefault Directive

Description:Sets the default ordering of the directory index
Syntax:IndexOrderDefault Ascending|Descending Name|Date|Size|Description
Default:IndexOrderDefault Ascending Name
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The IndexOrderDefault directive is used in combination with the FancyIndexing index option. By default, fancyindexed directory listings are displayed in ascending order by filename; the IndexOrderDefault allows you to change this initial display order.

IndexOrderDefault takes two arguments. The first must be either Ascending or Descending, indicating the direction of the sort. The second argument must be one of the keywords Name, Date, Size, or Description, and identifies the primary key. The secondary key is always the ascending filename.

You can force a directory listing to only be displayed in a particular order by combining this directive with the SuppressColumnSorting index option; this will prevent the client from requesting the directory listing in a different order.

top

IndexStyleSheet Directive

Description:Adds a CSS stylesheet to the directory index
Syntax:IndexStyleSheet url-path
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The IndexStyleSheet directive sets the name of the file that will be used as the CSS for the index listing.

Example

IndexStyleSheet "/css/style.css"

top

ReadmeName Directive

Description:Name of the file that will be inserted at the end of the index listing
Syntax:ReadmeName filename
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_autoindex

The ReadmeName directive sets the name of the file that will be appended to the end of the index listing. Filename is the name of the file to include, and is taken to be relative to the location being indexed. If Filename begins with a slash, it will be taken to be relative to the DocumentRoot.

Example

ReadmeName FOOTER.html

Example 2

ReadmeName /include/FOOTER.html

See also HeaderName, where this behavior is described in greater detail.

mod/mod_cache.html100644 0 0 101444 11256637772 11640 0ustar 0 0 mod_cache - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_cache

Description:Content cache keyed to URIs.
Status:Extension
Module Identifier:cache_module
Source File:mod_cache.c

Summary

This module should be used with care and can be used to circumvent Allow and Deny directives. You should not enable caching for any content to which you wish to limit access by client host name, address or environment variable.

mod_cache implements an RFC 2616 compliant HTTP content cache that can be used to cache either local or proxied content. mod_cache requires the services of one or more storage management modules. Two storage management modules are included in the base Apache distribution:

mod_disk_cache
implements a disk based storage manager.
mod_mem_cache
implements a memory based storage manager. mod_mem_cache can be configured to operate in two modes: caching open file descriptors or caching objects in heap storage. mod_mem_cache can be used to cache locally generated content or to cache backend server content for mod_proxy when configured using ProxyPass (aka reverse proxy)

Content is stored in and retrieved from the cache using URI based keys. Content with access protection is not cached.

Further details, discussion, and examples, are provided in the Caching Guide.

top

Related Modules and Directives

Related ModulesRelated Directives
top

Sample Configuration

Sample httpd.conf

#
# Sample Cache Configuration
#
LoadModule cache_module modules/mod_cache.so

<IfModule mod_cache.c>
#LoadModule disk_cache_module modules/mod_disk_cache.so
# If you want to use mod_disk_cache instead of mod_mem_cache,
# uncomment the line above and comment out the LoadModule line below.
<IfModule mod_disk_cache.c>
CacheRoot c:/cacheroot
CacheEnable disk /
CacheDirLevels 5
CacheDirLength 3
 </IfModule>

LoadModule mem_cache_module modules/mod_mem_cache.so
<IfModule mod_mem_cache.c>
CacheEnable mem /
MCacheSize 4096
MCacheMaxObjectCount 100
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048
 </IfModule>

# When acting as a proxy, don't cache the list of security updates
CacheDisable http://security.update.server/update-list/
 </IfModule>

top

CacheDefaultExpire Directive

Description:The default duration to cache a document when no expiry date is specified.
Syntax:CacheDefaultExpire seconds
Default:CacheDefaultExpire 3600 (one hour)
Context:server config, virtual host
Status:Extension
Module:mod_cache

The CacheDefaultExpire directive specifies a default time, in seconds, to cache a document if neither an expiry date nor last-modified date are provided with the document. The value specified with the CacheMaxExpire directive does not override this setting.

CacheDefaultExpire 86400

top

CacheDisable Directive

Description:Disable caching of specified URLs
Syntax:CacheDisable url-string
Context:server config, virtual host
Status:Extension
Module:mod_cache

The CacheDisable directive instructs mod_cache to not cache urls at or below url-string.

Example

CacheDisable /local_files

The no-cache environment variable can be set to disable caching on a finer grained set of resources in versions 2.2.12 and later.

See also

top

CacheEnable Directive

Description:Enable caching of specified URLs using a specified storage manager
Syntax:CacheEnable cache_type url-string
Context:server config, virtual host
Status:Extension
Module:mod_cache

The CacheEnable directive instructs mod_cache to cache urls at or below url-string. The cache storage manager is specified with the cache_type argument. cache_type mem instructs mod_cache to use the memory based storage manager implemented by mod_mem_cache. cache_type disk instructs mod_cache to use the disk based storage manager implemented by mod_disk_cache. cache_type fd instructs mod_cache to use the file descriptor cache implemented by mod_mem_cache.

In the event that the URL space overlaps between different CacheEnable directives (as in the example below), each possible storage manager will be run until the first one that actually processes the request. The order in which the storage managers are run is determined by the order of the CacheEnable directives in the configuration file.

CacheEnable mem /manual
CacheEnable fd /images
CacheEnable disk /

When acting as a forward proxy server, url-string can also be used to specify remote sites and proxy protocols which caching should be enabled for.

# Cache proxied url's
CacheEnable disk /

# Cache FTP-proxied url's
CacheEnable disk ftp://

# Cache content from www.apache.org
CacheEnable disk http://www.apache.org/

The no-cache environment variable can be set to disable caching on a finer grained set of resources in versions 2.2.12 and later.

See also

top

CacheIgnoreCacheControl Directive

Description:Ignore request to not serve cached content to client
Syntax:CacheIgnoreCacheControl On|Off
Default:CacheIgnoreCacheControl Off
Context:server config, virtual host
Status:Extension
Module:mod_cache

Ordinarily, requests containing a Cache-Control: no-cache or Pragma: no-cache header value will not be served from the cache. The CacheIgnoreCacheControl directive allows this behavior to be overridden. CacheIgnoreCacheControl On tells the server to attempt to serve the resource from the cache even if the request contains no-cache header values. Resources requiring authorization will never be cached.

CacheIgnoreCacheControl On

Warning:

This directive will allow serving from the cache even if the client has requested that the document not be served from the cache. This might result in stale content being served.

See also

top

CacheIgnoreHeaders Directive

Description:Do not store the given HTTP header(s) in the cache.
Syntax:CacheIgnoreHeaders header-string [header-string] ...
Default:CacheIgnoreHeaders None
Context:server config, virtual host
Status:Extension
Module:mod_cache

According to RFC 2616, hop-by-hop HTTP headers are not stored in the cache. The following HTTP headers are hop-by-hop headers and thus do not get stored in the cache in any case regardless of the setting of CacheIgnoreHeaders:

  • Connection
  • Keep-Alive
  • Proxy-Authenticate
  • Proxy-Authorization
  • TE
  • Trailers
  • Transfer-Encoding
  • Upgrade

CacheIgnoreHeaders specifies additional HTTP headers that should not to be stored in the cache. For example, it makes sense in some cases to prevent cookies from being stored in the cache.

CacheIgnoreHeaders takes a space separated list of HTTP headers that should not be stored in the cache. If only hop-by-hop headers not should be stored in the cache (the RFC 2616 compliant behaviour), CacheIgnoreHeaders can be set to None.

Example 1

CacheIgnoreHeaders Set-Cookie

Example 2

CacheIgnoreHeaders None

Warning:

If headers like Expires which are needed for proper cache management are not stored due to a CacheIgnoreHeaders setting, the behaviour of mod_cache is undefined.
top

CacheIgnoreNoLastMod Directive

Description:Ignore the fact that a response has no Last Modified header.
Syntax:CacheIgnoreNoLastMod On|Off
Default:CacheIgnoreNoLastMod Off
Context:server config, virtual host
Status:Extension
Module:mod_cache

Ordinarily, documents without a last-modified date are not cached. Under some circumstances the last-modified date is removed (during mod_include processing for example) or not provided at all. The CacheIgnoreNoLastMod directive provides a way to specify that documents without last-modified dates should be considered for caching, even without a last-modified date. If neither a last-modified date nor an expiry date are provided with the document then the value specified by the CacheDefaultExpire directive will be used to generate an expiration date.

CacheIgnoreNoLastMod On

top

CacheIgnoreQueryString Directive

Description:Ignore query string when caching
Syntax:CacheIgnoreQueryString On|Off
Default:CacheIgnoreQueryString Off
Context:server config, virtual host
Status:Extension
Module:mod_cache
Compatibility:Available in Apache 2.2.6 and later

Ordinarily, requests with query string parameters are cached separately for each unique query string. This is according to RFC 2616/13.9 done only if an expiration time is specified. The CacheIgnoreQueryString directive tells the cache to cache requests even if no expiration time is specified, and to reply with a cached reply even if the query string differs. From a caching point of view the request is treated as if having no query string when this directive is enabled.

CacheIgnoreQueryString On

top

CacheIgnoreURLSessionIdentifiers Directive

Description:Ignore defined session identifiers encoded in the URL when caching
Syntax:CacheIgnoreURLSessionIdentifiers identifier [identifier] ...
Default:CacheIgnoreURLSessionIdentifiers None
Context:server config, virtual host
Status:Extension
Module:mod_cache

Sometimes applications encode the session identifier into the URL like in the following Examples:

  • /someapplication/image.gif;jsessionid=123456789
  • /someapplication/image.gif?PHPSESSIONID=12345678

This causes cachable resources to be stored separately for each session, which is often not desired. CacheIgnoreURLSessionIdentifiers lets define a list of identifiers that are removed from the key that is used to identify an entity in the cache, such that cachable resources are not stored separately for each session.

CacheIgnoreURLSessionIdentifiers None clears the list of ignored identifiers. Otherwise, each identifier is added to the list.

Example 1

CacheIgnoreURLSessionIdentifiers jsessionid

Example 2

CacheIgnoreURLSessionIdentifiers None

top

CacheLastModifiedFactor Directive

Description:The factor used to compute an expiry date based on the LastModified date.
Syntax:CacheLastModifiedFactor float
Default:CacheLastModifiedFactor 0.1
Context:server config, virtual host
Status:Extension
Module:mod_cache

In the event that a document does not provide an expiry date but does provide a last-modified date, an expiry date can be calculated based on the time since the document was last modified. The CacheLastModifiedFactor directive specifies a factor to be used in the generation of this expiry date according to the following formula: expiry-period = time-since-last-modified-date * factor expiry-date = current-date + expiry-period For example, if the document was last modified 10 hours ago, and factor is 0.1 then the expiry-period will be set to 10*0.1 = 1 hour. If the current time was 3:00pm then the computed expiry-date would be 3:00pm + 1hour = 4:00pm. If the expiry-period would be longer than that set by CacheMaxExpire, then the latter takes precedence.

CacheLastModifiedFactor 0.5

top

CacheMaxExpire Directive

Description:The maximum time in seconds to cache a document
Syntax:CacheMaxExpire seconds
Default:CacheMaxExpire 86400 (one day)
Context:server config, virtual host
Status:Extension
Module:mod_cache

The CacheMaxExpire directive specifies the maximum number of seconds for which cachable HTTP documents will be retained without checking the origin server. Thus, documents will be out of date at most this number of seconds. This maximum value is enforced even if an expiry date was supplied with the document.

CacheMaxExpire 604800

top

CacheStoreNoStore Directive

Description:Attempt to cache requests or responses that have been marked as no-store.
Syntax:CacheStoreNoStore On|Off
Default:CacheStoreNoStore Off
Context:server config, virtual host
Status:Extension
Module:mod_cache

Ordinarily, requests or responses with Cache-Control: no-store header values will not be stored in the cache. The CacheStoreNoCache directive allows this behavior to be overridden. CacheStoreNoCache On tells the server to attempt to cache the resource even if it contains no-store header values. Resources requiring authorization will never be cached.

CacheStoreNoStore On

Warning:

As described in RFC 2616, the no-store directive is intended to "prevent the inadvertent release or retention of sensitive information (for example, on backup tapes)." Enabling this option could store sensitive information in the cache. You are hereby warned.

See also

top

CacheStorePrivate Directive

Description:Attempt to cache responses that the server has marked as private
Syntax:CacheStorePrivate On|Off
Default:CacheStorePrivate Off
Context:server config, virtual host
Status:Extension
Module:mod_cache

Ordinarily, responses with Cache-Control: private header values will not be stored in the cache. The CacheStorePrivate directive allows this behavior to be overridden. CacheStorePrivate On tells the server to attempt to cache the resource even if it contains private header values. Resources requiring authorization will never be cached.

CacheStorePrivate On

Warning:

This directive will allow caching even if the upstream server has requested that the resource not be cached. This directive is only ideal for a 'private' cache.

See also

mod/mod_cern_meta.html100644 0 0 16652 11256637772 12520 0ustar 0 0 mod_cern_meta - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_cern_meta

Description:CERN httpd metafile semantics
Status:Extension
Module Identifier:cern_meta_module
Source File:mod_cern_meta.c

Summary

Emulate the CERN HTTPD Meta file semantics. Meta files are HTTP headers that can be output in addition to the normal range of headers for each file accessed. They appear rather like the Apache .asis files, and are able to provide a crude way of influencing the Expires: header, as well as providing other curiosities. There are many ways to manage meta information, this one was chosen because there is already a large number of CERN users who can exploit this module.

More information on the CERN metafile semantics is available.

top

MetaDir Directive

Description:Name of the directory to find CERN-style meta information files
Syntax:MetaDir directory
Default:MetaDir .web
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Extension
Module:mod_cern_meta

Specifies the name of the directory in which Apache can find meta information files. The directory is usually a 'hidden' subdirectory of the directory that contains the file being accessed. Set to "." to look in the same directory as the file:

MetaDir .

Or, to set it to a subdirectory of the directory containing the files:

MetaDir .meta

top

MetaFiles Directive

Description:Activates CERN meta-file processing
Syntax:MetaFiles on|off
Default:MetaFiles off
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Extension
Module:mod_cern_meta

Turns on/off Meta file processing on a per-directory basis.

top

MetaSuffix Directive

Description:File name suffix for the file containg CERN-style meta information
Syntax:MetaSuffix suffix
Default:MetaSuffix .meta
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Extension
Module:mod_cern_meta

Specifies the file name suffix for the file containing the meta information. For example, the default values for the two directives will cause a request to DOCUMENT_ROOT/somedir/index.html to look in DOCUMENT_ROOT/somedir/.web/index.html.meta and will use its contents to generate additional MIME header information.

Example:

MetaSuffix .meta

mod/mod_cgi.html100644 0 0 33040 11256637772 11313 0ustar 0 0 mod_cgi - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_cgi

Description:Execution of CGI scripts
Status:Base
Module Identifier:cgi_module
Source File:mod_cgi.c

Summary

Any file that has the handler cgi-script will be treated as a CGI script, and run by the server, with its output being returned to the client. Files acquire this handler either by having a name containing an extension defined by the AddHandler directive, or by being in a ScriptAlias directory.

For an introduction to using CGI scripts with Apache, see our tutorial on Dynamic Content With CGI.

When using a multi-threaded MPM under unix, the module mod_cgid should be used in place of this module. At the user level, the two modules are essentially identical.

For backward-compatibility, the cgi-script handler will also be activated for any file with the mime-type application/x-httpd-cgi. The use of the magic mime-type is deprecated.

top

CGI Environment variables

The server will set the CGI environment variables as described in the CGI specification, with the following provisions:

PATH_INFO
This will not be available if the AcceptPathInfo directive is explicitly set to off. The default behavior, if AcceptPathInfo is not given, is that mod_cgi will accept path info (trailing /more/path/info following the script filename in the URI), while the core server will return a 404 NOT FOUND error for requests with additional path info. Omitting the AcceptPathInfo directive has the same effect as setting it On for mod_cgi requests.
REMOTE_HOST
This will only be set if HostnameLookups is set to on (it is off by default), and if a reverse DNS lookup of the accessing host's address indeed finds a host name.
REMOTE_IDENT
This will only be set if IdentityCheck is set to on and the accessing host supports the ident protocol. Note that the contents of this variable cannot be relied upon because it can easily be faked, and if there is a proxy between the client and the server, it is usually totally useless.
REMOTE_USER
This will only be set if the CGI script is subject to authentication.
top

CGI Debugging

Debugging CGI scripts has traditionally been difficult, mainly because it has not been possible to study the output (standard output and error) for scripts which are failing to run properly. These directives, included in Apache 1.2 and later, provide more detailed logging of errors when they occur.

CGI Logfile Format

When configured, the CGI error log logs any CGI which does not execute properly. Each CGI script which fails to operate causes several lines of information to be logged. The first two lines are always of the format:

%% [time] request-line
%% HTTP-status CGI-script-filename

If the error is that CGI script cannot be run, the log file will contain an extra two lines:

%%error
error-message

Alternatively, if the error is the result of the script returning incorrect header information (often due to a bug in the script), the following information is logged:

%request
All HTTP request headers received
POST or PUT entity (if any)
%response
All headers output by the CGI script
%stdout
CGI standard output
%stderr
CGI standard error

(The %stdout and %stderr parts may be missing if the script did not output anything on standard output or standard error).

top

ScriptLog Directive

Description:Location of the CGI script error logfile
Syntax:ScriptLog file-path
Context:server config, virtual host
Status:Base
Module:mod_cgi, mod_cgid

The ScriptLog directive sets the CGI script error logfile. If no ScriptLog is given, no error log is created. If given, any CGI errors are logged into the filename given as argument. If this is a relative file or path it is taken relative to the ServerRoot.

Example

ScriptLog logs/cgi_log

This log will be opened as the user the child processes run as, i.e. the user specified in the main User directive. This means that either the directory the script log is in needs to be writable by that user or the file needs to be manually created and set to be writable by that user. If you place the script log in your main logs directory, do NOT change the directory permissions to make it writable by the user the child processes run as.

Note that script logging is meant to be a debugging feature when writing CGI scripts, and is not meant to be activated continuously on running servers. It is not optimized for speed or efficiency, and may have security problems if used in a manner other than that for which it was designed.

top

ScriptLogBuffer Directive

Description:Maximum amount of PUT or POST requests that will be recorded in the scriptlog
Syntax:ScriptLogBuffer bytes
Default:ScriptLogBuffer 1024
Context:server config, virtual host
Status:Base
Module:mod_cgi, mod_cgid

The size of any PUT or POST entity body that is logged to the file is limited, to prevent the log file growing too big too quickly if large bodies are being received. By default, up to 1024 bytes are logged, but this can be changed with this directive.

top

ScriptLogLength Directive

Description:Size limit of the CGI script logfile
Syntax:ScriptLogLength bytes
Default:ScriptLogLength 10385760
Context:server config, virtual host
Status:Base
Module:mod_cgi, mod_cgid

ScriptLogLength can be used to limit the size of the CGI script logfile. Since the logfile logs a lot of information per CGI error (all request headers, all script output) it can grow to be a big file. To prevent problems due to unbounded growth, this directive can be used to set an maximum file-size for the CGI logfile. If the file exceeds this size, no more information will be written to it.

mod/mod_cgid.html100644 0 0 14005 11256637772 11457 0ustar 0 0 mod_cgid - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_cgid

Description:Execution of CGI scripts using an external CGI daemon
Status:Base
Module Identifier:cgid_module
Source File:mod_cgid.c
Compatibility:Unix threaded MPMs only

Summary

Except for the optimizations and the additional ScriptSock directive noted below, mod_cgid behaves similarly to mod_cgi. See the mod_cgi summary for additional details about Apache and CGI.

On certain unix operating systems, forking a process from a multi-threaded server is a very expensive operation because the new process will replicate all the threads of the parent process. In order to avoid incurring this expense on each CGI invocation, mod_cgid creates an external daemon that is responsible for forking child processes to run CGI scripts. The main server communicates with this daemon using a unix domain socket.

This module is used by default instead of mod_cgi whenever a multi-threaded MPM is selected during the compilation process. At the user level, this module is identical in configuration and operation to mod_cgi. The only exception is the additional directive ScriptSock which gives the name of the socket to use for communication with the cgi daemon.

top

ScriptSock Directive

Description:The filename prefix of the socket to use for communication with the cgi daemon
Syntax:ScriptSock file-path
Default:ScriptSock logs/cgisock
Context:server config
Status:Base
Module:mod_cgid

This directive sets the filename prefix of the socket to use for communication with the CGI daemon, an extension corresponding to the process ID of the server will be appended. The socket will be opened using the permissions of the user who starts Apache (usually root). To maintain the security of communications with CGI scripts, it is important that no other user has permission to write in the directory where the socket is located.

Example

ScriptSock /var/run/cgid.sock

mod/mod_charset_lite.html100644 0 0 27371 11256637772 13231 0ustar 0 0 mod_charset_lite - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_charset_lite

Description:Specify character set translation or recoding
Status:Extension
Module Identifier:charset_lite_module
Source File:mod_charset_lite.c

Summary

mod_charset_lite allows the server to change the character set of responses before sending them to the client. In an EBCDIC environment, Apache always translates HTTP protocol content (e.g. response headers) from the code page of the Apache process locale to ISO-8859-1, but not the body of responses. In any environment, mod_charset_lite can be used to specify that response bodies should be translated. For example, if files are stored in EBCDIC, then mod_charset_lite can translate them to ISO-8859-1 before sending them to the client.

This module provides a small subset of configuration mechanisms implemented by Russian Apache and its associated mod_charset.

top

Common Problems

Invalid character set names

The character set name parameters of CharsetSourceEnc and CharsetDefault must be acceptable to the translation mechanism used by APR on the system where mod_charset_lite is deployed. These character set names are not standardized and are usually not the same as the corresponding values used in http headers. Currently, APR can only use iconv(3), so you can easily test your character set names using the iconv(1) program, as follows:

iconv -f charsetsourceenc-value -t charsetdefault-value

Mismatch between character set of content and translation rules

If the translation rules don't make sense for the content, translation can fail in various ways, including:

  • The translation mechanism may return a bad return code, and the connection will be aborted.
  • The translation mechanism may silently place special characters (e.g., question marks) in the output buffer when it cannot translate the input buffer.
top

CharsetDefault Directive

Description:Charset to translate into
Syntax:CharsetDefault charset
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_charset_lite

The CharsetDefault directive specifies the charset that content in the associated container should be translated to.

The value of the charset argument must be accepted as a valid character set name by the character set support in APR. Generally, this means that it must be supported by iconv.

Example

<Directory /export/home/trawick/apacheinst/htdocs/convert>
CharsetSourceEnc UTF-16BE
CharsetDefault ISO-8859-1
 </Directory>

top

CharsetOptions Directive

Description:Configures charset translation behavior
Syntax:CharsetOptions option [option] ...
Default:CharsetOptions DebugLevel=0 NoImplicitAdd
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_charset_lite

The CharsetOptions directive configures certain behaviors of mod_charset_lite. Option can be one of

DebugLevel=n
The DebugLevel keyword allows you to specify the level of debug messages generated by mod_charset_lite. By default, no messages are generated. This is equivalent to DebugLevel=0. With higher numbers, more debug messages are generated, and server performance will be degraded. The actual meanings of the numeric values are described with the definitions of the DBGLVL_ constants near the beginning of mod_charset_lite.c.
ImplicitAdd | NoImplicitAdd
The ImplicitAdd keyword specifies that mod_charset_lite should implicitly insert its filter when the configuration specifies that the character set of content should be translated. If the filter chain is explicitly configured using the AddOutputFilter directive, NoImplicitAdd should be specified so that mod_charset_lite doesn't add its filter.
TranslateAllMimeTypes | NoTranslateAllMimeTypes
Normally, mod_charset_lite will only perform translation on a small subset of possible mimetypes. When the TranslateAllMimeTypes keyword is specified for a given configuration section, translation is performed without regard for mimetype.
top

CharsetSourceEnc Directive

Description:Source charset of files
Syntax:CharsetSourceEnc charset
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_charset_lite

The CharsetSourceEnc directive specifies the source charset of files in the associated container.

The value of the charset argument must be accepted as a valid character set name by the character set support in APR. Generally, this means that it must be supported by iconv.

Example

<Directory /export/home/trawick/apacheinst/htdocs/convert>
CharsetSourceEnc UTF-16BE
CharsetDefault ISO-8859-1
 </Directory>

The character set names in this example work with the iconv translation support in Solaris 8.

mod/mod_dav.html100644 0 0 35564 11256637772 11340 0ustar 0 0 mod_dav - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_dav

Description:Distributed Authoring and Versioning (WebDAV) functionality
Status:Extension
Module Identifier:dav_module
Source File:mod_dav.c

Summary

This module provides class 1 and class 2 WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. This extension to the HTTP protocol allows creating, moving, copying, and deleting resources and collections on a remote web server.

top

Enabling WebDAV

To enable mod_dav, add the following to a container in your httpd.conf file:

Dav On

This enables the DAV file system provider, which is implemented by the mod_dav_fs module. Therefore, that module must be compiled into the server or loaded at runtime using the LoadModule directive.

In addition, a location for the DAV lock database must be specified in the global section of your httpd.conf file using the DavLockDB directive:

DavLockDB /usr/local/apache2/var/DavLock

The directory containing the lock database file must be writable by the User and Group under which Apache is running.

You may wish to add a <Limit> clause inside the <Location> directive to limit access to DAV-enabled locations. If you want to set the maximum amount of bytes that a DAV client can send at one request, you have to use the LimitXMLRequestBody directive. The "normal" LimitRequestBody directive has no effect on DAV requests.

Full Example

DavLockDB /usr/local/apache2/var/DavLock

<Location /foo>
Order Allow,Deny
Allow from all
Dav On

AuthType Basic
AuthName DAV
AuthUserFile user.passwd

<LimitExcept GET OPTIONS>
Require user admin
 </LimitExcept>
 </Location>

mod_dav is a descendent of Greg Stein's mod_dav for Apache 1.3. More information about the module is available from that site.

top

Security Issues

Since DAV access methods allow remote clients to manipulate files on the server, you must take particular care to assure that your server is secure before enabling mod_dav.

Any location on the server where DAV is enabled should be protected by authentication. The use of HTTP Basic Authentication is not recommended. You should use at least HTTP Digest Authentication, which is provided by the mod_auth_digest module. Nearly all WebDAV clients support this authentication method. An alternative is Basic Authentication over an SSL enabled connection.

In order for mod_dav to manage files, it must be able to write to the directories and files under its control using the User and Group under which Apache is running. New files created will also be owned by this User and Group. For this reason, it is important to control access to this account. The DAV repository is considered private to Apache; modifying files outside of Apache (for example using FTP or filesystem-level tools) should not be allowed.

mod_dav may be subject to various kinds of denial-of-service attacks. The LimitXMLRequestBody directive can be used to limit the amount of memory consumed in parsing large DAV requests. The DavDepthInfinity directive can be used to prevent PROPFIND requests on a very large repository from consuming large amounts of memory. Another possible denial-of-service attack involves a client simply filling up all available disk space with many large files. There is no direct way to prevent this in Apache, so you should avoid giving DAV access to untrusted users.

top

Complex Configurations

One common request is to use mod_dav to manipulate dynamic files (PHP scripts, CGI scripts, etc). This is difficult because a GET request will always run the script, rather than downloading its contents. One way to avoid this is to map two different URLs to the content, one of which will run the script, and one of which will allow it to be downloaded and manipulated with DAV.

Alias /phparea /home/gstein/php_files
Alias /php-source /home/gstein/php_files
<Location /php-source> DAV On
ForceType text/plain
 </Location>

With this setup, http://example.com/phparea can be used to access the output of the PHP scripts, and http://example.com/php-source can be used with a DAV client to manipulate them.

top

Dav Directive

Description:Enable WebDAV HTTP methods
Syntax:Dav On|Off|provider-name
Default:Dav Off
Context:directory
Status:Extension
Module:mod_dav

Use the Dav directive to enable the WebDAV HTTP methods for the given container:

<Location /foo>
Dav On
 </Location>

The value On is actually an alias for the default provider filesystem which is served by the mod_dav_fs module. Note, that once you have DAV enabled for some location, it cannot be disabled for sublocations. For a complete configuration example have a look at the section above.

Do not enable WebDAV until you have secured your server. Otherwise everyone will be able to distribute files on your system.
top

DavDepthInfinity Directive

Description:Allow PROPFIND, Depth: Infinity requests
Syntax:DavDepthInfinity on|off
Default:DavDepthInfinity off
Context:server config, virtual host, directory
Status:Extension
Module:mod_dav

Use the DavDepthInfinity directive to allow the processing of PROPFIND requests containing the header 'Depth: Infinity'. Because this type of request could constitute a denial-of-service attack, by default it is not allowed.

top

DavMinTimeout Directive

Description:Minimum amount of time the server holds a lock on a DAV resource
Syntax:DavMinTimeout seconds
Default:DavMinTimeout 0
Context:server config, virtual host, directory
Status:Extension
Module:mod_dav

When a client requests a DAV resource lock, it can also specify a time when the lock will be automatically removed by the server. This value is only a request, and the server can ignore it or inform the client of an arbitrary value.

Use the DavMinTimeout directive to specify, in seconds, the minimum lock timeout to return to a client. Microsoft Web Folders defaults to a timeout of 120 seconds; the DavMinTimeout can override this to a higher value (like 600 seconds) to reduce the chance of the client losing the lock due to network latency.

Example

<Location /MSWord>
DavMinTimeout 600
 </Location>

mod/mod_dav_fs.html100644 0 0 12647 11256637772 12025 0ustar 0 0 mod_dav_fs - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_dav_fs

Description:filesystem provider for mod_dav
Status:Extension
Module Identifier:dav_fs_module
Source File:mod_dav_fs.c

Summary

This module requires the service of mod_dav. It acts as a support module for mod_dav and provides access to resources located in the server's file system. The formal name of this provider is filesystem. mod_dav backend providers will be invoked by using the Dav directive:

Example

Dav filesystem

Since filesystem is the default provider for mod_dav, you may simply use the value On instead.

Directives

See also

top

DavLockDB Directive

Description:Location of the DAV lock database
Syntax:DavLockDB file-path
Context:server config, virtual host
Status:Extension
Module:mod_dav_fs

Use the DavLockDB directive to specify the full path to the lock database, excluding an extension. If the path is not absolute, it will be taken relative to ServerRoot. The implementation of mod_dav_fs uses a SDBM database to track user locks.

Example

DavLockDB var/DavLock

The directory containing the lock database file must be writable by the User and Group under which Apache is running. For security reasons, you should create a directory for this purpose rather than changing the permissions on an existing directory. In the above example, Apache will create files in the var/ directory under the ServerRoot with the base filename DavLock and extension name chosen by the server.

mod/mod_dav_lock.html100644 0 0 14266 11256637772 12344 0ustar 0 0 mod_dav_lock - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_dav_lock

Description:generic locking module for mod_dav
Status:Extension
Module Identifier:dav_lock_module
Source File:mod_dav_lock.c
Compatibility:Available in version 2.1 and later

Summary

This module implements a generic locking API which can be used by any backend provider of mod_dav. It requires at least the service of mod_dav. But without a backend provider which makes use of it, it's useless and should not be loaded into the server. A sample backend module which actually utilizes mod_dav_lock is mod_dav_svn, the subversion provider module.

Note that mod_dav_fs does not need this generic locking module, because it uses its own more specialized version.

In order to make mod_dav_lock functional, you just have to specify the location of the lock database using the DavGenericLockDB directive described below.

Developer's Note

In order to retrieve the pointer to the locking provider function, you have to use the ap_lookup_provider API with the arguments dav-lock, generic, and 0.

Directives

See also

top

DavGenericLockDB Directive

Description:Location of the DAV lock database
Syntax:DavGenericLockDB file-path
Context:server config, virtual host, directory
Status:Extension
Module:mod_dav_lock

Use the DavGenericLockDB directive to specify the full path to the lock database, excluding an extension. If the path is not absolute, it will be interpreted relative to ServerRoot. The implementation of mod_dav_lock uses a SDBM database to track user locks.

