summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorHenning Brauer <henning@cvs.openbsd.org>2003-11-17 18:57:07 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2003-11-17 18:57:07 +0000
commit66021c48874d524af4d9b1d5807a8e1f3078980b (patch)
tree7ccfcbbc9e45e270b42b5fb132dc6a8f8ad371fb /usr.sbin
parented5b84743439c7f38484022cbfbb2552141d51fc (diff)
merge apache 1.3.29 and mod_ssl 2.8.16
ok brad@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/httpd/Announcement125
-rw-r--r--usr.sbin/httpd/INSTALL32
-rw-r--r--usr.sbin/httpd/conf/httpd.conf-dist47
-rw-r--r--usr.sbin/httpd/conf/mime.types2
-rw-r--r--usr.sbin/httpd/htdocs/manual/cygwin.html6
-rw-r--r--usr.sbin/httpd/htdocs/manual/howto/ssi.html.ja.jis13
-rw-r--r--usr.sbin/httpd/htdocs/manual/install-tpf.html23
-rw-r--r--usr.sbin/httpd/htdocs/manual/install.html.en8
-rw-r--r--usr.sbin/httpd/htdocs/manual/install.html.html8
-rw-r--r--usr.sbin/httpd/htdocs/manual/install.html.ja.jis12
-rw-r--r--usr.sbin/httpd/htdocs/manual/misc/API.html2
-rw-r--r--usr.sbin/httpd/htdocs/manual/misc/FAQ.html3861
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/core.html.en48
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/core.html.html48
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/directives.html.ja.jis7
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_access.html.en8
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_access.html.html8
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html118
-rw-r--r--usr.sbin/httpd/htdocs/manual/windows.html.en14
-rw-r--r--usr.sbin/httpd/htdocs/manual/windows.html.ja.jis18
-rw-r--r--usr.sbin/httpd/src/CHANGES44
-rw-r--r--usr.sbin/httpd/src/CHANGES.SSL24
-rw-r--r--usr.sbin/httpd/src/Configure4
-rw-r--r--usr.sbin/httpd/src/include/httpd.h4
-rw-r--r--usr.sbin/httpd/src/main/alloc.c10
-rw-r--r--usr.sbin/httpd/src/main/buff.c21
-rw-r--r--usr.sbin/httpd/src/main/http_core.c4
-rw-r--r--usr.sbin/httpd/src/main/http_main.c22
-rw-r--r--usr.sbin/httpd/src/main/http_request.c8
-rw-r--r--usr.sbin/httpd/src/main/rfc1413.c53
-rw-r--r--usr.sbin/httpd/src/modules/proxy/proxy_ftp.c58
-rw-r--r--usr.sbin/httpd/src/modules/ssl/Makefile.tmpl2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/Makefile.win322
-rw-r--r--usr.sbin/httpd/src/modules/ssl/libssl.module2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/libssl.version2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.c4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.h2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c4
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c21
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c5
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_expr.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_expr.h2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_scache.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util_table.c2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_util_table.h2
-rw-r--r--usr.sbin/httpd/src/modules/standard/mod_include.c2
-rw-r--r--usr.sbin/httpd/src/modules/standard/mod_mime.c4
-rw-r--r--usr.sbin/httpd/src/modules/standard/mod_usertrack.c74
-rw-r--r--usr.sbin/httpd/src/support/ab.c16
-rw-r--r--usr.sbin/httpd/src/support/dbmmanage2
-rw-r--r--usr.sbin/httpd/src/support/suexec.c1
72 files changed, 622 insertions, 4233 deletions
diff --git a/usr.sbin/httpd/Announcement b/usr.sbin/httpd/Announcement
index 2a5adacea8a..08a4435f588 100644
--- a/usr.sbin/httpd/Announcement
+++ b/usr.sbin/httpd/Announcement
@@ -1,59 +1,44 @@
- Apache 1.3.28 Released
+ Apache HTTP Server 1.3.29 Released
- The Apache Software Foundation and The Apache Server Project are
- pleased to announce the release of version 1.3.28 of the Apache HTTP
- Server. This Announcement notes the significant changes in 1.3.28
- as compared to 1.3.27.
+ The Apache Software Foundation and The Apache HTTP Server Project are
+ pleased to announce the release of version 1.3.29 of the Apache HTTP
+ Server ("Apache"). This Announcement notes the significant changes
+ in 1.3.29 as compared to 1.3.28. The Announcement is also available
+ in German from http://www.apache.org/dist/httpd/Announcement.html.de.
This version of Apache is principally a bug and security fix release.
A partial summary of the bug fixes is given at the end of this document.
A full listing of changes can be found in the CHANGES file. Of
- particular note is that 1.3.28 addresses and fixes 3 potential
- security issues:
+ particular note is that 1.3.29 addresses and fixes 1 potential
+ security issue:
- o CAN-2003-0460 (cve.mitre.org): Fix the rotatelogs support program on
- Win32 and OS/2 to ignore special control characters received over the
- pipe. Previously such characters could cause it to quit logging and
- exit. We would like to thank the Hitachi Incident Response team for
- their responsible disclosure of this issue.
+ o CAN-2003-0542 (cve.mitre.org)
+ Fix buffer overflows in mod_alias and mod_rewrite which occurred if
+ one configured a regular expression with more than 9 captures.
- o VU#379828 : The server could crash when going into an infinite loop
- due to too many subsequent internal redirects and nested subrequests.
-
- o Eliminated leaks of several file descriptors to child processes, such
- as CGI scripts.
-
- We consider Apache 1.3.28 to be the best version of Apache 1.3 available
+ We consider Apache 1.3.29 to be the best version of Apache 1.3 available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.
- Apache 1.3.28 is available for download from
+ Apache 1.3.29 is available for download from:
http://httpd.apache.org/download.cgi
- - or -
- http://www.apache.org/dist/httpd/
-
- Please see the CHANGES_1.3 file in the same directory for a full list
- of changes.
-
- Binary distributions are available from
- http://www.apache.org/dist/httpd/binaries/
-
- The source and binary distributions are also available via any of the
- mirrors listed at
+ This service utilizes the network of mirrors listed at:
http://www.apache.org/mirrors/
+ Please consult the CHANGES_1.3 file for a full list of changes.
+
As of Apache 1.3.12 binary distributions contain all standard Apache
modules as shared objects (if supported by the platform) and include
full source code. Installation is easily done by executing the
included install script. See the README.bindist and INSTALL.bindist
files for a complete explanation. Please note that the binary
distributions are only provided for your convenience and current
- distributions for specific platforms are not always available. Win32
+ distributions for specific platforms are not always available. Win32
binary distributions are based on the Microsoft Installer (.MSI)
technology. While development continues to make this installation method
more robust, questions should be directed to the
@@ -66,7 +51,7 @@
In general, Apache 1.3 offers several substantial improvements over
version 1.2, including better performance, reliability and a wider
range of supported platforms, including Windows NT and 2000 (which
- fall under the "Win32" label), OS2, Netware, and TPE threaded
+ fall under the "Win32" label), OS2, Netware, and TPF threaded
platforms.
Apache is the most popular web server in the known universe; over half
@@ -74,7 +59,7 @@
variants.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
- variants. While the ports to non-Unix platforms (such as Win32, Netware
+ variants. While the ports to non-Unix platforms (such as Win32, Netware
or OS2) are of an acceptable quality, Apache 1.3 is not optimized for
these platforms. Security, stability, or performance issues on these
non-Unix ports do not generally apply to the Unix version, due to
@@ -86,64 +71,38 @@
Apache 2.0 for better performance, stability and security on their
platforms.
- Apache 1.3.28 Major changes
+ Apache 1.3.29 Major changes
Security vulnerabilities
- * CAN-2003-0460 (cve.mitre.org): Fix the rotatelogs support program on
- Win32 and OS/2 to ignore special control characters received over the
- pipe. Previously such characters could cause it to quit logging and
- exit. We would like to thank the Hitachi Incident Response team for
- their responsible disclosure of this issue.
-
- * VU#379828 : The server could crash when going into an infinite loop
- due to too many subsequent internal redirects and nested subrequests.
-
- * Eliminated leaks of several file descriptors to child processes, such
- as CGI scripts.
+ * CAN-2003-0542 (cve.mitre.org)
+ Fix buffer overflows in mod_alias and mod_rewrite which occurred if
+ one configured a regular expression with more than 9 captures.
New features
- The main new features in 1.3.28 (compared to 1.3.27) are:
-
- * Added new ap_register_cleanup_ex() API function which allows
- for a "magic" cleanup function to be run at register time
- rather than at cleanup time.
-
- * Improvements to mod_usertrack that allows for a regular (verbose)
- as well as "compact" version of the tracking cookie (the new
- 'CookieFormat' directive), and the ability to prepend a string
- to the cookie via the 'CookiePrefix' directive.
-
New features that relate to specific platforms:
- * Introduce Win32 .pdb diagnostic symbols into the Apache 1.3 build
- (as created in Apache 2.0.45 and later.) which akes debugging and
- analysis of crash dumps and Dr. Watson logs trivial.
-
- * AIX: Change the default accept mechanism from pthread back to
- fcntl.
+ * Enabled RFC1413 ident functionality for both Win32 and
+ NetWare platforms. This also included an alternate thread safe
+ implementation of the socket timout functionality when querying
+ the identd daemon.
Bugs fixed
- The following noteworthy bugs were found in Apache 1.3.27 (or earlier)
- and have been fixed in Apache 1.3.28:
-
- * Make sure the accept mutex is released before calling child exit
- hooks and cleanups.
-
- * Fix mod_rewrite's handling of absolute URIs. The escaping routines
- now work scheme dependent and the query string will only be
- appended if supported by the particular scheme.
-
- * Prevent obscenely large values of precision in ap_vformatter
- from clobbering a buffer.
-
- * Update timeout algorithm in free_proc_chain. If a subprocess
- did not exit immediately, the thread would sleep for 3 seconds
- before checking the subprocess exit status again. In a very
- common case when the subprocess was an HTTP server CGI script,
- the CGI script actually exited a fraction of a second into the 3
- second sleep, which effectively limited the server to serving one
- CGI request every 3 seconds across a persistent connection.
+ The following noteworthy bugs were found in Apache 1.3.28 (or earlier)
+ and have been fixed in Apache 1.3.29:
+
+ * Within ap_bclose(), ap_pclosesocket() is now called consistently
+ for sockets and ap_pclosef() for files. Also, closesocket()
+ is used consistenly to close socket fd's. The previous
+ confusion between socket and file fd's would cause problems
+ with some applications now that we proactively close fd's to
+ prevent leakage. PR 22805.
+
+ * Fixed mod_usertrack to not get false positive matches on the
+ user-tracking cookie's name. PR 16661.
+
+ * Prevent creation of subprocess Zombies when using CGI wrappers
+ such as suEXEC and cgiwrap. PR 21737.
diff --git a/usr.sbin/httpd/INSTALL b/usr.sbin/httpd/INSTALL
index a02df5c15f7..767a0df3f07 100644
--- a/usr.sbin/httpd/INSTALL
+++ b/usr.sbin/httpd/INSTALL
@@ -213,16 +213,20 @@
whether these paths contain ``apache'' or not. Although the
defaults were defined with experience in mind you always should
make sure the paths fit your situation by checking the finally
- chosen paths via the --layout option.
+ chosen paths via the --show-layout option.
Use the --with-layout=[F:]ID option to select a particular installation
- path base-layout. You always _HAVE_ to select a base-layout. There are
- currently two layouts pre-defined in the file config.layout: `Apache' for
- the classical Apache path layout and `GNU' for a path layout conforming
- to the GNU `standards' document. When you want to use your own custom
- layout FOO, either add a corresponding "<Layout FOO>...</Layout>" section
- to config.layout and use --with-layout=FOO or place it into your own
- file, say config.mypaths, and use --with-layout=config.mypaths:FOO.
+ path base-layout. There are many layouts pre-defined in the file
+ config.layout. Except on MacOS(X) configure defaults to the `Apache'
+ classical path layout. You can get an overview of the existing layouts
+ by using the command:
+
+ grep "^<Layout" config.layout
+
+ When you want to use your own custom layout FOO, either add a
+ corresponding "<Layout FOO>...</Layout>" section to config.layout and
+ use --with-layout=FOO or place it into your own file, say config.mypaths,
+ and use --with-layout=config.mypaths:FOO.
Use the --show-layout option to check the final installation path layout
while fiddling with the options above.
@@ -239,9 +243,9 @@
outside the Apache source tree, for instance /path/to/mod_foo.c, or a
path to an already existing C source code file in src/modules/extra/, such
as src/modules/extra/mod_foo.c, in which case no copying will be done.
- The added module this is way is automatically activated and enabled. Use
- this option to automatically include a simple third-party module to the
- Apache build process.
+ The added module is automatically activated and enabled. Use this option
+ to automatically include a simple third-party module to the Apache build
+ process.
Use the --activate-module=FILE option to add an entry for an existing
module object or library file into the configuration file on-the-fly.
@@ -517,8 +521,8 @@
o If you want to be informed about new code releases, bug fixes,
security fixes, general news and information about the Apache server
- subscribe to the apache-announce mailing list as described under
- http://www.apache.org/announcelist.html
+ subscribe to the announcements mailing list as described under
+ http://httpd.apache.org/lists.html#http-announce
o If you want freely available support for running Apache please join the
Apache user community by subscribing at least to the following USENET
@@ -531,7 +535,7 @@
o If you have a concrete bug report for Apache please go to the
Apache Group Bug Database and submit your report:
- http://www.apache.org/bug_report.html
+ http://httpd.apache.org/bug_report.html
o If you want to participate in actively developing Apache please
subscribe to the `dev@httpd.apache.org' mailing list as described at
diff --git a/usr.sbin/httpd/conf/httpd.conf-dist b/usr.sbin/httpd/conf/httpd.conf-dist
index 048baafa92a..fb4ac86a19e 100644
--- a/usr.sbin/httpd/conf/httpd.conf-dist
+++ b/usr.sbin/httpd/conf/httpd.conf-dist
@@ -280,7 +280,7 @@ ServerAdmin you@your.address
# machine always knows itself by this address. If you use Apache strictly for
# local testing and development, you may use 127.0.0.1 as the server name.
#
-#ServerName new.host.name
+#ServerName www.example.com
#
# DocumentRoot: The directory out of which you will serve your
@@ -851,7 +851,7 @@ ServerSignature On
# N.B.: You can redirect to a script or a document using server-side-includes.
#
# 3) external redirects
-#ErrorDocument 402 http://some.other-server.com/subscription_info.html
+#ErrorDocument 402 http://www.example.com/subscription_info.html
# N.B.: Many of the environment variables associated with the original
# request will *not* be available to such a script.
@@ -885,25 +885,25 @@ ServerSignature On
#
# Allow server status reports, with the URL of http://servername/server-status
-# Change the ".your-domain.com" to match your domain to enable.
+# Change the ".example.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
-# Allow from .your-domain.com
+# Allow from .example.com
#</Location>
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
-# Change the ".your-domain.com" to match your domain to enable.
+# Change the ".example.com" to match your domain to enable.
#
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
-# Allow from .your-domain.com
+# Allow from .example.com
#</Location>
#
@@ -918,41 +918,6 @@ ServerSignature On
# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>
-#
-# Proxy Server directives. Uncomment the following lines to
-# enable the proxy server:
-#
-#<IfModule mod_proxy.c>
-# ProxyRequests On
-
-# <Directory proxy:*>
-# Order deny,allow
-# Deny from all
-# Allow from .your-domain.com
-# </Directory>
-
- #
- # Enable/disable the handling of HTTP/1.1 "Via:" headers.
- # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
- # Set to one of: Off | On | Full | Block
- #
-# ProxyVia On
-
- #
- # To enable the cache as well, edit and uncomment the following lines:
- # (no cacheing without CacheRoot)
- #
-# CacheRoot "@@ServerRoot@@/proxy"
-# CacheSize 5
-# CacheGcInterval 4
-# CacheMaxExpire 24
-# CacheLastModifiedFactor 0.1
-# CacheDefaultExpire 1
-# NoCache a-domain.com another-domain.edu joes.garage-sale.com
-
-#</IfModule>
-# End of proxy directives.
-
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
diff --git a/usr.sbin/httpd/conf/mime.types b/usr.sbin/httpd/conf/mime.types
index c137c4b14c9..30ac6f9705c 100644
--- a/usr.sbin/httpd/conf/mime.types
+++ b/usr.sbin/httpd/conf/mime.types
@@ -243,7 +243,7 @@ application/vnd.motorola.flexsuite.gotap
application/vnd.motorola.flexsuite.kmr
application/vnd.motorola.flexsuite.ttc
application/vnd.motorola.flexsuite.wem
-application/vnd.mozilla.xul+xml
+application/vnd.mozilla.xul+xml xul
application/vnd.ms-artgalry
application/vnd.ms-asf
application/vnd.ms-excel xls
diff --git a/usr.sbin/httpd/htdocs/manual/cygwin.html b/usr.sbin/httpd/htdocs/manual/cygwin.html
index cf134065896..8bc9ac08415 100644
--- a/usr.sbin/httpd/htdocs/manual/cygwin.html
+++ b/usr.sbin/httpd/htdocs/manual/cygwin.html
@@ -181,7 +181,7 @@
DocumentRoot "/usr/local/apache/htdocs"
</pre>
- <p><strong>What about performance?</strong><br/>
+ <p><strong>What about performance?</strong><br />
Apache for Cygwin is not as high-performance as Apache for
Windows on the same hardware.</p>
@@ -222,10 +222,10 @@
The site lists the current release, any more recent development
versions, and information on any mirror sites.</p>
- <p><strong>What about Cygwin Net Distribution binaries?</strong><br/>
+ <p><strong>What about Cygwin Net Distribution binaries?</strong><br />
Apache for Cygwin is also available as pre-compiled binary
package for the Cygwin Net Distribution available at
- <href="http://www.cygwin.com">http://www.cygwin.com</a> and it's
+ <a href="http://www.cygwin.com/">http://www.cygwin.com/</a> and it's
<a href="http://www.cygwin.com/setup.exe"><code>setup.exe</code></a>
installation process.</p>
diff --git a/usr.sbin/httpd/htdocs/manual/howto/ssi.html.ja.jis b/usr.sbin/httpd/htdocs/manual/howto/ssi.html.ja.jis
index 536257637c9..3273f9a7630 100644
--- a/usr.sbin/httpd/htdocs/manual/howto/ssi.html.ja.jis
+++ b/usr.sbin/httpd/htdocs/manual/howto/ssi.html.ja.jis
@@ -7,7 +7,7 @@
<title>Apache $B%A%e!<%H%j%"%k(B: Server Side Includes $BF~Lg(B</title>
</head>
- <!-- English revision: 1.11 -->
+ <!-- English revision: 1.14 -->
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body bgcolor="#ffffff" text="#000000" link="#0000ff"
@@ -112,11 +112,6 @@
</tr>
</table>
- <p>$B$3$NJ8=q$O:G=i!"(BApache Today (http://www.apachetoday.com/)
- $B$K;02s$NO":\5-;v$H$7$F7G:\$5$l$^$7$?!#$3$3$G$O!"(BApcheToday $B$H(B
- Internet.com $B$H$N6(Dj$K$h$j:\$;$F$$$^$9!#(B
- </p>
-
<p>$B$3$N5-;v$O!"DL>o$OC1$K(B SSI $B$H8F$P$l$k(B Server Side Includes
$B$r07$$$^$9!#$3$N5-;v$K$*$$$F$O!"%5!<%P$G$N(B SSI $B$r5v2D$9$k$?$a$N@_Dj$H!"(B
$B8=:_$N(B HTML $B%Z!<%8$KF0E*$J%3%s%F%s%D$r2C$($k$?$a$N$$$/$D$+$N4pK\E*$J(B
@@ -149,8 +144,10 @@
name="configuringyourservertopermitssi">SSI
$B$r5v2D$9$k$?$a$N%5!<%P$N@_Dj(B</a></h2>
- <p>$B%5!<%P$G(B SSI $B$r5v2D$9$k$K$O!"(B<code>httpd.conf</code>
- $B%U%!%$%k$^$?$O(B <code>.htaccess</code>
+ <p>$B%5!<%P$G(B SSI $B$r5v2D$9$k$K$O!"(B<a
+ href="../mod/mod_include.html">mod_include</a>
+ $B$r%$%s%9%H!<%k!"M-8z2=$9$kI,MW$,$"$j$^$9!#$5$i$K!"(B
+ <code>httpd.conf</code> $B%U%!%$%k$^$?$O(B <code>.htaccess</code>
$B%U%!%$%k$K<!$N%G%#%l%/%F%#%V$r;XDj$9$kI,MW$,$"$j$^$9(B:</p>
<pre>
Options +Includes
diff --git a/usr.sbin/httpd/htdocs/manual/install-tpf.html b/usr.sbin/httpd/htdocs/manual/install-tpf.html
index 06ee1972305..604ca4866e4 100644
--- a/usr.sbin/httpd/htdocs/manual/install-tpf.html
+++ b/usr.sbin/httpd/htdocs/manual/install-tpf.html
@@ -119,7 +119,7 @@
<li><b><tt>cd&nbsp;apache_1.3.<em>xx</em>/src/lib</tt></b></li>
<li><b><tt>rm&nbsp;-r&nbsp;expat-lite&nbsp;sdbm</tt></b></li>
<li><b><tt>cd&nbsp;../os</tt></b></li>
- <li><b><tt>rm&nbsp;-r&nbsp;bs2000&nbsp;cygwin&nbsp;mpeix&nbsp;netware&nbsp;os2&nbsp;os390&nbsp;win32</tt></b></li>
+ <li><b><tt>rm -fr bs2000 cygwin mpeix netware os2 os390 unix win32</tt></b></li>
<li><b><tt>cd&nbsp;..</tt></b></li>
</ul>
&nbsp;
@@ -369,6 +369,7 @@
+ configured for TPF platform
+ setting C compiler to c89
+ setting C pre-processor to c89 -E
+ + using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
+ checking sizeof various data types
@@ -462,20 +463,13 @@
<ul>
<li>
- The following two compilation warnings may or may not occur.
- They should be ignored:<br />
- <br />
- util_uri.c:&nbsp;&nbsp;&nbsp;<tt>Function argument
- assignment between types "unsigned char*" and "const
- unsigned char*" is not allowed.</tt>
- <br />
+ The following compilation warning may or may not occur.
+ It should be ignored:<br />
<br />
main/http_main.c:&nbsp;&nbsp;&nbsp;
<tt>Infinite loop detected in function child_main.
Program may not stop.</tt>
<br />
- <br />
-
</li>
<li>If during compilation you get a warning about a
@@ -598,14 +592,12 @@
<li>
Using either TFTP or FTP, transfer the configuration file,
icons, and web pages to your TPF system. A typical
- directory structure for Apache is as follows:<br />
-<pre>
-<tt> /usr/local/apache/conf
+ directory structure for Apache is as follows:
+<pre><tt> /usr/local/apache/conf
/usr/local/apache/logs
/usr/local/apache/icons
/usr/local/apache/htdocs
-</tt>
-</pre>
+</tt></pre>
All gif, jpg, and zip files should be transferred as
binary; the configuration file and html pages should be
transferred as text.&nbsp;<br />
@@ -670,7 +662,6 @@
<tt><b>http://<i>xx.xx.xx.xx</i></b></tt>
&nbsp;&nbsp;&nbsp;(where <i>xx.xx.xx.xx</i> is your IP
address)</li>
-
</ol>
<a id="visualage" name="visualage"></a>
diff --git a/usr.sbin/httpd/htdocs/manual/install.html.en b/usr.sbin/httpd/htdocs/manual/install.html.en
index 207d64ca5c5..67558688dd0 100644
--- a/usr.sbin/httpd/htdocs/manual/install.html.en
+++ b/usr.sbin/httpd/htdocs/manual/install.html.en
@@ -56,13 +56,7 @@
<h2><a id="download" name="download">Downloading Apache</a></h2>
<p>You may download the latest version of Apache either directly from the
- Apache web site, at <a
- href="http://www.apache.org/dist/httpd/">http://www.apache.org/dist/httpd/</a>,
- or from one of the many mirror sites, listed at <a
- href="http://www.apache.org/dyn/closer.cgi">http://www.apache.org/dyn/closer.cgi</a>.
- These sites will list the current release, and more recent beta releases,
- and have links to older versions, and binary distributions for a variety
- of platforms.</p>
+ <a href="http://httpd.apache.org/download.cgi">Download Page</a>.</p>
<h2><a id="intro" name="intro">Introduction</a></h2>
diff --git a/usr.sbin/httpd/htdocs/manual/install.html.html b/usr.sbin/httpd/htdocs/manual/install.html.html
index 3352a08fbed..256b94a71ad 100644
--- a/usr.sbin/httpd/htdocs/manual/install.html.html
+++ b/usr.sbin/httpd/htdocs/manual/install.html.html
@@ -58,13 +58,7 @@
<h2><a id="download" name="download">Downloading Apache</a></h2>
<p>You may download the latest version of Apache either directly from the
- Apache web site, at <a
- href="http://www.apache.org/dist/httpd/">http://www.apache.org/dist/httpd/</a>,
- or from one of the many mirror sites, listed at <a
- href="http://www.apache.org/dyn/closer.cgi">http://www.apache.org/dyn/closer.cgi</a>.
- These sites will list the current release, and more recent beta releases,
- and have links to older versions, and binary distributions for a variety
- of platforms.</p>
+ <a href="http://httpd.apache.org/download.cgi">Download Page</a>.</p>
<h2><a id="intro" name="intro">Introduction</a></h2>
diff --git a/usr.sbin/httpd/htdocs/manual/install.html.ja.jis b/usr.sbin/httpd/htdocs/manual/install.html.ja.jis
index 70eff7bbd66..26170b179bf 100644
--- a/usr.sbin/httpd/htdocs/manual/install.html.ja.jis
+++ b/usr.sbin/httpd/htdocs/manual/install.html.ja.jis
@@ -7,7 +7,7 @@
<title>Compiling and Installing Apache</title>
</head>
- <!-- English revision: 1.39 -->
+ <!-- English revision: 1.40 -->
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#000080"
alink="#ff0000">
@@ -56,13 +56,9 @@
<h2><a id="download" name="download">Apache $B$N%@%&%s%m!<%I(B</a></h2>
- <p>Apache $B$N:G?7HG$O(B Apache $B%&%'%V%5%$%H(B <a
- href="http://www.apache.org/dist/httpd/">http://www.apache.org/dist/httpd/</a>
- $B$^$?$O(B <a href="http://www.apache.org/dyn/closer.cgi"
- >http://www.apache.org/dyn/closer.cgi</a>
- $B$K%j%9%H$5$l$?B?$/$N%_%i!<%5%$%H$+$iD>@\%@%&%s%m!<%I$9$k$3$H$b=PMh$^$9!#(B
- $B$3$l$i$N%5%$%H$K$O8=:_$N%j%j!<%9HG$d:G?7$N%Y!<%?HG!"8E$$%P!<%8%g%s$X$N%j%s%/!"(B
- $B$$$m$$$m$J%W%i%C%H%[!<%`MQ$N%P%$%J%jG[I[$,%j%9%H$5$l$^$9!#(B</p>
+ <p>Apache $B$N:G?7HG$O(B <a
+ href="http://httpd.apache.org/download.cgi">Download Page</a>
+ $B$+$iD>@\%@%&%s%m!<%I$9$k$3$H$,=PMh$^$9!#(B</p>
<h2><a id="intro" name="intro">$BF3F~(B</a></h2>
diff --git a/usr.sbin/httpd/htdocs/manual/misc/API.html b/usr.sbin/httpd/htdocs/manual/misc/API.html
index a5ad83840f7..15ed67c12ba 100644
--- a/usr.sbin/httpd/htdocs/manual/misc/API.html
+++ b/usr.sbin/httpd/htdocs/manual/misc/API.html
@@ -496,7 +496,7 @@ int default_handler (request_rec *r)
if (r-&gt;method_number != M_GET) return DECLINED;
if (r-&gt;finfo.st_mode == 0) return NOT_FOUND;
- if ((errstatus = ap_set_content_length (r, r-&gt;finfo.st_size)) {
+ if ((errstatus = ap_set_content_length (r, r-&gt;finfo.st_size))) {
return errstatus;
}
diff --git a/usr.sbin/httpd/htdocs/manual/misc/FAQ.html b/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
index e25fe07b58d..ac9d65b5f75 100644
--- a/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
+++ b/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
@@ -6,7 +6,7 @@
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Apache Server Frequently Asked Questions</title>
-
+ <!--#set var="FAQMASTER" value="YES" -->
</head>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
@@ -86,3886 +86,27 @@
<ol type="A">
-
-
-
-
-
-
-
-
-
-
- <li value="1">
- <strong>Background</strong>
-
- <ol>
- <li><a href="#what">What is Apache?</a></li>
-
- <li><a href="#why">How and why was Apache
- created?</a></li>
-
- <li><a href="#name">Why the name "Apache"?</a></li>
-
- <li><a href="#compare">OK, so how does Apache compare to
- other servers?</a></li>
-
- <li><a href="#tested">How thoroughly tested is
- Apache?</a></li>
-
- <li><a href="#future">What are the future plans for
- Apache?</a></li>
-
- <li><a href="#support">Whom do I contact for
- support?</a></li>
-
- <li><a href="#more">Is there any more information on
- Apache?</a></li>
-
- <li><a href="#where">Where can I get Apache?</a></li>
-
- <li><a href="#logo">May I use the Apache logo on my
- product or Web site?</a></li>
- </ol>
- </li>
-
-
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="2">
- <strong>General Technical Questions</strong>
-
- <ol>
- <li><a href="#what2do">"Why can't I ...? Why won't ...