Example

DavGenericLockDB var/DavLock

The directory containing the lock database file must be writable by the User and Group under which Apache is running. For security reasons, you should create a directory for this purpose rather than changing the permissions on an existing directory. In the above example, Apache will create files in the var/ directory under the ServerRoot with the base filename DavLock and an extension added by the server.

mod/mod_dbd.html100644 0 0 45352 11256637772 11313 0ustar 0 0 mod_dbd - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_dbd

Description:Manages SQL database connections
Status:Extension
Module Identifier:dbd_module
Source File:mod_dbd.c
Compatibility:Version 2.1 and later

Summary

mod_dbd manages SQL database connections using APR. It provides database connections on request to modules requiring SQL database functions, and takes care of managing databases with optimal efficiency and scalability for both threaded and non-threaded MPMs. For details, see the APR website and this overview of the Apache DBD Framework by its original developer.

top

Connection Pooling

This module manages database connections, in a manner optimised for the platform. On non-threaded platforms, it provides a persistent connection in the manner of classic LAMP (Linux, Apache, Mysql, Perl/PHP/Python). On threaded platform, it provides an altogether more scalable and efficient connection pool, as described in this article at ApacheTutor. Note that mod_dbd supersedes the modules presented in that article.

top

Apache DBD API

mod_dbd exports five functions for other modules to use. The API is as follows:

typedef struct {
    apr_dbd_t *handle;
    apr_dbd_driver_t *driver;
    apr_hash_t *prepared;
} ap_dbd_t;

/* Export functions to access the database */

/* acquire a connection that MUST be explicitly closed.
 * Returns NULL on error
 */
AP_DECLARE(ap_dbd_t*) ap_dbd_open(apr_pool_t*, server_rec*);

/* release a connection acquired with ap_dbd_open */
AP_DECLARE(void) ap_dbd_close(server_rec*, ap_dbd_t*);

/* acquire a connection that will have the lifetime of a request
 * and MUST NOT be explicitly closed.  Return NULL on error.
 * This is the preferred function for most applications.
 */
AP_DECLARE(ap_dbd_t*) ap_dbd_acquire(request_rec*);

/* acquire a connection that will have the lifetime of a connection
 * and MUST NOT be explicitly closed.  Return NULL on error.
 */
AP_DECLARE(ap_dbd_t*) ap_dbd_cacquire(request_rec*);

/* Prepare a statement for use by a client module */
AP_DECLARE(void) ap_dbd_prepare(server_rec*, const char*, const char*);

/* Also export them as optional functions for modules that prefer it */
APR_DECLARE_OPTIONAL_FN(ap_dbd_t*, ap_dbd_open, (apr_pool_t*, server_rec*));
APR_DECLARE_OPTIONAL_FN(void, ap_dbd_close, (server_rec*, ap_dbd_t*));
APR_DECLARE_OPTIONAL_FN(ap_dbd_t*, ap_dbd_acquire, (request_rec*));
APR_DECLARE_OPTIONAL_FN(ap_dbd_t*, ap_dbd_cacquire, (conn_rec*));
APR_DECLARE_OPTIONAL_FN(void, ap_dbd_prepare, (server_rec*, const char*, const char*));
top

SQL Prepared Statements

mod_dbd supports SQL prepared statements on behalf of modules that may wish to use them. Each prepared statement must be assigned a name (label), and they are stored in a hash: the prepared field of an ap_dbd_t. Hash entries are of type apr_dbd_prepared_t and can be used in any of the apr_dbd prepared statement SQL query or select commands.

It is up to dbd user modules to use the prepared statements and document what statements can be specified in httpd.conf, or to provide their own directives and use ap_dbd_prepare.

top

SECURITY WARNING

Any web/database application needs to secure itself against SQL injection attacks. In most cases, Apache DBD is safe, because applications use prepared statements, and untrusted inputs are only ever used as data. Of course, if you use it via third-party modules, you should ascertain what precautions they may require.

However, the FreeTDS driver is inherently unsafe. The underlying library doesn't support prepared statements, so the driver emulates them, and the untrusted input is merged into the SQL statement.

It can be made safe by untainting all inputs: a process inspired by Perl's taint checking. Each input is matched against a regexp, and only the match is used, according to the Perl idiom:

  $untrusted =~ /([a-z]+)/;
  $trusted = $1;

To use this, the untainting regexps must be included in the prepared statements configured. The regexp follows immediately after the % in the prepared statement, and is enclosed in curly brackets {}. For example, if your application expects alphanumeric input, you can use:

"SELECT foo FROM bar WHERE input = %s"

with other drivers, and suffer nothing worse than a failed query. But with FreeTDS you'd need:

"SELECT foo FROM bar WHERE input = %{([A-Za-z0-9]+)}s"

Now anything that doesn't match the regexp's $1 match is discarded, so the statement is safe.

An alternative to this may be the third-party ODBC driver, which offers the security of genuine prepared statements.

top

DBDExptime Directive

Description:Keepalive time for idle connections
Syntax:DBDExptime time-in-seconds
Default:DBDExptime 300
Context:server config, virtual host
Status:Extension
Module:mod_dbd

Set the time to keep idle connections alive when the number of connections specified in DBDKeep has been exceeded (threaded platforms only).

top

DBDKeep Directive

Description:Maximum sustained number of connections
Syntax:DBDKeep number
Default:DBDKeep 2
Context:server config, virtual host
Status:Extension
Module:mod_dbd

Set the maximum number of connections per process to be sustained, other than for handling peak demand (threaded platforms only).

top

DBDMax Directive

Description:Maximum number of connections
Syntax:DBDMax number
Default:DBDMax 10
Context:server config, virtual host
Status:Extension
Module:mod_dbd

Set the hard maximum number of connections per process (threaded platforms only).

top

DBDMin Directive

Description:Minimum number of connections
Syntax:DBDMin number
Default:DBDMin 1
Context:server config, virtual host
Status:Extension
Module:mod_dbd

Set the minimum number of connections per process (threaded platforms only).

top

DBDParams Directive

Description:Parameters for database connection
Syntax:DBDParams param1=value1[,param2=value2]
Context:server config, virtual host
Status:Extension
Module:mod_dbd

As required by the underlying driver. Typically this will be used to pass whatever cannot be defaulted amongst username, password, database name, hostname and port number for connection.

Connection string parameters for current drivers include:

FreeTDS (for MSSQL and SyBase - see SECURITY note)
username, password, appname, dbname, host, charset, lang, server
MySQL
host, port, user, pass, dbname, sock, flags, fldsz, group, reconnect
ODBC
datasource, user, password, connect, ctimeout, stimeout, access, txmode, bufsize
Oracle
user, pass, dbname, server
PostgreSQL
The connection string is passed straight through to PQconnectdb
SQLite2
The connection string is split on a colon, and part1:part2 is used as sqlite_open(part1, atoi(part2), NULL)
SQLite3
The connection string is passed straight through to sqlite3_open
top

DBDPersist Directive

Description:Whether to use persistent connections
Syntax:DBDPersist On|Off
Context:server config, virtual host
Status:Extension
Module:mod_dbd

If set to Off, persistent and pooled connections are disabled. A new database connection is opened when requested by a client, and closed immediately on release. This option is for debugging and low-usage servers.

The default is to enable a pool of persistent connections (or a single LAMP-style persistent connection in the case of a non-threaded server), and should almost always be used in operation.

Prior to version 2.2.2, this directive accepted only the values 0 and 1 instead of Off and On, respectively.

top

DBDPrepareSQL Directive

Description:Define an SQL prepared statement
Syntax:DBDPrepareSQL "SQL statement" label
Context:server config, virtual host
Status:Extension
Module:mod_dbd

For modules such as authentication that repeatedly use a single SQL statement, optimum performance is achieved by preparing the statement at startup rather than every time it is used. This directive prepares an SQL statement and assigns it a label.

top

DBDriver Directive

Description:Specify an SQL driver
Syntax:DBDriver name
Context:server config, virtual host
Status:Extension
Module:mod_dbd

Selects an apr_dbd driver by name. The driver must be installed on your system (on most systems, it will be a shared object or dll). For example, DBDriver mysql will select the MySQL driver in apr_dbd_mysql.so.

mod/mod_deflate.html100644 0 0 50237 11256637772 12164 0ustar 0 0 mod_deflate - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_deflate

Description:Compress content before it is delivered to the client
Status:Extension
Module Identifier:deflate_module
Source File:mod_deflate.c

Summary

The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.

top

Sample Configurations

This is a simple sample configuration for the impatient.

Compress only a few types

AddOutputFilterByType DEFLATE text/html text/plain text/xml

The following configuration, while resulting in more compressed content, is also much more complicated. Do not use this unless you fully understand all the configuration details.

Compress everything except images

<Location />
# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
 </Location>

top

Enabling Compression

Output Compression

Compression is implemented by the DEFLATE filter. The following directive will enable compression for documents in the container where it is placed:

SetOutputFilter DEFLATE

Some popular browsers cannot handle compression of all content so you may want to set the gzip-only-text/html note to 1 to only allow html files to be compressed (see below). If you set this to anything but 1 it will be ignored.

If you want to restrict the compression to particular MIME types in general, you may use the AddOutputFilterByType directive. Here is an example of enabling compression only for the html files of the Apache documentation:

<Directory "/your-server-root/manual">
AddOutputFilterByType DEFLATE text/html
 </Directory>

For browsers that have problems even with compression of all file types, use the BrowserMatch directive to set the no-gzip note for that particular browser so that no compression will be performed. You may combine no-gzip with gzip-only-text/html to get the best results. In that case the former overrides the latter. Take a look at the following excerpt from the configuration example defined in the section above:

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

At first we probe for a User-Agent string that indicates a Netscape Navigator version of 4.x. These versions cannot handle compression of types other than text/html. The versions 4.06, 4.07 and 4.08 also have problems with decompressing html files. Thus, we completely turn off the deflate filter for them.

The third BrowserMatch directive fixes the guessed identity of the user agent, because the Microsoft Internet Explorer identifies itself also as "Mozilla/4" but is actually able to handle requested compression. Therefore we match against the additional string "MSIE" (\b means "word boundary") in the User-Agent Header and turn off the restrictions defined before.

Note

The DEFLATE filter is always inserted after RESOURCE filters like PHP or SSI. It never touches internal subrequests.

Note

There is a environment variable force-gzip, set via SetEnv, which will ignore the accept-encoding setting of your browser and will send compressed output.

Output Decompression

The mod_deflate module also provides a filter for inflating/uncompressing a gzip compressed response body. In order to activate this feature you have to insert the INFLATE filter into the outputfilter chain using SetOutputFilter or AddOutputFilter, for example:

<Location /dav-area>
ProxyPass http://example.com/
SetOutputFilter INFLATE
 </Location>

This Example will uncompress gzip'ed output from example.com, so other filters can do further processing with it.

Input Decompression

The mod_deflate module also provides a filter for decompressing a gzip compressed request body . In order to activate this feature you have to insert the DEFLATE filter into the input filter chain using SetInputFilter or AddInputFilter, for example:

<Location /dav-area>
SetInputFilter DEFLATE
 </Location>

Now if a request contains a Content-Encoding: gzip header, the body will be automatically decompressed. Few browsers have the ability to gzip request bodies. However, some special applications actually do support request compression, for instance some WebDAV clients.

Note on Content-Length

If you evaluate the request body yourself, don't trust the Content-Length header! The Content-Length header reflects the length of the incoming data from the client and not the byte count of the decompressed data stream.

top

Dealing with proxy servers

The mod_deflate module sends a Vary: Accept-Encoding HTTP response header to alert proxies that a cached response should be sent only to clients that send the appropriate Accept-Encoding request header. This prevents compressed content from being sent to a client that will not understand it.

If you use some special exclusions dependent on, for example, the User-Agent header, you must manually configure an addition to the Vary header to alert proxies of the additional restrictions. For example, in a typical configuration where the addition of the DEFLATE filter depends on the User-Agent, you should add:

Header append Vary User-Agent

If your decision about compression depends on other information than request headers (e.g. HTTP version), you have to set the Vary header to the value *. This prevents compliant proxies from caching entirely.

Example

Header set Vary *

top

DeflateBufferSize Directive

Description:Fragment size to be compressed at one time by zlib
Syntax:DeflateBufferSize value
Default:DeflateBufferSize 8096
Context:server config, virtual host
Status:Extension
Module:mod_deflate

The DeflateBufferSize directive specifies the size in bytes of the fragments that zlib should compress at one time.

top

DeflateCompressionLevel Directive

Description:How much compression do we apply to the output
Syntax:DeflateCompressionLevel value
Default:Zlib's default
Context:server config, virtual host
Status:Extension
Module:mod_deflate
Compatibility:This directive is available since Apache 2.0.45

The DeflateCompressionLevel directive specifies what level of compression should be used, the higher the value, the better the compression, but the more CPU time is required to achieve this.

The value must between 1 (less compression) and 9 (more compression).

top

DeflateFilterNote Directive

Description:Places the compression ratio in a note for logging
Syntax:DeflateFilterNote [type] notename
Context:server config, virtual host
Status:Extension
Module:mod_deflate
Compatibility:type is available since Apache 2.0.45

The DeflateFilterNote directive specifies that a note about compression ratios should be attached to the request. The name of the note is the value specified for the directive. You can use that note for statistical purposes by adding the value to your access log.

Example

DeflateFilterNote ratio

LogFormat '"%r" %b (%{ratio}n) "%{User-agent}i"' deflate
CustomLog logs/deflate_log deflate

If you want to extract more accurate values from your logs, you can use the type argument to specify the type of data left as note for logging. type can be one of:

Input
Store the byte count of the filter's input stream in the note.
Output
Store the byte count of the filter's output stream in the note.
Ratio
Store the compression ratio (output/input * 100) in the note. This is the default, if the type argument is omitted.

Thus you may log it this way:

Accurate Logging

DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio

LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
CustomLog logs/deflate_log deflate

See also

top

DeflateMemLevel Directive

Description:How much memory should be used by zlib for compression
Syntax:DeflateMemLevel value
Default:DeflateMemLevel 9
Context:server config, virtual host
Status:Extension
Module:mod_deflate

The DeflateMemLevel directive specifies how much memory should be used by zlib for compression (a value between 1 and 9).

top

DeflateWindowSize Directive

Description:Zlib compression window size
Syntax:DeflateWindowSize value
Default:DeflateWindowSize 15
Context:server config, virtual host
Status:Extension
Module:mod_deflate

The DeflateWindowSize directive specifies the zlib compression window size (a value between 1 and 15). Generally, the higher the window size, the higher can the compression ratio be expected.

mod/mod_dir.html100644 0 0 22307 11256637772 11333 0ustar 0 0 mod_dir - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_dir

Description:Provides for "trailing slash" redirects and serving directory index files
Status:Base
Module Identifier:dir_module
Source File:mod_dir.c

Summary

The index of a directory can come from one of two sources:

  • A file written by the user, typically called index.html. The DirectoryIndex directive sets the name of this file. This is controlled by mod_dir.
  • Otherwise, a listing generated by the server. This is provided by mod_autoindex.

The two functions are separated so that you can completely remove (or replace) automatic index generation should you want to.

A "trailing slash" redirect is issued when the server receives a request for a URL http://servername/foo/dirname where dirname is a directory. Directories require a trailing slash, so mod_dir issues a redirect to http://servername/foo/dirname/.

top

DirectoryIndex Directive

Description:List of resources to look for when the client requests a directory
Syntax:DirectoryIndex local-url [local-url] ...
Default:DirectoryIndex index.html
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_dir

The DirectoryIndex directive sets the list of resources to look for, when the client requests an index of the directory by specifying a / at the end of the directory name. Local-url is the (%-encoded) URL of a document on the server relative to the requested directory; it is usually the name of a file in the directory. Several URLs may be given, in which case the server will return the first one that it finds. If none of the resources exist and the Indexes option is set, the server will generate its own listing of the directory.

Example

DirectoryIndex index.html

then a request for http://myserver/docs/ would return http://myserver/docs/index.html if it exists, or would list the directory if it did not.

Note that the documents do not need to be relative to the directory;

DirectoryIndex index.html index.txt /cgi-bin/index.pl

would cause the CGI script /cgi-bin/index.pl to be executed if neither index.html or index.txt existed in a directory.

top

DirectorySlash Directive

Description:Toggle trailing slash redirects on or off
Syntax:DirectorySlash On|Off
Default:DirectorySlash On
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_dir
Compatibility:Available in version 2.0.51 and later

The DirectorySlash directive determines, whether mod_dir should fixup URLs pointing to a directory or not.

Typically if a user requests a resource without a trailing slash, which points to a directory, mod_dir redirects him to the same resource, but with trailing slash for some good reasons:

  • The user is finally requesting the canonical URL of the resource
  • mod_autoindex works correctly. Since it doesn't emit the path in the link, it would point to the wrong path.
  • DirectoryIndex will be evaluated only for directories requested with trailing slash.
  • Relative URL references inside html pages will work correctly.

Well, if you don't want this effect and the reasons above don't apply to you, you can turn off the redirect with:

# see security warning below!
<Location /some/path>
DirectorySlash Off
SetHandler some-handler
 </Location>

Security Warning

Turning off the trailing slash redirect may result in an information disclosure. Consider a situation where mod_autoindex is active (Options +Indexes) and DirectoryIndex is set to a valid resource (say, index.html) and there's no other special handler defined for that URL. In this case a request with a trailing slash would show the index.html file. But a request without trailing slash would list the directory contents.

mod/mod_disk_cache.html100644 0 0 26225 11256637772 12635 0ustar 0 0 mod_disk_cache - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_disk_cache

Description:Content cache storage manager keyed to URIs
Status:Extension
Module Identifier:disk_cache_module
Source File:mod_disk_cache.c

Summary

mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache.

Content is stored in and retrieved from the cache using URI based keys. Content with access protection is not cached.

htcacheclean can be used to maintain the cache size at a maximum level.

Note:

mod_disk_cache requires the services of mod_cache.

Note:

mod_disk_cache uses the sendfile feature to serve files from the cache when supported by the platform, and when enabled with EnableSendfile. However, per-directory and .htaccess configuration of EnableSendfile are ignored by mod_disk_cache as the corresponding settings are not available to the module when a request is being served from the cache.

top

CacheDirLength Directive

Description:The number of characters in subdirectory names
Syntax:CacheDirLength length
Default:CacheDirLength 2
Context:server config, virtual host
Status:Extension
Module:mod_disk_cache

The CacheDirLength directive sets the number of characters for each subdirectory name in the cache hierarchy.

The result of CacheDirLevels* CacheDirLength must not be higher than 20.

CacheDirLength 4

top

CacheDirLevels Directive

Description:The number of levels of subdirectories in the cache.
Syntax:CacheDirLevels levels
Default:CacheDirLevels 3
Context:server config, virtual host
Status:Extension
Module:mod_disk_cache

The CacheDirLevels directive sets the number of subdirectory levels in the cache. Cached data will be saved this many directory levels below the CacheRoot directory.

The result of CacheDirLevels* CacheDirLength must not be higher than 20.

CacheDirLevels 5

top

CacheMaxFileSize Directive

Description:The maximum size (in bytes) of a document to be placed in the cache
Syntax:CacheMaxFileSize bytes
Default:CacheMaxFileSize 1000000
Context:server config, virtual host
Status:Extension
Module:mod_disk_cache

The CacheMaxFileSize directive sets the maximum size, in bytes, for a document to be considered for storage in the cache.

CacheMaxFileSize 64000

top

CacheMinFileSize Directive

Description:The minimum size (in bytes) of a document to be placed in the cache
Syntax:CacheMinFileSize bytes
Default:CacheMinFileSize 1
Context:server config, virtual host
Status:Extension
Module:mod_disk_cache

The CacheMinFileSize directive sets the minimum size, in bytes, for a document to be considered for storage in the cache.

CacheMinFileSize 64

top

CacheRoot Directive

Description:The directory root under which cache files are stored
Syntax:CacheRoot directory
Context:server config, virtual host
Status:Extension
Module:mod_disk_cache

The CacheRoot directive defines the name of the directory on the disk to contain cache files. If the mod_disk_cache module has been loaded or compiled in to the Apache server, this directive must be defined. Failing to provide a value for CacheRoot will result in a configuration file processing error. The CacheDirLevels and CacheDirLength directives define the structure of the directories under the specified root directory.

CacheRoot c:/cacheroot

mod/mod_dumpio.html100644 0 0 16527 11256637772 12061 0ustar 0 0 mod_dumpio - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_dumpio

Description:Dumps all I/O to error log as desired.
Status:Extension
Module Identifier:dumpio_module
Source File:mod_dumpio.c

Summary

mod_dumpio allows for the logging of all input received by Apache and/or all output sent by Apache to be logged (dumped) to the error.log file.

The data logging is done right after SSL decoding (for input) and right before SSL encoding (for output). As can be expected, this can produce extreme volumes of data, and should only be used when debugging problems.

top

Enabling dumpio Support

To enable the module, it should be compiled and loaded in to your running Apache configuration. Logging can then be enabled or disabled via the below directives.

top

DumpIOInput Directive

Description:Dump all input data to the error log
Syntax:DumpIOInput On|Off
Default:DumpIOInput Off
Context:server config
Status:Extension
Module:mod_dumpio
Compatibility:DumpIOInput is only available in Apache 2.1.3 and later.

Enable dumping of all input.

Example

DumpIOInput On

top

DumpIOLogLevel Directive

Description:Controls the logging level of the DumpIO output
Syntax:DumpIOLogLevel level
Default:DumpIOLogLevel debug
Context:server config
Status:Extension
Module:mod_dumpio
Compatibility:DumpIOLogLevel is only available in Apache 2.2.4 and later.

Enable dumping of all output at a specific LogLevel level.

Example

DumpIOLogLevel notice

Compatibility

Prior to 2.2.4 mod_dumpio would only dump to the log when LogLevel was set to debug
top

DumpIOOutput Directive

Description:Dump all output data to the error log
Syntax:DumpIOOutput On|Off
Default:DumpIOOutput Off
Context:server config
Status:Extension
Module:mod_dumpio
Compatibility:DumpIOOutput is only available in Apache 2.1.3 and later.

Enable dumping of all output.

Example

DumpIOOutput On

mod/mod_echo.html100644 0 0 7647 11256637772 11465 0ustar 0 0 mod_echo - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_echo

Description:A simple echo server to illustrate protocol modules
Status:Experimental
Module Identifier:echo_module
Source File:mod_echo.c
Compatibility:Available in Apache 2.0 and later

Summary

This module provides an example protocol module to illustrate the concept. It provides a simple echo server. Telnet to it and type stuff, and it will echo it.

Directives

top

ProtocolEcho Directive

Description:Turn the echo server on or off
Syntax:ProtocolEcho On|Off
Default:ProtocolEcho Off
Context:server config, virtual host
Status:Experimental
Module:mod_echo
Compatibility:ProtocolEcho is only available in 2.0 and later.

The ProtocolEcho directive enables or disables the echo server.

Example

ProtocolEcho On

mod/mod_env.html100644 0 0 14660 11256637772 11350 0ustar 0 0 mod_env - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_env

Description:Modifies the environment which is passed to CGI scripts and SSI pages
Status:Base
Module Identifier:env_module
Source File:mod_env.c

Summary

This module allows for control of the environment that will be provided to CGI scripts and SSI pages. Environment variables may be passed from the shell which invoked the httpd process. Alternatively, environment variables may be set or unset within the configuration process.

top

PassEnv Directive

Description:Passes environment variables from the shell
Syntax:PassEnv env-variable [env-variable] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_env

Specifies one or more environment variables to pass to CGI scripts and SSI pages from the environment of the shell which invoked the httpd process.

Example

PassEnv LD_LIBRARY_PATH

top

SetEnv Directive

Description:Sets environment variables
Syntax:SetEnv env-variable value
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_env

Sets an environment variable, which is then passed on to CGI scripts and SSI pages.

Example

SetEnv SPECIAL_PATH /foo/bin

top

UnsetEnv Directive

Description:Removes variables from the environment
Syntax:UnsetEnv env-variable [env-variable] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_env

Removes one or more environment variables from those passed on to CGI scripts and SSI pages.

Example

UnsetEnv LD_LIBRARY_PATH

mod/mod_example.html100644 0 0 16735 11256637772 12220 0ustar 0 0 mod_example - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_example

Description:Illustrates the Apache module API
Status:Experimental
Module Identifier:example_module
Source File:mod_example.c

Summary

Some files in the modules/experimental directory under the Apache distribution directory tree are provided as an example to those that wish to write modules that use the Apache API.

The main file is mod_example.c, which illustrates all the different callback mechanisms and call syntaxes. By no means does an add-on module need to include routines for all of the callbacks - quite the contrary!

The example module is an actual working module. If you link it into your server, enable the "example-handler" handler for a location, and then browse to that location, you will see a display of some of the tracing the example module did as the various callbacks were made.

top

Compiling the example module

To include the example module in your server, follow the steps below:

  1. Run configure with --enable-example option.
  2. Make the server (run "make").

To add another module of your own:

  1. cp modules/experimental/mod_example.c modules/new_module/mod_myexample.c
  2. Modify the file.
  3. Create modules/new_module/config.m4.
    1. Add APACHE_MODPATH_INIT(new_module).
    2. Copy APACHE_MODULE line with "example" from modules/experimental/config.m4.
    3. Replace the first argument "example" with myexample.
    4. Replace the second argument with brief description of your module. It will be used in configure --help.
    5. If your module needs additional C compiler flags, linker flags or libraries, add them to CFLAGS, LDFLAGS and LIBS accordingly. See other config.m4 files in modules directory for examples.
    6. Add APACHE_MODPATH_FINISH.
  4. Create module/new_module/Makefile.in. If your module doesn't need special build instructions, all you need to have in that file is include $(top_srcdir)/build/special.mk.
  5. Run ./buildconf from the top-level directory.
  6. Build the server with --enable-myexample
top

Using the mod_example Module

To activate the example module, include a block similar to the following in your httpd.conf file:

<Location /example-info>
SetHandler example-handler
</Location>

As an alternative, you can put the following into a .htaccess file and then request the file "test.example" from that location:

AddHandler example-handler .example

After reloading/restarting your server, you should be able to browse to this location and see the brief display mentioned earlier.

top

Example Directive

Description:Demonstration directive to illustrate the Apache module API
Syntax:Example
Context:server config, virtual host, directory, .htaccess
Status:Experimental
Module:mod_example

The Example directive just sets a demonstration flag which the example module's content handler displays. It takes no arguments. If you browse to an URL to which the example content-handler applies, you will get a display of the routines within the module and how and in what order they were called to service the document request. The effect of this directive one can observe under the point "Example directive declared here: YES/NO".

mod/mod_expires.html100644 0 0 31133 11256637772 12231 0ustar 0 0 mod_expires - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_expires

Description:Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
Status:Extension
Module Identifier:expires_module
Source File:mod_expires.c

Summary

This module controls the setting of the Expires HTTP header and the max-age directive of the Cache-Control HTTP header in server responses. The expiration date can set to be relative to either the time the source file was last modified, or to the time of the client access.

These HTTP headers are an instruction to the client about the document's validity and persistence. If cached, the document may be fetched from the cache rather than from the source until this time has passed. After that, the cache copy is considered "expired" and invalid, and a new copy must be obtained from the source.

To modify Cache-Control directives other than max-age (see RFC 2616 section 14.9), you can use the Header directive.

top

Alternate Interval Syntax

The ExpiresDefault and ExpiresByType directives can also be defined in a more readable syntax of the form:

ExpiresDefault "<base> [plus] {<num> <type>}*"
ExpiresByType type/encoding "<base> [plus] {<num> <type>}*"

where <base> is one of:

  • access
  • now (equivalent to 'access')
  • modification

The plus keyword is optional. <num> should be an integer value [acceptable to atoi()], and <type> is one of:

  • years
  • months
  • weeks
  • days
  • hours
  • minutes
  • seconds

For example, any of the following directives can be used to make documents expire 1 month after being accessed, by default:

ExpiresDefault "access plus 1 month"
ExpiresDefault "access plus 4 weeks"
ExpiresDefault "access plus 30 days"

The expiry time can be fine-tuned by adding several '<num> <type>' clauses:

ExpiresByType text/html "access plus 1 month 15 days 2 hours"
ExpiresByType image/gif "modification plus 5 hours 3 minutes"

Note that if you use a modification date based setting, the Expires header will not be added to content that does not come from a file on disk. This is due to the fact that there is no modification time for such content.

top

ExpiresActive Directive

Description:Enables generation of Expires headers
Syntax:ExpiresActive On|Off
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Extension
Module:mod_expires

This directive enables or disables the generation of the Expires and Cache-Control headers for the document realm in question. (That is, if found in an .htaccess file, for instance, it applies only to documents generated from that directory.) If set to Off, the headers will not be generated for any document in the realm (unless overridden at a lower level, such as an .htaccess file overriding a server config file). If set to On, the headers will be added to served documents according to the criteria defined by the ExpiresByType and ExpiresDefault directives (q.v.).

Note that this directive does not guarantee that an Expires or Cache-Control header will be generated. If the criteria aren't met, no header will be sent, and the effect will be as though this directive wasn't even specified.

top

ExpiresByType Directive

Description:Value of the Expires header configured by MIME type
Syntax:ExpiresByType MIME-type <code>seconds
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Extension
Module:mod_expires

This directive defines the value of the Expires header and the max-age directive of the Cache-Control header generated for documents of the specified type (e.g., text/html). The second argument sets the number of seconds that will be added to a base time to construct the expiration date. The Cache-Control: max-age is calculated by subtracting the request time from the expiration date and expressing the result in seconds.

The base time is either the last modification time of the file, or the time of the client's access to the document. Which should be used is specified by the <code> field; M means that the file's last modification time should be used as the base time, and A means the client's access time should be used.

The difference in effect is subtle. If M is used, all current copies of the document in all caches will expire at the same time, which can be good for something like a weekly notice that's always found at the same URL. If A is used, the date of expiration is different for each client; this can be good for image files that don't change very often, particularly for a set of related documents that all refer to the same images (i.e., the images will be accessed repeatedly within a relatively short timespan).

Example:

# enable expirations
ExpiresActive On
# expire GIF images after a month in the client's cache
ExpiresByType image/gif A2592000
# HTML documents are good for a week from the
# time they were changed
ExpiresByType text/html M604800

Note that this directive only has effect if ExpiresActive On has been specified. It overrides, for the specified MIME type only, any expiration date set by the ExpiresDefault directive.

You can also specify the expiration time calculation using an alternate syntax, described earlier in this document.

top

ExpiresDefault Directive

Description:Default algorithm for calculating expiration time
Syntax:ExpiresDefault <code>seconds
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Extension
Module:mod_expires

This directive sets the default algorithm for calculating the expiration time for all documents in the affected realm. It can be overridden on a type-by-type basis by the ExpiresByType directive. See the description of that directive for details about the syntax of the argument, and the alternate syntax description as well.

mod/mod_ext_filter.html100644 0 0 42354 11256637772 12726 0ustar 0 0 mod_ext_filter - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_ext_filter

Description:Pass the response body through an external program before delivery to the client
Status:Extension
Module Identifier:ext_filter_module
Source File:mod_ext_filter.c

Summary

mod_ext_filter presents a simple and familiar programming model for filters. With this module, a program which reads from stdin and writes to stdout (i.e., a Unix-style filter command) can be a filter for Apache. This filtering mechanism is much slower than using a filter which is specially written for the Apache API and runs inside of the Apache server process, but it does have the following benefits:

  • the programming model is much simpler
  • any programming/scripting language can be used, provided that it allows the program to read from standard input and write to standard output
  • existing programs can be used unmodified as Apache filters

Even when the performance characteristics are not suitable for production use, mod_ext_filter can be used as a prototype environment for filters.