- work?" What to do in case of problems</a></li>
-
- <li><a href="#compatible">How compatible is Apache with
- my existing NCSA 1.3 setup?</a></li>
-
- <li><a href="#year2000">Is Apache Year 2000
- compliant?</a></li>
-
- <li><a href="#submit_patch">How do I submit a patch to
- the Apache Group?</a></li>
-
- <li><a href="#domination">Why has Apache stolen my
- favourite site's Internet address?</a></li>
-
- <li><a href="#apspam">Why am I getting spam mail from the
- Apache site?</a></li>
-
- <li><a href="#redist">May I include the Apache software
- on a CD or other package I'm distributing?</a></li>
-
- <li><a href="#zoom">What's the best hardware/operating
- system/... How do I get the most out of my Apache Web
- server?</a></li>
-
- <li><a href="#regex">What are "regular
- expressions"?</a></li>
-
- <li><a href="#binaries">Why isn't there a binary for my
- platform?</a></li>
- </ol>
- </li>
-
-
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="3">
- <strong>Building Apache</strong>
-
- <ol>
- <li><a href="#bind8.1">Why do I get an error about an
- undefined reference to "<samp>__inet_ntoa</samp>" or
- other <samp>__inet_*</samp> symbols?</a></li>
-
- <li><a href="#cantbuild">Why won't Apache compile with my
- system's <samp>cc</samp>?</a></li>
-
- <li><a href="#linuxiovec">Why do I get complaints about
- redefinition of "<code>struct iovec</code>" when
- compiling under Linux?</a></li>
-
- <li><a href="#broken-gcc">I'm using gcc and I get some
- compilation errors, what is wrong?</a></li>
-
- <li><a href="#glibc-crypt">I'm using RedHat Linux 5.0, or
- some other <samp>glibc</samp>-based Linux system, and I
- get errors with the <code>crypt</code> function when I
- attempt to build Apache 1.2.</a></li>
- </ol>
- </li>
-
-
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="4">
- <strong>Error Log Messages and Problems Starting
- Apache</strong>
-
- <ol>
- <li><a href="#setgid">Why do I get "<samp>setgid: Invalid
- argument</samp>" at startup?</a></li>
-
- <li><a href="#nodelay">Why am I getting "<samp>httpd:
- could not set socket option TCP_NODELAY</samp>" in my
- error log?</a></li>
-
- <li><a href="#peerreset">Why am I getting
- "<samp>connection reset by peer</samp>" in my error
- log?</a></li>
-
- <li><a href="#wheres-the-dump">The errorlog says Apache
- dumped core, but where's the dump file?</a></li>
-
- <li><a href="#linux-shmget">When I run it under Linux I
- get "shmget: function not found", what should I
- do?</a></li>
-
- <li><a href="#nfslocking">Server hangs, or fails to
- start, and/or error log fills with "<samp>fcntl:
- F_SETLKW: No record locks available</samp>" or similar
- messages</a></li>
-
- <li><a href="#aixccbug">Why am I getting "<samp>Expected
- &lt;/Directory&gt; but saw &lt;/Directory&gt;</samp>"
- when I try to start Apache?</a></li>
-
- <li><a href="#redhat">I'm using RedHat Linux and I have
- problems with httpd dying randomly or not restarting
- properly</a></li>
-
- <li><a href="#stopping">I upgraded from an Apache version
- earlier than 1.2.0 and suddenly I have problems with
- Apache dying randomly or not restarting properly</a></li>
-
- <li><a href="#setservername">When I try to start Apache
- from a DOS window, I get a message like "<samp>Cannot
- determine host name. Use ServerName directive to set it
- manually.</samp>" What does this mean?</a></li>
-
- <li><a href="#ws2_32dll">When I try to start Apache for
- Windows, I get a message like "<samp>Unable To Locate
- WS2_32.DLL...</samp>". What should I do?</a></li>
-
- <li><a href="#WSADuplicateSocket">Apache for Windows does
- not start. Error log contains this message "<samp>[crit]
- (10045) The attempted operation is not supported for the
- type of object referenced: Parent: WSADuplicateSocket
- failed for socket ###</samp>". What does this
- mean?</a></li>
-
- <li><a href="#err1067">When I try to start Apache on
- Windows, I get a message like "<code>System error 1067
- has occurred. The process terminated
- unexpectedly.</code>" What does this mean?</a></li>
-
- <li><a href="#suseFDN">On a SuSE Linux system, I try and
- configure access control using basic authentication.
- Although I follow the example exactly, authentication
- fails, and an error message "<code>admin: not a valid
- FDN: ....</code>" is logged.</a></li>
-
- <li><a href="#codered">Why do I have weird entries in my
- logs asking for <code>default.ida</code> and
- <code>cmd.exe</code>?</a></li>
-
- <li><a href="#restart">Why am I getting server restart
- messages periodically, when I did not restart the
- server?</a></li>
-
- <li><a href="#modulemagic">Why am I getting &quot;module
- <em>module-name</em> is not compatible with this version of
- Apache&quot; messages in my error log?</a></li>
-
- </ol>
- </li>
-
-
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="5">
- <strong>Configuration Questions</strong>
-
- <ol>
- <li><a href="#fdlim">Why can't I run more than
- &lt;<em>n</em>&gt; virtual hosts?</a></li>
-
- <li><a href="#freebsd-setsize">Can I increase
- <samp>FD_SETSIZE</samp> on FreeBSD?</a></li>
-
- <li><a href="#errordoc401">Why doesn't my
- <code>ErrorDocument 401</code> work?</a></li>
-
- <li><a href="#cookies1">Why does Apache send a cookie on
- every response?</a></li>
-
- <li><a href="#cookies2">Why don't my cookies work, I even
- compiled in <samp>mod_cookies</samp>?</a></li>
-
- <li><a href="#jdk1-and-http1.1">Why do my Java app[let]s
- give me plain text when I request an URL from an Apache
- server?</a></li>
-
- <li><a href="#midi">How do I get Apache to send a MIDI
- file so the browser can play it?</a></li>
-
- <li><a href="#addlog">How do I add browsers and referrers
- to my logs?</a></li>
-
- <li><a href="#set-servername">Why does accessing
- directories only work when I include the trailing "/"
- (<em>e.g.</em>,&nbsp;<samp>http://foo.domain.com/~user/</samp>)
- but not when I omit it
- (<em>e.g.</em>,&nbsp;<samp>http://foo.domain.com/~user</samp>)?</a></li>
-
- <li><a href="#no-info-directives">Why doesn't mod_info
- list any directives?</a></li>
-
- <li><a href="#namevhost">I upgraded to Apache 1.3 and now
- my virtual hosts don't work!</a></li>
-
- <li><a href="#redhat-htm">I'm using RedHat Linux and my
- .htm files are showing up as HTML source rather than
- being formatted!</a></li>
-
- <li><a href="#htaccess-work">My <code>.htaccess</code>
- files are being ignored.</a></li>
-
- <li><a href="#forbidden">Why do I get a
- "<samp>Forbidden</samp>" message whenever I try to access
- a particular directory?</a></li>
-
- <li><a href="#malfiles">Why do I get a
- "<samp>Forbidden/You don't have permission to access / on
- this server</samp>" message whenever I try to access my
- server?</a></li>
-
- <li><a href="#ie-ignores-mime">Why do my files appear
- correctly in Internet Explorer, but show up as source or
- trigger a save window with Netscape; or, Why doesn't
- Internet Explorer render my text/plain document
- correctly?</a></li>
-
- <li><a href="#canonical-hostnames">My site is accessible
- under many different hostnames; how do I redirect clients
- so that they see only a single name?</a></li>
-
- <li><a href="#firewall">Why can I access my website from the
- server or from my local network, but I can't access it from
- elsewhere on the Internet?</a></li>
-
- <li><a href="#indexes">How do I turn automatic directory listings
- on or off?</a></li>
-
- <li><a href="#options">Why do my Options directives not have
- the desired effect?</a></li>
-
- <li><a href="#serverheader">How can I change the information
- that Apache returns about itself in the headers?</a></li>
-
- <li><a href="#proxyscan">Why do I see requests for other sites
- appearing in my log files?</a></li>
-
- </ol>
- </li>
-
-
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="6">
- <strong>Dynamic Content (CGI and SSI)</strong>
-
- <ol>
- <li><a href="#CGIoutsideScriptAlias">How do I enable CGI
- execution in directories other than the
- ScriptAlias?</a></li>
-
- <li><a href="#premature-script-headers">What does it mean
- when my CGIs fail with "<samp>Premature end of script
- headers</samp>"?</a></li>
-
- <li><a href="#POSTnotallowed">Why do I keep getting
- "Method Not Allowed" for form POST requests?</a></li>
-
- <li><a href="#nph-scripts">How can I get my script's
- output without Apache buffering it? Why doesn't my server
- push work?</a></li>
-
- <li><a href="#cgi-spec">Where can I find the "CGI
- specification"?</a></li>
-
- <li><a href="#fastcgi">Why isn't FastCGI included with
- Apache any more?</a></li>
-
- <li><a href="#ssi-part-i">How do I enable SSI (parsed
- HTML)?</a></li>
-
- <li><a href="#ssi-part-ii">Why don't my parsed files get
- cached?</a></li>
-
- <li><a href="#ssi-part-iii">How can I have my script
- output parsed?</a></li>
-
- <li><a href="#ssi-part-iv">SSIs don't work for
- VirtualHosts and/or user home directories</a></li>
-
- <li><a href="#errordocssi">How can I use
- <code>ErrorDocument</code> and SSI to simplify customized
- error messages?</a></li>
-
- <li><a href="#remote-user-var">Why is the environment
- variable <samp>REMOTE_USER</samp> not set?</a></li>
-
- <li><a href="#user-cgi">How do I allow each of my user
- directories to have a cgi-bin directory?</a></li>
- </ol>
- </li>
-
-
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="7">
- <strong>Authentication and Access Restrictions</strong>
-
- <ol>
- <li><a href="#dnsauth">Why isn't restricting access by
- host or domain name working correctly?</a></li>
-
- <li><a href="#user-authentication">How do I set up Apache
- to require a username and password to access certain
- documents?</a></li>
-
- <li><a href="#remote-auth-only">How do I set up Apache to
- allow access to certain documents only if a site is
- either a local site <em>or</em> the user supplies a
- password and username?</a></li>
-
- <li><a href="#authauthoritative">Why does my
- authentication give me a server error?</a></li>
-
- <li><a href="#auth-on-same-machine">Do I have to keep the
- (mSQL) authentication information on the same
- machine?</a></li>
-
- <li><a href="#msql-slow">Why is my mSQL authentication
- terribly slow?</a></li>
-
- <li><a href="#passwdauth">Can I use my
- <samp>/etc/passwd</samp> file for Web page
- authentication?</a></li>
-
- <li><a href="#prompted-twice">Why does Apache ask for my
- password twice before serving a file?</a></li>
-
- <li><a href="#image-theft">How can I prevent people from
- "stealing" the images from my web site?</a></li>
-
- </ol>
- </li>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="8">
- <strong>URL Rewriting</strong>
-
- <ol>
- <li><a href="#rewrite-more-config">Where can I find
- mod_rewrite rulesets which already solve particular
- URL-related problems?</a></li>
-
- <li><a href="#rewrite-article">Where can I find any
- published information about URL-manipulations and
- mod_rewrite?</a></li>
-
- <li><a href="#rewrite-complexity">Why is mod_rewrite so
- difficult to learn and seems so complicated?</a></li>
-
- <li><a href="#rewrite-dontwork">What can I do if my
- RewriteRules don't work as expected?</a></li>
-
- <li><a href="#rewrite-prefixdocroot">Why don't some of my
- URLs get prefixed with DocumentRoot when using
- mod_rewrite?</a></li>
-
- <li><a href="#rewrite-nocase">How can I make all my URLs
- case-insensitive with mod_rewrite?</a></li>
-
- <li><a href="#rewrite-virthost">Why are RewriteRules in
- my VirtualHost parts ignored?</a></li>
-
- <li><a href="#rewrite-envwhitespace">How can I use
- strings with whitespaces in RewriteRule's ENV
- flag?</a></li>
- </ol>
- </li>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li value="9">
- <strong>Features</strong>
-
- <ol>
- <li><a href="#proxy">Does or will Apache act as a Proxy
- server?</a></li>
-
- <li><a href="#multiviews">What are "multiviews"?</a></li>
-
- <li><a href="#putsupport">Why can't I publish to my
- Apache server using PUT on Netscape Gold and other
- programs?</a></li>
-
- <li><a href="#SSL-i">Why doesn't Apache include
- SSL?</a></li>
-
- <li><a href="#footer">How can I attach a footer to my
- documents without using SSI?</a></li>
-
- <li><a href="#search">Does Apache include a search
- engine?</a></li>
-
- <li><a href="#rotate">How can I rotate my log
- files?</a></li>
-
- <li><a href="#conditional-logging">How do I keep certain
- requests from appearing in my logs?</a></li>
-
- <li><a href="#dbinteg">Does Apache include any sort of
- database integration?</a></li>
-
- <li><a href="#asp">Can I use Active Server Pages (ASP)
- with Apache?</a></li>
-
- <li><a href="#java">Does Apache come with Java
- support?</a></li>
- </ol>
- </li>
-
-
- </body>
-</html>
-
-
</ol>
<hr />
<h2>The Answers</h2>
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>A. Background</h3>
-
- <ol>
- <li>
- <a id="what" name="what"><strong>What is
- Apache?</strong></a>
-
- <p>The Apache httpd server</p>
-
- <ul>
- <li>is a powerful, flexible, HTTP/1.1 compliant web
- server</li>
-
- <li>implements the latest protocols, including HTTP/1.1
- (RFC2616)</li>
-
- <li>is highly configurable and extensible with
- third-party modules</li>
-
- <li>can be customised by writing 'modules' using the
- Apache module API</li>
-
- <li>provides full source code and comes with an
- unrestrictive license</li>
-
- <li>runs on Windows NT/9x, Netware 5.x and above, OS/2, and most
- versions of Unix, as well as several other operating
- systems</li>
-
- <li>is actively being developed</li>
-
- <li>encourages user feedback through new ideas, bug
- reports and patches</li>
-
- <li>
- implements many frequently requested features,
- including:<br />
- <br />
-
-
- <dl>
- <dt>DBM databases for authentication</dt>
-
- <dd>allows you to easily set up password-protected
- pages with enormous numbers of authorized users,
- without bogging down the server.</dd>
-
- <dt>Customized responses to errors and problems</dt>
-
- <dd>Allows you to set up files, or even CGI scripts,
- which are returned by the server in response to
- errors and problems, e.g. setup a script to intercept
- <strong>500 Server Error</strong>s and perform
- on-the-fly diagnostics for both users and
- yourself.</dd>
-
- <dt>Multiple DirectoryIndex directives</dt>
-
- <dd>Allows you to say <code>DirectoryIndex index.html
- index.cgi</code>, which instructs the server to
- either send back <code>index.html</code> or run
- <code>index.cgi</code> when a directory URL is
- requested, whichever it finds in the directory.</dd>
-
- <dt>Unlimited flexible URL rewriting and
- aliasing</dt>
-
- <dd>Apache has no fixed limit on the numbers of
- Aliases and Redirects which may be declared in the
- config files. In addition, a powerful rewriting
- engine can be used to solve most URL manipulation
- problems.</dd>
-
- <dt>Content negotiation</dt>
-
- <dd>i.e. the ability to automatically serve clients
- of varying sophistication and HTML level compliance,
- with documents which offer the best representation of
- information that the client is capable of
- accepting.</dd>
-
- <dt>Virtual Hosts</dt>
-
- <dd>A much requested feature, sometimes known as
- multi-homed servers. This allows the server to
- distinguish between requests made to different IP
- addresses or names (mapped to the same machine).
- Apache also offers dynamically configurable
- mass-virtual hosting.</dd>
-
- <dt>Configurable Reliable Piped Logs</dt>
-
- <dd>You can configure Apache to generate logs in the
- format that you want. In addition, on most Unix
- architectures, Apache can send log files to a pipe,
- allowing for log rotation, hit filtering, real-time
- splitting of multiple vhosts into separate logs, and
- asynchronous DNS resolving on the fly.</dd>
- </dl>
- </li>
- </ul>
- <hr />
- </li>
-
- <li>
- <a id="why" name="why"><strong>How and why was Apache
- created?</strong></a>
-
- <p>The <a
- href="http://httpd.apache.org/ABOUT_APACHE.html">About
- Apache</a> document explains how the Apache project evolved
- from its beginnings as an outgrowth of the NCSA httpd
- project to its current status as one of the fastest, most
- efficient, and most functional web servers in
- existence.</p>
- <hr />
- </li>
-
- <li>
- <a id="name" name="name"><strong>Why the name
- "Apache"?</strong></a>
-
- <p>The name 'Apache' was chosen from respect for
- the Native American Indian tribe of Apache (Ind&eacute;),
- <a href="http://www.indians.org/welker/apache.htm">well-known
- for their superior skills in warfare strategy and their
- inexhaustible endurance</a>. For more information on the
- Apache Nation, we suggest searching
- <a href="http://www.google.com/search?q=Apache+Nation">Google</a>,
- <a href="http://www.northernlight.com/nlquery.fcg?qr=Apache+Nation"
- >Northernlight</a>, or
- <a href="http://www.alltheweb.com/cgi-bin/asearch?query=Apache+Nation"
- >AllTheWeb</a>.</p>
-
- <p>Secondarily, and more popularly (though incorrectly) accepted,
- it's a considered cute name which stuck. Apache is "<strong>A
- PA</strong>t<strong>CH</strong>y server". It was based on
- some existing code and a series of "patch files".</p>
-
- <hr />
- </li>
-
- <li>
- <a id="compare" name="compare"><strong>OK, so how does
- Apache compare to other servers?</strong></a>
-
- <p>For an independent assessment, see <a
- href="http://webcompare.internet.com/">Web
- Compare</a>.</p>
-
- <p>Apache has been shown to be substantially faster, more
- stable, and more feature-full than many other web servers.
- Although certain commercial servers have claimed to surpass
- Apache's speed (it has not been demonstrated that any of
- these "benchmarks" are a good way of measuring WWW server
- speed at any rate), we feel that it is better to have a
- mostly-fast free server than an extremely-fast server that
- costs thousands of dollars. Apache is run on sites that get
- millions of hits per day, and they have experienced no
- performance difficulties.</p>
- <hr />
- </li>
-
- <li>
- <a id="tested" name="tested"><strong>How thoroughly tested
- is Apache?</strong></a>
-
- <p>Apache is run on over 6 million Internet servers (as of
- February 2000). It has been tested thoroughly by both
- developers and users. The Apache Group maintains rigorous
- standards before releasing new versions of their server,
- and our server runs without a hitch on over one half of all
- WWW servers available on the Internet. When bugs do show
- up, we release patches and new versions as soon as they are
- available.</p>
- <hr />
- </li>
-
- <li>
- <a id="future" name="future"><strong>What are the future
- plans for Apache?</strong></a>
-
- <ul>
- <li>to continue to be an "open source" no-charge-for-use
- HTTP server,</li>
-
- <li>to keep up with advances in HTTP protocol and web
- developments in general,</li>
-
- <li>to collect suggestions for fixes/improvements from
- its users,</li>
-
- <li>to respond to needs of large volume providers as well
- as occasional users.</li>
- </ul>
- <hr />
- </li>
-
- <li>
- <a id="support" name="support"><strong>Whom do I contact
- for support?</strong></a>
-
- <p>There is no official support for Apache. None of the
- developers want to be swamped by a flood of trivial
- questions that can be resolved elsewhere. Bug reports and
- suggestions should be sent <em>via</em> <a
- href="http://httpd.apache.org/bug_report.html">the bug
- report page</a>. Other questions should be directed to the
- <a href="http://httpd.apache.org/userslist.html">Apache HTTP
- Server Users List</a> or the
- <a
- href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a>
- or <a
- href="news:comp.infosystems.www.servers.ms-windows">comp.infosystems.www.servers.ms-windows</a>
- newsgroup (as appropriate for the platform you use), where
- some of the Apache team lurk, in the company of many other
- httpd gurus who should be able to help.</p>
-
- <p>Commercial support for Apache is, however, available
- from a number of third parties.</p>
- <hr />
- </li>
-
- <li>
- <a id="more" name="more"><strong>Is there any more
- information available on Apache?</strong></a>
-
- <p>Indeed there is. See the main <a
- href="http://httpd.apache.org/">Apache web site</a>. There
- is also a regular electronic publication called <a
- href="http://www.apacheweek.com/" rel="Help"><cite>Apache
- Week</cite></a> available. Links to relevant <cite>Apache
- Week</cite> articles are included below where appropriate.
- There are also some <a
- href="http://httpd.apache.org/info/apache_books.html">Apache-specific
- books</a> available.</p>
- <hr />
- </li>
-
- <li>
- <a id="where" name="where"><strong>Where can I get
- Apache?</strong></a>
-
- <p>You can find out how to download the source for Apache
- at the project's <a href="http://httpd.apache.org/">main
- web page</a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="logo" name="logo"><b>May I use the Apache logo on my
- product or Web site?</b></a>
-
- <p>You may <b>NOT</b> use any original artwork from the
- Apache Software Foundation, nor make or use modified
- versions of such artwork, except under the following
- conditions:</p>
-
- <ul>
- <li>You may use the <a
- href="../../apache_pb.gif">'Powered by Apache'
- graphic</a> on a Web site that is being served by the
- Apache HTTP server software.</li>
-
- <li>You may use the aforementioned 'Powered by Apache'
- graphic or the <a
- href="http://www.apache.org/images/asf_logo.gif">
- Apache Software Foundation logo</a> in product
- description and promotional material <b>IF and ONLY
- IF</b> such use can in no way be interpreted as anything
- other than an attribution. Using the Apache name and
- artwork in a manner that implies endorsement of a product
- or service is <b>strictly forbidden</b>.</li>
- </ul>
- <hr />
- </li>
- </ol>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>B. General Technical Questions</h3>
-
- <ol>
- <li>
- <a id="what2do" name="what2do"><strong>"Why can't I ...?
- Why won't ... work?" What to do in case of
- problems</strong></a>
-
- <p>If you are having trouble with your Apache server
- software, you should take the following steps:</p>
-
- <ol>
- <li>
- <strong>Check the errorlog!</strong>
-
- <p>Apache tries to be helpful when it encounters a
- problem. In many cases, it will provide some details by
- writing one or messages to the server error log.
- Sometimes this is enough for you to diagnose &amp; fix
- the problem yourself (such as file permissions or the
- like). The default location of the error log is
- <samp>/usr/local/apache/logs/error_log</samp>, but see
- the <a
- href="../mod/core.html#errorlog"><samp>ErrorLog</samp></a>
- directive in your config files for the location on your
- server.</p>
- </li>
-
- <li>
- <strong>Check the <a
- href="http://httpd.apache.org/docs/misc/FAQ.html">FAQ</a>!</strong>
-
-
- <p>The latest version of the Apache Frequently-Asked
- Questions list can always be found at the main Apache
- web site.</p>
- </li>
-
- <li>
- <strong>Check the Apache bug database</strong>
-
- <p>Most problems that get reported to The Apache Group
- are recorded in the <a
- href="http://bugs.apache.org/">bug database</a>.
- <em><strong>Please</strong> check the existing reports,
- open <strong>and</strong> closed, before adding
- one.</em> If you find that your issue has already been
- reported, please <em>don't</em> add a "me, too" report.
- If the original report isn't closed yet, we suggest
- that you check it periodically. You might also consider
- contacting the original submitter, because there may be
- an email exchange going on about the issue that isn't
- getting recorded in the database.</p>
- </li>
-
- <li>
- <strong>Ask in a user support group.</strong>
-
- <p>A lot of common problems never make it to the bug
- database because there's already high Q&amp;A traffic
- about them in the <a
- href="http://httpd.apache.org/userslist.html">Users
- mailing list</a> or <a
- href="news:comp.infosystems.www.servers.unix"><samp>comp.infosystems.www.servers.unix</samp></a>
- and related newsgroups. These newsgroups are also
- available via <a
- href="http://groups.google.com/groups?group=comp.infosystems.www.servers">
- Google</a>. Many Apache users, and some of the developers,
- can be found roaming their virtual halls, so it is suggested
- that you seek wisdom there. The chances are good that
- you'll get a faster answer there than from the bug
- database, even if you <em>don't</em> see your question
- already posted.</p>
- </li>
-
- <li>
- <strong>If all else fails, report the problem in the
- bug database</strong>
-
- <p>If you've gone through those steps above that are
- appropriate and have obtained no relief, then please
- <em>do</em> let The Apache Group know about the problem
- by <a
- href="http://httpd.apache.org/bug_report.html">logging
- a bug report</a>.</p>
-
- <p>If your problem involves the server crashing and
- generating a core dump, please include a backtrace (if
- possible). As an example,</p>
-
- <dl>
- <dd><code># cd <em>ServerRoot</em><br />
- # dbx httpd core<br />
- (dbx) where</code></dd>
- </dl>
-
- <p>(Substitute the appropriate locations for your
- <samp>ServerRoot</samp> and your <samp>httpd</samp> and
- <samp>core</samp> files. You may have to use
- <code>gdb</code> instead of <code>dbx</code>.)</p>
- </li>
- </ol>
- <hr />
- </li>
-
- <li>
- <a id="compatible" name="compatible"><strong>How compatible
- is Apache with my existing NCSA 1.3 setup?</strong></a>
-
- <p>Apache attempts to offer all the features and
- configuration options of NCSA httpd 1.3, as well as many of
- the additional features found in NCSA httpd 1.4 and NCSA
- httpd 1.5.</p>
-
- <p>NCSA httpd appears to be moving toward adding
- experimental features which are not generally required at
- the moment. Some of the experiments will succeed while
- others will inevitably be dropped. The Apache philosophy is
- to add what's needed as and when it is needed.</p>
-
- <p>Friendly interaction between Apache and NCSA developers
- should ensure that fundamental feature enhancements stay
- consistent between the two servers for the foreseeable
- future.</p>
- <hr />
- </li>
-
- <li>
- <a id="year2000" name="year2000"><strong>Is Apache Year
- 2000 compliant?</strong></a>
-
- <p>Yes, Apache is Year 2000 compliant.</p>
-
- <p>Apache internally never stores years as two digits. On
- the HTTP protocol level RFC1123-style addresses are
- generated which is the only format a HTTP/1.1-compliant
- server should generate. To be compatible with older
- applications Apache recognizes ANSI C's
- <code>asctime()</code> and RFC850-/RFC1036-style date
- formats, too. The <code>asctime()</code> format uses
- four-digit years, but the RFC850 and RFC1036 date formats
- only define a two-digit year. If Apache sees such a date
- with a value less than 70 it assumes that the century is
- <samp>20</samp> rather than <samp>19</samp>.</p>
-
- <p>Although Apache is Year 2000 compliant, you may still
- get problems if the underlying OS has problems with dates
- past year 2000 (<em>e.g.</em>, OS calls which accept or
- return year numbers). Most (UNIX) systems store dates
- internally as signed 32-bit integers which contain the
- number of seconds since 1<sup>st</sup> January 1970, so the
- magic boundary to worry about is the year 2038 and not
- 2000. But modern operating systems shouldn't cause any
- trouble at all.</p>
-
- <p>Users of Apache 1.2.x should upgrade to a current
- version of Apache 1.3 (see <a
- href="../new_features_1_3.html#misc">year-2000 improvements
- in Apache 1.3</a> for details).</p>
-
- <p>The Apache HTTP Server project is an open-source
- software product of the Apache Software Foundation. The
- project and the Foundation <b>cannot</b> offer legal
- assurances regarding any suitability of the software for
- your application. There are several commercial Apache
- support organizations and derivative server products
- available that may be able to stand behind the software and
- provide you with any assurances you may require. You may
- find links to some of these vendors at <samp>&lt;<a
- href="http://www.apache.org/info/support.cgi">http://www.apache.org/info/support.cgi</a>&gt;</samp>.</p>
-
- <p>The Apache HTTP server software is distributed with the
- following disclaimer, found in the software license:</p>
-<pre>
- THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
- EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
- ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- OF THE POSSIBILITY OF SUCH DAMAGE.
-
-</pre>
- <hr />
- </li>
-
- <li>
- <a id="submit_patch" name="submit_patch"><strong>How do I
- submit a patch to the Apache Group?</strong></a>
-
- <p>The Apache Group encourages patches from outside
- developers. There are 2 main "types" of patches: small
- bugfixes and general improvements. Bugfixes should be
- submitting using the Apache <a
- href="http://httpd.apache.org/bug_report.html">bug report
- page</a>. Improvements, modifications, and additions should
- follow the instructions below.</p>
-
- <p>In general, the first course of action is to be a member
- of the <samp>dev@httpd.apache.org</samp> mailing list. This
- indicates to the Group that you are closely following the
- latest Apache developments. Your patch file should be
- generated using either '<code>diff&nbsp;-c</code>' or
- '<code>diff&nbsp;-u</code>' against the latest CVS tree. To
- submit your patch, send email to
- <samp>dev@httpd.apache.org</samp> with a
- <samp>Subject:</samp> line that starts with
- <samp>[PATCH]</samp> and includes a general description of
- the patch. In the body of the message, the patch should be
- clearly described and then included at the end of the
- message. If the patch-file is long, you can note a URL to
- the file instead of the file itself. Use of MIME
- enclosures/attachments should be avoided.</p>
-
- <p>Be prepared to respond to any questions about your
- patches and possibly defend your code. If your patch
- results in a lot of discussion, you may be asked to submit
- an updated patch that incorporates all changes and
- suggestions.</p>
- <hr />
- </li>
-
- <li>
- <a id="domination" name="domination"><strong>Why has Apache
- stolen my favourite site's Internet address?</strong></a>
-
- <p>The simple answer is: "It hasn't." This misconception is
- usually caused by the site in question having migrated to
- the Apache Web server software, but not having migrated the
- site's content yet. When Apache is installed, the default
- page that gets installed tells the Webmaster the
- installation was successful. The expectation is that this
- default page will be replaced with the site's real content.