Directives

Topics

See also

top

Examples

Generating HTML from some other type of response

# mod_ext_filter directive to define a filter
# to HTML-ize text/c files using the external
# program /usr/bin/enscript, with the type of
# the result set to text/html
ExtFilterDefine c-to-html mode=output \
intype=text/c outtype=text/html \
cmd="/usr/bin/enscript --color -W html -Ec -o - -"
<Directory "/export/home/trawick/apacheinst/htdocs/c">
# core directive to cause the new filter to
# be run on output
SetOutputFilter c-to-html

# mod_mime directive to set the type of .c
# files to text/c
AddType text/c .c

# mod_ext_filter directive to set the debug
# level just high enough to see a log message
# per request showing the configuration in force
ExtFilterOptions DebugLevel=1
 </Directory>

Implementing a content encoding filter

Note: this gzip example is just for the purposes of illustration. Please refer to mod_deflate for a practical implementation.

# mod_ext_filter directive to define the external filter
ExtFilterDefine gzip mode=output cmd=/bin/gzip

<Location /gzipped>
# core directive to cause the gzip filter to be
# run on output
SetOutputFilter gzip

# mod_header directive to add
# "Content-Encoding: gzip" header field
Header set Content-Encoding gzip
 </Location>

Slowing down the server

# mod_ext_filter directive to define a filter
# which runs everything through cat; cat doesn't
# modify anything; it just introduces extra pathlength
# and consumes more resources
ExtFilterDefine slowdown mode=output cmd=/bin/cat \
preservescontentlength
<Location />
# core directive to cause the slowdown filter to
# be run several times on output
#
SetOutputFilter slowdown;slowdown;slowdown
 </Location>

Using sed to replace text in the response

# mod_ext_filter directive to define a filter which
# replaces text in the response
#
ExtFilterDefine fixtext mode=output intype=text/html \
cmd="/bin/sed s/verdana/arial/g"
<Location />
# core directive to cause the fixtext filter to
# be run on output
SetOutputFilter fixtext
 </Location>

Tracing another filter

# Trace the data read and written by mod_deflate
# for a particular client (IP 192.168.1.31)
# experiencing compression problems.
# This filter will trace what goes into mod_deflate.
ExtFilterDefine tracebefore \
cmd="/bin/tracefilter.pl /tmp/tracebefore" \
EnableEnv=trace_this_client
# This filter will trace what goes after mod_deflate.
# Note that without the ftype parameter, the default
# filter type of AP_FTYPE_RESOURCE would cause the
# filter to be placed *before* mod_deflate in the filter
# chain. Giving it a numeric value slightly higher than
# AP_FTYPE_CONTENT_SET will ensure that it is placed
# after mod_deflate.
ExtFilterDefine traceafter \
cmd="/bin/tracefilter.pl /tmp/traceafter" \
EnableEnv=trace_this_client ftype=21
<Directory /usr/local/docs>
SetEnvIf Remote_Addr 192.168.1.31 trace_this_client
SetOutputFilter tracebefore;deflate;traceafter
 </Directory>

Here is the filter which traces the data:

#!/usr/local/bin/perl -w
use strict;

open(SAVE, ">$ARGV[0]")
or die "can't open $ARGV[0]: $?";
while (<STDIN>) {
print SAVE $_;
print $_;
 }

close(SAVE);

top

ExtFilterDefine Directive

Description:Define an external filter
Syntax:ExtFilterDefine filtername parameters
Context:server config
Status:Extension
Module:mod_ext_filter

The ExtFilterDefine directive defines the characteristics of an external filter, including the program to run and its arguments.

filtername specifies the name of the filter being defined. This name can then be used in SetOutputFilter directives. It must be unique among all registered filters. At the present time, no error is reported by the register-filter API, so a problem with duplicate names isn't reported to the user.

Subsequent parameters can appear in any order and define the external command to run and certain other characteristics. The only required parameter is cmd=. These parameters are:

cmd=cmdline
The cmd= keyword allows you to specify the external command to run. If there are arguments after the program name, the command line should be surrounded in quotation marks (e.g., cmd="/bin/mypgm arg1 arg2".) Normal shell quoting is not necessary since the program is run directly, bypassing the shell. Program arguments are blank-delimited. A backslash can be used to escape blanks which should be part of a program argument. Any backslashes which are part of the argument must be escaped with backslash themselves. In addition to the standard CGI environment variables, DOCUMENT_URI, DOCUMENT_PATH_INFO, and QUERY_STRING_UNESCAPED will also be set for the program.
mode=mode
Use mode=output (the default) for filters which process the response. Use mode=input for filters which process the request. mode=input is available in Apache 2.1 and later.
intype=imt
This parameter specifies the internet media type (i.e., MIME type) of documents which should be filtered. By default, all documents are filtered. If intype= is specified, the filter will be disabled for documents of other types.
outtype=imt
This parameter specifies the internet media type (i.e., MIME type) of filtered documents. It is useful when the filter changes the internet media type as part of the filtering operation. By default, the internet media type is unchanged.
PreservesContentLength
The PreservesContentLength keyword specifies that the filter preserves the content length. This is not the default, as most filters change the content length. In the event that the filter doesn't modify the length, this keyword should be specified.
ftype=filtertype
This parameter specifies the numeric value for filter type that the filter should be registered as. The default value, AP_FTYPE_RESOURCE, is sufficient in most cases. If the filter needs to operate at a different point in the filter chain than resource filters, then this parameter will be necessary. See the AP_FTYPE_foo definitions in util_filter.h for appropriate values.
disableenv=env
This parameter specifies the name of an environment variable which, if set, will disable the filter.
enableenv=env
This parameter specifies the name of an environment variable which must be set, or the filter will be disabled.
top

ExtFilterOptions Directive

Description:Configure mod_ext_filter options
Syntax:ExtFilterOptions option [option] ...
Default:ExtFilterOptions DebugLevel=0 NoLogStderr
Context:directory
Status:Extension
Module:mod_ext_filter

The ExtFilterOptions directive specifies special processing options for mod_ext_filter. Option can be one of

DebugLevel=n
The DebugLevel keyword allows you to specify the level of debug messages generated by mod_ext_filter. By default, no debug messages are generated. This is equivalent to DebugLevel=0. With higher numbers, more debug messages are generated, and server performance will be degraded. The actual meanings of the numeric values are described with the definitions of the DBGLVL_ constants near the beginning of mod_ext_filter.c.

Note: The core directive LogLevel should be used to cause debug messages to be stored in the Apache error log.

LogStderr | NoLogStderr
The LogStderr keyword specifies that messages written to standard error by the external filter program will be saved in the Apache error log. NoLogStderr disables this feature.
Onfail=[abort|remove] (new in httpd version 2.2.12).
Determines how to proceed if the external filter program cannot be started. With abort (the default value) the request will be aborted. With remove, the filter is removed and the request continues without it.

Example

ExtFilterOptions LogStderr DebugLevel=0

Messages written to the filter's standard error will be stored in the Apache error log. No debug messages will be generated by mod_ext_filter.

mod/mod_file_cache.html100644 0 0 27402 11256637772 12620 0ustar 0 0 mod_file_cache - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_file_cache

Description:Caches a static list of files in memory
Status:Experimental
Module Identifier:file_cache_module
Source File:mod_file_cache.c

Summary

This module should be used with care. You can easily create a broken site using mod_file_cache, so read this document carefully.

Caching frequently requested files that change very infrequently is a technique for reducing server load. mod_file_cache provides two techniques for caching frequently requested static files. Through configuration directives, you can direct mod_file_cache to either open then mmap() a file, or to pre-open a file and save the file's open file handle. Both techniques reduce server load when processing requests for these files by doing part of the work (specifically, the file I/O) for serving the file when the server is started rather than during each request.

Notice: You cannot use this for speeding up CGI programs or other files which are served by special content handlers. It can only be used for regular files which are usually served by the Apache core content handler.

This module is an extension of and borrows heavily from the mod_mmap_static module in Apache 1.3.

top

Using mod_file_cache

mod_file_cache caches a list of statically configured files via MMapFile or CacheFile directives in the main server configuration.

Not all platforms support both directives. You will receive an error message in the server error log if you attempt to use an unsupported directive. If given an unsupported directive, the server will start but the file will not be cached. On platforms that support both directives, you should experiment with both to see which works best for you.

MMapFile Directive

The MMapFile directive of mod_file_cache maps a list of statically configured files into memory through the system call mmap(). This system call is available on most modern Unix derivates, but not on all. There are sometimes system-specific limits on the size and number of files that can be mmap()ed, experimentation is probably the easiest way to find out.

This mmap()ing is done once at server start or restart, only. So whenever one of the mapped files changes on the filesystem you have to restart the server (see the Stopping and Restarting documentation). To reiterate that point: if the files are modified in place without restarting the server you may end up serving requests that are completely bogus. You should update files by unlinking the old copy and putting a new copy in place. Most tools such as rdist and mv do this. The reason why this modules doesn't take care of changes to the files is that this check would need an extra stat() every time which is a waste and against the intent of I/O reduction.

CacheFile Directive

The CacheFile directive of mod_file_cache opens an active handle or file descriptor to the file (or files) listed in the configuration directive and places these open file handles in the cache. When the file is requested, the server retrieves the handle from the cache and passes it to the sendfile() (or TransmitFile() on Windows), socket API.

This file handle caching is done once at server start or restart, only. So whenever one of the cached files changes on the filesystem you have to restart the server (see the Stopping and Restarting documentation). To reiterate that point: if the files are modified in place without restarting the server you may end up serving requests that are completely bogus. You should update files by unlinking the old copy and putting a new copy in place. Most tools such as rdist and mv do this.

Note

Don't bother asking for a directive which recursively caches all the files in a directory. Try this instead... See the Include directive, and consider this command:

find /www/htdocs -type f -print \
| sed -e 's/.*/mmapfile &/' > /www/conf/mmap.conf

top

CacheFile Directive

Description:Cache a list of file handles at startup time
Syntax:CacheFile file-path [file-path] ...
Context:server config
Status:Experimental
Module:mod_file_cache

The CacheFile directive opens handles to one or more files (given as whitespace separated arguments) and places these handles into the cache at server startup time. Handles to cached files are automatically closed on a server shutdown. When the files have changed on the filesystem, the server should be restarted to re-cache them.

Be careful with the file-path arguments: They have to literally match the filesystem path Apache's URL-to-filename translation handlers create. We cannot compare inodes or other stuff to match paths through symbolic links etc. because that again would cost extra stat() system calls which is not acceptable. This module may or may not work with filenames rewritten by mod_alias or mod_rewrite.

Example

CacheFile /usr/local/apache/htdocs/index.html

top

MMapFile Directive

Description:Map a list of files into memory at startup time
Syntax:MMapFile file-path [file-path] ...
Context:server config
Status:Experimental
Module:mod_file_cache

The MMapFile directive maps one or more files (given as whitespace separated arguments) into memory at server startup time. They are automatically unmapped on a server shutdown. When the files have changed on the filesystem at least a HUP or USR1 signal should be send to the server to re-mmap() them.

Be careful with the file-path arguments: They have to literally match the filesystem path Apache's URL-to-filename translation handlers create. We cannot compare inodes or other stuff to match paths through symbolic links etc. because that again would cost extra stat() system calls which is not acceptable. This module may or may not work with filenames rewritten by mod_alias or mod_rewrite.

Example

MMapFile /usr/local/apache/htdocs/index.html

mod/mod_filter.html100644 0 0 61465 11256637772 12052 0ustar 0 0 mod_filter - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_filter

Description:Context-sensitive smart filter configuration module
Status:Base
Module Identifier:filter_module
Source File:mod_filter.c
Compatibility:Version 2.1 and later

Summary

This module enables smart, context-sensitive configuration of output content filters. For example, apache can be configured to process different content-types through different filters, even when the content-type is not known in advance (e.g. in a proxy).

mod_filter works by introducing indirection into the filter chain. Instead of inserting filters in the chain, we insert a filter harness which in turn dispatches conditionally to a filter provider. Any content filter may be used as a provider to mod_filter; no change to existing filter modules is required (although it may be possible to simplify them).

top

Smart Filtering

In the traditional filtering model, filters are inserted unconditionally using AddOutputFilter and family. Each filter then needs to determine whether to run, and there is little flexibility available for server admins to allow the chain to be configured dynamically.

mod_filter by contrast gives server administrators a great deal of flexibility in configuring the filter chain. In fact, filters can be inserted based on any Request Header, Response Header or Environment Variable. This generalises the limited flexibility offered by AddOutputFilterByType, and fixes it to work correctly with dynamic content, regardless of the content generator. The ability to dispatch based on Environment Variables offers the full flexibility of configuration with mod_rewrite to anyone who needs it.

top

Filter Declarations, Providers and Chains

[This image displays the traditional filter model]
Figure 1: The traditional filter model

In the traditional model, output filters are a simple chain from the content generator (handler) to the client. This works well provided the filter chain can be correctly configured, but presents problems when the filters need to be configured dynamically based on the outcome of the handler.

[This image shows the mod_filter model]
Figure 2: The mod_filter model

mod_filter works by introducing indirection into the filter chain. Instead of inserting filters in the chain, we insert a filter harness which in turn dispatches conditionally to a filter provider. Any content filter may be used as a provider to mod_filter; no change to existing filter modules is required (although it may be possible to simplify them). There can be multiple providers for one filter, but no more than one provider will run for any single request.

A filter chain comprises any number of instances of the filter harness, each of which may have any number of providers. A special case is that of a single provider with unconditional dispatch: this is equivalent to inserting the provider filter directly into the chain.

top

Configuring the Chain

There are three stages to configuring a filter chain with mod_filter. For details of the directives, see below.

Declare Filters
The FilterDeclare directive declares a filter, assigning it a name and filter type. Required only if the filter is not the default type AP_FTYPE_RESOURCE.
Register Providers
The FilterProvider directive registers a provider with a filter. The filter may have been declared with FilterDeclare; if not, FilterProvider will implicitly declare it with the default type AP_FTYPE_RESOURCE. The provider must have been registered with ap_register_output_filter by some module. The remaining arguments to FilterProvider are a dispatch criterion and a match string. The former may be an HTTP request or response header, an environment variable, or the Handler used by this request. The latter is matched to it for each request, to determine whether this provider will be used to implement the filter for this request.
Configure the Chain
The above directives build components of a smart filter chain, but do not configure it to run. The FilterChain directive builds a filter chain from smart filters declared, offering the flexibility to insert filters at the beginning or end of the chain, remove a filter, or clear the chain.
top

Examples

Server side Includes (SSI)
A simple case of using mod_filter in place of AddOutputFilterByType

FilterDeclare SSI
FilterProvider SSI INCLUDES resp=Content-Type $text/html
FilterChain SSI

Server side Includes (SSI)
The same as the above but dispatching on handler (classic SSI behaviour; .shtml files get processed).

FilterProvider SSI INCLUDES Handler server-parsed
FilterChain SSI

Emulating mod_gzip with mod_deflate
Insert INFLATE filter only if "gzip" is NOT in the Accept-Encoding header. This filter runs with ftype CONTENT_SET.

FilterDeclare gzip CONTENT_SET
FilterProvider gzip inflate req=Accept-Encoding !$gzip
FilterChain gzip

Image Downsampling
Suppose we want to downsample all web images, and have filters for GIF, JPEG and PNG.

FilterProvider unpack jpeg_unpack Content-Type $image/jpeg
FilterProvider unpack gif_unpack Content-Type $image/gif
FilterProvider unpack png_unpack Content-Type $image/png

FilterProvider downsample downsample_filter Content-Type $image
FilterProtocol downsample "change=yes"

FilterProvider repack jpeg_pack Content-Type $image/jpeg
FilterProvider repack gif_pack Content-Type $image/gif
FilterProvider repack png_pack Content-Type $image/png
<Location /image-filter>
FilterChain unpack downsample repack
 </Location>

top

Protocol Handling

Historically, each filter is responsible for ensuring that whatever changes it makes are correctly represented in the HTTP response headers, and that it does not run when it would make an illegal change. This imposes a burden on filter authors to re-implement some common functionality in every filter:

  • Many filters will change the content, invalidating existing content tags, checksums, hashes, and lengths.
  • Filters that require an entire, unbroken response in input need to ensure they don't get byteranges from a backend.
  • Filters that transform output in a filter need to ensure they don't violate a Cache-Control: no-transform header from the backend.
  • Filters may make responses uncacheable.

mod_filter aims to offer generic handling of these details of filter implementation, reducing the complexity required of content filter modules. This is work-in-progress; the FilterProtocol implements some of this functionality for back-compatibility with Apache 2.0 modules. For httpd 2.1 and later, the ap_register_output_filter_protocol and ap_filter_protocol API enables filter modules to declare their own behaviour.

At the same time, mod_filter should not interfere with a filter that wants to handle all aspects of the protocol. By default (i.e. in the absence of any FilterProtocol directives), mod_filter will leave the headers untouched.

At the time of writing, this feature is largely untested, as modules in common use are designed to work with 2.0. Modules using it should test it carefully.

top

FilterChain Directive

Description:Configure the filter chain
Syntax:FilterChain [+=-@!]filter-name ...
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Base
Module:mod_filter

This configures an actual filter chain, from declared filters. FilterChain takes any number of arguments, each optionally preceded with a single-character control that determines what to do:

+filter-name
Add filter-name to the end of the filter chain
@filter-name
Insert filter-name at the start of the filter chain
-filter-name
Remove filter-name from the filter chain
=filter-name
Empty the filter chain and insert filter-name
!
Empty the filter chain
filter-name
Equivalent to +filter-name
top

FilterDeclare Directive

Description:Declare a smart filter
Syntax:FilterDeclare filter-name [type]
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Base
Module:mod_filter

This directive declares an output filter together with a header or environment variable that will determine runtime configuration. The first argument is a filter-name for use in FilterProvider, FilterChain and FilterProtocol directives.

The final (optional) argument is the type of filter, and takes values of ap_filter_type - namely RESOURCE (the default), CONTENT_SET, PROTOCOL, TRANSCODE, CONNECTION or NETWORK.

top

FilterProtocol Directive

Description:Deal with correct HTTP protocol handling
Syntax:FilterProtocol filter-name [provider-name] proto-flags
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Base
Module:mod_filter

This directs mod_filter to deal with ensuring the filter doesn't run when it shouldn't, and that the HTTP response headers are correctly set taking into account the effects of the filter.

There are two forms of this directive. With three arguments, it applies specifically to a filter-name and a provider-name for that filter. With two arguments it applies to a filter-name whenever the filter runs any provider.

proto-flags is one or more of

change=yes
The filter changes the content, including possibly the content length
change=1:1
The filter changes the content, but will not change the content length
byteranges=no
The filter cannot work on byteranges and requires complete input
proxy=no
The filter should not run in a proxy context
proxy=transform
The filter transforms the response in a manner incompatible with the HTTP Cache-Control: no-transform header.
cache=no
The filter renders the output uncacheable (eg by introducing randomised content changes)
top

FilterProvider Directive

Description:Register a content filter
Syntax:FilterProvider filter-name provider-name [req|resp|env]=dispatch match
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Base
Module:mod_filter

This directive registers a provider for the smart filter. The provider will be called if and only if the match declared here matches the value of the header or environment variable declared as dispatch.

provider-name must have been registered by loading a module that registers the name with ap_register_output_filter.

The dispatch argument is a string with optional req=, resp= or env= prefix causing it to dispatch on (respectively) the request header, response header, or environment variable named. In the absence of a prefix, it defaults to a response header. A special case is the word handler, which causes mod_filter to dispatch on the content handler.

The match argument specifies a match that will be applied to the filter's dispatch criterion. The match may be a string match (exact match or substring), a regex, an integer (greater, lessthan or equals), or unconditional. The first characters of the match argument determines this:

First, if the first character is an exclamation mark (!), this reverses the rule, so the provider will be used if and only if the match fails.

Second, it interprets the first character excluding any leading ! as follows:

CharacterDescription
(none)exact match
$substring match
/regex match (delimited by a second /)
=integer equality
<integer less-than
<=integer less-than or equal
>integer greater-than
>=integer greater-than or equal
*Unconditional match
top

FilterTrace Directive

Description:Get debug/diagnostic information from mod_filter
Syntax:FilterTrace filter-name level
Context:server config, virtual host, directory
Status:Base
Module:mod_filter

This directive generates debug information from mod_filter. It is designed to help test and debug providers (filter modules), although it may also help with mod_filter itself.

The debug output depends on the level set:

0 (default)
No debug information is generated.
1
mod_filter will record buckets and brigades passing through the filter to the error log, before the provider has processed them. This is similar to the information generated by mod_diagnostics.
2 (not yet implemented)
Will dump the full data passing through to a tempfile before the provider. For single-user debug only; this will not support concurrent hits.
mod/mod_headers.html100644 0 0 55320 11256637772 12171 0ustar 0 0 mod_headers - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_headers

Description:Customization of HTTP request and response headers
Status:Extension
Module Identifier:headers_module
Source File:mod_headers.c

Summary

This module provides directives to control and modify HTTP request and response headers. Headers can be merged, replaced or removed.

top

Order of Processing

The directives provided by mod_headers can occur almost anywhere within the server configuration, and can be limited in scope by enclosing them in configuration sections.

Order of processing is important and is affected both by the order in the configuration file and by placement in configuration sections. These two directives have a different effect if reversed:

RequestHeader append MirrorID "mirror 12"
RequestHeader unset MirrorID

This way round, the MirrorID header is not set. If reversed, the MirrorID header is set to "mirror 12".

top

Early and Late Processing

mod_headers can be applied either early or late in the request. The normal mode is late, when Request Headers are set immediately before running the content generator and Response Headers just as the response is sent down the wire. Always use Late mode in an operational server.

Early mode is designed as a test/debugging aid for developers. Directives defined using the early keyword are set right at the beginning of processing the request. This means they can be used to simulate different requests and set up test cases, but it also means that headers may be changed at any time by other modules before generating a Response.

Because early directives are processed before the request path's configuration is traversed, early headers can only be set in a main server or virtual host context. Early directives cannot depend on a request path, so they will fail in contexts such as <Directory> or <Location>.

top

Examples

  1. Copy all request headers that begin with "TS" to the response headers:

    Header echo ^TS

  2. Add a header, MyHeader, to the response including a timestamp for when the request was received and how long it took to begin serving the request. This header can be used by the client to intuit load on the server or in isolating bottlenecks between the client and the server.

    Header set MyHeader "%D %t"

    results in this header being added to the response:

    MyHeader: D=3775428 t=991424704447256

  3. Say hello to Joe

    Header set MyHeader "Hello Joe. It took %D microseconds \
    for Apache to serve this request."

    results in this header being added to the response:

    MyHeader: Hello Joe. It took D=3775428 microseconds for Apache to serve this request.

  4. Conditionally send MyHeader on the response if and only if header MyRequestHeader is present on the request. This is useful for constructing headers in response to some client stimulus. Note that this example requires the services of the mod_setenvif module.

    SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader
    Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader

    If the header MyRequestHeader: myvalue is present on the HTTP request, the response will contain the following header:

    MyHeader: D=3775428 t=991424704447256 mytext

  5. Enable DAV to work with Apache running HTTP through SSL hardware (problem description) by replacing https: with http: in the Destination header:

    RequestHeader edit Destination ^https: http: early

  6. Set the same header value under multiple non-exclusive conditions, but do not duplicate the value in the final header. If all of the following conditions applied to a request (i.e., if the CGI, NO_CACHE and NO_STORE environment variables all existed for the request):

    Header merge Cache-Control no-cache env=CGI
    Header merge Cache-Control no-cache env=NO_CACHE
    Header merge Cache-Control no-store env=NO_STORE

    then the response would contain the following header:

    Cache-Control: no-cache, no-store

    If append was used instead of merge, then the response would contain the following header:

    Cache-Control: no-cache, no-cache, no-store

top

Header Directive

Description:Configure HTTP response headers
Syntax:Header [condition] set|append|merge|add|unset|echo|edit header [value] [early|env=[!]variable]
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_headers
Compatibility:The merge argument is available in version 2.2.9 and later. The edit argument is available in version 2.2.4 and later.

This directive can replace, merge or remove HTTP response headers. The header is modified just after the content handler and output filters are run, allowing outgoing headers to be modified.

The optional condition can be either onsuccess or always. It determines, which internal header table should be operated on. onsuccess stands for 2xx status codes and always for all status codes (including 2xx). Especially if you want to unset headers set by certain modules, you should try out, which table is affected.

The action it performs is determined by the second argument. This can be one of the following values:

set
The response header is set, replacing any previous header with this name. The value may be a format string.
append
The response header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.
merge
The response header is appended to any existing header of the same name, unless the value to be appended already appears in the header's comma-delimited list of values. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values. Values are compared in a case sensitive manner, and after all format specifiers have been processed. Values in double quotes are considered different from otherwise identical unquoted values. Available in version 2.2.9 and later.
add
The response header is added to the existing set of headers, even if this header already exists. This can result in two (or more) headers having the same name. This can lead to unforeseen consequences, and in general set, append or merge should be used instead.
unset
The response header of this name is removed, if it exists. If there are multiple headers of the same name, all will be removed. value must be omitted.
echo
Request headers with this name are echoed back in the response headers. header may be a regular expression. value must be omitted.
edit
If this request header exists, its value is transformed according to a regular expression search-and-replace. The value argument is a regular expression, and the replacement is a replacement string, which may contain backreferences. Available in version 2.2.4 and later.

This argument is followed by a header name, which can include the final colon, but it is not required. Case is ignored for set, append, merge, add, unset and edit. The header name for echo is case sensitive and may be a regular expression.

For set, append, merge and add a value is specified as the third argument. If value contains spaces, it should be surrounded by double quotes. value may be a character string, a string containing format specifiers or a combination of both. The following format specifiers are supported in value:

FormatDescription
%% The percent sign
%t The time the request was received in Universal Coordinated Time since the epoch (Jan. 1, 1970) measured in microseconds. The value is preceded by t=.
%D The time from when the request was received to the time the headers are sent on the wire. This is a measure of the duration of the request. The value is preceded by D=. The value is measured in microseconds.
%{FOOBAR}e The contents of the environment variable FOOBAR.
%{FOOBAR}s The contents of the SSL environment variable FOOBAR, if mod_ssl is enabled.

Note

The %s format specifier is only available in Apache 2.1 and later; it can be used instead of %e to avoid the overhead of enabling SSLOptions +StdEnvVars. If SSLOptions +StdEnvVars must be enabled anyway for some other reason, %e will be more efficient than %s.

For edit there is both a value argument which is a regular expression, and an additional replacement string.

The Header directive may be followed by an an additional argument, which may be used to specify conditions under which the action will be taken, or may be the keyword early to specify early processing. If the environment variable specified in the env=... argument exists (or if the environment variable does not exist and env=!... is specified) then the action specified by the Header directive will take effect. Otherwise, the directive will have no effect on the request.

Except in early mode, the Header directives are processed just before the response is sent to the network. These means that it is possible to set and/or override most headers, except for those headers added by the header filter.

top

RequestHeader Directive

Description:Configure HTTP request headers
Syntax:RequestHeader set|append|merge|add|unset|edit header [value] [replacement] [early|env=[!]variable]
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_headers
Compatibility:The merge argument is available in version 2.2.9 and later. The edit argument is available in version 2.2.4 and later.

This directive can replace, merge, change or remove HTTP request headers. The header is modified just before the content handler is run, allowing incoming headers to be modified. The action it performs is determined by the first argument. This can be one of the following values:

set
The request header is set, replacing any previous header with this name
append
The request header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.
merge
The response header is appended to any existing header of the same name, unless the value to be appended already appears in the existing header's comma-delimited list of values. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values. Values are compared in a case sensitive manner, and after all format specifiers have been processed. Values in double quotes are considered different from otherwise identical unquoted values. Available in version 2.2.9 and later.
add
The request header is added to the existing set of headers, even if this header already exists. This can result in two (or more) headers having the same name. This can lead to unforeseen consequences, and in general set, append or merge should be used instead.
unset
The request header of this name is removed, if it exists. If there are multiple headers of the same name, all will be removed. value must be omitted.
edit
If this request header exists, its value is transformed according to a regular expression search-and-replace. The value argument is a regular expression, and the replacement is a replacement string, which may contain backreferences. Available in version 2.2.4 and later.

This argument is followed by a header name, which can include the final colon, but it is not required. Case is ignored. For set, append, merge and add a value is given as the third argument. If a value contains spaces, it should be surrounded by double quotes. For unset, no value should be given. value may be a character string, a string containing format specifiers or a combination of both. The supported format specifiers are the same as for the Header, please have a look there for details. For edit both a value and a replacement are required, and are a regular expression and a replacement string respectively.

The RequestHeader directive may be followed by an additional argument, which may be used to specify conditions under which the action will be taken, or may be the keyword early to specify early processing. If the environment variable specified in the env=... argument exists (or if the environment variable does not exist and env=!... is specified) then the action specified by the RequestHeader directive will take effect. Otherwise, the directive will have no effect on the request.

Except in early mode, the RequestHeader directive is processed just before the request is run by its handler in the fixup phase. This should allow headers generated by the browser, or by Apache input filters to be overridden or modified.

mod/mod_ident.html100644 0 0 14315 11256637772 11660 0ustar 0 0 mod_ident - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_ident

Description:RFC 1413 ident lookups
Status:Extension
Module Identifier:ident_module
Source File:mod_ident.c
Compatibility:Available in Apache 2.1 and later

Summary

This module queries an RFC 1413 compatible daemon on a remote host to look up the owner of a connection.

top

IdentityCheck Directive

Description:Enables logging of the RFC 1413 identity of the remote user
Syntax:IdentityCheck On|Off
Default:IdentityCheck Off
Context:server config, virtual host, directory
Status:Extension
Module:mod_ident
Compatibility:Moved out of core in Apache 2.1

This directive enables RFC 1413-compliant logging of the remote user name for each connection, where the client machine runs identd or something similar. This information is logged in the access log using the %...l format string.

The information should not be trusted in any way except for rudimentary usage tracking.

Note that this can cause serious latency problems accessing your server since every request requires one of these lookups to be performed. When firewalls or proxy servers are involved, each lookup might possibly fail and add a latency duration as defined by the IdentityCheckTimeout directive to each hit. So in general this is not very useful on public servers accessible from the Internet.

top

IdentityCheckTimeout Directive

Description:Determines the timeout duration for ident requests
Syntax:IdentityCheckTimeout seconds
Default:IdentityCheckTimeout 30
Context:server config, virtual host, directory
Status:Extension
Module:mod_ident

This directive specifies the timeout duration of an ident request. The default value of 30 seconds is recommended by RFC 1413, mainly because of possible network latency. However, you may want to adjust the timeout value according to your local network speed.

mod/mod_imagemap.html100644 0 0 43020 11256637772 12330 0ustar 0 0 mod_imagemap - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_imagemap

Description:Server-side imagemap processing
Status:Base
Module Identifier:imagemap_module
Source File:mod_imagemap.c

Summary

This module processes .map files, thereby replacing the functionality of the imagemap CGI program. Any directory or document type configured to use the handler imap-file (using either AddHandler or SetHandler) will be processed by this module.

The following directive will activate files ending with .map as imagemap files:

AddHandler imap-file map

Note that the following is still supported:

AddType application/x-httpd-imap map

However, we are trying to phase out "magic MIME types" so we are deprecating this method.

top

New Features

The imagemap module adds some new features that were not possible with previously distributed imagemap programs.

  • URL references relative to the Referer: information.
  • Default <base> assignment through a new map directive base.
  • No need for imagemap.conf file.
  • Point references.
  • Configurable generation of imagemap menus.
top

Imagemap File

The lines in the imagemap files can have one of several formats:

directive value [x,y ...]
directive value "Menu text" [x,y ...]
directive value x,y ... "Menu text"

The directive is one of base, default, poly, circle, rect, or point. The value is an absolute or relative URL, or one of the special values listed below. The coordinates are x,y pairs separated by whitespace. The quoted text is used as the text of the link if a imagemap menu is generated. Lines beginning with '#' are comments.