- If it doesn't, complain to the Webmaster, not to the Apache
- project -- we just make the software and aren't responsible
- for what people do (or don't do) with it.</p>
- <hr />
- </li>
-
- <li>
- <a id="apspam" name="apspam"><strong>Why am I getting spam
- mail from the Apache site?</strong></a>
-
- <p>The short answer is: "You aren't." Usually when someone
- thinks the Apache site is originating spam, it's because
- they've traced the spam to a Web site, and the Web site
- says it's using Apache. See the <a
- href="#domination">previous FAQ entry</a> for more details
- on this phenomenon.</p>
-
- <p>No marketing spam originates from the Apache site. The
- only mail that comes from the site goes only to addresses
- that have been <em>requested</em> to receive the mail.</p>
- <hr />
- </li>
-
- <li>
- <a id="redist" name="redist"><strong>May I include the
- Apache software on a CD or other package I'm
- distributing?</strong></a>
-
- <p>The detailed answer to this question can be found in the
- Apache license, which is included in the Apache
- distribution in the file <code>LICENSE</code>. You can also
- find it on the Web at <samp>&lt;<a
- href="http://www.apache.org/LICENSE.txt">http://www.apache.org/LICENSE.txt</a>&gt;</samp>.</p>
- <hr />
- </li>
-
- <li>
- <a id="zoom" name="zoom"><strong>What's the best
- hardware/operating system/... How do I get the most out of
- my Apache Web server?</strong></a>
-
- <p>Check out Dean Gaudet's <a
- href="perf-tuning.html">performance tuning page</a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="regex" name="regex"><strong>What are "regular
- expressions"?</strong></a>
-
- <p>Regular expressions are a way of describing a pattern -
- for example, "all the words that begin with the letter A"
- or "every 10-digit phone number" or even "Every sentence
- with two commas in it, and no capital letter Q". Regular
- expressions (aka "regex"s) are useful in Apache because
- they let you apply certain attributes against collections
- of files or resources in very flexible ways - for example,
- all .gif and .jpg files under any "images" directory could
- be written as /\/images\/.*(jpg|gif)$/.</p>
-
- <p>The best overview around is probably the one which comes
- with Perl. We implement a simple subset of Perl's regex
- support, but it's still a good way to learn what they mean.
- You can start by going to the <a
- href="http://www.perl.com/doc/manual/html/pod/perlre.html">CPAN
- page on regular expressions</a>, and branching out from
- there.</p> <hr />
- </li>
-
- <li>
- <a id="binaries" name="binaries"><b>Why isn't there a
- binary for my platform?</b></a>
-
- <p>The developers make sure that the software builds and
- works correctly on the platforms available to them; this
- does <i>not</i> necessarily mean that <i>your</i> platform
- is one of them. In addition, the Apache HTTP server project
- is primarily source oriented, meaning that distributing
- valid and buildable source code is the purpose of a
- release, not making sure that there is a binary package for
- all of the supported platforms.</p>
-
- <p>If you don't see a kit for your platform listed in the
- binary distribution area (&lt;URL:<a
- href="http://httpd.apache.org/dist/httpd/binaries/">http://httpd.apache.org/dist/httpd/binaries/</a>&gt;),
- it means either that the platform isn't available to any of
- the developers, or that they just haven't gotten around to
- preparing a binary for it. As this is a voluntary project,
- they are under no obligation to do so. Users are encouraged
- and expected to build the software themselves.</p>
-
- <p>The sole exception to these practices is the Windows
- package. Unlike most Unix and Unix-like platforms, Windows
- systems do not come with a bundled software development
- environment, so we <i>do</i> prepare binary kits for
- Windows when we make a release. Again, however, it's a
- voluntary thing and only a limited number of the developers
- have the capability to build the InstallShield package, so
- the Windows release may lag somewhat behind the source
- release. This lag should be no more than a few days at
- most.</p>
- <hr />
- </li>
- </ol>
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>C. Building Apache</h3>
-
- <ol>
- <li>
- <a id="bind8.1" name="bind8.1"><strong>Why do I get an
- error about an undefined reference to
- "<samp>__inet_ntoa</samp>" or other <samp>__inet_*</samp>
- symbols?</strong></a>
-
- <p>If you have installed <a
- href="http://www.isc.org/bind.html">BIND-8</a> then this is
- normally due to a conflict between your include files and
- your libraries. BIND-8 installs its include files and
- libraries <code>/usr/local/include/</code> and
- <code>/usr/local/lib/</code>, while the resolver that comes
- with your system is probably installed in
- <code>/usr/include/</code> and <code>/usr/lib/</code>. If
- your system uses the header files in
- <code>/usr/local/include/</code> before those in
- <code>/usr/include/</code> but you do not use the new
- resolver library, then the two versions will conflict.</p>
-
- <p>To resolve this, you can either make sure you use the
- include files and libraries that came with your system or
- make sure to use the new include files and libraries.
- Adding <code>-lbind</code> to the
- <code>EXTRA_LDFLAGS</code> line in your
- <samp>Configuration</samp> file, then re-running
- <samp>Configure</samp>, should resolve the problem. (Apache
- versions 1.2.* and earlier use <code>EXTRA_LFLAGS</code>
- instead.)</p>
-
- <p><strong>Note:</strong>As of BIND 8.1.1, the bind
- libraries and files are installed under
- <samp>/usr/local/bind</samp> by default, so you should not
- run into this problem. Should you want to use the bind
- resolvers you'll have to add the following to the
- respective lines:</p>
-
- <dl>
- <dd><code>EXTRA_CFLAGS=-I/usr/local/bind/include<br />
- EXTRA_LDFLAGS=-L/usr/local/bind/lib<br />
- EXTRA_LIBS=-lbind</code></dd>
- </dl>
- <hr />
- </li>
-
- <li>
- <a id="cantbuild" name="cantbuild"><strong>Why won't Apache
- compile with my system's <samp>cc</samp>?</strong></a>
-
- <p>If the server won't compile on your system, it is
- probably due to one of the following causes:</p>
-
- <ul>
- <li><strong>The <samp>Configure</samp> script doesn't
- recognize your system environment.</strong><br />
- This might be either because it's completely unknown or
- because the specific environment (include files, OS
- version, <em>et cetera</em>) isn't explicitly handled. If
- this happens, you may need to port the server to your OS
- yourself.</li>
-
- <li><strong>Your system's C compiler is
- garbage.</strong><br />
- Some operating systems include a default C compiler that
- is either not ANSI C-compliant or suffers from other
- deficiencies. The usual recommendation in cases like this
- is to acquire, install, and use <samp>gcc</samp>.</li>
-
- <li><strong>Your <samp>include</samp> files may be
- confused.</strong><br />
- In some cases, we have found that a compiler
- installation or system upgrade has left the C header
- files in an inconsistent state. Make sure that your
- include directory tree is in sync with the compiler and
- the operating system.</li>
-
- <li><strong>Your operating system or compiler may be out
- of revision.</strong><br />
- Software vendors (including those that develop operating
- systems) issue new releases for a reason; sometimes to
- add functionality, but more often to fix bugs that have
- been discovered. Try upgrading your compiler and/or your
- operating system.</li>
- </ul>
-
- <p>The Apache Group tests the ability to build the server
- on many different platforms. Unfortunately, we can't test
- all of the OS platforms there are. If you have verified
- that none of the above issues is the cause of your problem,
- and it hasn't been reported before, please submit a <a
- href="http://httpd.apache.org/bug_report.html">problem
- report</a>. Be sure to include <em>complete</em> details,
- such as the compiler &amp; OS versions and exact error
- messages.</p>
- <hr />
- </li>
-
- <li>
- <a id="linuxiovec" name="linuxiovec"><strong>Why do I get
- complaints about redefinition of "<code>struct
- iovec</code>" when compiling under Linux?</strong></a>
-
- <p>This is a conflict between your C library includes and
- your kernel includes. You need to make sure that the
- versions of both are matched properly. There are two
- workarounds, either one will solve the problem:</p>
-
- <ul>
- <li>Remove the definition of <code>struct iovec</code>
- from your C library includes. It is located in
- <code>/usr/include/sys/uio.h</code>.
- <strong>Or,</strong></li>
-
- <li>Add <code>-DNO_WRITEV</code> to the
- <code>EXTRA_CFLAGS</code> line in your
- <samp>Configuration</samp> and reconfigure/rebuild. This
- hurts performance and should only be used as a last
- resort.</li>
- </ul>
- <hr />
- </li>
-
- <li>
- <a id="broken-gcc" name="broken-gcc"><strong>I'm using gcc
- and I get some compilation errors, what is
- wrong?</strong></a>
-
- <p>GCC parses your system header files and produces a
- modified subset which it uses for compiling. This behavior
- ties GCC tightly to the version of your operating system.
- So, for example, if you were running IRIX 5.3 when you
- built GCC and then upgrade to IRIX 6.2 later, you will have
- to rebuild GCC. Similarly for Solaris 2.4, 2.5, or 2.5.1
- when you upgrade to 2.6. Sometimes you can type "gcc -v"
- and it will tell you the version of the operating system it
- was built against.</p>
-
- <p>If you fail to do this, then it is very likely that
- Apache will fail to build. One of the most common errors is
- with <code>readv</code>, <code>writev</code>, or
- <code>uio.h</code>. This is <strong>not</strong> a bug with
- Apache. You will need to re-install GCC.</p>
- <hr />
- </li>
-
- <li>
- <a id="glibc-crypt" name="glibc-crypt"><strong>I'm using
- RedHat Linux 5.0, or some other <samp>glibc</samp>-based
- Linux system, and I get errors with the <code>crypt</code>
- function when I attempt to build Apache 1.2.</strong></a>
-
- <p><samp>glibc</samp> puts the <code>crypt</code> function
- into a separate library. Edit your
- <code>src/Configuration</code> file and set this:</p>
-
- <dl>
- <dd><code>EXTRA_LIBS=-lcrypt</code></dd>
- </dl>
-
- <p>Then re-run <samp>src/Configure</samp> and re-execute
- the make.</p>
- <hr />
- </li>
- </ol>
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>D. Error Log Messages and Problems Starting Apache</h3>
-
- <ol>
- <li>
- <a id="setgid" name="setgid"><strong>Why do I get
- "<samp>setgid: Invalid argument</samp>" at
- startup?</strong></a>
-
- <p>Your <a
- href="../mod/core.html#group"><samp>Group</samp></a>
- directive (probably in <samp>conf/httpd.conf</samp>) needs
- to name a group that actually exists in the
- <samp>/etc/group</samp> file (or your system's equivalent).
- This problem is also frequently seen when a negative number
- is used in the <code>Group</code> directive (<em>e.g.</em>,
- "<code>Group&nbsp;#-1</code>"). Using a group name -- not
- group number -- found in your system's group database
- should solve this problem in all cases.</p>
- <hr />
- </li>
-
- <li>
- <a id="nodelay" name="nodelay"><strong>Why am I getting
- "<samp>httpd: could not set socket option
- TCP_NODELAY</samp>" in my error log?</strong></a>
-
- <p>This message almost always indicates that the client
- disconnected before Apache reached the point of calling
- <code>setsockopt()</code> for the connection. It shouldn't
- occur for more than about 1% of the requests your server
- handles, and it's advisory only in any case.</p>
- <hr />
- </li>
-
- <li>
- <a id="peerreset" name="peerreset"><strong>Why am I getting
- "<samp>connection reset by peer</samp>" in my error
- log?</strong></a>
-
- <p>This is a normal message and nothing about which to be
- alarmed. It simply means that the client canceled the
- connection before it had been completely set up - such as
- by the end-user pressing the "Stop" button. People's
- patience being what it is, sites with response-time
- problems or slow network links may experience this more
- than high capacity ones or those with large pipes to the
- network.</p>
- <hr />
- </li>
-
- <li>
- <a id="wheres-the-dump" name="wheres-the-dump"><strong>The
- errorlog says Apache dumped core, but where's the dump
- file?</strong></a>
-
- <p>In Apache version 1.2, the error log message about
- dumped core includes the directory where the dump file
- should be located. However, many Unixes do not allow a
- process that has called <code>setuid()</code> to dump core
- for security reasons; the typical Apache setup has the
- server started as root to bind to port 80, after which it
- changes UIDs to a non-privileged user to serve
- requests.</p>
-
- <p>Dealing with this is extremely operating
- system-specific, and may require rebuilding your system
- kernel. Consult your operating system documentation or
- vendor for more information about whether your system does
- this and how to bypass it. If there <em>is</em> a
- documented way of bypassing it, it is recommended that you
- bypass it only for the <samp>httpd</samp> server process if
- possible.</p>
-
- <p>The canonical location for Apache's core-dump files is
- the <a href="../mod/core.html#serverroot">ServerRoot</a>
- directory. As of Apache version 1.3, the location can be
- set <em>via</em> the <a
- href="../mod/core.html#coredumpdirectory"><samp>CoreDumpDirectory</samp></a>
- directive to a different directory. Make sure that this
- directory is writable by the user the server runs as (as
- opposed to the user the server is <em>started</em> as).</p>
- <hr />
- </li>
-
- <li>
- <a id="linux-shmget" name="linux-shmget"><strong>When I run
- it under Linux I get "shmget: function not found", what
- should I do?</strong></a>
-
- <p>Your kernel has been built without SysV IPC support. You
- will have to rebuild the kernel with that support enabled
- (it's under the "General Setup" submenu). Documentation for
- kernel building is beyond the scope of this FAQ; you should
- consult the <a
- href="http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO.html">
- Kernel HOWTO</a>, or the documentation provided with your
- distribution, or a <a
- href="http://www.redhat.com/mirrors/LDP/HOWTO/META-FAQ.html">
- Linux newsgroup/mailing list</a>. As a last-resort
- workaround, you can comment out the
- <code>#define&nbsp;USE_SHMGET_SCOREBOARD</code> definition
- in the <samp>LINUX</samp> section of
- <samp>src/conf.h</samp> and rebuild the server (prior to
- 1.3b4, simply removing
- <code>#define&nbsp;HAVE_SHMGET</code> would have sufficed).
- This will produce a server which is slower and less
- reliable.</p>
- <hr />
- </li>
-
- <li>
- <a id="nfslocking" name="nfslocking"><strong>Server hangs,
- or fails to start, and/or error log fills with
- "<samp>fcntl: F_SETLKW: No record locks available</samp>"
- or similar messages</strong></a>
-
- <p>These are symptoms of a fine locking problem, which
- usually means that the server is trying to use a
- synchronization file on an NFS filesystem.</p>
-
- <p>Because of its parallel-operation model, the Apache Web
- server needs to provide some form of synchronization when
- accessing certain resources. One of these synchronization
- methods involves taking out locks on a file, which means
- that the filesystem whereon the lockfile resides must
- support locking. In many cases this means it <em>can't</em>
- be kept on an NFS-mounted filesystem.</p>
-
- <p>To cause the Web server to work around the NFS locking
- limitations, include a line such as the following in your
- server configuration files:</p>
-
- <dl>
- <dd><code>LockFile /var/run/apache-lock</code></dd>
- </dl>
-
- <p>The directory should not be generally writable
- (<em>e.g.</em>, don't use <samp>/var/tmp</samp>). See the
- <a
- href="../mod/core.html#lockfile"><samp>LockFile</samp></a>
- documentation for more information.</p>
- <hr />
- </li>
-
- <li>
- <a id="aixccbug" name="aixccbug"><strong>Why am I getting
- "<samp>Expected &lt;/Directory&gt; but saw
- &lt;/Directory&gt;</samp>" when I try to start
- Apache?</strong></a>
-
- <p>This is a known problem with certain versions of the AIX
- C compiler. IBM are working on a solution, and the issue is
- being tracked by <a
- href="http://bugs.apache.org/index/full/2312">problem
- report #2312</a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="redhat" name="redhat"><strong>I'm using RedHat Linux
- and I have problems with httpd dying randomly or not
- restarting properly</strong></a>
-
- <p>RedHat Linux versions 4.x (and possibly earlier) RPMs
- contain various nasty scripts which do not stop or restart
- Apache properly. These can affect you even if you're not
- running the RedHat supplied RPMs.</p>
-
- <p>If you're using the default install then you're probably
- running Apache 1.1.3, which is outdated. From RedHat's ftp
- site you can pick up a more recent RPM for Apache 1.2.x.
- This will solve one of the problems.</p>
-
- <p>If you're using a custom built Apache rather than the
- RedHat RPMs then you should <code>rpm -e apache</code>. In
- particular you want the mildly broken
- <code>/etc/logrotate.d/apache</code> script to be removed,
- and you want the broken <code>/etc/rc.d/init.d/httpd</code>
- (or <code>httpd.init</code>) script to be removed. The
- latter is actually fixed by the apache-1.2.5 RPMs but if
- you're building your own Apache then you probably don't
- want the RedHat files.</p>
-
- <p>We can't stress enough how important it is for folks,
- <em>especially vendors</em> to follow the <a
- href="../stopping.html">stopping Apache directions</a>
- given in our documentation. In RedHat's defense, the broken
- scripts were necessary with Apache 1.1.x because the Linux
- support in 1.1.x was very poor, and there were various race
- conditions on all platforms. None of this should be
- necessary with Apache 1.2 and later.</p>
- <hr />
- </li>
-
- <li>
- <a id="stopping" name="stopping"><strong>I upgraded from an
- Apache version earlier than 1.2.0 and suddenly I have
- problems with Apache dying randomly or not restarting
- properly</strong></a>
-
- <p>You should read <a href="#redhat">the previous note</a>
- about problems with RedHat installations. It is entirely
- likely that your installation has start/stop/restart
- scripts which were built for an earlier version of Apache.
- Versions earlier than 1.2.0 had various race conditions
- that made it necessary to use <code>kill -9</code> at times
- to take out all the httpd servers. But that should not be
- necessary any longer. You should follow the <a
- href="../stopping.html">directions on how to stop and
- restart Apache</a>.</p>
-
- <p>As of Apache 1.3 there is a script
- <code>src/support/apachectl</code> which, after a bit of
- customization, is suitable for starting, stopping, and
- restarting your server.</p>
- <hr />
- </li>
-
- <li>
- <a id="setservername" name="setservername"><b>When I try to
- start Apache from a DOS window, I get a message like
- "<samp>Cannot determine host name. Use ServerName directive
- to set it manually.</samp>" What does this mean?</b></a>
-
- <p>It means what it says; the Apache software can't
- determine the hostname of your system. Edit your
- <samp>conf\httpd.conf</samp> file, look for the string
- "ServerName", and make sure there's an uncommented
- directive such as</p>
-
- <dl>
- <dd><code>ServerName localhost</code></dd>
- </dl>
-
- <p>or</p>
-
- <dl>
- <dd><code>ServerName www.foo.com</code></dd>
- </dl>
-
- <p>in the file. Correct it if there one there with wrong
- information, or add one if you don't already have one.</p>
-
- <p>Also, make sure that your Windows system has DNS
- enabled. See the TCP/IP setup component of the Networking
- or Internet Options control panel.</p>
-
- <p>After verifying that DNS is enabled and that you have a
- valid hostname in your <samp>ServerName</samp> directive,
- try to start the server again.</p>
- <hr />
- </li>
-
- <li>
- <a id="ws2_32dll" name="ws2_32dll"><b>When I try to start
- Apache for Windows, I get a message like "<samp>Unable To
- Locate WS2_32.DLL...</samp>". What should I do?</b></a>
-
- <p>Short answer: You need to install Winsock 2, available
- from <a
- href="http://www.microsoft.com/windows95/downloads/">http://www.microsoft.com/windows95/downloads/</a></p>
-
- <p>Detailed answer: Prior to version 1.3.9, Apache for
- Windows used Winsock 1.1. Beginning with version 1.3.9,
- Apache began using Winsock 2 features (specifically,
- WSADuplicateSocket()). WS2_32.DLL implements the Winsock 2
- API. Winsock 2 ships with Windows NT 4.0 and Windows 98.
- Some of the earlier releases of Windows 95 did not include
- Winsock 2.</p>
- <hr />
- </li>
-
- <li>
- <a id="WSADuplicateSocket"
- name="WSADuplicateSocket"><b>Apache for Windows does not
- start. Error log contains this message: "<samp>[crit]
- (10045) The attempted operation is not supported for the
- type of object referenced: Parent: WSADuplicateSocket
- failed for socket ###</samp>". What does this mean?</b></a>
-
-
- <p>We have seen this problem when Apache is run on systems
- along with Virtual Private Networking clients like Aventail
- Connect. Aventail Connect is a Layered Service Provider
- (LSP) that inserts itself, as a "shim," between the Winsock
- 2 API and Window's native Winsock 2 implementation. The
- Aventail Connect shim does not implement
- WSADuplicateSocket, which is the cause of the failure.</p>
-
- <p>The shim is not unloaded when Aventail Connect is shut
- down. Once observed, the problem persists until the shim is
- either explicitly unloaded or the machine is rebooted.
- Another potential solution (not tested) is to add
- <code>apache.exe</code> to the Aventail "Connect Exclusion
- List".</p>
-
- <p>Apache is affected in a similar way by <em>any</em>
- firewall program that isn't correctly configured. Assure
- you exclude your Apache server ports (usually port 80) from
- the list of ports to block. Refer to your firewall
- program's documentation for the how-to.</p>
- <hr />
- </li>
-
- <li>
- <a id="err1067" name="err1067"><b>When I try to start
- Apache on Windows, I get a message like "<code>System error
- 1067 has occurred. The process terminated
- unexpectedly</code>." What does this mean?</b></a>
-
- <p>This message means that the Web server was unable to
- start correctly for one reason or another. To find out why,
- execute the following commands in a DOS window:</p>
-<pre>
- c:
- cd "\Program Files\Apache Group\Apache"
- apache
-
-</pre>
-
- <p>(If you don't get the prompt back, hit Control-C to
- cause Apache to exit.)</p>
-
- <p>The error you see will probably be one of those
- preceding this question in the FAQ.</p>
-
- <p>As of Apache 1.3.14, first check the Windows NT Event
- Log for Application errors using the Windows NT/2000 Event
- Viewer program. Any errors that occur prior to opening the
- Apache error log will be stored here, if Apache is run as a
- Service on NT or 2000. As with any error, also check your
- Apache error log.</p>
- <hr />
- </li>
-
- <li><a id="suseFDN" name="suseFDN"><b>On a SuSE Linux system, I try and
- configure access control using basic authentication.
- Although I follow the example exactly, authentication
- fails, and an error message "<code>admin: not a valid
- FDN: ....</code>" is logged.</b></a>
-
- <p>
- In the SuSE distribution, additional 3rd party authentication
- modules have been added and activated by default. These modules
- interfere with the Apache standard modules and cause Basic
- authentication to fail. Our recommendation is to comment all
- those modules in <code>/etc/httpd/suse_addmodule.conf</code>
- and <code>/etc/httpd/suse_loadmodule.conf</code> which are not
- actually required for running your server.
- </p><hr />
- </li>
-
- <li><a id="codered" name="codered"><b>Why do I have weird entries in my
- logs asking for <code>default.ida</code> and
- <code>cmd.exe</code>?</b></a>
-
- <p>The host requesting pages from your website and creating
- those entries is a Windows machine running IIS that has been
- infected by an Internet worm such as Nimda or Code Red. You
- can safely ignore these error messages as they do not affect
- Apache. ApacheWeek has an <a
- href="http://www.apacheweek.com/features/codered">article</a>
- with more information.</p><hr />
- </li>
-
- <li><a id="restart" name="restart"><b>Why am I getting server restart
- messages periodically, when I did not restart the server?</b></a>
-
- <p>Problem: You are noticing restart messages in your error log,
- periodically, when you know you did not restart the server
- yourself:</p>
-
-<pre>
-[Thu Jun 6 04:02:01 2002] [notice] SIGHUP received. Attempting to restart
-[Thu Jun 6 04:02:02 2002] [notice] Apache configured -- resuming normal operations
-</pre>
-
- <p>Check your cron jobs to see when/if your server logs are being
- rotated. Compare the time of rotation to the error message time.
- If they are the same, you can somewhat safely assume that the
- restart is due to your server logs being rotated.</p><hr />
- </li>
-
- <li><a id="modulemagic" name="modulemagic"><b>Why am I getting
- &quot;module <em>module-name</em> is not compatible with this version
- of Apache&quot; messages in my error log?</b></a>
-
- <p>Module Magic Number (MMN) is a constant defined in Apache
- source that is associated with binary compatibility of
- modules. It is changed when internal Apache structures,
- function calls and other significant parts of API change in
- such a way that binary compatibility cannot be guaranteed any
- more. On MMN change, all third party modules have to be at
- least recompiled, sometimes even slightly changed in order
- to work with the new version of Apache.</p>
-
- <p>If you're getting the above error messages, contact the
- vendor of the module for the new binary, or compile it if
- you have access to the source code.</p><hr />
- </li>
-
- </ol>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>E. Configuration Questions</h3>
-
- <ol>
- <li>
- <a id="fdlim" name="fdlim"><strong>Why can't I run more
- than &lt;<em>n</em>&gt; virtual hosts?</strong></a>
-
- <p>You are probably running into resource limitations in
- your operating system. The most common limitation is the
- <em>per</em>-process limit on <strong>file
- descriptors</strong>, which is almost always the cause of
- problems seen when adding virtual hosts. Apache often does
- not give an intuitive error message because it is normally
- some library routine (such as <code>gethostbyname()</code>)
- which needs file descriptors and doesn't complain
- intelligibly when it can't get them.</p>
-
- <p>Each log file requires a file descriptor, which means
- that if you are using separate access and error logs for
- each virtual host, each virtual host needs two file
- descriptors. Each <a
- href="../mod/core.html#listen"><samp>Listen</samp></a>
- directive also needs a file descriptor.</p>
-
- <p>Typical values for &lt;<em>n</em>&gt; that we've seen
- are in the neighborhood of 128 or 250. When the server
- bumps into the file descriptor limit, it may dump core with
- a SIGSEGV, it might just hang, or it may limp along and
- you'll see (possibly meaningful) errors in the error log.
- One common problem that occurs when you run into a file
- descriptor limit is that CGI scripts stop being executed
- properly.</p>
-
- <p>As to what you can do about this:</p>
-
- <ol>
- <li>Reduce the number of <a
- href="../mod/core.html#listen"><samp>Listen</samp></a>
- directives. If there are no other servers running on the
- machine on the same port then you normally don't need any
- Listen directives at all. By default Apache listens to
- all addresses on port 80.</li>
-
- <li>Reduce the number of log files. You can use <a
- href="../mod/mod_log_config.html"><samp>mod_log_config</samp></a>
- to log all requests to a single log file while including
- the name of the virtual host in the log file. You can
- then write a script to split the logfile into separate
- files later if necessary. Such a script is provided with
- the Apache 1.3 distribution in the
- <samp>src/support/split-logfile</samp> file.</li>
-
- <li>
- Increase the number of file descriptors available to
- the server (see your system's documentation on the
- <code>limit</code> or <code>ulimit</code> commands).
- For some systems, information on how to do this is
- available in the <a href="perf.html">performance
- hints</a> page. There is a specific note for <a
- href="#freebsd-setsize">FreeBSD</a> below.