Imagemap File Directives

There are six directives allowed in the imagemap file. The directives can come in any order, but are processed in the order they are found in the imagemap file.

base Directive

Has the effect of <base href="value"> . The non-absolute URLs of the map-file are taken relative to this value. The base directive overrides ImapBase as set in a .htaccess file or in the server configuration files. In the absence of an ImapBase configuration directive, base defaults to http://server_name/.

base_uri is synonymous with base. Note that a trailing slash on the URL is significant.

default Directive
The action taken if the coordinates given do not fit any of the poly, circle or rect directives, and there are no point directives. Defaults to nocontent in the absence of an ImapDefault configuration setting, causing a status code of 204 No Content to be returned. The client should keep the same page displayed.
poly Directive
Takes three to one-hundred points, and is obeyed if the user selected coordinates fall within the polygon defined by these points.
circle
Takes the center coordinates of a circle and a point on the circle. Is obeyed if the user selected point is with the circle.
rect Directive
Takes the coordinates of two opposing corners of a rectangle. Obeyed if the point selected is within this rectangle.
point Directive
Takes a single point. The point directive closest to the user selected point is obeyed if no other directives are satisfied. Note that default will not be followed if a point directive is present and valid coordinates are given.

Values

The values for each of the directives can be any of the following:

a URL

The URL can be relative or absolute URL. Relative URLs can contain '..' syntax and will be resolved relative to the base value.

base itself will not be resolved according to the current value. A statement base mailto: will work properly, though.

map
Equivalent to the URL of the imagemap file itself. No coordinates are sent with this, so a menu will be generated unless ImapMenu is set to none.
menu
Synonymous with map.
referer
Equivalent to the URL of the referring document. Defaults to http://servername/ if no Referer: header was present.
nocontent
Sends a status code of 204 No Content, telling the client to keep the same page displayed. Valid for all but base.
error
Fails with a 500 Server Error. Valid for all but base, but sort of silly for anything but default.

Coordinates

0,0 200,200
A coordinate consists of an x and a y value separated by a comma. The coordinates are separated from each other by whitespace. To accommodate the way Lynx handles imagemaps, should a user select the coordinate 0,0, it is as if no coordinate had been selected.

Quoted Text

"Menu Text"

After the value or after the coordinates, the line optionally may contain text within double quotes. This string is used as the text for the link if a menu is generated:

<a href="http://example.com/">Menu text</a>

If no quoted text is present, the name of the link will be used as the text:

<a href="http://example.com/">http://example.com</a>

If you want to use double quotes within this text, you have to write them as &quot;.

top

Example Mapfile

#Comments are printed in a 'formatted' or 'semiformatted' menu.
#And can contain html tags. <hr>
base referer
poly map "Could I have a menu, please?" 0,0 0,10 10,10 10,0
rect .. 0,0 77,27 "the directory of the referer"
circle http://www.inetnebr.example.com/lincoln/feedback/ 195,0 305,27
rect another_file "in same directory as referer" 306,0 419,27
point http://www.zyzzyva.example.com/ 100,100
point http://www.tripod.example.com/ 200,200
rect mailto:nate@tripod.example.com 100,150 200,0 "Bugs?"

top

Referencing your mapfile

HTML example

<a href="/maps/imagemap1.map">
<img ismap src="/images/imagemap1.gif">
 </a>

XHTML example

<a href="/maps/imagemap1.map">
<img ismap="ismap" src="/images/imagemap1.gif" />
 </a>

top

ImapBase Directive

Description:Default base for imagemap files
Syntax:ImapBase map|referer|URL
Default:ImapBase http://servername/
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_imagemap

The ImapBase directive sets the default base used in the imagemap files. Its value is overridden by a base directive within the imagemap file. If not present, the base defaults to http://servername/.

See also

top

ImapDefault Directive

Description:Default action when an imagemap is called with coordinates that are not explicitly mapped
Syntax:ImapDefault error|nocontent|map|referer|URL
Default:ImapDefault nocontent
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_imagemap

The ImapDefault directive sets the default default used in the imagemap files. Its value is overridden by a default directive within the imagemap file. If not present, the default action is nocontent, which means that a 204 No Content is sent to the client. In this case, the client should continue to display the original page.

top

ImapMenu Directive

Description:Action if no coordinates are given when calling an imagemap
Syntax:ImapMenu none|formatted|semiformatted|unformatted
Context:server config, virtual host, directory, .htaccess
Override:Indexes
Status:Base
Module:mod_imagemap

The ImapMenu directive determines the action taken if an imagemap file is called without valid coordinates.

none
If ImapMenu is none, no menu is generated, and the default action is performed.
formatted
A formatted menu is the simplest menu. Comments in the imagemap file are ignored. A level one header is printed, then an hrule, then the links each on a separate line. The menu has a consistent, plain look close to that of a directory listing.
semiformatted
In the semiformatted menu, comments are printed where they occur in the imagemap file. Blank lines are turned into HTML breaks. No header or hrule is printed, but otherwise the menu is the same as a formatted menu.
unformatted
Comments are printed, blank lines are ignored. Nothing is printed that does not appear in the imagemap file. All breaks and headers must be included as comments in the imagemap file. This gives you the most flexibility over the appearance of your menus, but requires you to treat your map files as HTML instead of plaintext.
mod/mod_include.html100644 0 0 126034 11256637772 12222 0ustar 0 0 mod_include - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_include

Description:Server-parsed html documents (Server Side Includes)
Status:Base
Module Identifier:include_module
Source File:mod_include.c
Compatibility:Implemented as an output filter since Apache 2.0

Summary

This module provides a filter which will process files before they are sent to the client. The processing is controlled by specially formatted SGML comments, referred to as elements. These elements allow conditional text, the inclusion of other files or programs, as well as the setting and printing of environment variables.

top

Enabling Server-Side Includes

Server Side Includes are implemented by the INCLUDES filter. If documents containing server-side include directives are given the extension .shtml, the following directives will make Apache parse them and assign the resulting document the mime type of text/html:

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

The following directive must be given for the directories containing the shtml files (typically in a <Directory> section, but this directive is also valid in .htaccess files if AllowOverride Options is set):

Options +Includes

For backwards compatibility, the server-parsed handler also activates the INCLUDES filter. As well, Apache will activate the INCLUDES filter for any document with mime type text/x-server-parsed-html or text/x-server-parsed-html3 (and the resulting output will have the mime type text/html).

For more information, see our Tutorial on Server Side Includes.

top

PATH_INFO with Server Side Includes

Files processed for server-side includes no longer accept requests with PATH_INFO (trailing pathname information) by default. You can use the AcceptPathInfo directive to configure the server to accept requests with PATH_INFO.

top

Basic Elements

The document is parsed as an HTML document, with special commands embedded as SGML comments. A command has the syntax:

<!--#element attribute=value attribute=value ... -->

The value will often be enclosed in double quotes, but single quotes (') and backticks (`) are also possible. Many commands only allow a single attribute-value pair. Note that the comment terminator (-->) should be preceded by whitespace to ensure that it isn't considered part of an SSI token. Note that the leading <!--# is one token and may not contain any whitespaces.

The allowed elements are listed in the following table:

ElementDescription
config configure output formats
echo print variables
exec execute external programs
fsize print size of a file
flastmod print last modification time of a file
include include a file
printenv print all available variables
set set a value of a variable

SSI elements may be defined by modules other than mod_include. In fact, the exec element is provided by mod_cgi, and will only be available if this module is loaded.

The config Element

This command controls various aspects of the parsing. The valid attributes are:

echomsg (Apache 2.1 and later)
The value is a message that is sent back to the client if the echo element attempts to echo an undefined variable. This overrides any SSIUndefinedEcho directives.
errmsg
The value is a message that is sent back to the client if an error occurs while parsing the document. This overrides any SSIErrorMsg directives.
sizefmt
The value sets the format to be used when displaying the size of a file. Valid values are bytes for a count in bytes, or abbrev for a count in Kb or Mb as appropriate, for example a size of 1024 bytes will be printed as "1K".
timefmt
The value is a string to be used by the strftime(3) library routine when printing dates.

The echo Element

This command prints one of the include variables defined below. If the variable is unset, the result is determined by the SSIUndefinedEcho directive. Any dates printed are subject to the currently configured timefmt.

Attributes:

var
The value is the name of the variable to print.
encoding

Specifies how Apache should encode special characters contained in the variable before outputting them. If set to none, no encoding will be done. If set to url, then URL encoding (also known as %-encoding; this is appropriate for use within URLs in links, etc.) will be performed. At the start of an echo element, the default is set to entity, resulting in entity encoding (which is appropriate in the context of a block-level HTML element, e.g. a paragraph of text). This can be changed by adding an encoding attribute, which will remain in effect until the next encoding attribute is encountered or the element ends, whichever comes first.

The encoding attribute must precede the corresponding var attribute to be effective, and only special characters as defined in the ISO-8859-1 character encoding will be encoded. This encoding process may not have the desired result if a different character encoding is in use.

In order to avoid cross-site scripting issues, you should always encode user supplied data.

The exec Element

The exec command executes a given shell command or CGI script. It requires mod_cgi to be present in the server. If Options IncludesNOEXEC is set, this command is completely disabled. The valid attributes are:

cgi

The value specifies a (%-encoded) URL-path to the CGI script. If the path does not begin with a slash (/), then it is taken to be relative to the current document. The document referenced by this path is invoked as a CGI script, even if the server would not normally recognize it as such. However, the directory containing the script must be enabled for CGI scripts (with ScriptAlias or Options ExecCGI).

The CGI script is given the PATH_INFO and query string (QUERY_STRING) of the original request from the client; these cannot be specified in the URL path. The include variables will be available to the script in addition to the standard CGI environment.

Example

<!--#exec cgi="/cgi-bin/example.cgi" -->

If the script returns a Location: header instead of output, then this will be translated into an HTML anchor.

The include virtual element should be used in preference to exec cgi. In particular, if you need to pass additional arguments to a CGI program, using the query string, this cannot be done with exec cgi, but can be done with include virtual, as shown here:

<!--#include virtual="/cgi-bin/example.cgi?argument=value" -->

cmd

The server will execute the given string using /bin/sh. The include variables are available to the command, in addition to the usual set of CGI variables.

The use of #include virtual is almost always prefered to using either #exec cgi or #exec cmd. The former (#include virtual) uses the standard Apache sub-request mechanism to include files or scripts. It is much better tested and maintained.

In addition, on some platforms, like Win32, and on unix when using suexec, you cannot pass arguments to a command in an exec directive, or otherwise include spaces in the command. Thus, while the following will work under a non-suexec configuration on unix, it will not produce the desired result under Win32, or when running suexec:

<!--#exec cmd="perl /path/to/perlscript arg1 arg2" -->

The fsize Element

This command prints the size of the specified file, subject to the sizefmt format specification. Attributes:

file
The value is a path relative to the directory containing the current document being parsed.
virtual
The value is a (%-encoded) URL-path. If it does not begin with a slash (/) then it is taken to be relative to the current document. Note, that this does not print the size of any CGI output, but the size of the CGI script itself.

The flastmod Element

This command prints the last modification date of the specified file, subject to the timefmt format specification. The attributes are the same as for the fsize command.

The include Element

This command inserts the text of another document or file into the parsed file. Any included file is subject to the usual access control. If the directory containing the parsed file has Options IncludesNOEXEC set, then only documents with a text MIME-type (text/plain, text/html etc.) will be included. Otherwise CGI scripts are invoked as normal using the complete URL given in the command, including any query string.

An attribute defines the location of the document; the inclusion is done for each attribute given to the include command. The valid attributes are:

file
The value is a path relative to the directory containing the current document being parsed. It cannot contain ../, nor can it be an absolute path. Therefore, you cannot include files that are outside of the document root, or above the current document in the directory structure. The virtual attribute should always be used in preference to this one.
virtual

The value is a (%-encoded) URL-path. The URL cannot contain a scheme or hostname, only a path and an optional query string. If it does not begin with a slash (/) then it is taken to be relative to the current document.

A URL is constructed from the attribute, and the output the server would return if the URL were accessed by the client is included in the parsed output. Thus included files can be nested.

If the specified URL is a CGI program, the program will be executed and its output inserted in place of the directive in the parsed file. You may include a query string in a CGI url:

<!--#include virtual="/cgi-bin/example.cgi?argument=value" -->

include virtual should be used in preference to exec cgi to include the output of CGI programs into an HTML document.

The printenv Element

This prints out a listing of all existing variables and their values. Special characters are entity encoded (see the echo element for details) before being output. There are no attributes.

Example

<!--#printenv -->

The set Element

This sets the value of a variable. Attributes:

var
The name of the variable to set.
value
The value to give a variable.

Example

<!--#set var="category" value="help" -->

top

Include Variables

In addition to the variables in the standard CGI environment, these are available for the echo command, for if and elif, and to any program invoked by the document.

DATE_GMT
The current date in Greenwich Mean Time.
DATE_LOCAL
The current date in the local time zone.
DOCUMENT_NAME
The filename (excluding directories) of the document requested by the user.
DOCUMENT_URI
The (%-decoded) URL path of the document requested by the user. Note that in the case of nested include files, this is not the URL for the current document. Note also that if the URL is modified internally (e.g. by an alias or directoryindex), the modified URL is shown.
LAST_MODIFIED
The last modification date of the document requested by the user.
QUERY_STRING_UNESCAPED
If a query string is present, this variable contains the (%-decoded) query string, which is escaped for shell usage (special characters like & etc. are preceded by backslashes).
top

Variable Substitution

Variable substitution is done within quoted strings in most cases where they may reasonably occur as an argument to an SSI directive. This includes the config, exec, flastmod, fsize, include, echo, and set directives, as well as the arguments to conditional operators. You can insert a literal dollar sign into the string using backslash quoting:

<!--#if expr="$a = \$test" -->

If a variable reference needs to be substituted in the middle of a character sequence that might otherwise be considered a valid identifier in its own right, it can be disambiguated by enclosing the reference in braces, a la shell substitution:

<!--#set var="Zed" value="${REMOTE_HOST}_${REQUEST_METHOD}" -->

This will result in the Zed variable being set to "X_Y" if REMOTE_HOST is "X" and REQUEST_METHOD is "Y".

The below example will print "in foo" if the DOCUMENT_URI is /foo/file.html, "in bar" if it is /bar/file.html and "in neither" otherwise:

<!--#if expr='"$DOCUMENT_URI" = "/foo/file.html"' -->
in foo
 <!--#elif expr='"$DOCUMENT_URI" = "/bar/file.html"' -->
in bar
 <!--#else -->
in neither
 <!--#endif -->

top

Flow Control Elements

The basic flow control elements are:

<!--#if expr="test_condition" -->
<!--#elif expr="test_condition" -->
<!--#else -->
<!--#endif -->

The if element works like an if statement in a programming language. The test condition is evaluated and if the result is true, then the text until the next elif, else or endif element is included in the output stream.

The elif or else statements are used to put text into the output stream if the original test_condition was false. These elements are optional.

The endif element ends the if element and is required.

test_condition is one of the following:

string
true if string is not empty
-A string

true if the URL represented by the string is accessible by configuration, false otherwise. This test only has an effect if SSIEnableAccess is on. This is useful where content on a page is to be hidden from users who are not authorized to view the URL, such as a link to that URL. Note that the URL is only tested for whether access would be granted, not whether the URL exists.

Example

<!--#if expr="-A /private" -->
Click <a href="/private">here</a> to access private information.
 <!--#endif -->

string1 = string2
string1 == string2
string1 != string2

Compare string1 with string2. If string2 has the form /string2/ then it is treated as a regular expression. Regular expressions are implemented by the PCRE engine and have the same syntax as those in perl 5. Note that == is just an alias for = and behaves exactly the same way.

If you are matching positive (= or ==), you can capture grouped parts of the regular expression. The captured parts are stored in the special variables $1 .. $9.

Example

<!--#if expr="$QUERY_STRING = /^sid=([a-zA-Z0-9]+)/" -->
<!--#set var="session" value="$1" -->
 <!--#endif -->

string1 < string2
string1 <= string2
string1 > string2
string1 >= string2
Compare string1 with string2. Note, that strings are compared literally (using strcmp(3)). Therefore the string "100" is less than "20".
( test_condition )
true if test_condition is true
! test_condition
true if test_condition is false
test_condition1 && test_condition2
true if both test_condition1 and test_condition2 are true
test_condition1 || test_condition2
true if either test_condition1 or test_condition2 is true

"=" and "!=" bind more tightly than "&&" and "||". "!" binds most tightly. Thus, the following are equivalent:

<!--#if expr="$a = test1 && $b = test2" -->
<!--#if expr="($a = test1) && ($b = test2)" -->

The boolean operators && and || share the same priority. So if you want to bind such an operator more tightly, you should use parentheses.

Anything that's not recognized as a variable or an operator is treated as a string. Strings can also be quoted: 'string'. Unquoted strings can't contain whitespace (blanks and tabs) because it is used to separate tokens such as variables. If multiple strings are found in a row, they are concatenated using blanks. So,

string1    string2 results in string1 string2

and

'string1    string2' results in string1    string2.

Optimization of Boolean Expressions

If the expressions become more complex and slow down processing significantly, you can try to optimize them according to the evaluation rules:

  • Expressions are evaluated from left to right
  • Binary boolean operators (&& and ||) are short circuited wherever possible. In conclusion with the rule above that means, mod_include evaluates at first the left expression. If the left result is sufficient to determine the end result, processing stops here. Otherwise it evaluates the right side and computes the end result from both left and right results.
  • Short circuit evaluation is turned off as long as there are regular expressions to deal with. These must be evaluated to fill in the backreference variables ($1 .. $9).

If you want to look how a particular expression is handled, you can recompile mod_include using the -DDEBUG_INCLUDE compiler option. This inserts for every parsed expression tokenizer information, the parse tree and how it is evaluated into the output sent to the client.

Escaping slashes in regex strings

All slashes which are not intended to act as delimiters in your regex must be escaped. This is regardless of their meaning to the regex engine.

top

SSIEnableAccess Directive

Description:Enable the -A flag during conditional flow control processing.
Syntax:SSIEnableAccess on|off
Default:SSIEnableAccess off
Context:directory, .htaccess
Status:Base
Module:mod_include

The SSIEnableAccess directive controls whether the -A test is enabled during conditional flow control processing. SSIEnableAccess can take on the following values:

off
<!--#if expr="-A /foo"--> will be interpreted as a series of string and regular expression tokens, the -A has no special meaning.
on
<!--#if expr="-A /foo"--> will evaluate to false if the URL /foo is inaccessible by configuration, or true otherwise.
top

SSIEndTag Directive

Description:String that ends an include element
Syntax:SSIEndTag tag
Default:SSIEndTag "-->"
Context:server config, virtual host
Status:Base
Module:mod_include
Compatibility:Available in version 2.0.30 and later.

This directive changes the string that mod_include looks for to mark the end of an include element.

Example

SSIEndTag "%>"

See also

top

SSIErrorMsg Directive

Description:Error message displayed when there is an SSI error
Syntax:SSIErrorMsg message
Default:SSIErrorMsg "[an error occurred while processing this directive]"
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Base
Module:mod_include
Compatibility:Available in version 2.0.30 and later.

The SSIErrorMsg directive changes the error message displayed when mod_include encounters an error. For production servers you may consider changing the default error message to "<!-- Error -->" so that the message is not presented to the user.

This directive has the same effect as the <!--#config errmsg=message --> element.

Example

SSIErrorMsg "<!-- Error -->"

top

SSIStartTag Directive

Description:String that starts an include element
Syntax:SSIStartTag tag
Default:SSIStartTag "<!--#"
Context:server config, virtual host
Status:Base
Module:mod_include
Compatibility:Available in version 2.0.30 and later.

This directive changes the string that mod_include looks for to mark an include element to process.

You may want to use this option if you have 2 servers parsing the output of a file each processing different commands (possibly at different times).

Example

SSIStartTag "<%"
SSIEndTag "%>"

The example given above, which also specifies a matching SSIEndTag, will allow you to use SSI directives as shown in the example below:

SSI directives with alternate start and end tags

<%printenv %>

See also

top

SSITimeFormat Directive

Description:Configures the format in which date strings are displayed
Syntax:SSITimeFormat formatstring
Default:SSITimeFormat "%A, %d-%b-%Y %H:%M:%S %Z"
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Base
Module:mod_include
Compatibility:Available in version 2.0.30 and later.

This directive changes the format in which date strings are displayed when echoing DATE environment variables. The formatstring is as in strftime(3) from the C standard library.

This directive has the same effect as the <!--#config timefmt=formatstring --> element.

Example

SSITimeFormat "%R, %B %d, %Y"

The above directive would cause times to be displayed in the format "22:26, June 14, 2002".

top

SSIUndefinedEcho Directive

Description:String displayed when an unset variable is echoed
Syntax:SSIUndefinedEcho string
Default:SSIUndefinedEcho "(none)"
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Base
Module:mod_include
Compatibility:Available in version 2.0.34 and later.

This directive changes the string that mod_include displays when a variable is not set and "echoed".

Example

SSIUndefinedEcho "<!-- undef -->"

top

XBitHack Directive

Description:Parse SSI directives in files with the execute bit set
Syntax:XBitHack on|off|full
Default:XBitHack off
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Base
Module:mod_include

The XBitHack directive controls the parsing of ordinary html documents. This directive only affects files associated with the MIME-type text/html. XBitHack can take on the following values:

off
No special treatment of executable files.
on
Any text/html file that has the user-execute bit set will be treated as a server-parsed html document.
full
As for on but also test the group-execute bit. If it is set, then set the Last-modified date of the returned file to be the last modified time of the file. If it is not set, then no last-modified date is sent. Setting this bit allows clients and proxies to cache the result of the request.

Note

You would not want to use the full option, unless you assure the group-execute bit is unset for every SSI script which might #include a CGI or otherwise produces different output on each hit (or could potentially change on subsequent requests).

mod/mod_info.html100644 0 0 24226 11256637772 11512 0ustar 0 0 mod_info - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_info

Description:Provides a comprehensive overview of the server configuration
Status:Extension
Module Identifier:info_module
Source File:mod_info.c

Summary

To configure mod_info, add the following to your httpd.conf file.

<Location /server-info>
SetHandler server-info
 </Location>

You may wish to use mod_authz_host inside the <Location> directive to limit access to your server configuration information:

<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from yourcompany.com
 </Location>

Once configured, the server information is obtained by accessing http://your.host.example.com/server-info

top

Security Issues

Once mod_info is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). This may have security-related ramifications for your site.

In particular, this module can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. Therefore, this module should only be used in a controlled environment and always with caution.

You will probably want to use mod_authz_host to limit access to your server configuration information.

Access control

<Location /server-info>
SetHandler server-info
Order allow,deny
# Allow access from server itself
Allow from 127.0.0.1
# Additionally, allow access from local workstation
Allow from 192.168.1.17
 </Location>

top

Selecting the information shown

By default, the server information includes a list of all enabled modules, and for each module, a description of the directives understood by that module, the hooks implemented by that module, and the relevant directives from the current configuration.

Other views of the configuration information are available by appending a query to the server-info request. For example, http://your.host.example.com/server-info?config will show all configuration directives.

?<module-name>
Only information relevant to the named module
?config
Just the configuration directives, not sorted by module
?hooks
Only the list of Hooks each module is attached to
?list
Only a simple list of enabled modules
?server
Only the basic server information
top

Known Limitations

mod_info provides its information by reading the parsed configuration, rather than reading the original configuration file. There are a few limitations as a result of the way the parsed configuration tree is created:

  • Directives which are executed immediately rather than being stored in the parsed configuration are not listed. These include ServerRoot, LoadModule, and LoadFile.
  • Directives which control the configuration file itself, such as Include, <IfModule> and <IfDefine> are not listed, but the included configuration directives are.
  • Comments are not listed. (This may be considered a feature.)
  • Configuration directives from .htaccess files are not listed (since they do not form part of the permanent server configuration).
  • Container directives such as <Directory> are listed normally, but mod_info cannot figure out the line number for the closing </Directory>.
  • Directives generated by third party modules such as mod_perl might not be listed.
top

AddModuleInfo Directive

Description:Adds additional information to the module information displayed by the server-info handler
Syntax:AddModuleInfo module-name string
Context:server config, virtual host
Status:Extension
Module:mod_info
Compatibility:Apache 1.3 and above

This allows the content of string to be shown as HTML interpreted, Additional Information for the module module-name. Example:

AddModuleInfo mod_deflate.c 'See <a \
href="http://www.apache.org/docs/2.2/mod/mod_deflate.html">\
http://www.apache.org/docs/2.2/mod/mod_deflate.html</a>'

mod/mod_isapi.html100644 0 0 47633 11256637772 11673 0ustar 0 0 mod_isapi - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_isapi

Description:ISAPI Extensions within Apache for Windows
Status:Base
Module Identifier:isapi_module
Source File:mod_isapi.c
Compatibility:Win32 only

Summary

This module implements the Internet Server extension API. It allows Internet Server extensions (e.g. ISAPI .dll modules) to be served by Apache for Windows, subject to the noted restrictions.

ISAPI extension modules (.dll files) are written by third parties. The Apache Group does not author these modules, so we provide no support for them. Please contact the ISAPI's author directly if you are experiencing problems running their ISAPI extension. Please do not post such problems to Apache's lists or bug reporting pages.

top

Usage

In the server configuration file, use the AddHandler directive to associate ISAPI files with the isapi-handler handler, and map it to them with their file extensions. To enable any .dll file to be processed as an ISAPI extension, edit the httpd.conf file and add the following line:

AddHandler isapi-handler .dll

In older versions of the Apache server, isapi-isa was the proper handler name, rather than isapi-handler. For compatibility, configurations may continue using isapi-isa through all versions of Apache prior to 2.3.0.

There is no capability within the Apache server to leave a requested module loaded. However, you may preload and keep a specific module loaded by using the following syntax in your httpd.conf:

ISAPICacheFile c:/WebWork/Scripts/ISAPI/mytest.dll

Whether or not you have preloaded an ISAPI extension, all ISAPI extensions are governed by the same permissions and restrictions as CGI scripts. That is, Options ExecCGI must be set for the directory that contains the ISAPI .dll file.

Review the Additional Notes and the Programmer's Journal for additional details and clarification of the specific ISAPI support offered by mod_isapi.

top

Additional Notes

Apache's ISAPI implementation conforms to all of the ISAPI 2.0 specification, except for some "Microsoft-specific" extensions dealing with asynchronous I/O. Apache's I/O model does not allow asynchronous reading and writing in a manner that the ISAPI could access. If an ISA tries to access unsupported features, including async I/O, a message is placed in the error log to help with debugging. Since these messages can become a flood, the directive ISAPILogNotSupported Off exists to quiet this noise.

Some servers, like Microsoft IIS, load the ISAPI extension into the server and keep it loaded until memory usage is too high, or unless configuration options are specified. Apache currently loads and unloads the ISAPI extension each time it is requested, unless the ISAPICacheFile directive is specified. This is inefficient, but Apache's memory model makes this the most effective method. Many ISAPI modules are subtly incompatible with the Apache server, and unloading these modules helps to ensure the stability of the server.

Also, remember that while Apache supports ISAPI Extensions, it does not support ISAPI Filters. Support for filters may be added at a later date, but no support is planned at this time.

top

Programmer's Journal

If you are programming Apache 2.0 mod_isapi modules, you must limit your calls to ServerSupportFunction to the following directives:

HSE_REQ_SEND_URL_REDIRECT_RESP
Redirect the user to another location.
This must be a fully qualified URL (e.g. http://server/location).
HSE_REQ_SEND_URL
Redirect the user to another location.
This cannot be a fully qualified URL, you are not allowed to pass the protocol or a server name (e.g. simply /location).
This redirection is handled by the server, not the browser.

Warning

In their recent documentation, Microsoft appears to have abandoned the distinction between the two HSE_REQ_SEND_URL functions. Apache continues to treat them as two distinct functions with different requirements and behaviors.

HSE_REQ_SEND_RESPONSE_HEADER
Apache accepts a response body following the header if it follows the blank line (two consecutive newlines) in the headers string argument. This body cannot contain NULLs, since the headers argument is NULL terminated.
HSE_REQ_DONE_WITH_SESSION
Apache considers this a no-op, since the session will be finished when the ISAPI returns from processing.
HSE_REQ_MAP_URL_TO_PATH
Apache will translate a virtual name to a physical name.
HSE_APPEND_LOG_PARAMETER
This logged message may be captured in any of the following logs:

The first option, the %{isapi-parameter}n component, is always available and preferred.

HSE_REQ_IS_KEEP_CONN
Will return the negotiated Keep-Alive status.
HSE_REQ_SEND_RESPONSE_HEADER_EX
Will behave as documented, although the fKeepConn flag is ignored.
HSE_REQ_IS_CONNECTED
Will report false if the request has been aborted.

Apache returns FALSE to any unsupported call to ServerSupportFunction, and sets the GetLastError value to ERROR_INVALID_PARAMETER.

ReadClient retrieves the request body exceeding the initial buffer (defined by ISAPIReadAheadBuffer). Based on the ISAPIReadAheadBuffer setting (number of bytes to buffer prior to calling the ISAPI handler) shorter requests are sent complete to the extension when it is invoked. If the request is longer, the ISAPI extension must use ReadClient to retrieve the remaining request body.

WriteClient is supported, but only with the HSE_IO_SYNC flag or no option flag (value of 0). Any other WriteClient request will be rejected with a return value of FALSE, and a GetLastError value of ERROR_INVALID_PARAMETER.

GetServerVariable is supported, although extended server variables do not exist (as defined by other servers.) All the usual Apache CGI environment variables are available from GetServerVariable, as well as the ALL_HTTP and ALL_RAW values.

Apache 2.0 mod_isapi supports additional features introduced in later versions of the ISAPI specification, as well as limited emulation of async I/O and the TransmitFile semantics. Apache also supports preloading ISAPI .dlls for performance, neither of which were not available under Apache 1.3 mod_isapi.

top

ISAPIAppendLogToErrors Directive

Description:Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the error log
Syntax:ISAPIAppendLogToErrors on|off
Default:ISAPIAppendLogToErrors off
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_isapi

Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the server error log.

top

ISAPIAppendLogToQuery Directive

Description:Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the query field
Syntax:ISAPIAppendLogToQuery on|off
Default:ISAPIAppendLogToQuery on
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_isapi

Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the query field (appended to the CustomLog %q component).

top

ISAPICacheFile Directive

Description:ISAPI .dll files to be loaded at startup
Syntax:ISAPICacheFile file-path [file-path] ...
Context:server config, virtual host
Status:Base
Module:mod_isapi

Specifies a space-separated list of file names to be loaded when the Apache server is launched, and remain loaded until the server is shut down. This directive may be repeated for every ISAPI .dll file desired. The full path name of each file should be specified. If the path name is not absolute, it will be treated relative to ServerRoot.

top

ISAPIFakeAsync Directive

Description:Fake asynchronous support for ISAPI callbacks
Syntax:ISAPIFakeAsync on|off
Default:ISAPIFakeAsync off
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_isapi

While set to on, asynchronous support for ISAPI callbacks is simulated.

top

ISAPILogNotSupported Directive

Description:Log unsupported feature requests from ISAPI extensions
Syntax:ISAPILogNotSupported on|off
Default:ISAPILogNotSupported off
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_isapi

Logs all requests for unsupported features from ISAPI extensions in the server error log. This may help administrators to track down problems. Once set to on and all desired ISAPI modules are functioning, it should be set back to off.

top

ISAPIReadAheadBuffer Directive

Description:Size of the Read Ahead Buffer sent to ISAPI extensions
Syntax:ISAPIReadAheadBuffer size
Default:ISAPIReadAheadBuffer 49152
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_isapi

Defines the maximum size of the Read Ahead Buffer sent to ISAPI extensions when they are initially invoked. All remaining data must be retrieved using the ReadClient callback; some ISAPI extensions may not support the ReadClient function. Refer questions to the ISAPI extension's author.

mod/mod_ldap.html100644 0 0 107131 11256637772 11514 0ustar 0 0 mod_ldap - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_ldap

Description:LDAP connection pooling and result caching services for use by other LDAP modules
Status:Extension
Module Identifier:ldap_module
Source File:util_ldap.c
Compatibility:Available in version 2.0.41 and later

Summary

This module was created to improve the performance of websites relying on backend connections to LDAP servers. In addition to the functions provided by the standard LDAP libraries, this module adds an LDAP connection pool and an LDAP shared memory cache.

To enable this module, LDAP support must be compiled into apr-util. This is achieved by adding the --with-ldap flag to the configure script when building Apache.

SSL/TLS support is dependant on which LDAP toolkit has been linked to APR. As of this writing, APR-util supports: OpenLDAP SDK (2.x or later), Novell LDAP SDK, Mozilla LDAP SDK, native Solaris LDAP SDK (Mozilla based), native Microsoft LDAP SDK, or the iPlanet (Netscape) SDK. See the APR website for details.

top

Example Configuration

The following is an example configuration that uses mod_ldap to increase the performance of HTTP Basic authentication provided by mod_authnz_ldap.

# Enable the LDAP connection pool and shared
# memory cache. Enable the LDAP cache status
# handler. Requires that mod_ldap and mod_authnz_ldap
# be loaded. Change the "yourdomain.example.com" to
# match your domain.

LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
AuthzLDAPAuthoritative off
Require valid-user
 </Location>

top

LDAP Connection Pool

LDAP connections are pooled from request to request. This allows the LDAP server to remain connected and bound ready for the next request, without the need to unbind/connect/rebind. The performance advantages are similar to the effect of HTTP keepalives.

On a busy server it is possible that many requests will try and access the same LDAP server connection simultaneously. Where an LDAP connection is in use, Apache will create a new connection alongside the original one. This ensures that the connection pool does not become a bottleneck.

There is no need to manually enable connection pooling in the Apache configuration. Any module using this module for access to LDAP services will share the connection pool.

top

LDAP Cache

For improved performance, mod_ldap uses an aggressive caching strategy to minimize the number of times that the LDAP server must be contacted. Caching can easily double or triple the throughput of Apache when it is serving pages protected with mod_authnz_ldap. In addition, the load on the LDAP server will be significantly decreased.

mod_ldap supports two types of LDAP caching during the search/bind phase with a search/bind cache and during the compare phase with two operation caches. Each LDAP URL that is used by the server has its own set of these three caches.

The Search/Bind Cache

The process of doing a search and then a bind is the most time-consuming aspect of LDAP operation, especially if the directory is large. The search/bind cache is used to cache all searches that resulted in successful binds. Negative results (i.e., unsuccessful searches, or searches that did not result in a successful bind) are not cached. The rationale behind this decision is that connections with invalid credentials are only a tiny percentage of the total number of connections, so by not caching invalid credentials, the size of the cache is reduced.

mod_ldap stores the username, the DN retrieved, the password used to bind, and the time of the bind in the cache. Whenever a new connection is initiated with the same username, mod_ldap compares the password of the new connection with the password in the cache. If the passwords match, and if the cached entry is not too old, mod_ldap bypasses the search/bind phase.

The search and bind cache is controlled with the LDAPCacheEntries and LDAPCacheTTL directives.

Operation Caches

During attribute and distinguished name comparison functions, mod_ldap uses two operation caches to cache the compare operations. The first compare cache is used to cache the results of compares done to test for LDAP group membership. The second compare cache is used to cache the results of comparisons done between distinguished names.

The behavior of both of these caches is controlled with the LDAPOpCacheEntries and LDAPOpCacheTTL directives.

Monitoring the Cache

mod_ldap has a content handler that allows administrators to monitor the cache performance. The name of the content handler is ldap-status, so the following directives could be used to access the mod_ldap cache information:

<Location /server/cache-info>
SetHandler ldap-status
 </Location>

By fetching the URL http://servername/cache-info, the administrator can get a status report of every cache that is used by mod_ldap cache. Note that if Apache does not support shared memory, then each httpd instance has its own cache, so reloading the URL will result in different information each time, depending on which httpd instance processes the request.

top

Using SSL/TLS

The ability to create an SSL and TLS connections to an LDAP server is defined by the directives LDAPTrustedGlobalCert, LDAPTrustedClientCert and LDAPTrustedMode. These directives specify the CA and optional client certificates to be used, as well as the type of encryption to be used on the connection (none, SSL or TLS/STARTTLS).

# Establish an SSL LDAP connection on port 636. Requires that
# mod_ldap and mod_authnz_ldap be loaded. Change the
# "yourdomain.example.com" to match your domain.

LDAPTrustedGlobalCert CA_DER /certs/certfile.der

<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
AuthzLDAPAuthoritative off
Require valid-user
 </Location>

# Establish a TLS LDAP connection on port 389. Requires that
# mod_ldap and mod_authnz_ldap be loaded. Change the
# "yourdomain.example.com" to match your domain.

LDAPTrustedGlobalCert CA_DER /certs/certfile.der

<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one TLS
AuthzLDAPAuthoritative off
Require valid-user
 </Location>

top

SSL/TLS Certificates

The different LDAP SDKs have widely different methods of setting and handling both CA and client side certificates.

If you intend to use SSL or TLS, read this section CAREFULLY so as to understand the differences between configurations on the different LDAP toolkits supported.

Netscape/Mozilla/iPlanet SDK

CA certificates are specified within a file called cert7.db. The SDK will not talk to any LDAP server whose certificate was not signed by a CA specified in this file. If client certificates are required, an optional key3.db file may be specified with an optional password. The secmod file can be specified if required. These files are in the same format as used by the Netscape Communicator or Mozilla web browsers. The easiest way to obtain these files is to grab them from your browser installation.

Client certificates are specified per connection using the LDAPTrustedClientCert directive by referring to the certificate "nickname". An optional password may be specified to unlock the certificate's private key.

The SDK supports SSL only. An attempt to use STARTTLS will cause an error when an attempt is made to contact the LDAP server at runtime.

# Specify a Netscape CA certificate file
LDAPTrustedGlobalCert CA_CERT7_DB /certs/cert7.db
# Specify an optional key3.db file for client certificate support
LDAPTrustedGlobalCert CERT_KEY3_DB /certs/key3.db
# Specify the secmod file if required
LDAPTrustedGlobalCert CA_SECMOD /certs/secmod
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
LDAPTrustedClientCert CERT_NICKNAME <nickname> [password]
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
AuthzLDAPAuthoritative off
Require valid-user
 </Location>

Novell SDK

One or more CA certificates must be specified for the Novell SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.

Note: Client certificates are specified globally rather than per connection, and so must be specified with the LDAPTrustedGlobalCert directive as below. Trying to set client certificates via the LDAPTrustedClientCert directive will cause an error to be logged when an attempt is made to connect to the LDAP server..

The SDK supports both SSL and STARTTLS, set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced, override this directive.

# Specify two CA certificate files
LDAPTrustedGlobalCert CA_DER /certs/cacert1.der
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem
# Specify a client certificate file and key
LDAPTrustedGlobalCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedGlobalCert KEY_BASE64 /certs/key1.pem [password]
# Do not use this directive, as it will throw an error
#LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem

OpenLDAP SDK

One or more CA certificates must be specified for the OpenLDAP SDK to work correctly. These certificates can be specified as binary DER or Base64 (PEM) encoded files.

Client certificates are specified per connection using the LDAPTrustedClientCert directive.

The documentation for the SDK claims to support both SSL and STARTTLS, however STARTTLS does not seem to work on all versions of the SDK. The SSL/TLS mode can be set using the LDAPTrustedMode parameter. If an ldaps:// URL is specified, SSL mode is forced. The OpenLDAP documentation notes that SSL (ldaps://) support has been deprecated to be replaced with TLS, although the SSL functionality still works.

# Specify two CA certificate files
LDAPTrustedGlobalCert CA_DER /certs/cacert1.der
LDAPTrustedGlobalCert CA_BASE64 /certs/cacert2.pem
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from yourdomain.example.com
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
AuthzLDAPAuthoritative off
Require valid-user
 </Location>

Solaris SDK

SSL/TLS for the native Solaris LDAP libraries is not yet supported. If required, install and use the OpenLDAP libraries instead.

Microsoft SDK

SSL/TLS certificate configuration for the native Microsoft LDAP libraries is done inside the system registry, and no configuration directives are required.

Both SSL and TLS are supported by using the ldaps:// URL format, or by using the LDAPTrustedMode directive accordingly.

Note: The status of support for client certificates is not yet known for this toolkit.

top

LDAPCacheEntries Directive

Description:Maximum number of entries in the primary LDAP cache
Syntax:LDAPCacheEntries number
Default:LDAPCacheEntries 1024
Context:server config
Status:Extension
Module:mod_ldap

Specifies the maximum size of the primary LDAP cache. This cache contains successful search/binds. Set it to 0 to turn off search/bind caching. The default size is 1024 cached searches.

top

LDAPCacheTTL Directive

Description:Time that cached items remain valid
Syntax:LDAPCacheTTL seconds
Default:LDAPCacheTTL 600
Context:server config
Status:Extension
Module:mod_ldap

Specifies the time (in seconds) that an item in the search/bind cache remains valid. The default is 600 seconds (10 minutes).

top

LDAPConnectionTimeout Directive

Description:Specifies the socket connection timeout in seconds
Syntax:LDAPConnectionTimeout seconds
Context:server config
Status:Extension
Module:mod_ldap

Specifies the timeout value (in seconds) in which the module will attempt to connect to the LDAP server. If a connection is not successful with the timeout period, either an error will be returned or the module will attempt to connect to a secondary LDAP server if one is specified. The default is 10 seconds.

top

LDAPOpCacheEntries Directive

Description:Number of entries used to cache LDAP compare operations
Syntax:LDAPOpCacheEntries number
Default:LDAPOpCacheEntries 1024
Context:server config
Status:Extension
Module:mod_ldap

This specifies the number of entries mod_ldap will use to cache LDAP compare operations. The default is 1024 entries. Setting it to 0 disables operation caching.

top

LDAPOpCacheTTL Directive

Description:Time that entries in the operation cache remain valid
Syntax:LDAPOpCacheTTL seconds
Default:LDAPOpCacheTTL 600
Context:server config
Status:Extension
Module:mod_ldap

Specifies the time (in seconds) that entries in the operation cache remain valid. The default is 600 seconds.

top

LDAPSharedCacheFile Directive

Description:Sets the shared memory cache file
Syntax:LDAPSharedCacheFile directory-path/filename
Context:server config
Status:Extension
Module:mod_ldap

Specifies the directory path and file name of the shared memory cache file. If not set, anonymous shared memory will be used if the platform supports it.

top

LDAPSharedCacheSize Directive

Description:Size in bytes of the shared-memory cache
Syntax:LDAPSharedCacheSize bytes
Default:LDAPSharedCacheSize 102400
Context:server config
Status:Extension
Module:mod_ldap

Specifies the number of bytes to allocate for the shared memory cache. The default is 100kb. If set to 0, shared memory caching will not be used.

top

LDAPTrustedClientCert Directive

Description:Sets the file containing or nickname referring to a per connection client certificate. Not all LDAP toolkits support per connection client certificates.
Syntax:LDAPTrustedClientCert type directory-path/filename/nickname [password]
Context:server config, virtual host, directory, .htaccess
Status:Extension
Module:mod_ldap

It specifies the directory path, file name or nickname of a per connection client certificate used when establishing an SSL or TLS connection to an LDAP server. Different locations or directories may have their own independant client certificate settings. Some LDAP toolkits (notably Novell) do not support per connection client certificates, and will throw an error on LDAP server connection if you try to use this directive (Use the LDAPTrustedGlobalCert directive instead for Novell client certificates - See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:

  • CERT_DER - binary DER encoded client certificate
  • CERT_BASE64 - PEM encoded client certificate
  • CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
  • KEY_DER - binary DER encoded private key
  • KEY_BASE64 - PEM encoded private key
top

LDAPTrustedGlobalCert Directive

Description:Sets the file or database containing global trusted Certificate Authority or global client certificates
Syntax:LDAPTrustedGlobalCert type directory-path/filename [password]
Context:server config
Status:Extension
Module:mod_ldap

It specifies the directory path and file name of the trusted CA certificates and/or system wide client certificates mod_ldap should use when establishing an SSL or TLS connection to an LDAP server. Note that all certificate information specified using this directive is applied globally to the entire server installation. Some LDAP toolkits (notably Novell) require all client certificates to be set globally using this directive. Most other toolkits require clients certificates to be set per Directory or per Location using LDAPTrustedClientCert. If you get this wrong, an error may be logged when an attempt is made to contact the LDAP server, or the connection may silently fail (See the SSL/TLS certificate guide above for details). The type specifies the kind of certificate parameter being set, depending on the LDAP toolkit being used. Supported types are:

  • CA_DER - binary DER encoded CA certificate
  • CA_BASE64 - PEM encoded CA certificate
  • CA_CERT7_DB - Netscape cert7.db CA certificate database file
  • CA_SECMOD - Netscape secmod database file
  • CERT_DER - binary DER encoded client certificate
  • CERT_BASE64 - PEM encoded client certificate
  • CERT_KEY3_DB - Netscape key3.db client certificate database file
  • CERT_NICKNAME - Client certificate "nickname" (Netscape SDK)
  • CERT_PFX - PKCS#12 encoded client certificate (Novell SDK)
  • KEY_DER - binary DER encoded private key
  • KEY_BASE64 - PEM encoded private key
  • KEY_PFX - PKCS#12 encoded private key (Novell SDK)
top

LDAPTrustedMode Directive

Description:Specifies the SSL/TLS mode to be used when connecting to an LDAP server.
Syntax:LDAPTrustedMode type
Context:server config, virtual host
Status:Extension
Module:mod_ldap

The following modes are supported:

  • NONE - no encryption
  • SSL - ldaps:// encryption on default port 636
  • TLS - STARTTLS encryption on default port 389

Not all LDAP toolkits support all the above modes. An error message will be logged at runtime if a mode is not supported, and the connection to the LDAP server will fail.

If an ldaps:// URL is specified, the mode becomes SSL and the setting of LDAPTrustedMode is ignored.

top

LDAPVerifyServerCert Directive

Description:Force server certificate verification
Syntax:LDAPVerifyServerCert On|Off
Default:LDAPVerifyServerCert On
Context:server config
Status:Extension
Module:mod_ldap

Specifies whether to force the verification of a server certificate when establishing an SSL connection to the LDAP server.

mod/mod_log_config.html100644 0 0 64102 11256637772 12662 0ustar 0 0 mod_log_config - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_log_config

Description:Logging of the requests made to the server
Status:Base
Module Identifier:log_config_module
Source File:mod_log_config.c

Summary

This module provides for flexible logging of client requests. Logs are written in a customizable format, and may be written directly to a file, or to an external program. Conditional logging is provided so that individual requests may be included or excluded from the logs based on characteristics of the request.

Three directives are provided by this module: TransferLog to create a log file, LogFormat to set a custom format, and CustomLog to define a log file and format in one step. The TransferLog and CustomLog directives can be used multiple times in each server to cause each request to be logged to multiple files.

top

Custom Log Formats

The format argument to the LogFormat and CustomLog directives is a string. This string is used to log each request to the log file. It can contain literal characters copied into the log files and the C-style control characters "\n" and "\t" to represent new-lines and tabs. Literal quotes and back-slashes should be escaped with back-slashes.

The characteristics of the request itself are logged by placing "%" directives in the format string, which are replaced in the log file by the values as follows:

Format String Description
%% The percent sign
%a Remote IP-address
%A Local IP-address
%B Size of response in bytes, excluding HTTP headers.
%b Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent.
%{Foobar}C The contents of cookie Foobar in the request sent to the server.
%D The time taken to serve the request, in microseconds.
%{FOOBAR}e The contents of the environment variable FOOBAR
%f Filename
%h Remote host
%H The request protocol
%{Foobar}i The contents of Foobar: header line(s) in the request sent to the server. Changes made by other modules (e.g. mod_headers) affect this.
%k Number of keepalive requests handled on this connection. Interesting if KeepAlive is being used, so that, for example, a '1' means the first keepalive request after the initial one, '2' the second, etc...; otherwise this is always 0 (indicating the initial request).
%l Remote logname (from identd, if supplied). This will return a dash unless mod_ident is present and IdentityCheck is set On.
%m The request method
%{Foobar}n The contents of note Foobar from another module.
%{Foobar}o The contents of Foobar: header line(s) in the reply.
%p The canonical port of the server serving the request
%{format}p The canonical port of the server serving the request or the server's actual port or the client's actual port. Valid formats are canonical, local, or remote.
%P The process ID of the child that serviced the request.
%{format}P The process ID or thread id of the child that serviced the request. Valid formats are pid, tid, and hextid. hextid requires APR 1.2.0 or higher.
%q The query string (prepended with a ? if a query string exists, otherwise an empty string)
%r First line of request
%s Status. For requests that got internally redirected, this is the status of the *original* request --- %>s for the last.
%t Time the request was received (standard english format)
%{format}t The time, in the form given by format, which should be in strftime(3) format. (potentially localized)
%T The time taken to serve the request, in seconds.
%u Remote user (from auth; may be bogus if return status (%s) is 401)
%U The URL path requested, not including any query string.
%v The canonical ServerName of the server serving the request.
%V The server name according to the UseCanonicalName setting.
%X Connection status when response is completed:
X = connection aborted before the response completed.
+ = connection may be kept alive after the response is sent.
- = connection will be closed after the response is sent.

(This directive was %c in late versions of Apache 1.3, but this conflicted with the historical ssl %{var}c syntax.)

%I Bytes received, including request and headers, cannot be zero. You need to enable mod_logio to use this.
%O Bytes sent, including headers, cannot be zero. You need to enable mod_logio to use this.

Modifiers

Particular items can be restricted to print only for responses with specific HTTP status codes by placing a comma-separated list of status codes immediately following the "%". For example, "%400,501{User-agent}i" logs User-agent on 400 errors and 501 errors only. For other status codes, the literal string "-" will be logged. The status code list may be preceded by a "!" to indicate negation: "%!200,304,302{Referer}i" logs Referer on all requests that do not return one of the three specified codes.

The modifiers "<" and ">" can be used for requests that have been internally redirected to choose whether the original or final (respectively) request should be consulted. By default, the % directives %s, %U, %T, %D, and %r look at the original request while all others look at the final request. So for example, %>s can be used to record the final status of the request and %<u can be used to record the original authenticated user on a request that is internally redirected to an unauthenticated resource.

Some Notes

For security reasons, starting with version 2.0.46, non-printable and other special characters in %r, %i and %o are escaped using \xhh sequences, where hh stands for the hexadecimal representation of the raw byte. Exceptions from this rule are " and \, which are escaped by prepending a backslash, and all whitespace characters, which are written in their C-style notation (\n, \t, etc). In versions prior to 2.0.46, no escaping was performed on these strings so you had to be quite careful when dealing with raw log files.

In httpd 2.0, unlike 1.3, the %b and %B format strings do not represent the number of bytes sent to the client, but simply the size in bytes of the HTTP response (which will differ, for instance, if the connection is aborted, or if SSL is used). The %O format provided by mod_logio will log the actual number of bytes sent over the network.

Examples

Some commonly used log format strings are:

Common Log Format (CLF)
"%h %l %u %t \"%r\" %>s %b"
Common Log Format with Virtual Host
"%v %h %l %u %t \"%r\" %>s %b"
NCSA extended/combined log format
"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
Referer log format
"%{Referer}i -> %U"
Agent (Browser) log format
"%{User-agent}i"
top

Security Considerations

See the security tips document for details on why your security could be compromised if the directory where logfiles are stored is writable by anyone other than the user that starts the server.

top

BufferedLogs Directive

Description:Buffer log entries in memory before writing to disk
Syntax:BufferedLogs On|Off
Default:BufferedLogs Off
Context:server config
Status:Base
Module:mod_log_config
Compatibility:Available in versions 2.0.41 and later.

The BufferedLogs directive causes mod_log_config to store several log entries in memory and write them together to disk, rather than writing them after each request. On some systems, this may result in more efficient disk access and hence higher performance. It may be set only once for the entire server; it cannot be configured per virtual-host.

This directive is experimental and should be used with caution.
top

CookieLog Directive

Description:Sets filename for the logging of cookies
Syntax:CookieLog filename
Context:server config, virtual host
Status:Base
Module:mod_log_config
Compatibility:This directive is deprecated.

The CookieLog directive sets the filename for logging of cookies. The filename is relative to the ServerRoot. This directive is included only for compatibility with mod_cookies, and is deprecated.

top

CustomLog Directive

Description:Sets filename and format of log file
Syntax:CustomLog file|pipe format|nickname [env=[!]environment-variable]
Context:server config, virtual host
Status:Base
Module:mod_log_config

The CustomLog directive is used to log requests to the server. A log format is specified, and the logging can optionally be made conditional on request characteristics using environment variables.

The first argument, which specifies the location to which the logs will be written, can take one of the following two types of values:

file
A filename, relative to the ServerRoot.
pipe
The pipe character "|", followed by the path to a program to receive the log information on its standard input.

Security:

If a program is used, then it will be run as the user who started httpd. This will be root if the server was started by root; be sure that the program is secure.

Note

When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashed are used even though the platform may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.

The second argument specifies what will be written to the log file. It can specify either a nickname defined by a previous LogFormat directive, or it can be an explicit format string as described in the log formats section.

For example, the following two sets of directives have exactly the same effect:

# CustomLog with format nickname
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common

# CustomLog with explicit format string
CustomLog logs/access_log "%h %l %u %t \"%r\" %>s %b"

The third argument is optional and controls whether or not to log a particular request based on the presence or absence of a particular variable in the server environment. If the specified environment variable is set for the request (or is not set, in the case of a 'env=!name' clause), then the request will be logged.

Environment variables can be set on a per-request basis using the mod_setenvif and/or mod_rewrite modules. For example, if you want to record requests for all GIF images on your server in a separate logfile but not in your main log, you can use:

SetEnvIf Request_URI \.gif$ gif-image
CustomLog gif-requests.log common env=gif-image
CustomLog nongif-requests.log common env=!gif-image

Or, to reproduce the behavior of the old RefererIgnore directive, you might use the following:

SetEnvIf Referer example\.com localreferer
CustomLog referer.log referer env=!localreferer

top

LogFormat Directive

Description:Describes a format for use in a log file
Syntax:LogFormat format|nickname [nickname]
Default:LogFormat "%h %l %u %t \"%r\" %>s %b"
Context:server config, virtual host
Status:Base
Module:mod_log_config

This directive specifies the format of the access log file.

The LogFormat directive can take one of two forms. In the first form, where only one argument is specified, this directive sets the log format which will be used by logs specified in subsequent TransferLog directives. The single argument can specify an explicit format as discussed in the custom log formats section above. Alternatively, it can use a nickname to refer to a log format defined in a previous LogFormat directive as described below.

The second form of the LogFormat directive associates an explicit format with a nickname. This nickname can then be used in subsequent LogFormat or CustomLog directives rather than repeating the entire format string. A LogFormat directive that defines a nickname does nothing else -- that is, it only defines the nickname, it doesn't actually apply the format and make it the default. Therefore, it will not affect subsequent TransferLog directives. In addition, LogFormat cannot use one nickname to define another nickname. Note that the nickname should not contain percent signs (%).

Example

LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

top

TransferLog Directive

Description:Specify location of a log file
Syntax:TransferLog file|pipe
Context:server config, virtual host
Status:Base
Module:mod_log_config

This directive has exactly the same arguments and effect as the CustomLog directive, with the exception that it does not allow the log format to be specified explicitly or for conditional logging of requests. Instead, the log format is determined by the most recently specified LogFormat directive which does not define a nickname. Common Log Format is used if no other format has been specified.

Example

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog logs/access_log

mod/mod_log_forensic.html100644 0 0 21333 11256637772 13224 0ustar 0 0 mod_log_forensic - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_log_forensic

Description:Forensic Logging of the requests made to the server
Status:Extension
Module Identifier:log_forensic_module
Source File:mod_log_forensic.c
Compatibility:mod_unique_id is no longer required since version 2.1

Summary

This module provides for forensic logging of client requests. Logging is done before and after processing a request, so the forensic log contains two log lines for each request. The forensic logger is very strict, which means:

  • The format is fixed. You cannot modify the logging format at runtime.
  • If it cannot write its data, the child process exits immediately and may dump core (depending on your CoreDumpDirectory configuration).

The check_forensic script, which can be found in the distribution's support directory, may be helpful in evaluating the forensic log output.

top

Forensic Log Format

Each request is logged two times. The first time is before it's processed further (that is, after receiving the headers). The second log entry is written after the request processing at the same time where normal logging occurs.

In order to identify each request, a unique request ID is assigned. This forensic ID can be cross logged in the normal transfer log using the %{forensic-id}n format string. If you're using mod_unique_id, its generated ID will be used.

The first line logs the forensic ID, the request line and all received headers, separated by pipe characters (|). A sample line looks like the following (all on one line):

+yQtJf8CoAB4AAFNXBIEAAAAA|GET /manual/de/images/down.gif HTTP/1.1|Host:localhost%3a8080|User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; rv%3a1.6) Gecko/20040216 Firefox/0.8|Accept:image/png, etc...

The plus character at the beginning indicates that this is the first log line of this request. The second line just contains a minus character and the ID again:

-yQtJf8CoAB4AAFNXBIEAAAAA

The check_forensic script takes as its argument the name of the logfile. It looks for those +/- ID pairs and complains if a request was not completed.

top

Security Considerations

See the security tips document for details on why your security could be compromised if the directory where logfiles are stored is writable by anyone other than the user that starts the server.

top

ForensicLog Directive

Description:Sets filename of the forensic log
Syntax:ForensicLog filename|pipe
Context:server config, virtual host
Status:Extension
Module:mod_log_forensic

The ForensicLog directive is used to log requests to the server for forensic analysis. Each log entry is assigned a unique ID which can be associated with the request using the normal CustomLog directive. mod_log_forensic creates a token called forensic-id, which can be added to the transfer log using the %{forensic-id}n format string.

The argument, which specifies the location to which the logs will be written, can take one of the following two types of values:

filename
A filename, relative to the ServerRoot.
pipe
The pipe character "|", followed by the path to a program to receive the log information on its standard input. The program name can be specified relative to the ServerRoot directive.

Security:

If a program is used, then it will be run as the user who started httpd. This will be root if the server was started by root; be sure that the program is secure or switches to a less privileged user.

Note

When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashes are used even though the platform may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.

mod/mod_logio.html100644 0 0 10753 11256637772 11670 0ustar 0 0 mod_logio - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_logio

Description:Logging of input and output bytes per request
Status:Extension
Module Identifier:logio_module
Source File:mod_logio.c

Summary

This module provides the logging of input and output number of bytes received/sent per request. The numbers reflect the actual bytes as received on the network, which then takes into account the headers and bodies of requests and responses. The counting is done before SSL/TLS on input and after SSL/TLS on output, so the numbers will correctly reflect any changes made by encryption.

This module requires mod_log_config.

When KeepAlive connections are used with SSL, the overhead of the SSL handshake is reflected in the byte count of the first request on the connection. When per-directory SSL renegotiation occurs, the bytes are associated with the request that triggered the renegotiation.

Directives

This module provides no directives.

Topics

See also

top

Custom Log Formats

This modules adds two new logging directives. The characteristics of the request itself are logged by placing "%" directives in the format string, which are replaced in the log file by the values as follows:

Format String Description
%...I Bytes received, including request and headers, cannot be zero.
%...O Bytes sent, including headers, cannot be zero.

Usually, the functionality is used like this:

Combined I/O log format:
"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %I %O"
mod/mod_mem_cache.html100644 0 0 36450 11256637772 12462 0ustar 0 0 mod_mem_cache - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_mem_cache

Description:Content cache keyed to URIs
Status:Extension
Module Identifier:mem_cache_module
Source File:mod_mem_cache.c

Summary

This module requires the service of mod_cache. It acts as a support module for mod_cache and provides a memory based storage manager. mod_mem_cache can be configured to operate in two modes: caching open file descriptors or caching objects in heap storage. mod_mem_cache is most useful when used to cache locally generated content or to cache backend server content for mod_proxy configured for ProxyPass (aka reverse proxy).

Content is stored in and retrieved from the cache using URI based keys. Content with access protection is not cached.

Note

In most cases mod_disk_cache should be the preferred choice. This is explained further in the Caching Guide. In particular, this module's cache is per-process, which can be partially mitigated by configuring threaded MPMS to use fewer child processes via configuration of larger values for ThreadsPerChild. This module's cache is also limited to storing a single variant (see HTTP Vary: header) of each resource in the cache.
top

MCacheMaxObjectCount Directive

Description:The maximum number of objects allowed to be placed in the cache
Syntax:MCacheMaxObjectCount value
Default:MCacheMaxObjectCount 1009
Context:server config
Status:Extension
Module:mod_mem_cache

The MCacheMaxObjectCount directive sets the maximum number of objects to be cached. The value is used to create the open hash table. If a new object needs to be inserted in the cache and the maximum number of objects has been reached, an object will be removed to allow the new object to be cached. The object to be removed is selected using the algorithm specified by MCacheRemovalAlgorithm.

Example

MCacheMaxObjectCount 13001

top

MCacheMaxObjectSize Directive

Description:The maximum size (in bytes) of a document allowed in the cache
Syntax:MCacheMaxObjectSize bytes
Default:MCacheMaxObjectSize 10000
Context:server config
Status:Extension
Module:mod_mem_cache

The MCacheMaxObjectSize directive sets the maximum allowable size, in bytes, of a document for it to be considered cacheable.

Example

MCacheMaxObjectSize 6400000

Note

The value of MCacheMaxObjectSize must be greater than the value specified by the MCacheMinObjectSize directive.

top

MCacheMaxStreamingBuffer Directive

Description:Maximum amount of a streamed response to buffer in memory before declaring the response uncacheable
Syntax:MCacheMaxStreamingBuffer size_in_bytes
Default:MCacheMaxStreamingBuffer the smaller of 100000 or MCacheMaxObjectSize
Context:server config
Status:Extension
Module:mod_mem_cache

The MCacheMaxStreamingBuffer directive specifies the maximum number of bytes of a streamed response to buffer before deciding that the response is too big to cache. A streamed response is one in which the entire content is not immediately available and in which the Content-Length may not be known. Sources of streaming responses include proxied responses and the output of CGI scripts. By default, a streamed response will not be cached unless it has a Content-Length header. The reason for this is to avoid using a large amount of memory to buffer a partial response that might end up being too large to fit in the cache. The MCacheMaxStreamingBuffer directive allows buffering of streamed responses that don't contain a Content-Length up to the specified maximum amount of space. If the maximum buffer space is reached, the buffered content is discarded and the attempt to cache is abandoned.

Note:

Using a nonzero value for MCacheMaxStreamingBuffer will not delay the transmission of the response to the client. As soon as mod_mem_cache copies a block of streamed content into a buffer, it sends the block on to the next output filter for delivery to the client.

# Enable caching of streamed responses up to 64KB:
MCacheMaxStreamingBuffer 65536

top

MCacheMinObjectSize Directive

Description:The minimum size (in bytes) of a document to be allowed in the cache
Syntax:MCacheMinObjectSize bytes
Default:MCacheMinObjectSize 1
Context:server config
Status:Extension
Module:mod_mem_cache

The MCacheMinObjectSize directive sets the minimum size in bytes of a document for it to be considered cacheable.

Example

MCacheMinObjectSize 10000

top

MCacheRemovalAlgorithm Directive

Description:The algorithm used to select documents for removal from the cache
Syntax:MCacheRemovalAlgorithm LRU|GDSF
Default:MCacheRemovalAlgorithm GDSF
Context:server config
Status:Extension
Module:mod_mem_cache

The MCacheRemovalAlgorithm directive specifies the algorithm used to select documents for removal from the cache. Two choices are available:

LRU (Least Recently Used)
LRU removes the documents that have not been accessed for the longest time.
GDSF (GreadyDual-Size)
GDSF assigns a priority to cached documents based on the cost of a cache miss and the size of the document. Documents with the lowest priority are removed first.

Example

MCacheRemovalAlgorithm GDSF
MCacheRemovalAlgorithm LRU

top

MCacheSize Directive

Description:The maximum amount of memory used by the cache in KBytes
Syntax:MCacheSize KBytes
Default:MCacheSize 100
Context:server config
Status:Extension
Module:mod_mem_cache

The MCacheSize directive sets the maximum amount of memory to be used by the cache, in KBytes (1024-byte units). If a new object needs to be inserted in the cache and the size of the object is greater than the remaining memory, objects will be removed until the new object can be cached. The object to be removed is selected using the algorithm specified by MCacheRemovalAlgorithm.