-
- <p>For Windows 95, try modifying your
- <samp>C:\CONFIG.SYS</samp> file to include a line
- like</p>
-
- <dl>
- <dd><code>FILES=300</code></dd>
- </dl>
-
- <p>Remember that you'll need to reboot your Windows 95
- system in order for the new value to take effect.</p>
- </li>
-
- <li>"Don't do that" - try to run with fewer virtual
- hosts</li>
-
- <li>Spread your operation across multiple server
- processes (using <a
- href="../mod/core.html#listen"><samp>Listen</samp></a>
- for example, but see the first point) and/or ports.</li>
- </ol>
-
- <p>Since this is an operating-system limitation, there's
- not much else available in the way of solutions.</p>
-
- <p>As of 1.2.1 we have made attempts to work around various
- limitations involving running with many descriptors. <a
- href="descriptors.html">More information is
- available.</a></p>
- <hr />
- </li>
-
- <li>
- <a id="freebsd-setsize" name="freebsd-setsize"><strong>Can
- I increase <samp>FD_SETSIZE</samp> on FreeBSD?</strong></a>
-
-
- <p>On versions of FreeBSD before 3.0, the
- <samp>FD_SETSIZE</samp> define defaults to 256. This means
- that you will have trouble usefully using more than 256
- file descriptors in Apache. This can be increased, but
- doing so can be tricky.</p>
-
- <p>If you are using a version prior to 2.2, you need to
- recompile your kernel with a larger
- <samp>FD_SETSIZE</samp>. This can be done by adding a line
- such as:</p>
-
- <dl>
- <dd><code>options FD_SETSIZE <em>nnn</em></code></dd>
- </dl>
-
- <p>to your kernel config file. Starting at version 2.2,
- this is no longer necessary.</p>
-
- <p>If you are using a version of 2.1-stable from after
- 1997/03/10 or 2.2 or 3.0-current from before 1997/06/28,
- there is a limit in the resolver library that prevents it
- from using more file descriptors than what
- <samp>FD_SETSIZE</samp> is set to when libc is compiled. To
- increase this, you have to recompile libc with a higher
- <samp>FD_SETSIZE</samp>.</p>
-
- <p>In FreeBSD 3.0, the default <samp>FD_SETSIZE</samp> has
- been increased to 1024 and the above limitation in the
- resolver library has been removed.</p>
-
- <p>After you deal with the appropriate changes above, you
- can increase the setting of <samp>FD_SETSIZE</samp> at
- Apache compilation time by adding
- "<samp>-DFD_SETSIZE=<em>nnn</em></samp>" to the
- <samp>EXTRA_CFLAGS</samp> line in your
- <samp>Configuration</samp> file.</p>
- <hr />
- </li>
-
- <li>
- <a id="errordoc401" name="errordoc401"><strong>Why doesn't
- my <code>ErrorDocument 401</code> work?</strong></a>
-
- <p>You need to use it with a URL in the form
- "<samp>/foo/bar</samp>" and not one with a method and
- hostname such as "<samp>http://host/foo/bar</samp>". See
- the <a
- href="../mod/core.html#errordocument"><samp>ErrorDocument</samp></a>
- documentation for details. This was incorrectly documented
- in the past.</p>
- <hr />
- </li>
-
- <li>
- <a id="cookies1" name="cookies1"><strong>Why does Apache
- send a cookie on every response?</strong></a>
-
- <p>Apache does <em>not</em> automatically send a cookie on
- every response, unless you have re-compiled it with the <a
- href="../mod/mod_usertrack.html"><samp>mod_usertrack</samp></a>
- module, and specifically enabled it with the <a
- href="../mod/mod_usertrack.html#cookietracking"><samp>CookieTracking</samp></a>
- directive. This module has been in Apache since version
- 1.2. This module may help track users, and uses cookies to
- do this. If you are not using the data generated by
- <samp>mod_usertrack</samp>, do not compile it into
- Apache.</p>
- <hr />
- </li>
-
- <li>
- <a id="cookies2" name="cookies2"><strong>Why don't my
- cookies work, I even compiled in
- <samp>mod_cookies</samp>?</strong></a>
-
- <p>Firstly, you do <em>not</em> need to compile in
- <samp>mod_cookies</samp> in order for your scripts to work
- (see the <a href="#cookies1">previous question</a> for more
- about <samp>mod_cookies</samp>). Apache passes on your
- <samp>Set-Cookie</samp> header fine, with or without this
- module. If cookies do not work it will be because your
- script does not work properly or your browser does not use
- cookies or is not set-up to accept them.</p>
- <hr />
- </li>
-
- <li>
- <a id="jdk1-and-http1.1"
- name="jdk1-and-http1.1"><strong>Why do my Java app[let]s
- give me plain text when I request an URL from an Apache
- server?</strong></a>
-
- <p>As of version 1.2, Apache is an HTTP/1.1 (HyperText
- Transfer Protocol version 1.1) server. This fact is
- reflected in the protocol version that's included in the
- response headers sent to a client when processing a
- request. Unfortunately, low-level Web access classes
- included in the Java Development Kit (JDK) version 1.0.2
- expect to see the version string "HTTP/1.0" and do not
- correctly interpret the "HTTP/1.1" value Apache is sending
- (this part of the response is a declaration of what the
- server can do rather than a declaration of the dialect of
- the response). The result is that the JDK methods do not
- correctly parse the headers, and include them with the
- document content by mistake.</p>
-
- <p>This is definitely a bug in the JDK 1.0.2 foundation
- classes from Sun, and it has been fixed in version 1.1.
- However, the classes in question are part of the virtual
- machine environment, which means they're part of the Web
- browser (if Java-enabled) or the Java environment on the
- client system - so even if you develop <em>your</em>
- classes with a recent JDK, the eventual users might
- encounter the problem. The classes involved are replaceable
- by vendors implementing the Java virtual machine
- environment, and so even those that are based upon the
- 1.0.2 version may not have this problem.</p>
-
- <p>In the meantime, a workaround is to tell Apache to
- "fake" an HTTP/1.0 response to requests that come from the
- JDK methods; this can be done by including a line such as
- the following in your server configuration files:</p>
-
- <dl>
- <dd><code>BrowserMatch Java1.0 force-response-1.0<br />
- BrowserMatch JDK/1.0 force-response-1.0</code></dd>
- </dl>
-
- <p>More information about this issue can be found in the <a
- href="http://httpd.apache.org/info/jdk-102.html"><cite>Java
- and HTTP/1.1</cite></a> page at the Apache web site.</p>
- <hr />
- </li>
-
- <li>
- <a id="midi" name="midi"><strong>How do I get Apache to
- send a MIDI file so the browser can play it?</strong></a>
-
- <p>Even though the registered MIME type for MIDI files is
- <samp>audio/midi</samp>, some browsers are not set up to
- recognize it as such; instead, they look for
- <samp>audio/x-midi</samp>. There are two things you can do
- to address this:</p>
-
- <ol>
- <li>Configure your browser to treat documents of type
- <samp>audio/midi</samp> correctly. This is the type that
- Apache sends by default. This may not be workable,
- however, if you have many client installations to change,
- or if some or many of the clients are not under your
- control.</li>
-
- <li>
- Instruct Apache to send a different
- <samp>Content-type</samp> header for these files by
- adding the following line to your server's
- configuration files:
-
- <dl>
- <dd><code>AddType audio/x-midi .mid .midi
- .kar</code></dd>
- </dl>
-
- <p>Note that this may break browsers that <em>do</em>
- recognize the <samp>audio/midi</samp> MIME type unless
- they're prepared to also handle
- <samp>audio/x-midi</samp> the same way.</p>
- </li>
- </ol>
- <hr />
- </li>
-
- <li>
- <a id="addlog" name="addlog"><strong>How do I add browsers
- and referrers to my logs?</strong></a>
-
- <p>Apache provides a couple of different ways of doing
- this. The recommended method is to compile the <a
- href="../mod/mod_log_config.html"><samp>mod_log_config</samp></a>
- module into your configuration and use the <a
- href="../mod/mod_log_config.html#customlog"><samp>CustomLog</samp></a>
- directive.</p>
-
- <p>You can either log the additional information in files
- other than your normal transfer log, or you can add them to
- the records already being written. For example:</p>
-
- <p>
- <code>CustomLog&nbsp;logs/access_log&nbsp;"%h&nbsp;%l&nbsp;%u&nbsp;%t&nbsp;\"%r\"&nbsp;%s&nbsp;%b&nbsp;\"%{Referer}i\"&nbsp;\"%{User-Agent}i\""</code></p>
-
- <p>This will add the values of the <samp>User-agent:</samp>
- and <samp>Referer:</samp> headers, which indicate the
- client and the referring page, respectively, to the end of
- each line in the access log.</p>
-
- <p>You may want to check out the <cite>Apache Week</cite>
- article entitled: "<a
- href="http://www.apacheweek.com/features/logfiles"
- rel="Help"><cite>Gathering Visitor Information: Customizing
- Your Logfiles</cite></a>".</p>
- <hr />
- </li>
-
- <li>
- <a id="set-servername" name="set-servername"><strong>Why
- does accessing directories only work when I include the
- trailing "/"
- (<em>e.g.</em>,&nbsp;<samp>http://foo.domain.com/~user/</samp>)
- but not when I omit it
- (<em>e.g.</em>,&nbsp;<samp>http://foo.domain.com/~user</samp>)?</strong></a>
-
-
- <p>When you access a directory without a trailing "/",
- Apache needs to send what is called a redirect to the
- client to tell it to add the trailing slash. If it did not
- do so, relative URLs would not work properly. When it sends
- the redirect, it needs to know the name of the server so
- that it can include it in the redirect. There are two ways
- for Apache to find this out; either it can guess, or you
- can tell it. If your DNS is configured correctly, it can
- normally guess without any problems. If it is not, however,
- then you need to tell it.</p>
-
- <p>Add a <a
- href="../mod/core.html#servername">ServerName</a> directive
- to the config file to tell it what the domain name of the
- server is.</p>
-
- <p>The other thing that can occasionally cause this symptom is a
- misunderstanding of the <a
- href="../mod/mod_alias.html#alias">Alias</a> directive,
- resulting in an alias working with a trailing slash, and not
- without one. The <code>Alias</code> directive is very literal,
- and aliases what you tell it to. Consider the following
- example:</p>
-
- <pre>
- Alias /example/ /home/www/example/
- </pre>
-
- <p>The above directive creates an alias for URLs starting with
- <code>/example/</code>, but does <em>not</em> alias URLs
- starting with <code>/example</code>. That is to say, a URL such
- as <code>http://servername.com/example/</code> will get the
- desired content, but a URL such as
- <code>http://servername.com/example</code> will result in a
- "file not found" error.</p>
-
- <p>The following <code>Alias</code>, on the other hand, will
- work for both cases:</p>
-
- <pre>
- Alias /example /home/www/example
- </pre>
-
- <hr />
- </li>
-
- <li>
- <a id="no-info-directives"
- name="no-info-directives"><strong>Why doesn't mod_info list
- any directives?</strong></a>
-
- <p>The <a
- href="../mod/mod_info.html"><samp>mod_info</samp></a>
- module allows you to use a Web browser to see how your
- server is configured. Among the information it displays is
- the list modules and their configuration directives. The
- "current" values for the directives are not necessarily
- those of the running server; they are extracted from the
- configuration files themselves at the time of the request.
- If the files have been changed since the server was last
- reloaded, the display will not match the values actively in
- use. If the files and the path to the files are not
- readable by the user as which the server is running (see
- the <a href="../mod/core.html#user"><samp>User</samp></a>
- directive), then <samp>mod_info</samp> cannot read them in
- order to list their values. An entry <em>will</em> be made
- in the error log in this event, however.</p>
- <hr />
- </li>
-
- <li>
- <a id="namevhost" name="namevhost"><strong>I upgraded to
- Apache 1.3 and now my virtual hosts don't
- work!</strong></a>
-
- <p>In versions of Apache prior to 1.3b2, there was a lot of
- confusion regarding address-based virtual hosts and
- (HTTP/1.1) name-based virtual hosts, and the rules
- concerning how the server processed
- <samp>&lt;VirtualHost&gt;</samp> definitions were very
- complex and not well documented.</p>
-
- <p>Apache 1.3b2 introduced a new directive, <a
- href="../mod/core.html#namevirtualhost"><samp>NameVirtualHost</samp></a>,
- which simplifies the rules quite a bit. However, changing
- the rules like this means that your existing name-based
- <samp>&lt;VirtualHost&gt;</samp> containers probably won't
- work correctly immediately following the upgrade.</p>
-
- <p>To correct this problem, add the following line to the
- beginning of your server configuration file, before
- defining any virtual hosts:</p>
-
- <dl>
- <dd><code>NameVirtualHost <em>n.n.n.n</em></code></dd>
- </dl>
-
- <p>Replace the "<samp>n.n.n.n</samp>" with the IP address
- to which the name-based virtual host names resolve; if you
- have multiple name-based hosts on multiple addresses,
- repeat the directive for each address.</p>
-
- <p>Make sure that your name-based
- <samp>&lt;VirtualHost&gt;</samp> blocks contain
- <samp>ServerName</samp> and possibly
- <samp>ServerAlias</samp> directives so Apache can be sure
- to tell them apart correctly.</p>
-
- <p>Please see the <a href="../vhosts/">Apache Virtual Host
- documentation</a> for further details about
- configuration.</p>
- <hr />
- </li>
-
- <li>
- <a id="redhat-htm" name="redhat-htm"><strong>I'm using
- RedHat Linux and my .htm files are showing up as HTML
- source rather than being formatted!</strong></a>
-
- <p>RedHat messed up and forgot to put a content type for
- <code>.htm</code> files into <code>/etc/mime.types</code>.
- Edit <code>/etc/mime.types</code>, find the line containing
- <code>html</code> and add <code>htm</code> to it. Then
- restart your httpd server:</p>
-
- <dl>
- <dd><code>kill -HUP `cat /var/run/httpd.pid`</code></dd>
- </dl>
-
- <p>Then <strong>clear your browsers' caches</strong>. (Many
- browsers won't re-examine the content type after they've
- reloaded a page.)</p>
- <hr />
- </li>
-
- <li>
- <a id="htaccess-work" name="htaccess-work"><strong>My
- <code>.htaccess</code> files are being
- ignored.</strong></a>
-
- <p>This is almost always due to your <a
- href="../mod/core.html#allowoverride">AllowOverride</a>
- directive being set incorrectly for the directory in
- question. If it is set to <code>None</code> then .htaccess
- files will not even be looked for. If you do have one that
- is set, then be certain it covers the directory you are
- trying to use the .htaccess file in. This is normally
- accomplished by ensuring it is inside the proper <a
- href="../mod/core.html#directory">Directory</a>
- container.</p>
- <hr />
- </li>
-
- <li>
- <a id="forbidden" name="forbidden"><strong>Why do I get a
- "<samp>Forbidden</samp>" message whenever I try to access a
- particular directory?</strong></a>
-
- <p>This message is generally caused because either</p>
-
- <ul>
- <li>The underlying file system permissions do not allow
- the User/Group under which Apache is running to access
- the necessary files; or</li>
-
- <li>The Apache configuration has some access restrictions
- in place which forbid access to the files.</li>
- </ul>
-
- <p>You can determine which case applies to your situation
- by checking the error log.</p>
-
- <p>In the case where file system permission are at fault,
- remember that not only must the directory and files in
- question be readable, but also all parent directories must
- be at least searchable by the web server in order for the
- content to be accessible.</p>
- <hr />
- </li>
-
- <li>
- <a id="malfiles" name="malfiles"><b>Why do I get a
- "<samp>Forbidden/You don't have permission to access / on
- this server</samp>" message whenever I try to access my
- server?</b></a>
-
- <p>Search your <code>conf/httpd.conf</code> file for this
- exact string: <code>&lt;Files ~&gt;</code>. If you find it,
- that's your problem -- that particular &lt;Files&gt;
- container is malformed. Delete it or replace it with
- <code>&lt;Files ~ "^\.ht"&gt;</code> and restart your
- server and things should work as expected.</p>
-
- <p>This error appears to be caused by a problem with the
- version of linuxconf distributed with Redhat 6.x. It may
- reappear if you use linuxconf again.</p>
-
- <p>If you don't find this string, check out the <a
- href="#forbidden">previous question</a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="ie-ignores-mime" name="ie-ignores-mime"><strong>Why
- do my files appear correctly in Internet Explorer, but show
- up as source or trigger a save window with
- Netscape; or, Why doesn't Internet Explorer render
- my text/plain document correctly?</strong></a>
-
- <p>MS Internet Explorer (MSIE) and Netscape handle mime type
- detection in different ways, and therefore will display the
- document differently. In particular, IE sometimes relies on
- the file extension or the contents of the file to determine
- the mime type. This can happen when the server specifies a
- mime type of <code>application/octet-stream</code> or
- <code>text/plain</code>. This behavior violates the the HTTP
- standard and makes it impossible to deliver plain text
- documents to MSIE clients in some cases. More details are
- available on MSIE's mime type detection behavior in an <a
- href="http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp">
- MSDN article</a> and a <a
- href="http://ppewww.ph.gla.ac.uk/~flavell/www/content-type.html">note</a>
- by Alan J. Flavell.</p>
-
- <p>The best you can do as a server administrator is to
- accurately configure the mime type of your documents by editing
- the <code>mime.types</code> file or using an <a
- href="../mod/mod_mime.html#addtype"><code>AddType</code></a>
- directive in the Apache configuration files. In some cases,
- you may be able to fool MSIE into rendering text/plain documents
- correctly by assuring they have a <code>.txt</code> filename
- extension, but this will not work if MSIE thinks the content
- looks like another file type.