Example

MCacheSize 700000

Note

The MCacheSize value must be greater than the value specified by the MCacheMaxObjectSize directive.

mod/mod_mime.html100644 0 0 165160 11256637772 11531 0ustar 0 0 mod_mime - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_mime

Description:Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
Status:Base
Module Identifier:mime_module
Source File:mod_mime.c

Summary

This module is used to associate various bits of "meta information" with files by their filename extensions. This information relates the filename of the document to it's mime-type, language, character set and encoding. This information is sent to the browser, and participates in content negotiation, so the user's preferences are respected when choosing one of several possible files to serve. See mod_negotiation for more information about content negotiation.

The directives AddCharset, AddEncoding, AddLanguage and AddType are all used to map file extensions onto the meta-information for that file. Respectively they set the character set, content-encoding, content-language, and MIME-type (content-type) of documents. The directive TypesConfig is used to specify a file which also maps extensions onto MIME types.

In addition, mod_mime may define the handler and filters that originate and process content. The directives AddHandler, AddOutputFilter, and AddInputFilter control the modules or scripts that serve the document. The MultiviewsMatch directive allows mod_negotiation to consider these file extensions to be included when testing Multiviews matches.

While mod_mime associates meta-information with filename extensions, the core server provides directives that are used to associate all the files in a given container (e.g., <Location>, <Directory>, or <Files>) with particular meta-information. These directives include ForceType, SetHandler, SetInputFilter, and SetOutputFilter. The core directives override any filename extension mappings defined in mod_mime.

Note that changing the meta-information for a file does not change the value of the Last-Modified header. Thus, previously cached copies may still be used by a client or proxy, with the previous headers. If you change the meta-information (language, content type, character set or encoding) you may need to 'touch' affected files (updating their last modified date) to ensure that all visitors are receive the corrected content headers.

top

Files with Multiple Extensions

Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.

Languages and content encodings are treated accumulative, because one can assign more than one language or encoding to a particular resource. For example, the file welcome.html.en.de will be delivered with Content-Language: en, de and Content-Type: text/html.

Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file.

If you would prefer only the last dot-separated part of the filename to be mapped to a particular piece of meta-data, then do not use the Add* directives. For example, if you wish to have the file foo.html.cgi processed as a CGI script, but not the file bar.cgi.html, then instead of using AddHandler cgi-script .cgi, use

Configure handler based on final extension only

<FilesMatch \.cgi$> SetHandler cgi-script </FilesMatch>

top

Content encoding

A file of a particular MIME-type can additionally be encoded a particular way to simplify transmission over the Internet. While this usually will refer to compression, such as gzip, it can also refer to encryption, such a pgp or to an encoding such as UUencoding, which is designed for transmitting a binary file in an ASCII (text) format.

The HTTP/1.1 RFC, section 14.11 puts it this way:

The Content-Encoding entity-header field is used as a modifier to the media-type. When present, its value indicates what additional content codings have been applied to the entity-body, and thus what decoding mechanisms must be applied in order to obtain the media-type referenced by the Content-Type header field. Content-Encoding is primarily used to allow a document to be compressed without losing the identity of its underlying media type.

By using more than one file extension (see section above about multiple file extensions), you can indicate that a file is of a particular type, and also has a particular encoding.

For example, you may have a file which is a Microsoft Word document, which is pkzipped to reduce its size. If the .doc extension is associated with the Microsoft Word file type, and the .zip extension is associated with the pkzip file encoding, then the file Resume.doc.zip would be known to be a pkzip'ed Word document.

Apache sends a Content-encoding header with the resource, in order to tell the client browser about the encoding method.

Content-encoding: pkzip

top

Character sets and languages

In addition to file type and the file encoding, another important piece of information is what language a particular document is in, and in what character set the file should be displayed. For example, the document might be written in the Vietnamese alphabet, or in Cyrillic, and should be displayed as such. This information, also, is transmitted in HTTP headers.

The character set, language, encoding and mime type are all used in the process of content negotiation (See mod_negotiation) to determine which document to give to the client, when there are alternative documents in more than one character set, language, encoding or mime type. All filename extensions associations created with AddCharset, AddEncoding, AddLanguage and AddType directives (and extensions listed in the MimeMagicFile) participate in this select process. Filename extensions that are only associated using the AddHandler, AddInputFilter or AddOutputFilter directives may be included or excluded from matching by using the MultiviewsMatch directive.

Charset

To convey this further information, Apache optionally sends a Content-Language header, to specify the language that the document is in, and can append additional information onto the Content-Type header to indicate the particular character set that should be used to correctly render the information.

Content-Language: en, fr
Content-Type: text/plain; charset=ISO-8859-1

The language specification is the two-letter abbreviation for the language. The charset is the name of the particular character set which should be used.

top

AddCharset Directive

Description:Maps the given filename extensions to the specified content charset
Syntax:AddCharset charset extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The AddCharset directive maps the given filename extensions to the specified content charset. charset is the MIME charset parameter of filenames containing extension. This mapping is added to any already in force, overriding any mappings that already exist for the same extension.

Example

AddLanguage ja .ja
AddCharset EUC-JP .euc
AddCharset ISO-2022-JP .jis
AddCharset SHIFT_JIS .sjis

Then the document xxxx.ja.jis will be treated as being a Japanese document whose charset is ISO-2022-JP (as will the document xxxx.jis.ja). The AddCharset directive is useful for both to inform the client about the character encoding of the document so that the document can be interpreted and displayed appropriately, and for content negotiation, where the server returns one from several documents based on the client's charset preference.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

See also

top

AddEncoding Directive

Description:Maps the given filename extensions to the specified encoding type
Syntax:AddEncoding MIME-enc extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The AddEncoding directive maps the given filename extensions to the specified encoding type. MIME-enc is the MIME encoding to use for documents containing the extension. This mapping is added to any already in force, overriding any mappings that already exist for the same extension.

Example

AddEncoding x-gzip .gz
AddEncoding x-compress .Z

This will cause filenames containing the .gz extension to be marked as encoded using the x-gzip encoding, and filenames containing the .Z extension to be marked as encoded with x-compress.

Old clients expect x-gzip and x-compress, however the standard dictates that they're equivalent to gzip and compress respectively. Apache does content encoding comparisons by ignoring any leading x-. When responding with an encoding Apache will use whatever form (i.e., x-foo or foo) the client requested. If the client didn't specifically request a particular form Apache will use the form given by the AddEncoding directive. To make this long story short, you should always use x-gzip and x-compress for these two specific encodings. More recent encodings, such as deflate should be specified without the x-.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

top

AddHandler Directive

Description:Maps the filename extensions to the specified handler
Syntax:AddHandler handler-name extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

Files having the name extension will be served by the specified handler-name. This mapping is added to any already in force, overriding any mappings that already exist for the same extension. For example, to activate CGI scripts with the file extension .cgi, you might use:

AddHandler cgi-script .cgi

Once that has been put into your httpd.conf file, any file containing the .cgi extension will be treated as a CGI program.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

See also

top

AddInputFilter Directive

Description:Maps filename extensions to the filters that will process client requests
Syntax:AddInputFilter filter[;filter...] extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:AddInputFilter is only available in Apache 2.0.26 and later.

AddInputFilter maps the filename extension extension to the filters which will process client requests and POST input when they are received by the server. This is in addition to any filters defined elsewhere, including the SetInputFilter directive. This mapping is merged over any already in force, overriding any mappings that already exist for the same extension.

If more than one filter is specified, they must be separated by semicolons in the order in which they should process the content. The filter is case-insensitive.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

See also

top

AddLanguage Directive

Description:Maps the given filename extension to the specified content language
Syntax:AddLanguage MIME-lang extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The AddLanguage directive maps the given filename extension to the specified content language. MIME-lang is the MIME language of filenames containing extension. This mapping is added to any already in force, overriding any mappings that already exist for the same extension.

Example

AddEncoding x-compress .Z
AddLanguage en .en
AddLanguage fr .fr

Then the document xxxx.en.Z will be treated as being a compressed English document (as will the document xxxx.Z.en). Although the content language is reported to the client, the browser is unlikely to use this information. The AddLanguage directive is more useful for content negotiation, where the server returns one from several documents based on the client's language preference.

If multiple language assignments are made for the same extension, the last one encountered is the one that is used. That is, for the case of:

AddLanguage en .en
AddLanguage en-gb .en
AddLanguage en-us .en

documents with the extension .en would be treated as being en-us.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

See also

top

AddOutputFilter Directive

Description:Maps filename extensions to the filters that will process responses from the server
Syntax:AddOutputFilter filter[;filter...] extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:AddOutputFilter is only available in Apache 2.0.26 and later.

The AddOutputFilter directive maps the filename extension extension to the filters which will process responses from the server before they are sent to the client. This is in addition to any filters defined elsewhere, including SetOutputFilter and AddOutputFilterByType directive. This mapping is merged over any already in force, overriding any mappings that already exist for the same extension.

For example, the following configuration will process all .shtml files for server-side includes and will then compress the output using mod_deflate.

AddOutputFilter INCLUDES;DEFLATE shtml

If more than one filter is specified, they must be separated by semicolons in the order in which they should process the content. The filter argument is case-insensitive.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

See also

top

AddType Directive

Description:Maps the given filename extensions onto the specified content type
Syntax:AddType MIME-type extension [extension] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The AddType directive maps the given filename extensions onto the specified content type. MIME-type is the MIME type to use for filenames containing extension. This mapping is added to any already in force, overriding any mappings that already exist for the same extension. This directive can be used to add mappings not listed in the MIME types file (see the TypesConfig directive).

Example

AddType image/gif .gif

It is recommended that new MIME types be added using the AddType directive rather than changing the TypesConfig file.

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

See also

top

DefaultLanguage Directive

Description:Sets all files in the given scope to the specified language
Syntax:DefaultLanguage MIME-lang
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The DefaultLanguage directive tells Apache that all files in the directive's scope (e.g., all files covered by the current <Directory> container) that don't have an explicit language extension (such as .fr or .de as configured by AddLanguage) should be considered to be in the specified MIME-lang language. This allows entire directories to be marked as containing Dutch content, for instance, without having to rename each file. Note that unlike using extensions to specify languages, DefaultLanguage can only specify a single language.

If no DefaultLanguage directive is in force, and a file does not have any language extensions as configured by AddLanguage, then that file will be considered to have no language attribute.

Example

DefaultLanguage en

See also

top

ModMimeUsePathInfo Directive

Description:Tells mod_mime to treat path_info components as part of the filename
Syntax:ModMimeUsePathInfo On|Off
Default:ModMimeUsePathInfo Off
Context:directory
Status:Base
Module:mod_mime
Compatibility:Available in Apache 2.0.41 and later

The ModMimeUsePathInfo directive is used to combine the filename with the path_info URL component to apply mod_mime's directives to the request. The default value is Off - therefore, the path_info component is ignored.

This directive is recommended when you have a virtual filesystem.

Example

ModMimeUsePathInfo On

If you have a request for /bar/foo.shtml where /bar is a Location and ModMimeUsePathInfo is On, mod_mime will treat the incoming request as /bar/foo.shtml and directives like AddOutputFilter INCLUDES .shtml will add the INCLUDES filter to the request. If ModMimeUsePathInfo is not set, the INCLUDES filter will not be added.

See also

top

MultiviewsMatch Directive

Description:The types of files that will be included when searching for a matching file with MultiViews
Syntax:MultiviewsMatch Any|NegotiatedOnly|Filters|Handlers [Handlers|Filters]
Default:MultiviewsMatch NegotiatedOnly
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:Available in Apache 2.0.26 and later.

MultiviewsMatch permits three different behaviors for mod_negotiation's Multiviews feature. Multiviews allows a request for a file, e.g. index.html, to match any negotiated extensions following the base request, e.g. index.html.en, index.html.fr, or index.html.gz.

The NegotiatedOnly option provides that every extension following the base name must correlate to a recognized mod_mime extension for content negotation, e.g. Charset, Content-Type, Language, or Encoding. This is the strictest implementation with the fewest unexpected side effects, and is the default behavior.

To include extensions associated with Handlers and/or Filters, set the MultiviewsMatch directive to either Handlers, Filters, or both option keywords. If all other factors are equal, the smallest file will be served, e.g. in deciding between index.html.cgi of 500 bytes and index.html.pl of 1000 bytes, the .cgi file would win in this example. Users of .asis files might prefer to use the Handler option, if .asis files are associated with the asis-handler.

You may finally allow Any extensions to match, even if mod_mime doesn't recognize the extension. This was the behavior in Apache 1.3, and can cause unpredicatable results, such as serving .old or .bak files the webmaster never expected to be served.

For example, the following configuration will allow handlers and filters to participate in Multviews, but will exclude unknown files:

MultiviewsMatch Handlers Filters

See also

top

RemoveCharset Directive

Description:Removes any character set associations for a set of file extensions
Syntax:RemoveCharset extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:RemoveCharset is only available in Apache 2.0.24 and later.

The RemoveCharset directive removes any character set associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files.

The extension argument is case-insensitive and can be specified with or without a leading dot.

Example

RemoveCharset .html .shtml

top

RemoveEncoding Directive

Description:Removes any content encoding associations for a set of file extensions
Syntax:RemoveEncoding extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The RemoveEncoding directive removes any encoding associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files. An example of its use might be:

/foo/.htaccess:

AddEncoding x-gzip .gz
AddType text/plain .asc
<Files *.gz.asc>
RemoveEncoding .gz
 </Files>

This will cause foo.gz to be marked as being encoded with the gzip method, but foo.gz.asc as an unencoded plaintext file.

Note

RemoveEncoding directives are processed after any AddEncoding directives, so it is possible they may undo the effects of the latter if both occur within the same directory configuration.

The extension argument is case-insensitive and can be specified with or without a leading dot.

top

RemoveHandler Directive

Description:Removes any handler associations for a set of file extensions
Syntax:RemoveHandler extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The RemoveHandler directive removes any handler associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files. An example of its use might be:

/foo/.htaccess:

AddHandler server-parsed .html

/foo/bar/.htaccess:

RemoveHandler .html

This has the effect of returning .html files in the /foo/bar directory to being treated as normal files, rather than as candidates for parsing (see the mod_include module).

The extension argument is case-insensitive and can be specified with or without a leading dot.

top

RemoveInputFilter Directive

Description:Removes any input filter associations for a set of file extensions
Syntax:RemoveInputFilter extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:RemoveInputFilter is only available in Apache 2.0.26 and later.

The RemoveInputFilter directive removes any input filter associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files.

The extension argument is case-insensitive and can be specified with or without a leading dot.

See also

top

RemoveLanguage Directive

Description:Removes any language associations for a set of file extensions
Syntax:RemoveLanguage extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:RemoveLanguage is only available in Apache 2.0.24 and later.

The RemoveLanguage directive removes any language associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files.

The extension argument is case-insensitive and can be specified with or without a leading dot.

top

RemoveOutputFilter Directive

Description:Removes any output filter associations for a set of file extensions
Syntax:RemoveOutputFilter extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime
Compatibility:RemoveOutputFilter is only available in Apache 2.0.26 and later.

The RemoveOutputFilter directive removes any output filter associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files.

The extension argument is case-insensitive and can be specified with or without a leading dot.

Example

RemoveOutputFilter shtml

See also

top

RemoveType Directive

Description:Removes any content type associations for a set of file extensions
Syntax:RemoveType extension [extension] ...
Context:virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_mime

The RemoveType directive removes any MIME type associations for files with the given extensions. This allows .htaccess files in subdirectories to undo any associations inherited from parent directories or the server config files. An example of its use might be:

/foo/.htaccess:

RemoveType .cgi

This will remove any special handling of .cgi files in the /foo/ directory and any beneath it, causing the files to be treated as being of the DefaultType.

Note

RemoveType directives are processed after any AddType directives, so it is possible they may undo the effects of the latter if both occur within the same directory configuration.

The extension argument is case-insensitive and can be specified with or without a leading dot.

top

TypesConfig Directive

Description:The location of the mime.types file
Syntax:TypesConfig file-path
Default:TypesConfig conf/mime.types
Context:server config
Status:Base
Module:mod_mime

The TypesConfig directive sets the location of the MIME types configuration file. File-path is relative to the ServerRoot. This file sets the default list of mappings from filename extensions to content types. Most administrators use the provided mime.types file, which associates common filename extensions with IANA registered content types. The current list is maintained at http://www.iana.org/assignments/media-types/index.html. This simplifies the httpd.conf file by providing the majority of media-type definitions, and may be overridden by AddType directives as needed. You should not edit the mime.types file, because it may be replaced when you upgrade your server.

The file contains lines in the format of the arguments to an AddType directive:

MIME-type [extension] ...

The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are ignored.

Please do not send requests to the Apache HTTP Server Project to add any new entries in the distributed mime.types file unless (1) they are already registered with IANA, and (2) they use widely accepted, non-conflicting filename extensions across platforms. category/x-subtype requests will be automatically rejected, as will any new two-letter extensions as they will likely conflict later with the already crowded language and character set namespace.

See also

mod/mod_mime_magic.html100644 0 0 32371 11256637772 12646 0ustar 0 0 mod_mime_magic - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_mime_magic

Description:Determines the MIME type of a file by looking at a few bytes of its contents
Status:Extension
Module Identifier:mime_magic_module
Source File:mod_mime_magic.c

Summary

This module determines the MIME type of files in the same way the Unix file(1) command works: it looks at the first few bytes of the file. It is intended as a "second line of defense" for cases that mod_mime can't resolve.

This module is derived from a free version of the file(1) command for Unix, which uses "magic numbers" and other hints from a file's contents to figure out what the contents are. This module is active only if the magic file is specified by the MimeMagicFile directive.

top

Format of the Magic File

The contents of the file are plain ASCII text in 4-5 columns. Blank lines are allowed but ignored. Commented lines use a hash mark (#). The remaining lines are parsed for the following columns:

ColumnDescription
1 byte number to begin checking from
">" indicates a dependency upon the previous non-">" line
2

type of data to match

byte single character
short machine-order 16-bit integer
long machine-order 32-bit integer
string arbitrary-length string
date long integer date (seconds since Unix epoch/1970)
beshort big-endian 16-bit integer
belong big-endian 32-bit integer
bedate big-endian 32-bit integer date
leshort little-endian 16-bit integer
lelong little-endian 32-bit integer
ledate little-endian 32-bit integer date
3 contents of data to match
4 MIME type if matched
5 MIME encoding if matched (optional)

For example, the following magic file lines would recognize some audio formats:

# Sun/NeXT audio data
0      string      .snd
>12    belong      1       audio/basic
>12    belong      2       audio/basic
>12    belong      3       audio/basic
>12    belong      4       audio/basic
>12    belong      5       audio/basic
>12    belong      6       audio/basic
>12    belong      7       audio/basic
>12    belong     23       audio/x-adpcm

Or these would recognize the difference between *.doc files containing Microsoft Word or FrameMaker documents. (These are incompatible file formats which use the same file suffix.)

# Frame
0  string  \<MakerFile        application/x-frame
0  string  \<MIFFile          application/x-frame
0  string  \<MakerDictionary  application/x-frame
0  string  \<MakerScreenFon   application/x-frame
0  string  \<MML              application/x-frame
0  string  \<Book             application/x-frame
0  string  \<Maker            application/x-frame

# MS-Word
0  string  \376\067\0\043            application/msword
0  string  \320\317\021\340\241\261  application/msword
0  string  \333\245-\0\0\0           application/msword

An optional MIME encoding can be included as a fifth column. For example, this can recognize gzipped files and set the encoding for them.

# gzip (GNU zip, not to be confused with
#       [Info-ZIP/PKWARE] zip archiver)

0  string  \037\213  application/octet-stream  x-gzip
top

Performance Issues

This module is not for every system. If your system is barely keeping up with its load or if you're performing a web server benchmark, you may not want to enable this because the processing is not free.

However, an effort was made to improve the performance of the original file(1) code to make it fit in a busy web server. It was designed for a server where there are thousands of users who publish their own documents. This is probably very common on intranets. Many times, it's helpful if the server can make more intelligent decisions about a file's contents than the file name allows ...even if just to reduce the "why doesn't my page work" calls when users improperly name their own files. You have to decide if the extra work suits your environment.

top

Notes

The following notes apply to the mod_mime_magic module and are included here for compliance with contributors' copyright restrictions that require their acknowledgment.

mod_mime_magic: MIME type lookup via file magic numbers
Copyright (c) 1996-1997 Cisco Systems, Inc.

This software was submitted by Cisco Systems to the Apache Group in July 1997. Future revisions and derivatives of this source code must acknowledge Cisco Systems as the original contributor of this module. All other licensing and usage conditions are those of the Apache Group.

Some of this code is derived from the free version of the file command originally posted to comp.sources.unix. Copyright info for that program is included below as required.

- Copyright (c) Ian F. Darwin, 1987. Written by Ian F. Darwin.

This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.

Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it freely, subject to the following restrictions:

  1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
  2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation.
  3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation.
  4. This notice may not be removed or altered.

For compliance with Mr Darwin's terms: this has been very significantly modified from the free "file" command.

  • all-in-one file for compilation convenience when moving from one version of Apache to the next.
  • Memory allocation is done through the Apache API's pool structure.
  • All functions have had necessary Apache API request or server structures passed to them where necessary to call other Apache API routines. (i.e., usually for logging, files, or memory allocation in itself or a called function.)
  • struct magic has been converted from an array to a single-ended linked list because it only grows one record at a time, it's only accessed sequentially, and the Apache API has no equivalent of realloc().
  • Functions have been changed to get their parameters from the server configuration instead of globals. (It should be reentrant now but has not been tested in a threaded environment.)
  • Places where it used to print results to stdout now saves them in a list where they're used to set the MIME type in the Apache request record.
  • Command-line flags have been removed since they will never be used here.
top

MimeMagicFile Directive

Description:Enable MIME-type determination based on file contents using the specified magic file
Syntax:MimeMagicFile file-path
Context:server config, virtual host
Status:Extension
Module:mod_mime_magic

The MimeMagicFile directive can be used to enable this module, the default file is distributed at conf/magic. Non-rooted paths are relative to the ServerRoot. Virtual hosts will use the same file as the main server unless a more specific setting is used, in which case the more specific setting overrides the main server's file.

Example

MimeMagicFile conf/magic

mod/mod_negotiation.html100644 0 0 40565 11256637772 13103 0ustar 0 0 mod_negotiation - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_negotiation

Description:Provides for content negotiation
Status:Base
Module Identifier:negotiation_module
Source File:mod_negotiation.c

Summary

Content negotiation, or more accurately content selection, is the selection of the document that best matches the clients capabilities, from one of several available documents. There are two implementations of this.

  • A type map (a file with the handler type-map) which explicitly lists the files containing the variants.
  • A MultiViews search (enabled by the MultiViews Options), where the server does an implicit filename pattern match, and choose from amongst the results.
top

Type maps

A type map has a format similar to RFC822 mail headers. It contains document descriptions separated by blank lines, with lines beginning with a hash character ('#') treated as comments. A document description consists of several header records; records may be continued on multiple lines if the continuation lines start with spaces. The leading space will be deleted and the lines concatenated. A header record consists of a keyword name, which always ends in a colon, followed by a value. Whitespace is allowed between the header name and value, and between the tokens of value. The headers allowed are:

Content-Encoding:
The encoding of the file. Apache only recognizes encodings that are defined by an AddEncoding directive. This normally includes the encodings x-compress for compress'd files, and x-gzip for gzip'd files. The x- prefix is ignored for encoding comparisons.
Content-Language:
The language(s) of the variant, as an Internet standard language tag (RFC 1766). An example is en, meaning English. If the variant contains more than one language, they are separated by a comma.
Content-Length:
The length of the file, in bytes. If this header is not present, then the actual length of the file is used.
Content-Type:
The MIME media type of the document, with optional parameters. Parameters are separated from the media type and from one another by a semi-colon, with a syntax of name=value. Common parameters include:
level
an integer specifying the version of the media type. For text/html this defaults to 2, otherwise 0.
qs
a floating-point number with a value in the range 0.0 to 1.0, indicating the relative 'quality' of this variant compared to the other available variants, independent of the client's capabilities. For example, a jpeg file is usually of higher source quality than an ascii file if it is attempting to represent a photograph. However, if the resource being represented is ascii art, then an ascii file would have a higher source quality than a jpeg file. All qs values are therefore specific to a given resource.

Example

Content-Type: image/jpeg; qs=0.8

URI:
uri of the file containing the variant (of the given media type, encoded with the given content encoding). These are interpreted as URLs relative to the map file; they must be on the same server (!), and they must refer to files to which the client would be granted access if they were to be requested directly.
Body:
New in Apache 2.0, the actual content of the resource may be included in the type-map file using the Body header. This header must contain a string that designates a delimiter for the body content. Then all following lines in the type map file will be considered part of the resource body until the delimiter string is found.

Example:

Body:----xyz----
<html>
<body>
<p>Content of the page.</p>
</body>
</html>
----xyz----

top

MultiViews

A MultiViews search is enabled by the MultiViews Options. If the server receives a request for /some/dir/foo and /some/dir/foo does not exist, then the server reads the directory looking for all files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements, and returns that document.

The MultiViewsMatch directive configures whether Apache will consider files that do not have content negotiation meta-information assigned to them when choosing files.

top

CacheNegotiatedDocs Directive

Description:Allows content-negotiated documents to be cached by proxy servers
Syntax:CacheNegotiatedDocs On|Off
Default:CacheNegotiatedDocs Off
Context:server config, virtual host
Status:Base
Module:mod_negotiation
Compatibility:The syntax changed in version 2.0.

If set, this directive allows content-negotiated documents to be cached by proxy servers. This could mean that clients behind those proxys could retrieve versions of the documents that are not the best match for their abilities, but it will make caching more efficient.

This directive only applies to requests which come from HTTP/1.0 browsers. HTTP/1.1 provides much better control over the caching of negotiated documents, and this directive has no effect in responses to HTTP/1.1 requests.

Prior to version 2.0, CacheNegotiatedDocs did not take an argument; it was turned on by the presence of the directive by itself.

top

ForceLanguagePriority Directive

Description:Action to take if a single acceptable document is not found
Syntax:ForceLanguagePriority None|Prefer|Fallback [Prefer|Fallback]
Default:ForceLanguagePriority Prefer
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_negotiation
Compatibility:Available in version 2.0.30 and later

The ForceLanguagePriority directive uses the given LanguagePriority to satisfy negotation where the server could otherwise not return a single matching document.

ForceLanguagePriority Prefer uses LanguagePriority to serve a one valid result, rather than returning an HTTP result 300 (MULTIPLE CHOICES) when there are several equally valid choices. If the directives below were given, and the user's Accept-Language header assigned en and de each as quality .500 (equally acceptable) then the first matching variant, en, will be served.

LanguagePriority en fr de
ForceLanguagePriority Prefer

ForceLanguagePriority Fallback uses LanguagePriority to serve a valid result, rather than returning an HTTP result 406 (NOT ACCEPTABLE). If the directives below were given, and the user's Accept-Language only permitted an es language response, but such a variant isn't found, then the first variant from the LanguagePriority list below will be served.

LanguagePriority en fr de
ForceLanguagePriority Fallback

Both options, Prefer and Fallback, may be specified, so either the first matching variant from LanguagePriority will be served if more than one variant is acceptable, or first available document will be served if none of the variants matched the client's acceptable list of languages.

See also

top

LanguagePriority Directive

Description:The precendence of language variants for cases where the client does not express a preference
Syntax:LanguagePriority MIME-lang [MIME-lang] ...
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Base
Module:mod_negotiation

The LanguagePriority sets the precedence of language variants for the case where the client does not express a preference, when handling a MultiViews request. The list of MIME-lang are in order of decreasing preference.

Example:

LanguagePriority en fr de

For a request for foo.html, where foo.html.fr and foo.html.de both existed, but the browser did not express a language preference, then foo.html.fr would be returned.

Note that this directive only has an effect if a 'best' language cannot be determined by any other means or the ForceLanguagePriority directive is not None. In general, the client determines the language preference, not the server.

See also

mod/mod_nw_ssl.html100644 0 0 14164 11256637772 12064 0ustar 0 0 mod_nw_ssl - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_nw_ssl

Description:Enable SSL encryption for NetWare
Status:Base
Module Identifier:nwssl_module
Source File:mod_nw_ssl.c
Compatibility:NetWare only

Summary

This module enables SSL encryption for a specified port. It takes advantage of the SSL encryption functionality that is built into the NetWare operating system.

top

NWSSLTrustedCerts Directive

Description:List of additional client certificates
Syntax:NWSSLTrustedCerts filename [filename] ...
Context:server config
Status:Base
Module:mod_nw_ssl

Specifies a list of client certificate files (DER format) that are used when creating a proxied SSL connection. Each client certificate used by a server must be listed separately in its own .der file.

top

NWSSLUpgradeable Directive

Description:Allows a connection to be upgraded to an SSL connection upon request
Syntax:NWSSLUpgradeable [IP-address:]portnumber
Context:server config
Status:Base
Module:mod_nw_ssl

Allow a connection that was created on the specified address and/or port to be upgraded to an SSL connection upon request from the client. The address and/or port must have already be defined previously with a Listen directive.

top

SecureListen Directive

Description:Enables SSL encryption for the specified port
Syntax:SecureListen [IP-address:]portnumber Certificate-Name [MUTUAL]
Context:server config
Status:Base
Module:mod_nw_ssl

Specifies the port and the eDirectory based certificate name that will be used to enable SSL encryption. An optional third parameter also enables mutual authentication.

mod/mod_proxy.html100644 0 0 253061 11256637772 11761 0ustar 0 0 mod_proxy - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy

Description:HTTP/1.1 proxy/gateway server
Status:Extension
Module Identifier:proxy_module
Source File:mod_proxy.c

Summary

Warning

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

This module implements a proxy/gateway for Apache. It implements proxying capability for AJP13 (Apache JServe Protocol version 1.3), FTP, CONNECT (for SSL), HTTP/0.9, HTTP/1.0, and HTTP/1.1. The module can be configured to connect to other proxy modules for these and other protocols.

Apache's proxy features are divided into several modules in addition to mod_proxy: mod_proxy_http, mod_proxy_ftp, mod_proxy_ajp, mod_proxy_balancer, and mod_proxy_connect. Thus, if you want to use one or more of the particular proxy functions, load mod_proxy and the appropriate module(s) into the server (either statically at compile-time or dynamically via the LoadModule directive).

In addition, extended features are provided by other modules. Caching is provided by mod_cache and related modules. The ability to contact remote servers using the SSL/TLS protocol is provided by the SSLProxy* directives of mod_ssl. These additional modules will need to be loaded and configured to take advantage of these features.

top

Forward Proxies and Reverse Proxies/Gateways

Apache can be configured in both a forward and reverse proxy (also known as gateway) mode.

An ordinary forward proxy is an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target and the proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites.

A typical usage of a forward proxy is to provide Internet access to internal clients that are otherwise restricted by a firewall. The forward proxy can also use caching (as provided by mod_cache) to reduce network usage.

The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.

A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.

A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall. Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.

A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy.

top

Basic Examples

The examples below are only a very basic idea to help you get started. Please read the documentation on the individual directives.

In addition, if you wish to have caching enabled, consult the documentation from mod_cache.

Forward Proxy

ProxyRequests On
ProxyVia On

<Proxy *>
Order deny,allow
Deny from all
Allow from internal.example.com
 </Proxy>

Reverse Proxy

ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
 </Proxy>

ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar

top

Controlling access to your proxy

You can control who can access your proxy via the <Proxy> control block as in the following example:

<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
 </Proxy>

For more information on access control directives, see mod_authz_host.

Strictly limiting access is essential if you are using a forward proxy (using the ProxyRequests directive). Otherwise, your server can be used by any client to access arbitrary hosts while hiding his or her true identity. This is dangerous both for your network and for the Internet at large. When using a reverse proxy (using the ProxyPass directive with ProxyRequests Off), access control is less critical because clients can only contact the hosts that you have specifically configured.

top

Slow Startup

If you're using the ProxyBlock directive, hostnames' IP addresses are looked up and cached during startup for later match test. This may take a few seconds (or more) depending on the speed with which the hostname lookups occur.

top

Intranet Proxy

An Apache proxy server situated in an intranet needs to forward external requests through the company's firewall (for this, configure the ProxyRemote directive to forward the respective scheme to the firewall proxy). However, when it has to access resources within the intranet, it can bypass the firewall when accessing hosts. The NoProxy directive is useful for specifying which hosts belong to the intranet and should be accessed directly.

Users within an intranet tend to omit the local domain name from their WWW requests, thus requesting "http://somehost/" instead of http://somehost.example.com/. Some commercial proxy servers let them get away with this and simply serve the request, implying a configured local domain. When the ProxyDomain directive is used and the server is configured for proxy service, Apache can return a redirect response and send the client to the correct, fully qualified, server address. This is the preferred method since the user's bookmark files will then contain fully qualified hosts.

top

Protocol Adjustments

For circumstances where mod_proxy is sending requests to an origin server that doesn't properly implement keepalives or HTTP/1.1, there are two environment variables that can force the request to use HTTP/1.0 with no keepalive. These are set via the SetEnv directive.

These are the force-proxy-request-1.0 and proxy-nokeepalive notes.

<Location /buggyappserver/>
ProxyPass http://buggyappserver:7001/foo/
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
 </Location>

top

Request Bodies

Some request methods such as POST include a request body. The HTTP protocol requires that requests which include a body either use chunked transfer encoding or send a Content-Length request header. When passing these requests on to the origin server, mod_proxy_http will always attempt to send the Content-Length. But if the body is large and the original request used chunked encoding, then chunked encoding may also be used in the upstream request. You can control this selection using environment variables. Setting proxy-sendcl ensures maximum compatibility with upstream servers by always sending the Content-Length, while setting proxy-sendchunked minimizes resource usage by using chunked encoding.

top

Reverse Proxy Request Headers

When acting in a reverse-proxy mode (using the ProxyPass directive, for example), mod_proxy_http adds several request headers in order to pass information to the origin server. These headers are:

X-Forwarded-For
The IP address of the client.
X-Forwarded-Host
The original host requested by the client in the Host HTTP request header.
X-Forwarded-Server
The hostname of the proxy server.

Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original clients IP address, but you may get more than one address if the request passes through several proxies.

See also the ProxyPreserveHost and ProxyVia directives, which control other request headers.

top

AllowCONNECT Directive

Description:Ports that are allowed to CONNECT through the proxy
Syntax:AllowCONNECT port [port] ...
Default:AllowCONNECT 443 563
Context:server config, virtual host
Status:Extension
Module:mod_proxy

The AllowCONNECT directive specifies a list of port numbers to which the proxy CONNECT method may connect. Today's browsers use this method when a https connection is requested and proxy tunneling over HTTP is in effect.

By default, only the default https port (443) and the default snews port (563) are enabled. Use the AllowCONNECT directive to override this default and allow connections to the listed ports only.

Note that you'll need to have mod_proxy_connect present in the server in order to get the support for the CONNECT at all.

top

BalancerMember Directive

Description:Add a member to a load balancing group
Syntax:BalancerMember [balancerurl] url [key=value [key=value ...]]
Context:directory
Status:Extension
Module:mod_proxy
Compatibility:BalancerMember is only available in Apache 2.2 and later.

This directive adds a member to a load balancing group. It could be used within a <Proxy balancer://...> container directive, and can take any of the key value pairs available to ProxyPass directives.

The balancerurl is only needed when not in <Proxy balancer://...> container directive. It corresponds to the url of a balancer defined in ProxyPass directive.

top

NoProxy Directive

Description:Hosts, domains, or networks that will be connected to directly
Syntax:NoProxy host [host] ...
Context:server config, virtual host
Status:Extension
Module:mod_proxy

This directive is only useful for Apache proxy servers within intranets. The NoProxy directive specifies a list of subnets, IP addresses, hosts and/or domains, separated by spaces. A request to a host which matches one or more of these is always served directly, without forwarding to the configured ProxyRemote proxy server(s).

Example

ProxyRemote * http://firewall.example.com:81
NoProxy .example.com 192.168.112.0/21

The host arguments to the NoProxy directive are one of the following type list:

Domain

A Domain is a partially qualified DNS domain name, preceded by a period. It represents a list of hosts which logically belong to the same DNS domain or zone (i.e., the suffixes of the hostnames are all ending in Domain).

Examples

.com .apache.org.

To distinguish Domains from Hostnames (both syntactically and semantically; a DNS domain can have a DNS A record, too!), Domains are always written with a leading period.

Note

Domain name comparisons are done without regard to the case, and Domains are always assumed to be anchored in the root of the DNS tree, therefore two domains .ExAmple.com and .example.com. (note the trailing period) are considered equal. Since a domain comparison does not involve a DNS lookup, it is much more efficient than subnet comparison.

SubNet

A SubNet is a partially qualified internet address in numeric (dotted quad) form, optionally followed by a slash and the netmask, specified as the number of significant bits in the SubNet. It is used to represent a subnet of hosts which can be reached over a common network interface. In the absence of the explicit net mask it is assumed that omitted (or zero valued) trailing digits specify the mask. (In this case, the netmask can only be multiples of 8 bits wide.) Examples:

192.168 or 192.168.0.0
the subnet 192.168.0.0 with an implied netmask of 16 valid bits (sometimes used in the netmask form 255.255.0.0)
192.168.112.0/21
the subnet 192.168.112.0/21 with a netmask of 21 valid bits (also used in the form 255.255.248.0)

As a degenerate case, a SubNet with 32 valid bits is the equivalent to an IPAddr, while a SubNet with zero valid bits (e.g., 0.0.0.0/0) is the same as the constant _Default_, matching any IP address.

IPAddr

A IPAddr represents a fully qualified internet address in numeric (dotted quad) form. Usually, this address represents a host, but there need not necessarily be a DNS domain name connected with the address.

Example

192.168.123.7

Note

An IPAddr does not need to be resolved by the DNS system, so it can result in more effective apache performance.

Hostname

A Hostname is a fully qualified DNS domain name which can be resolved to one or more IPAddrs via the DNS domain name service. It represents a logical host (in contrast to Domains, see above) and must be resolvable to at least one IPAddr (or often to a list of hosts with different IPAddrs).

Examples

prep.ai.example.com
www.apache.org

Note

In many situations, it is more effective to specify an IPAddr in place of a Hostname since a DNS lookup can be avoided. Name resolution in Apache can take a remarkable deal of time when the connection to the name server uses a slow PPP link.

Hostname comparisons are done without regard to the case, and Hostnames are always assumed to be anchored in the root of the DNS tree, therefore two hosts WWW.ExAmple.com and www.example.com. (note the trailing period) are considered equal.

See also

top

<Proxy> Directive

Description:Container for directives applied to proxied resources
Syntax:<Proxy wildcard-url> ...</Proxy>
Context:server config, virtual host
Status:Extension
Module:mod_proxy

Directives placed in <Proxy> sections apply only to matching proxied content. Shell-style wildcards are allowed.

For example, the following will allow only hosts in yournetwork.example.com to access content via your proxy server:

<Proxy *>
Order Deny,Allow
Deny from all
Allow from yournetwork.example.com
 </Proxy>

The following example will process all files in the foo directory of example.com through the INCLUDES filter when they are sent through the proxy server:

<Proxy http://example.com/foo/*>
SetOutputFilter INCLUDES
 </Proxy>

top

ProxyBadHeader Directive

Description:Determines how to handle bad header lines in a response
Syntax:ProxyBadHeader IsError|Ignore|StartBody
Default:ProxyBadHeader IsError
Context:server config, virtual host
Status:Extension
Module:mod_proxy
Compatibility:Available in Apache 2.0.44 and later

The ProxyBadHeader directive determines the behaviour of mod_proxy if it receives syntactically invalid header lines (i.e. containing no colon). The following arguments are possible:

IsError
Abort the request and end up with a 502 (Bad Gateway) response. This is the default behaviour.
Ignore
Treat bad header lines as if they weren't sent.
StartBody
When receiving the first bad header line, finish reading the headers and treat the remainder as body. This helps to work around buggy backend servers which forget to insert an empty line between the headers and the body.
top

ProxyBlock Directive

Description:Words, hosts, or domains that are banned from being proxied
Syntax:ProxyBlock *|word|host|domain [word|host|domain] ...
Context:server config, virtual host
Status:Extension
Module:mod_proxy

The ProxyBlock directive specifies a list of words, hosts and/or domains, separated by spaces. HTTP, HTTPS, and FTP document requests to sites whose names contain matched words, hosts or domains are blocked by the proxy server. The proxy module will also attempt to determine IP addresses of list items which may be hostnames during startup, and cache them for match test as well. That may slow down the startup time of the server.

Example

ProxyBlock joes-garage.com some-host.co.uk rocky.wotsamattau.edu

rocky.wotsamattau.edu would also be matched if referenced by IP address.

Note that wotsamattau would also be sufficient to match wotsamattau.edu.

Note also that

ProxyBlock *

blocks connections to all sites.

top

ProxyDomain Directive

Description:Default domain name for proxied requests
Syntax:ProxyDomain Domain
Context:server config, virtual host
Status:Extension
Module:mod_proxy

This directive is only useful for Apache proxy servers within intranets. The ProxyDomain directive specifies the default domain which the apache proxy server will belong to. If a request to a host without a domain name is encountered, a redirection response to the same host with the configured Domain appended will be generated.

Example

ProxyRemote * http://firewall.example.com:81
NoProxy .example.com 192.168.112.0/21
ProxyDomain .example.com

top

ProxyErrorOverride Directive

Description:Override error pages for proxied content
Syntax:ProxyErrorOverride On|Off
Default:ProxyErrorOverride Off
Context:server config, virtual host
Status:Extension
Module:mod_proxy
Compatibility:Available in version 2.0 and later

This directive is useful for reverse-proxy setups, where you want to have a common look and feel on the error pages seen by the end user. This also allows for included files (via mod_include's SSI) to get the error code and act accordingly (default behavior would display the error page of the proxied server, turning this on shows the SSI Error message).

This directive does not affect the processing of informational (1xx), normal success (2xx), or redirect (3xx) responses.

top

ProxyFtpDirCharset Directive

Description:Define the character set for proxied FTP listings
Syntax:ProxyFtpDirCharset character set
Default:ProxyFtpDirCharset ISO-8859-1
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy
Compatibility:Available in Apache 2.2.7 and later

The ProxyFtpDirCharset directive defines the character set to be set for FTP directory listings in HTML generated by mod_proxy_ftp.

top

ProxyIOBufferSize Directive

Description:Determine size of internal data throughput buffer
Syntax:ProxyIOBufferSize bytes
Default:ProxyIOBufferSize 8192
Context:server config, virtual host
Status:Extension
Module:mod_proxy

The ProxyIOBufferSize directive adjusts the size of the internal buffer, which is used as a scratchpad for the data between input and output. The size must be less or equal 8192.

In almost every case there's no reason to change that value.

top

<ProxyMatch> Directive

Description:Container for directives applied to regular-expression-matched proxied resources
Syntax:<ProxyMatch regex> ...</ProxyMatch>
Context:server config, virtual host
Status:Extension
Module:mod_proxy

The <ProxyMatch> directive is identical to the <Proxy> directive, except it matches URLs using regular expressions.

top

ProxyMaxForwards Directive

Description:Maximium number of proxies that a request can be forwarded through
Syntax:ProxyMaxForwards number
Default:ProxyMaxForwards -1
Context:server config, virtual host
Status:Extension
Module:mod_proxy
Compatibility:Available in Apache 2.0 and later; default behaviour changed in 2.2.7

The ProxyMaxForwards directive specifies the maximum number of proxies through which a request may pass, if there's no Max-Forwards header supplied with the request. This may be set to prevent infinite proxy loops, or a DoS attack.

Example

ProxyMaxForwards 15

Note that setting ProxyMaxForwards is a violation of the HTTP/1.1 protocol (RFC2616), which forbids a Proxy setting Max-Forwards if the Client didn't set it. Earlier Apache versions would always set it. A negative ProxyMaxForwards value, including the default -1, gives you protocol-compliant behaviour, but may leave you open to loops.

top

ProxyPass Directive

Description:Maps remote servers into the local server URL-space
Syntax:ProxyPass [path] !|url [key=value key=value ...]] [nocanon] [interpolate]
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy

This directive allows remote servers to be mapped into the space of the local server; the local server does not act as a proxy in the conventional sense, but appears to be a mirror of the remote server. The local server is often called a reverse proxy or gateway. The path is the name of a local virtual path; url is a partial URL for the remote server and cannot include a query string.

The ProxyRequests directive should usually be set off when using ProxyPass.

Suppose the local server has address http://example.com/; then

ProxyPass /mirror/foo/ http://backend.example.com/

will cause a local request for http://example.com/mirror/foo/bar to be internally converted into a proxy request to http://backend.example.com/bar.

If the first argument ends with a trailing /, the second argument should also end with a trailing / and vice versa. Otherwise the resulting requests to the backend may miss some needed slashes and do not deliver the expected results.

The ! directive is useful in situations where you don't want to reverse-proxy a subdirectory, e.g.

ProxyPass /mirror/foo/i !
ProxyPass /mirror/foo http://backend.example.com

will proxy all requests to /mirror/foo to backend.example.com except requests made to /mirror/foo/i.

Note

Order is important: exclusions must come before the general ProxyPass directive.

As of Apache 2.1, the ability to use pooled connections to a backend server is available. Using the key=value parameters it is possible to tune this connection pooling. The default for a Hard Maximum for the number of connections is the number of threads per process in the active MPM. In the Prefork MPM, this is always 1, while with the Worker MPM it is controlled by the ThreadsPerChild.

Setting min will determine how many connections will always be open to the backend server. Upto the Soft Maximum or smax number of connections will be created on demand. Any connections above smax are subject to a time to live or ttl. Apache will never create more than the Hard Maximum or max connections to the backend server.

ProxyPass /example http://backend.example.com smax=5 max=20 ttl=120 retry=300

Parameter Default Description
min 0 Minimum number of connections that will always be open to the backend server.
max 1...n Hard Maximum number of connections that will be allowed to the backend server. The default for a Hard Maximum for the number of connections is the number of threads per process in the active MPM. In the Prefork MPM, this is always 1, while with the Worker MPM it is controlled by the ThreadsPerChild. Apache will never create more than the Hard Maximum connections to the backend server.
smax max Upto the Soft Maximum number of connections will be created on demand. Any connections above smax are subject to a time to live or ttl.
acquire - If set this will be the maximum time to wait for a free connection in the connection pool, in milliseconds. If there are no free connections in the pool the Apache will return SERVER_BUSY status to the client.
connectiontimeout timeout Connect timeout in seconds. The number of seconds Apache waits for the creation of a connection to the backend to complete. By adding a postfix of ms the timeout can be also set in milliseconds.
disablereuse Off This parameter should be used when you want to force mod_proxy to immediately close a connection to the backend after being used, and thus, disable its persistent connection and pool for that backend. This helps in various situations where a firewall between Apache and the backend server (regardless of protocol) tends to silently drop connections or when backends themselves may be under round- robin DNS. To disable connection pooling reuse, set this property value to On.
flushpackets off Determines whether the proxy module will auto-flush the output brigade after each "chunk" of data. 'off' means that it will flush only when needed, 'on' means after each chunk is sent and 'auto' means poll/wait for a period of time and flush if no input has been received for 'flushwait' milliseconds. Currently this is in effect only for AJP.
flushwait 10 The time to wait for additional input, in milliseconds, before flushing the output brigade if 'flushpackets' is 'auto'.
keepalive Off This parameter should be used when you have a firewall between your Apache and the backend server, who tend to drop inactive connections. This flag will tell the Operating System to send KEEP_ALIVE messages on inactive connections (interval depends on global OS settings, generally 120ms), and thus prevent the firewall to drop the connection. To enable keepalive set this property value to On.
lbset 0 Sets the load balancer cluster set that the worker is a member of. The load balancer will try all members of a lower numbered lbset before trying higher numbered ones.
ping 0 Ping property tells webserver to send a CPING request on ajp13 connection before forwarding a request. The parameter is the delay in seconds to wait for the CPONG reply. This features has been added to avoid problem with hung and busy Tomcat's and require ajp13 ping/pong support which has been implemented on Tomcat 3.3.2+, 4.1.28+ and 5.0.13+. This will increase the network traffic during the normal operation which could be an issue, but it will lower the traffic in case some of the cluster nodes are down or busy. Currently this has an effect only for AJP. By adding a postfix of ms the delay can be also set in milliseconds.
loadfactor 1 Worker load factor. Used with BalancerMember. It is a number between 1 and 100 and defines the normalized weighted load applied to the worker.
redirect - Redirection Route of the worker. This value is usually set dynamically to enable safe removal of the node from the cluster. If set all requests without session id will be redirected to the BalancerMember that has route parametar equal as this value.
retry 60 Connection pool worker retry timeout in seconds. If the connection pool worker to the backend server is in the error state, Apache will not forward any requests to that server until the timeout expires. This enables to shut down the backend server for maintenance, and bring it back online later. A value of 0 means always retry workers in an error state with no timeout.
route - Route of the worker when used inside load balancer. The route is a value appended to session id.
status - Single letter value defining the initial status of this worker: 'D' is disabled, 'S' is stopped, 'I' is ignore-errors, 'H' is hot-standby and 'E' is in an error state. Status can be set (which is the default) by prepending with '+' or cleared by prepending with '-'. Thus, a setting of 'S-E' sets this worker to Stopped and clears the in-error flag.
timeout ProxyTimeout Connection timeout in seconds. The number of seconds Apache waits for data sent by / to the backend.
ttl - Time To Live for the inactive connections above the smax connections in seconds. Apache will close all connections that has not been used inside that time period.

If the Proxy directive scheme starts with the balancer:// (eg: balancer://cluster/, any path information is ignored) then a virtual worker that does not really communicate with the backend server will be created. Instead it is responsible for the management of several "real" workers. In that case the special set of parameters can be add to this virtual worker. See mod_proxy_balancer for more information about how the balancer works.

Parameter Default Description
lbmethod byrequests Balancer load-balance method. Select the load-balancing scheduler method to use. Either byrequests, to perform weighted request counting, bytraffic, to perform weighted traffic byte count balancing, or bybusyness, to perform pending request balancing. Default is byrequests.
maxattempts 1 Maximum number of failover attempts before giving up.
nofailover Off If set to On the session will break if the worker is in error state or disabled. Set this value to On if backend servers do not support session replication.
stickysession - Balancer sticky session name. The value is usually set to something like JSESSIONID or PHPSESSIONID, and it depends on the backend application server that support sessions. If the backend application server uses different name for cookies and url encoded id (like servlet containers) use | to to separate them. The first part is for the cookie the second for the path.
scolonpathdelim Off If set to On the semi-colon character ';' will be used as an additional sticky session path deliminator/separator. This is mainly used to emulate mod_jk's behavior when dealing with paths such as JSESSIONID=6736bcf34;foo=aabfa
timeout 0 Balancer timeout in seconds. If set this will be the maximum time to wait for a free worker. Default is not to wait.

A sample balancer setup

ProxyPass /special-area http://special.example.com/ smax=5 max=10
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID|jsessionid nofailover=On
<Proxy balancer://mycluster>
BalancerMember http://1.2.3.4:8009
BalancerMember http://1.2.3.5:8009 smax=10
# Less powerful server, don't send as many requests there
BalancerMember http://1.2.3.6:8009 smax=1 loadfactor=20
 </Proxy>

Setting up a hot-standby, that will only be used if no other members are available

ProxyPass / balancer://hotcluster/
<Proxy balancer://hotcluster>
BalancerMember http://1.2.3.4:8009 loadfactor=1
BalancerMember http://1.2.3.5:8009 loadfactor=2
# The below is the hot standby
BalancerMember http://1.2.3.6:8009 status=+H
ProxySet lbmethod=bytraffic </Proxy>

Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this, and passes the URL path "raw" to the backend. Note that may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

The optional interpolate keyword (available in httpd 2.2.9 and later), in combination with ProxyPassInterpolateEnv causes the ProxyPass to interpolate environment variables, using the syntax ${VARNAME}. Note that many of the standard CGI-derived environment variables will not exist when this interpolation happens, so you may still have to resort to mod_rewrite for complex rules.

When used inside a <Location> section, the first argument is omitted and the local directory is obtained from the <Location>.

If you require a more flexible reverse-proxy configuration, see the RewriteRule directive with the [P] flag.

top

ProxyPassInterpolateEnv Directive

Description:Enable Environment Variable interpolation in Reverse Proxy configurations
Syntax:ProxyPassInterpolateEnv On|Off
Default:ProxyPassInterpolateEnv Off
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy
Compatibility:Available in httpd 2.2.9 and later

This directive, together with the interpolate argument to ProxyPass, ProxyPassReverse, ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath enables reverse proxies to be dynamically configured using environment variables, which may be set by another module such as mod_rewrite. It affects the ProxyPass, ProxyPassReverse, ProxyPassReverseCookieDomain, and ProxyPassReverseCookiePath directives, and causes them to substitute the value of an environment variable varname for the string ${varname} in configuration directives.

Keep this turned off (for server performance) unless you need it!

top

ProxyPassMatch Directive

Description:Maps remote servers into the local server URL-space using regular expressions
Syntax:ProxyPassMatch [regex] !|url [key=value [key=value ...]]
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy
Compatibility:available in Apache 2.2.5 and later

This directive is equivalent to ProxyPass, but makes use of regular expressions, instead of simple prefix matching. The supplied regular expression is matched against the url, and if it matches, the server will substitute any parenthesized matches into the given string and use it as a new url.

Suppose the local server has address http://example.com/; then

ProxyPassMatch ^(/.*\.gif)$ http://backend.example.com$1

will cause a local request for http://example.com/foo/bar.gif to be internally converted into a proxy request to http://backend.example.com/foo/bar.gif.

Note

The URL argument must be parsable as a URL before regexp substitutions (as well as after). This limits the matches you can use. For instance, if we had used

ProxyPassMatch ^(/.*\.gif)$ http://backend.example.com:8000$1

in our previous example, it would fail with a syntax error at server startup. This is a bug (PR 46665 in the ASF bugzilla), and the workaround is to reformulate the match:

ProxyPassMatch ^/(.*\.gif)$ http://backend.example.com:8000/$1

The ! directive is useful in situations where you don't want to reverse-proxy a subdirectory.

top

ProxyPassReverse Directive

Description:Adjusts the URL in HTTP response headers sent from a reverse proxied server
Syntax:ProxyPassReverse [path] url [interpolate]
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy

This directive lets Apache adjust the URL in the Location, Content-Location and URI headers on HTTP redirect responses. This is essential when Apache is used as a reverse proxy (or gateway) to avoid by-passing the reverse proxy because of HTTP redirects on the backend servers which stay behind the reverse proxy.

Only the HTTP response headers specifically mentioned above will be rewritten. Apache will not rewrite other response headers, nor will it rewrite URL references inside HTML pages. This means that if the proxied content contains absolute URL references, they will by-pass the proxy. A third-party module that will look inside the HTML and rewrite URL references is Nick Kew's mod_proxy_html.

path is the name of a local virtual path. url is a partial URL for the remote server - the same way they are used for the ProxyPass directive.

For example, suppose the local server has address http://example.com/; then

ProxyPass /mirror/foo/ http://backend.example.com/
ProxyPassReverse /mirror/foo/ http://backend.example.com/
ProxyPassReverseCookieDomain backend.example.com public.example.com
ProxyPassReverseCookiePath / /mirror/foo/

will not only cause a local request for the http://example.com/mirror/foo/bar to be internally converted into a proxy request to http://backend.example.com/bar (the functionality ProxyPass provides here). It also takes care of redirects the server backend.example.com sends: when http://backend.example.com/bar is redirected by him to http://backend.example.com/quux Apache adjusts this to http://example.com/mirror/foo/quux before forwarding the HTTP redirect response to the client. Note that the hostname used for constructing the URL is chosen in respect to the setting of the UseCanonicalName directive.

Note that this ProxyPassReverse directive can also be used in conjunction with the proxy pass-through feature (RewriteRule ... [P]) from mod_rewrite because it doesn't depend on a corresponding ProxyPass directive.

The optional interpolate keyword (available in httpd 2.2.9 and later), used together with ProxyPassInterpolateEnv, enables interpolation of environment variables specified using the format ${VARNAME}.

When used inside a <Location> section, the first argument is omitted and the local directory is obtained from the <Location>.

top

ProxyPassReverseCookieDomain Directive

Description:Adjusts the Domain string in Set-Cookie headers from a reverse- proxied server
Syntax:ProxyPassReverseCookieDomain internal-domain public-domain [interpolate]
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy

Usage is basically similar to ProxyPassReverse, but instead of rewriting headers that are a URL, this rewrites the domain string in Set-Cookie headers.

top

ProxyPassReverseCookiePath Directive

Description:Adjusts the Path string in Set-Cookie headers from a reverse- proxied server
Syntax:ProxyPassReverseCookiePath internal-path public-path [interpolate]
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy

Usage is basically similar to ProxyPassReverse, but instead of rewriting headers that are a URL, this rewrites the path string in Set-Cookie headers.

top

ProxyPreserveHost Directive

Description:Use incoming Host HTTP request header for proxy request
Syntax:ProxyPreserveHost On|Off
Default:ProxyPreserveHost Off
Context:server config, virtual host
Status:Extension
Module:mod_proxy
Compatibility:Available in Apache 2.0.31 and later.

When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.

This option should normally be turned Off. It is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host header needs to be evaluated by the backend server.

top

ProxyReceiveBufferSize Directive

Description:Network buffer size for proxied HTTP and FTP connections
Syntax:ProxyReceiveBufferSize bytes
Default:ProxyReceiveBufferSize 0
Context:server config, virtual host
Status:Extension
Module:mod_proxy

The ProxyReceiveBufferSize directive specifies an explicit (TCP/IP) network buffer size for proxied HTTP and FTP connections, for increased throughput. It has to be greater than 512 or set to 0 to indicate that the system's default buffer size should be used.

Example

ProxyReceiveBufferSize 2048

top

ProxyRemote Directive

Description:Remote proxy used to handle certain requests
Syntax:ProxyRemote match remote-server
Context:server config, virtual host
Status:Extension
Module:mod_proxy

This defines remote proxies to this proxy. match is either the name of a URL-scheme that the remote server supports, or a partial URL for which the remote server should be used, or * to indicate the server should be contacted for all requests. remote-server is a partial URL for the remote server. Syntax:

remote-server = scheme://hostname[:port]

scheme is effectively the protocol that should be used to communicate with the remote server; only http is supported by this module.

Example

ProxyRemote http://goodguys.example.com/ http://mirrorguys.example.com:8000
ProxyRemote * http://cleverproxy.localdomain
ProxyRemote ftp http://ftpproxy.mydomain:8080

In the last example, the proxy will forward FTP requests, encapsulated as yet another HTTP proxy request, to another proxy which can handle them.

This option also supports reverse proxy configuration - a backend webserver can be embedded within a virtualhost URL space even if that server is hidden by another forward proxy.

top

ProxyRemoteMatch Directive

Description:Remote proxy used to handle requests matched by regular expressions
Syntax:ProxyRemoteMatch regex remote-server
Context:server config, virtual host
Status:Extension
Module:mod_proxy

The ProxyRemoteMatch is identical to the ProxyRemote directive, except the first argument is a regular expression match against the requested URL.

top

ProxyRequests Directive

Description:Enables forward (standard) proxy requests
Syntax:ProxyRequests On|Off
Default:ProxyRequests Off
Context:server config, virtual host
Status:Extension
Module:mod_proxy

This allows or prevents Apache from functioning as a forward proxy server. (Setting ProxyRequests to Off does not disable use of the ProxyPass directive.)

In a typical reverse proxy or gateway configuration, this option should be set to Off.

In order to get the functionality of proxying HTTP or FTP sites, you need also mod_proxy_http or mod_proxy_ftp (or both) present in the server.

Warning

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

See also

top

ProxySet Directive

Description:Set various Proxy balancer or member parameters
Syntax:ProxySet url key=value [key=value ...]
Context:directory
Status:Extension
Module:mod_proxy
Compatibility:ProxySet is only available in Apache 2.2 and later.

This directive is used as an alternate method of setting any of the parameters available to Proxy balancers and workers normally done via the ProxyPass directive. If used within a <Proxy balancer url|worker url> container directive, the url argument is not required. As a side effect the respective balancer or worker gets created. This can be useful when doing reverse proxying via a RewriteRule instead of a ProxyPass directive.

<Proxy balancer://hotcluster>
BalancerMember http://www2.example.com:8009 loadfactor=1
BalancerMember http://www3.example.com:8009 loadfactor=2
ProxySet lbmethod=bytraffic
 </Proxy>

<Proxy http://backend>
ProxySet keepalive=On
 </Proxy>

ProxySet balancer://foo lbmethod=bytraffic timeout=15

ProxySet ajp://backend:7001 timeout=15

Warning

Keep in mind that the same parameter key can have a different meaning depending whether it is applied to a balancer or a worker as shown by the two examples above regarding timeout.

top

ProxyStatus Directive

Description:Show Proxy LoadBalancer status in mod_status
Syntax:ProxyStatus Off|On|Full
Default:ProxyStatus Off
Context:server config, virtual host
Status:Extension
Module:mod_proxy
Compatibility:Available in version 2.2 and later

This directive determines whether or not proxy loadbalancer status data is displayed via the mod_status server-status page.

Note

Full is synonymous with On

top

ProxyTimeout Directive

Description:Network timeout for proxied requests
Syntax:ProxyTimeout seconds
Default:Value of Timeout
Context:server config, virtual host
Status:Extension
Module:mod_proxy
Compatibility:Available in Apache 2.0.31 and later

This directive allows a user to specifiy a timeout on proxy requests. This is useful when you have a slow/buggy appserver which hangs, and you would rather just return a timeout and fail gracefully instead of waiting however long it takes the server to return.

top

ProxyVia Directive

Description:Information provided in the Via HTTP response header for proxied requests
Syntax:ProxyVia On|Off|Full|Block
Default:ProxyVia Off
Context:server config, virtual host
Status:Extension
Module:mod_proxy

This directive controls the use of the Via: HTTP header by the proxy. Its intended use is to control the flow of proxy requests along a chain of proxy servers. See RFC 2616 (HTTP/1.1), section 14.45 for an explanation of Via: header lines.

  • If set to Off, which is the default, no special processing is performed. If a request or reply contains a Via: header, it is passed through unchanged.
  • If set to On, each request and reply will get a Via: header line added for the current host.
  • If set to Full, each generated Via: header line will additionally have the Apache server version shown as a Via: comment field.
  • If set to Block, every proxy request will have all its Via: header lines removed. No new Via: header will be generated.
mod/mod_proxy_ajp.html100644 0 0 61772 11256637772 12601 0ustar 0 0 mod_proxy_ajp - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy_ajp

Description:AJP support module for mod_proxy
Status:Extension
Module Identifier:proxy_ajp_module
Source File:mod_proxy_ajp.c
Compatibility:Available in version 2.1 and later

Summary

This module requires the service of mod_proxy. It provides support for the Apache JServ Protocol version 1.3 (hereafter AJP13).

Thus, in order to get the ability of handling AJP13 protocol, mod_proxy and mod_proxy_ajp have to be present in the server.

Warning

Do not enable proxying until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

top

Overview of the protocol

The AJP13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles.

Once a connection is assigned to a particular request, it will not be used for any others until the request-handling cycle has terminated. In other words, requests are not multiplexed over connections. This makes for much simpler code at either end of the connection, although it does cause more connections to be open at once.

Once the web server has opened a connection to the servlet container, the connection can be in one of the following states:

  • Idle
    No request is being handled over this connection.
  • Assigned
    The connecton is handling a specific request.

Once a connection is assigned to handle a particular request, the basic request informaton (e.g. HTTP headers, etc) is sent over the connection in a highly condensed form (e.g. common strings are encoded as integers). Details of that format are below in Request Packet Structure. If there is a body to the request (content-length > 0), that is sent in a separate packet immediately after.

At this point, the servlet container is presumably ready to start processing the request. As it does so, it can send the following messages back to the web server:

  • SEND_HEADERS
    Send a set of headers back to the browser.
  • SEND_BODY_CHUNK
    Send a chunk of body data back to the browser.
  • GET_BODY_CHUNK
    Get further data from the request if it hasn't all been transferred yet. This is necessary because the packets have a fixed maximum size and arbitrary amounts of data can be included the body of a request (for uploaded files, for example). (Note: this is unrelated to HTTP chunked tranfer).
  • END_RESPONSE
    Finish the request-handling cycle.

Each message is accompanied by a differently formatted packet of data. See Response Packet Structures below for details.

top

Basic Packet Structure

There is a bit of an XDR heritage to this protocol, but it differs in lots of ways (no 4 byte alignment, for example).

Byte order: I am not clear about the endian-ness of the individual bytes. I'm guessing the bytes are little-endian, because that's what XDR specifies, and I'm guessing that sys/socket library is magically making that so (on the C side). If anyone with a better knowledge of socket calls can step in, that would be great.

There are four data types in the protocol: bytes, booleans, integers and strings.

Byte
A single byte.
Boolean
A single byte, 1 = true, 0 = false. Using other non-zero values as true (i.e. C-style) may work in some places, but it won't in others.
Integer
A number in the range of 0 to 2^16 (32768). Stored in 2 bytes with the high-order byte first.
String
A variable-sized string (length bounded by 2^16). Encoded with the length packed into two bytes first, followed by the string (including the terminating '\0'). Note that the encoded length does not include the trailing '\0' -- it is like strlen. This is a touch confusing on the Java side, which is littered with odd autoincrement statements to skip over these terminators. I believe the reason this was done was to allow the C code to be extra efficient when reading strings which the servlet container is sending back -- with the terminating \0 character, the C code can pass around references into a single buffer, without copying. if the \0 was missing, the C code would have to copy things out in order to get its notion of a string.

Packet Size

According to much of the code, the max packet size is 8 * 1024 bytes (8K). The actual length of the packet is encoded in the header.

Packet Headers

Packets sent from the server to the container begin with 0x1234. Packets sent from the container to the server begin with AB (that's the ASCII code for A followed by the ASCII code for B). After those first two bytes, there is an integer (encoded as above) with the length of the payload. Although this might suggest that the maximum payload could be as large as 2^16, in fact, the code sets the maximum to be 8K.

Packet Format (Server->Container)
Byte 0 1 2 3 4...(n+3)
Contents 0x12 0x34 Data Length (n) Data
Packet Format (Container->Server)
Byte 0 1 2 3 4...(n+3)
Contents A B Data Length (n) Data

For most packets, the first byte of the payload encodes the type of message. The exception is for request body packets sent from the server to the container -- they are sent with a standard packet header ( 0x1234 and then length of the packet), but without any prefix code after that.

The web server can send the following messages to the servlet container:

Code Type of Packet Meaning
2 Forward Request Begin the request-processing cycle with the following data
7 Shutdown The web server asks the container to shut itself down.
8 Ping The web server asks the container to take control (secure login phase).
10 CPing The web server asks the container to respond quickly with a CPong.
none Data Size (2 bytes) and corresponding body data.

To ensure some basic security, the container will only actually do the Shutdown if the request comes from the same machine on which it's hosted.

The first Data packet is send immediatly after the Forward Request by the web server.

The servlet container can send the following types of messages to the webserver:

Code Type of Packet Meaning
3 Send Body Chunk Send a chunk of the body from the servlet container to the web server (and presumably, onto the browser).
4 Send Headers Send the response headers from the servlet container to the web server (and presumably, onto the browser).
5 End Response Marks the end of the response (and thus the request-handling cycle).
6 Get Body Chunk Get further data from the request if it hasn't all been transferred yet.
9 CPong Reply The reply to a CPing request

Each of the above messages has a different internal structure, detailed below.

top

Request Packet Structure

For messages from the server to the container of type Forward Request:

AJP13_FORWARD_REQUEST :=
    prefix_code      (byte) 0x02 = JK_AJP13_FORWARD_REQUEST
    method           (byte)
    protocol         (string)
    req_uri          (string)
    remote_addr      (string)
    remote_host      (string)
    server_name      (string)
    server_port      (integer)
    is_ssl           (boolean)
    num_headers      (integer)
    request_headers *(req_header_name req_header_value)
    attributes      *(attribut_name attribute_value)
    request_terminator (byte) OxFF

The request_headers have the following structure: 

req_header_name := 
    sc_req_header_name | (string)  [see below for how this is parsed]

sc_req_header_name := 0xA0xx (integer)

req_header_value := (string)

The attributes are optional and have the following structure:

attribute_name := sc_a_name | (sc_a_req_attribute string)

attribute_value := (string)

Not that the all-important header is content-length, because it determines whether or not the container looks for another packet immediately.

Detailed description of the elements of Forward Request

Request prefix

For all requests, this will be 2. See above for details on other Prefix codes.

Method

The HTTP method, encoded as a single byte:

Command NameCode
OPTIONS1
GET2
HEAD3
POST4
PUT5
DELETE6
TRACE7
PROPFIND8
PROPPATCH9
MKCOL10
COPY11
MOVE12
LOCK13
UNLOCK14
ACL15
REPORT16
VERSION-CONTROL17
CHECKIN18
CHECKOUT19
UNCHECKOUT20
SEARCH21
MKWORKSPACE22
UPDATE23
LABEL24
MERGE25
BASELINE_CONTROL26
MKACTIVITY27

Later version of ajp13, will transport additional methods, even if they are not in this list.

protocol, req_uri, remote_addr, remote_host, server_name, server_port, is_ssl

These are all fairly self-explanatory. Each of these is required, and will be sent for every request.

Headers

The structure of request_headers is the following: First, the number of headers num_headers is encoded. Then, a series of header name req_header_name / value req_header_value pairs follows. Common header names are encoded as integers, to save space. If the header name is not in the list of basic headers, it is encoded normally (as a string, with prefixed length). The list of common headers sc_req_header_nameand their codes is as follows (all are case-sensitive):

NameCode valueCode name
accept0xA001SC_REQ_ACCEPT
accept-charset0xA002SC_REQ_ACCEPT_CHARSET
accept-encoding0xA003SC_REQ_ACCEPT_ENCODING
accept-language0xA004SC_REQ_ACCEPT_LANGUAGE
authorization0xA005SC_REQ_AUTHORIZATION
connection0xA006SC_REQ_CONNECTION
content-type0xA007SC_REQ_CONTENT_TYPE
content-length0xA008SC_REQ_CONTENT_LENGTH
cookie0xA009SC_REQ_COOKIE
cookie20xA00ASC_REQ_COOKIE2
host0xA00BSC_REQ_HOST
pragma0xA00CSC_REQ_PRAGMA
referer0xA00DSC_REQ_REFERER
user-agent0xA00ESC_REQ_USER_AGENT

The Java code that reads this grabs the first two-byte integer and if it sees an '0xA0' in the most significant byte, it uses the integer in the second byte as an index into an array of header names. If the first byte is not 0xA0, it assumes that the two-byte integer is the length of a string, which is then read in.

This works on the assumption that no header names will have length greater than 0x9999 (==0xA000 - 1), which is perfectly reasonable, though somewhat arbitrary.

Note:

The content-length header is extremely important. If it is present and non-zero, the container assumes that the request has a body (a POST request, for example), and immediately reads a separate packet off the input stream to get that body.

Attributes

The attributes prefixed with a ? (e.g. ?context) are all optional. For each, there is a single byte code to indicate the type of attribute, and then its value (string or integer). They can be sent in any order (though the C code always sends them in the order listed below). A special terminating code is sent to signal the end of the list of optional attributes. The list of byte codes is:

InformationCode ValueType Of ValueNote
?context0x01-Not currently implemented
?servlet_path0x02-Not currently implemented
?remote_user0x03String
?auth_type0x04String
?query_string0x05String
?jvm_route0x06String
?ssl_cert0x07String
?ssl_cipher0x08String
?ssl_session0x09String
?req_attribute0x0AStringName (the name of the attribute follows)
?ssl_key_size0x0BInteger
are_done0xFF-request_terminator

The context and servlet_path are not currently set by the C code, and most of the Java code completely ignores whatever is sent over for those fields (and some of it will actually break if a string is sent along after one of those codes). I don't know if this is a bug or an unimplemented feature or just vestigial code, but it's missing from both sides of the connection.

The remote_user and auth_type presumably refer to HTTP-level authentication, and communicate the remote user's username and the type of authentication used to establish their identity (e.g. Basic, Digest).

The query_string, ssl_cert, ssl_cipher, and ssl_session refer to the corresponding pieces of HTTP and HTTPS.

The jvm_route, is used to support sticky sessions -- associating a user's sesson with a particular Tomcat instance in the presence of multiple, load-balancing servers.

Beyond this list of basic attributes, any number of other attributes can be sent via the req_attribute code 0x0A. A pair of strings to represent the attribute name and value are sent immediately after each instance of that code. Environment values are passed in via this method.

Finally, after all the attributes have been sent, the attribute terminator, 0xFF, is sent. This signals both the end of the list of attributes and also then end of the Request Packet.

top

Response Packet Structure

for messages which the container can send back to the server.

AJP13_SEND_BODY_CHUNK :=
  prefix_code   3
  chunk_length  (integer)
  chunk        *(byte)
  chunk_terminator (byte) Ox00

AJP13_SEND_HEADERS :=
  prefix_code       4
  http_status_code  (integer)
  http_status_msg   (string)
  num_headers       (integer)
  response_headers *(res_header_name header_value)

res_header_name :=
    sc_res_header_name | (string)   [see below for how this is parsed]

sc_res_header_name := 0xA0 (byte)

header_value := (string)

AJP13_END_RESPONSE :=
  prefix_code       5
  reuse             (boolean)


AJP13_GET_BODY_CHUNK :=
  prefix_code       6
  requested_length  (integer)

Details:

Send Body Chunk

The chunk is basically binary data, and is sent directly back to the browser.

Send Headers

The status code and message are the usual HTTP things (e.g. 200 and OK). The response header names are encoded the same way the request header names are. See header_encoding above for details about how the codes are distinguished from the strings.
The codes for common headers are:

NameCode value
Content-Type0xA001
Content-Language0xA002
Content-Length0xA003
Date0xA004
Last-Modified0xA005
Location0xA006
Set-Cookie0xA007
Set-Cookie20xA008
Servlet-Engine0xA009
Status0xA00A
WWW-Authenticate0xA00B

After the code or the string header name, the header value is immediately encoded.

End Response

Signals the end of this request-handling cycle. If the reuse flag is true (==1), this TCP connection can now be used to handle new incoming requests. If reuse is false (anything other than 1 in the actual C code), the connection should be closed.

Get Body Chunk

The container asks for more data from the request (If the body was too large to fit in the first packet sent over or when the request is chuncked). The server will send a body packet back with an amount of data which is the minimum of the request_length, the maximum send body size (8186 (8 Kbytes - 6)), and the number of bytes actually left to send from the request body.
If there is no more data in the body (i.e. the servlet container is trying to read past the end of the body), the server will send back an empty packet, which is a body packet with a payload length of 0. (0x12,0x34,0x00,0x00)

mod/mod_proxy_balancer.html100644 0 0 41650 11256637772 13567 0ustar 0 0 mod_proxy_balancer - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy_balancer

Description:mod_proxy extension for load balancing
Status:Extension
Module Identifier:proxy_balancer_module
Source File:mod_proxy_balancer.c
Compatibility:Available in version 2.1 and later

Summary

This module requires the service of mod_proxy. It provides load balancing support for HTTP, FTP and AJP13 protocols

Thus, in order to get the ability of load balancing, mod_proxy and mod_proxy_balancer have to be present in the server.

Warning

Do not enable proxying until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

top

Load balancer scheduler algorithm

At present, there are 3 load balancer scheduler algorithms available for use: Request Counting, Weighted Traffic Counting and Pending Request Counting. These are controlled via the lbmethod value of the Balancer definition. See the ProxyPass directive for more information.

top

Example of a balancer configuration

Before we dive into the technical details, here's an example of how you might use mod_proxy_balancer to provide load balancing between two back-end servers:

<Proxy balancer://mycluster>
BalancerMember http://192.168.1.50:80
BalancerMember http://192.168.1.51:80
</Proxy>
ProxyPass /test balancer://mycluster/

top

Request Counting Algorithm

Enabled via lbmethod=byrequests, the idea behind this scheduler is that we distribute the requests among the various workers to ensure that each gets their configured share of the number of requests. It works as follows:

lbfactor is how much we expect this worker to work, or the workers's work quota. This is a normalized value representing their "share" of the amount of work to be done.

lbstatus is how urgent this worker has to work to fulfill its quota of work.

The worker is a member of the load balancer, usually a remote host serving one of the supported protocols.

We distribute each worker's work quota to the worker, and then look which of them needs to work most urgently (biggest lbstatus). This worker is then selected for work, and its lbstatus reduced by the total work quota we distributed to all workers. Thus the sum of all lbstatus does not change(*) and we distribute the requests as desired.

If some workers are disabled, the others will still be scheduled correctly.

for each worker in workers
    worker lbstatus += worker lbfactor
    total factor    += worker lbfactor
    if worker lbstatus > candidate lbstatus
        candidate = worker

candidate lbstatus -= total factor

If a balancer is configured as follows:

worker a b c d
lbfactor 25 25 25 25
lbstatus 0 0 0 0

And b gets disabled, the following schedule is produced:

worker a b c d
lbstatus -50 0 25 25
lbstatus -25 0 -25 50
lbstatus 0 0 0 0
(repeat)

That is it schedules: a c d a c d a c d ... Please note that:

worker a b c d
lbfactor 25 25 25 25

Has the exact same behavior as:

worker a b c d
lbfactor 1 1 1 1

This is because all values of lbfactor are normalized with respect to the others. For:

worker a b c
lbfactor 1 4 1

worker b will, on average, get 4 times the requests that a and c will.

The following asymmetric configuration works as one would expect:

worker a b
lbfactor 70 30
 
lbstatus -30 30
lbstatus 40 -40
lbstatus 10 -10
lbstatus -20 20
lbstatus -50 50
lbstatus 20 -20
lbstatus -10 10
lbstatus -40 40
lbstatus 30 -30
lbstatus 0 0
(repeat)

That is after 10 schedules, the schedule repeats and 7 a are selected with 3 b interspersed.

top

Weighted Traffic Counting Algorithm

Enabled via lbmethod=bytraffic, the idea behind this scheduler is very similar to the Request Counting method, with the following changes:

lbfactor is how much traffic, in bytes, we want this worker to handle. This is also a normalized value representing their "share" of the amount of work to be done, but instead of simply counting the number of requests, we take into account the amount of traffic this worker has seen.

If a balancer is configured as follows:

worker a b c
lbfactor 1 2 1

Then we mean that we want b to process twice the amount of bytes than a or c should. It does not necessarily mean that b would handle twice as many requests, but it would process twice the I/O. Thus, the size of the request and response are applied to the weighting and selection algorithm.

top

Pending Request Counting Algorithm

Enabled via lbmethod=bybusyness, this scheduler keeps track of how many requests each worker is assigned at present. A new request is automatically assigned to the worker with the lowest number of active requests. This is useful in the case of workers that queue incoming requests independently of Apache, to ensure that queue length stays even and a request is always given to the worker most likely to service it fastest.

In the case of multiple least-busy workers, the statistics (and weightings) used by the Request Counting method are used to break the tie. Over time, the distribution of work will come to resemble that characteristic of byrequests.

top

Exported Environment Variables

At present there are 6 environment variables exported:

BALANCER_SESSION_STICKY

This is assigned the stickysession value used in the current request. It is the cookie or parameter name used for sticky sessions

BALANCER_SESSION_ROUTE

This is assigned the route parsed from the current request.

BALANCER_NAME

This is assigned the name of the balancer used for the current request. The value is something like balancer://foo.

BALANCER_WORKER_NAME

This is assigned the name of the worker used for the current request. The value is something like http://hostA:1234.

BALANCER_WORKER_ROUTE

This is assigned the route of the worker that will be used for the current request.

BALANCER_ROUTE_CHANGED

This is set to 1 if the session route does not match the worker route (BALANCER_SESSION_ROUTE != BALANCER_WORKER_ROUTE) or the session does not yet have an established route. This can be used to determine when/if the client needs to be sent an updated route when sticky sessions are used.

top

Enabling Balancer Manager Support

This module requires the service of mod_status. Balancer manager enables dynamic update of balancer members. You can use balancer manager to change the balance factor or a particular member, or put it in the off line mode.

Thus, in order to get the ability of load balancer management, mod_status and mod_proxy_balancer have to be present in the server.

To enable load balancer management for browsers from the example.com domain add this code to your httpd.conf configuration file

<Location /balancer-manager>
SetHandler balancer-manager

Order Deny,Allow
Deny from all
Allow from .example.com
</Location>

You can now access load balancer manager by using a Web browser to access the page http://your.server.name/balancer-manager

mod/mod_proxy_connect.html100644 0 0 6775 11256637772 13442 0ustar 0 0 mod_proxy_connect - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy_connect

Description:mod_proxy extension for CONNECT request handling
Status:Extension
Module Identifier:proxy_connect_module
Source File:mod_proxy_connect.c

Summary

This module requires the service of mod_proxy. It provides support for the CONNECT HTTP method. This method is mainly used to tunnel SSL requests through proxy servers.

Thus, in order to get the ability of handling CONNECT requests, mod_proxy and mod_proxy_connect have to be present in the server.

Warning

Do not enable proxying until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

Directives

This module provides no directives.

See also

mod/mod_proxy_ftp.html100644 0 0 21705 11256637772 12610 0ustar 0 0 mod_proxy_ftp - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy_ftp

Description:FTP support module for mod_proxy
Status:Extension
Module Identifier:proxy_ftp_module
Source File:mod_proxy_ftp.c

Summary

This module requires the service of mod_proxy. It provides support for the proxying FTP sites. Note that FTP support is currently limited to the GET method.

Thus, in order to get the ability of handling FTP proxy requests, mod_proxy and mod_proxy_ftp have to be present in the server.

Warning

Do not enable proxying until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

top

Why doesn't file type xxx download via FTP?

You probably don't have that particular file type defined as application/octet-stream in your proxy's mime.types configuration file. A useful line can be

application/octet-stream   bin dms lha lzh exe class tgz taz

Alternatively you may prefer to default everything to binary:

DefaultType application/octet-stream
top

How can I force an FTP ASCII download of File xxx?

In the rare situation where you must download a specific file using the FTP ASCII transfer method (while the default transfer is in binary mode), you can override mod_proxy's default by suffixing the request with ;type=a to force an ASCII transfer. (FTP Directory listings are always executed in ASCII mode, however.)

top

How can I do FTP upload?

Currently, only GET is supported for FTP in mod_proxy. You can of course use HTTP upload (POST or PUT) through an Apache proxy.

top

How can I access FTP files outside of my home directory?

An FTP URI is interpreted relative to the home directory of the user who is logging in. Alas, to reach higher directory levels you cannot use /../, as the dots are interpreted by the browser and not actually sent to the FTP server. To address this problem, the so called Squid %2f hack was implemented in the Apache FTP proxy; it is a solution which is also used by other popular proxy servers like the Squid Proxy Cache. By prepending /%2f to the path of your request, you can make such a proxy change the FTP starting directory to / (instead of the home directory). For example, to retrieve the file /etc/motd, you would use the URL:

ftp://user@host/%2f/etc/motd

top

How can I hide the FTP cleartext password in my browser's URL line?

To log in to an FTP server by username and password, Apache uses different strategies. In absense of a user name and password in the URL altogether, Apache sends an anonymous login to the FTP server, i.e.,

user: anonymous
password: apache_proxy@

This works for all popular FTP servers which are configured for anonymous access.

For a personal login with a specific username, you can embed the user name into the URL, like in:

ftp://username@host/myfile

If the FTP server asks for a password when given this username (which it should), then Apache will reply with a 401 (Authorization required) response, which causes the Browser to pop up the username/password dialog. Upon entering the password, the connection attempt is retried, and if successful, the requested resource is presented. The advantage of this procedure is that your browser does not display the password in cleartext (which it would if you had used

ftp://username:password@host/myfile

in the first place).

Note

The password which is transmitted in such a way is not encrypted on its way. It travels between your browser and the Apache proxy server in a base64-encoded cleartext string, and between the Apache proxy and the FTP server as plaintext. You should therefore think twice before accessing your FTP server via HTTP (or before accessing your personal files via FTP at all!) When using unsecure channels, an eavesdropper might intercept your password on its way.

mod/mod_proxy_http.html100644 0 0 16672 11256637772 13005 0ustar 0 0 mod_proxy_http - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy_http

Description:HTTP support module for mod_proxy
Status:Extension
Module Identifier:proxy_http_module
Source File:mod_proxy_http.c

Summary

This module requires the service of mod_proxy. It provides the features used for proxying HTTP requests. mod_proxy_http supports HTTP/0.9, HTTP/1.0 and HTTP/1.1. It does not provide any caching abilities. If you want to set up a caching proxy, you might want to use the additional service of the mod_cache module.

Thus, in order to get the ability of handling HTTP proxy requests, mod_proxy and mod_proxy_http have to be present in the server.

Warning

Do not enable proxying until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

Directives

This module provides no directives.

Topics

See also

top

Environment Variables

In addition to the configuration directives that control the behaviour of mod_proxy, there are a number of environment variables that control the HTTP protocol provider:

proxy-sendextracrlf
Causes proxy to send an extra CR-LF newline on the end of a request. This is a workaround for a bug in some browsers.
force-proxy-request-1.0
Forces the proxy to send requests to the backend as HTTP/1.0 and disables HTTP/1.1 features.
proxy-nokeepalive
Forces the proxy to close the backend connection after each request.
proxy-chain-auth
If the proxy requires authentication, it will read and consume the proxy authentication credentials sent by the client. With proxy-chain-auth it will also forward the credentials to the next proxy in the chain. This may be necessary if you have a chain of proxies that share authentication information. Security Warning: Do not set this unless you know you need it, as it forwards sensitive information!
proxy-sendcl
HTTP/1.0 required all HTTP requests that include a body (e.g. POST requests) to include a Content-Length header. This environment variable forces the Apache proxy to send this header to the backend server, regardless of what the Client sent to the proxy. It ensures compatibility when proxying for an HTTP/1.0 or unknown backend. However, it may require the entire request to be buffered by the proxy, so it becomes very inefficient for large requests.
proxy-sendchunks or proxy-sendchunked
This is the opposite of proxy-sendcl. It allows request bodies to be sent to the backend using chunked transfer encoding. This allows the request to be efficiently streamed, but requires that the backend server supports HTTP/1.1.
proxy-interim-response
This variable takes values RFC or Suppress. Earlier httpd versions would suppress HTTP interim (1xx) responses sent from the backend. This is technically a violation of the HTTP protocol. In practice, if a backend sends an interim response, it may itself be extending the protocol in a manner we know nothing about, or just broken. So this is now configurable: set proxy-interim-response RFC to be fully protocol compliant, or proxy-interim-response Suppress to suppress interim responses.
proxy-initial-not-pooled
If this variable is set no pooled connection will be reused if the client connection is an initial connection. This avoids the "proxy: error reading status line from remote server" error message caused by the race condition that the backend server closed the pooled connection after the connection check by the proxy and before data sent by the proxy reached the backend. It has to be kept in mind that setting this variable downgrades performance, especially with HTTP/1.0 clients.
mod/mod_proxy_scgi.html100644 0 0 21726 11256637772 12747 0ustar 0 0 mod_proxy_scgi - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_proxy_scgi

Description:SCGI gateway module for mod_proxy
Status:Extension
Module Identifier:proxy_scgi_module
Source File:mod_proxy_scgi.c
Compatibility:Available in version 2.3 and later

Summary

This module requires the service of mod_proxy. It provides support for the SCGI protocol, version 1.

Thus, in order to get the ability of handling the SCGI protocol, mod_proxy and mod_proxy_scgi have to be present in the server.

Warning

Do not enable proxying until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

top

Examples

Remember, in order to make the following examples work, you have to enable mod_proxy and mod_proxy_scgi.

Simple gateway

ProxyPass /scgi-bin/ scgi://localhost:4000/

The balanced gateway needs mod_proxy_balancer in addition to the already mentioned proxy modules.

Balanced gateway

ProxyPass /scgi-bin/ balancer://somecluster/
<Proxy balancer://somecluster/>
BalancerMember scgi://localhost:4000/
BalancerMember scgi://localhost:4001/
 </Proxy>

top

ProxySCGIInternalRedirect Directive

Description:Enable or disable internal redirect responses from the backend
Syntax:ProxySCGIInternalRedirect On|Off
Default:ProxySCGIInternalRedirect On
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy_scgi

The ProxySCGIInternalRedirect enables the backend to internally redirect the gateway to a different URL. This feature origins in mod_cgi, which internally redirects the response, if the response status is OK (200) and the response contains a Location header and its value starts with a slash (/). This value is interpreted as a new local URL the apache internally redirects to.

mod_proxy_scgi does the same as mod_cgi in this regard, except that you can turn off the feature.

Example

ProxySCGIInternalRedirect Off

top

ProxySCGISendfile Directive

Description:Enable evaluation of X-Sendfile pseudo response header
Syntax:ProxySCGISendfile On|Off|Headername
Default:ProxySCGISendfile Off
Context:server config, virtual host, directory
Status:Extension
Module:mod_proxy_scgi

The ProxySCGISendfile directive enables the SCGI backend to let files serve directly by the gateway. This is useful performance purposes -- the httpd can use sendfile or other optimizations, which are not possible if the file comes over the backend socket.

The ProxySCGISendfile argument determines the gateway behaviour:

Off
No special handling takes place.
On
The gateway looks for a backend response header called X-Sendfile and interprets the value as filename to serve. The header is removed from the final response headers. This is equivalent to ProxySCGIRequest X-Sendfile.
anything else
Similar to On, but instead of the hardcoded header name the argument is applied as header name.

Example

# Use the default header (X-Sendfile)
ProxySCGISendfile On

# Use a different header
ProxySCGISendfile X-Send-Static

mod/mod_rewrite.html100644 0 0 233473 11256637772 12266 0ustar 0 0 mod_rewrite - Apache HTTP Server

Modules | Directives | FAQ | Glossary | Sitemap

Apache HTTP Server Version 2.2

<-

Apache Module mod_rewrite

Description:Provides a rule-based rewriting engine to rewrite requested URLs on the fly
Status:Extension
Module Identifier:rewrite_module
Source File:mod_rewrite.c
Compatibility:Available in Apache 1.3 and later

Summary

This module uses a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly. It supports an unlimited number of rules and an unlimited number of attached rule conditions for each rule, to provide a really flexible and powerful URL manipulation mechanism. The URL manipulations can depend on various tests, of server variables, environment variables, HTTP headers, or time stamps. Even external database lookups in various formats can be used to achieve highly granular URL matching.

This module operates on the full URLs (including the path-info part) both in per-server context (httpd.conf) and per-directory context (.htaccess) and can generate query-string parts on result. The rewritten result can lead to internal sub-processing, external request redirection or even to an internal proxy throughput.

Further details, discussion, and examples, are provided in the detailed mod_rewrite documentation.

top

Quoting Special Characters

As of Apache 1.3.20, special characters in TestString and Substitution strings can be escaped (that is, treated as normal characters without their usual special meaning) by prefixing them with a slash ('\') character. In other words, you can include an actual dollar-sign character in a Substitution string by using '\$'; this keeps mod_rewrite from trying to treat it as a backreference.

top

Environment Variables

This module keeps track of two additional (non-standard) CGI/SSI environment variables named SCRIPT_URL and SCRIPT_URI. These contain the logical Web-view to the current resource, while the standard CGI/SSI variables SCRIPT_NAME and SCRIPT_FILENAME contain the physical System-view.

Notice: These variables hold the URI/URL as they were initially requested, that is, before any rewriting. This is important to note because the rewriting process is primarily used to rewrite logical URLs to physical pathnames.

Example

SCRIPT_NAME=/sw/lib/w3s/tree/global/u/rse/.www/index.html
SCRIPT_FILENAME=/u/rse/.www/index.html
SCRIPT_URL=/u/rse/
SCRIPT_URI=http://en1.engelschall.com/u/rse/
top

Rewriting in Virtual Hosts

By default, mod_rewrite configuration settings from the main server context are not inherited by virtual hosts. To make the main server settings apply to virtual hosts, you must place the following directives in each <VirtualHost> section:

RewriteEngine On
RewriteOptions Inherit

top

Practical Solutions

For numerous examples of common, and not-so-common, uses for mod_rewrite, see the Rewrite Guide, and the Advanced Rewrite Guide documents.

top

RewriteBase Directive

Description:Sets the base URL for per-directory rewrites
Syntax:RewriteBase URL-path
Default:See usage for information.
Context:directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_rewrite

The RewriteBase directive explicitly sets the base URL for per-directory rewrites. As you will see below, RewriteRule can be used in per-directory config files (.htaccess). In such a case, it will act locally, stripping the local directory prefix before processing, and applying rewrite rules only to the remainder. When processing is complete, the prefix is automatically added back to the path. The default setting is; RewriteBase physical-directory-path

When a substitution occurs for a new URL, this module has to re-inject the URL into the server processing. To be able to do this it needs to know what the corresponding URL-prefix or URL-base is. By default this prefix is the corresponding filepath itself. However, for most websites, URLs are NOT directly related to physical filename paths, so this assumption will often be wrong! Therefore, you can use the RewriteBase directive to specify the correct URL-prefix.

If your webserver's URLs are not directly related to physical file paths, you will need to use RewriteBase in every .htaccess file where you want to use RewriteRule directives.

For example, assume the following per-directory config file:

#
#  /abc/def/.htaccess -- per-dir config file for directory /abc/def
#  Remember: /abc/def is the physical path of /xyz, i.e., the server
#            has a 'Alias /xyz /abc/def' directive e.g.
#

RewriteEngine On

#  let the server know that we were reached via /xyz and not
#  via the physical path prefix /abc/def
RewriteBase   /xyz

#  now the rewriting rules
RewriteRule   ^oldstuff\.html$  newstuff.html

In the above example, a request to /xyz/oldstuff.html gets correctly rewritten to the physical file /abc/def/newstuff.html.

For Apache Hackers

The following list gives detailed information about the internal processing steps:

Request:
  /xyz/oldstuff.html

Internal Processing:
  /xyz/oldstuff.html     -> /abc/def/oldstuff.html  (per-server Alias)
  /abc/def/oldstuff.html -> /abc/def/newstuff.html  (per-dir    RewriteRule)
  /abc/def/newstuff.html -> /xyz/newstuff.html      (per-dir    RewriteBase)
  /xyz/newstuff.html     -> /abc/def/newstuff.html  (per-server Alias)

Result:
  /abc/def/newstuff.html

This seems very complicated, but is in fact correct Apache internal processing. Because the per-directory rewriting comes late in the process, the rewritten request has to be re-injected into the Apache kernel, as if it were a new request. (See mod_rewrite technical details.) This is not the serious overhead it may seem to be - this re-injection is completely internal to the Apache server (and the same procedure is used by many other operations within Apache).

top

RewriteCond Directive

Description:Defines a condition under which rewriting will take place
Syntax: RewriteCond TestString CondPattern
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Extension
Module:mod_rewrite

The RewriteCond directive defines a rule condition. One or more RewriteCond can precede a RewriteRule directive. The following rule is then only used if both the current state of the URI matches its pattern, and if these conditions are met.

TestString is a string which can contain the following expanded constructs in addition to plain text:

  • RewriteRule backreferences: These are backreferences of the form $N (0 <= N <= 9), which provide access to the grouped parts (in parentheses) of the pattern, from the RewriteRule which is subject to the current set of RewriteCond conditions..
  • RewriteCond backreferences: These are backreferences of the form %N (1 <= N <= 9), which provide access to the grouped parts (again, in parentheses) of the pattern, from the last matched RewriteCond in the current set of conditions.
  • RewriteMap expansions: These are expansions of the form ${mapname:key|default}. See the documentation for RewriteMap for more details.
  • Server-Variables: These are variables of the form %{ NAME_OF_VARIABLE } where NAME_OF_VARIABLE can be