-</p> <hr />
- </li>
- <li>
- <a name="canonical-hostnames"><strong>My site is accessible
- under many different hostnames; how do I redirect clients
- so that they see only a single name?</strong></a>
-
- <p>Many sites map a variety of hostnames to the same content.
- For example, <code>www.example.com</code>,
- <code>example.com</code> and <code>www.example.net</code> may
- all refer to the same site. It is best to make sure that,
- regardless of the name clients use to access the site, they
- will be redirected to a single, canonical hostname. This
- makes the site easier to maintain and assures that there will
- be only one version of the site in proxy caches and search
- engines.</p>
-
- <p>There are two techniques to implement canonical hostnames:</p>
-
- <ol>
- <li>Use <a href="../mod/mod_rewrite.html">mod_rewrite</a>
- as described in the "Canonical Hostnames" section of the
- <a href="rewriteguide.html">URL Rewriting Guide</a>.</li>
-
- <li>Use <a href="../vhosts/name-based.html">name-based
- virtual hosting</a>:
-
-<blockquote><code>
-NameVirtualHost *<br />
-<br />
-&lt;VirtualHost *&gt;<br />
-&nbsp;&nbsp;ServerName www.example.net<br />
-&nbsp;&nbsp;ServerAlias example.com<br />
-&nbsp;&nbsp;Redirect permanent / http://www.example.com/<br />
-&lt;/VirtualHost&gt;<br />
-<br />
-&lt;VirtualHost *&gt;<br />
-&nbsp;&nbsp;ServerName www.example.com<br />
-&nbsp;&nbsp;DocumentRoot /usr/local/apache/htdocs<br />
-&lt;/VirtualHost&gt;
-</code></blockquote>
- </li></ol>
- <hr /></li>
-
- <li><a id="firewall" name="firewall"><strong>Why can I access my
- website from the server or from my local network, but I
- can't access it from elsewhere on the Internet?</strong></a>
-
- <p>There are many possible reasons for this, and almost all
- of them are related to the configuration of your network, not
- the configuration of the Apache HTTP Server. One of the most
- common problems is that a firewall blocks access to the
- default HTTP port 80. In particular, many consumer ISPs
- block access to this port. You can see if this is the case
- by changing any <code>Port</code> and <code>Listen</code>
- directives in <code>httpd.conf</code> to use port 8000 and
- then request your site using
- <code>http://yourhost.example.com:8000/</code>. (Of course,
- a very restrictive firewall may block this port as well.)</p>
-
- <hr /></li>
-
- <li><a id="indexes" name="indexes"><strong>How do I turn automatic
- directory listings on or off?</strong></a>
-
- <p>If a client requests a URL that designates a directory and
- the directory does not contain a filename that matches the <a
- href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a>
- directive, then <a
- href="../mod/mod_autoindex.html">mod_autoindex</a> can be
- configured to present a listing of the directory contents.</p>
-
- <p>To turn on automatic directory indexing, find the
- <a href="../mod/core.html#options">Options</a> directive that
- applies to the directory and add the <code>Indexes</code>
- keyword. For example:</p>
-
- <blockquote><code>
- &lt;Directory /path/to/directory&gt;<br />
- &nbsp;&nbsp;&nbsp;Options +Indexes<br />
- &lt;/Directory&gt;
- </code></blockquote>
-
- <p>To turn off automatic directory indexing, remove
- the <code>Indexes</code> keyword from the appropriate
- <code>Options</code> line. To turn off directory listing
- for a particular subdirectory, you can use
- <code>Options -Indexes</code>. For example:</p>
-
- <blockquote><code>
- &lt;Directory /path/to/directory&gt;<br />
- &nbsp;&nbsp;&nbsp;Options -Indexes<br />
- &lt;/Directory&gt;
- </code></blockquote>
-
- <hr /></li>
-
- <li><a id="options" name="options"><strong>Why do my Options
- directives not have the desired effect?</strong></a>
-
- <p>Directives placed in the configuration files are applied
- in a very particular order, as described by <a
- href="../sections.html">How Directory, Location, and Files
- sections work</a>. In addition, each <a
- href="../mod/core.html#options">Options</a> directive has the
- effect of resetting the options to <code>none</code> before
- adding the specified options (unless only "+" and "-" options
- are used). The consequence is that <code>Options</code> set
- in the main server or virtual host context (outside any
- directory, location, or files section) will usually have no
- effect, because they are overridden by more specific
- <code>Options</code> directives. For example, in the following</p>
-
-<blockquote><code>
-&lt;Directory /usr/local/apache/htdocs&gt;<br />
-&nbsp;&nbsp;&nbsp;&nbsp;Options Indexes<br />
-&lt;/Directory&gt;<br />
-Options Includes ExecCGI<br />
-</code></blockquote>
-
- <p><code>Includes</code> and <code>ExecCGI</code> will be
- <strong>off</strong> in the <code>/usr/local/apache/htdocs</code>
- directory.</p>
-
- <p>You can usually avoid problems by either finding the
- <code>Options</code> directive that already applies to a
- specific directory and changing it, or by putting your
- <code>Options</code> directive inside the most specific possible
- <code>&lt;Directory&gt;</code> section.</p>
-
- <hr /></li>
-
-
- <li><a id="serverheader" name="serverheader"><strong>How can I change
- the information that Apache returns about itself in the
- headers?</strong></a>
-
- <p>When a client connects to Apache, part of the information returned in
- the headers is the name "Apache" Additional information that can be sent
- is the version number, such as "1.3.26", the operating system, and a
- list of non-standard modules you have installed.</p>
-
- <p>For example:</p>
-
-<blockquote><code>
-Server: Apache/1.3.26 (Unix) mod_perl/1.26
-</code></blockquote>
-
- <p>Frequently, people want to remove this information, under the mistaken
- understanding that this will make the system more secure. This is
- probably not the case, as the same exploits will likely be attempted
- regardless of the header information you provide.</p>
-
- <p>There are, however, two answers to this question: the correct answer,
- and the answer that you are probably looking for.</p>
-
- <p>The correct answer to this question is that you should use the
- ServerTokens directive to alter the quantity of information which is
- passed in the headers. Setting this directive to <code>Prod</code> will
- pass the least possible amount of information:</p>
-
-<blockquote><code>
-Server: Apache
-</code></blockquote>
-
- <p>The answer you are probably looking for is how to make Apache lie
- about what what it is, ie send something like:</p>
-
-<blockquote><code>
-Server: Bob's Happy HTTPd Server
-</code></blockquote>
-
- <p>In order to do this, you will need to modify the Apache source code and
- rebuild Apache. This is not advised, as it is almost certain not to
- provide you with the added security you think that you are gaining. The
- exact method of doing this is left as an exercise for the reader, as we
- are not keen on helping you do something that is intrinsically a bad
- idea.</p>
-
- <hr /></li>
-
- <li><a id="proxyscan" name="proxyscan"><strong>Why do I see requests
- for other sites appearing in my log files?</strong></a>
-
- <p>A an access_log entry showing this situation could look
- like this:</p>
-
- <blockquote><code> 63.251.56.142 - -
- [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/
- HTTP/1.0" 200 1456 </code></blockquote>
-
- <p>The question is: why did a request for
- <code>www.yahoo.com</code> come to your server instead of
- Yahoo's server? And why does the response have a status
- code of 200 (success)?</p>
-
- <p>This is usually the result of malicious clients trying to
- exploit open proxy servers to access a website without
- revealing their true location. If you find entries like this
- in your log, the first thing to do is to make sure you have
- properly configured your server not to proxy for unknown
- clients. If you don't need to provide a proxy server at all,
- you should simply assure that the <a
- href="../mod/mod_proxy.html#proxyrequests">ProxyRequests</a>
- directive is <strong>not</strong> set <code>on</code>.
- If you do need to run a proxy server, then you must ensure
- that you <a href="../mod/mod_proxy.html#access">secure your
- server properly</a> so that only authorized clients can use
- it.</p>
-
- <p>If your server is configured properly, then the attempt to
- proxy through your server will fail. If you see a status
- code of <code>404</code> (file not found) in the log, then
- you know that the request failed. If you see a status code
- of <code>200</code> (success), that does not necessarily mean
- that the attempt to proxy succeeded. RFC2616 section 5.1.2
- mandates that Apache must accept requests with absolute URLs
- in the request-URI, even for non-proxy requests. Since
- Apache has no way to know all the different names that your
- server may be known under, it cannot simply reject hostnames
- it does not recognize. Instead, it will serve requests for
- unknown sites locally by stripping off the hostname and using
- the default server or virtual host. Therefore you can
- compare the size of the file (1456 in the above example) to
- the size of the corresponding file in your default server.
- If they are the same, then the proxy attempt failed, since a
- document from your server was delivered, not a document from
- <code>www.yahoo.com</code>.</p>
-
- <p>If you wish to prevent this type of request entirely, then
- you need to let Apache know what hostnames to accept and what
- hostnames to reject. You do this by configuring name-virtual
- hosts, where the first listed host is the default host that
- will catch and reject unknown hostnames. For example:</p>
-
-<blockquote>
-<pre>
-NameVirtualHost *
-
-&lt;VirtualHost *&gt;
- ServerName default.only
- &lt;Location /&gt;
- Order allow,deny
- Deny from all
- &lt;/Location&gt;
-&lt;/VirtualHost&gt;
-
-&lt;VirtualHost *&gt;
- ServerName realhost1.example.com
- ServerAlias alias1.example.com alias2.example.com
- DocumentRoot /path/to/site1
-&lt;/VirtualHost&gt;
-
-...
-</pre>
-</blockquote>
- <hr /></li>
-
- </ol>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>F. Dynamic Content (CGI and SSI)</h3>
-
- <ol>
- <li>
- <a id="CGIoutsideScriptAlias"
- name="CGIoutsideScriptAlias"><strong>How do I enable CGI
- execution in directories other than the
- ScriptAlias?</strong></a>
-
- <p>Apache recognizes all files in a directory named as a <a
- href="../mod/mod_alias.html#scriptalias"><samp>ScriptAlias</samp></a>
- as being eligible for execution rather than processing as
- normal documents. This applies regardless of the file name,
- so scripts in a ScriptAlias directory don't need to be
- named "<samp>*.cgi</samp>" or "<samp>*.pl</samp>" or
- whatever. In other words, <em>all</em> files in a
- ScriptAlias directory are scripts, as far as Apache is
- concerned.</p>
-
- <p>To persuade Apache to execute scripts in other
- locations, such as in directories where normal documents
- may also live, you must tell it how to recognize them - and
- also that it's okay to execute them. For this, you need to
- use something like the <a
- href="../mod/mod_mime.html#addhandler"><samp>AddHandler</samp></a>
- directive.</p>
-
- <ol>
- <li>
- In an appropriate section of your server configuration
- files, add a line such as
-
- <dl>
- <dd><code>AddHandler cgi-script .cgi</code></dd>
- </dl>
-
- <p>The server will then recognize that all files in
- that location (and its logical descendants) that end in
- "<samp>.cgi</samp>" are script files, not
- documents.</p>
- </li>
-
- <li>Make sure that the directory location is covered by
- an <a
- href="../mod/core.html#options"><samp>Options</samp></a>
- declaration that includes the <samp>ExecCGI</samp>
- option.</li>
- </ol>
-
- <p>In some situations, you might not want to actually allow
- all files named "<samp>*.cgi</samp>" to be executable.
- Perhaps all you want is to enable a particular file in a
- normal directory to be executable. This can be
- alternatively accomplished <em>via</em> <a
- href="../mod/mod_rewrite.html"><samp>mod_rewrite</samp></a>
- and the following steps:</p>
-
- <ol>
- <li>
- Locally add to the corresponding <samp>.htaccess</samp>
- file a ruleset similar to this one:
-
- <dl>
- <dd><code>RewriteEngine on<br />
- RewriteBase /~foo/bar/<br />
- RewriteRule ^quux\.cgi$ -
- [T=application/x-httpd-cgi]</code></dd>
- </dl>
- </li>
-
- <li>Make sure that the directory location is covered by
- an <a
- href="../mod/core.html#options"><samp>Options</samp></a>
- declaration that includes the <samp>ExecCGI</samp> and
- <samp>FollowSymLinks</samp> option.</li>
- </ol>
- <hr />
- </li>
-
- <li>
- <a id="premature-script-headers"
- name="premature-script-headers"><strong>What does it mean
- when my CGIs fail with "<samp>Premature end of script
- headers</samp>"?</strong></a>
-
- <p>It means just what it says: the server was expecting a
- complete set of HTTP headers (one or more followed by a
- blank line), and didn't get them.</p>
-
- <p>The most common cause of this problem is the script
- dying before sending the complete set of headers, or
- possibly any at all, to the server. To see if this is the
- case, try running the script standalone from an interactive
- session, rather than as a script under the server. If you
- get error messages, this is almost certainly the cause of
- the "premature end of script headers" message. Even if the
- CGI runs fine from the command line, remember that the
- environment and permissions may be different when running
- under the web server. The CGI can only access resources
- allowed for the <a
- href="../mod/core.html#user"><code>User</code></a> and <a
- href="../mod/core.html#group"><code>Group</code></a>
- specified in your Apache configuration. In addition, the
- environment will not be the same as the one provided on the
- command line, but it can be adjusted using the directives
- provided by <a href="../mod/mod_env.html">mod_env</a>.</p>
-
- <p>The second most common cause of this (aside from people
- not outputting the required headers at all) is a result of
- an interaction with Perl's output buffering. To make Perl
- flush its buffers after each output statement, insert the
- following statements around the <code>print</code> or
- <code>write</code> statements that send your HTTP
- headers:</p>
-
- <dl>
- <dd><code>{<br />
- &nbsp;local ($oldbar) = $|;<br />
- &nbsp;$cfh = select (STDOUT);<br />
- &nbsp;$| = 1;<br />
- &nbsp;#<br />
- &nbsp;# print your HTTP headers here<br />
- &nbsp;#<br />
- &nbsp;$| = $oldbar;<br />
- &nbsp;select ($cfh);<br />
- }</code></dd>
- </dl>
-
- <p>This is generally only necessary when you are calling
- external programs from your script that send output to
- stdout, or if there will be a long delay between the time
- the headers are sent and the actual content starts being
- emitted. To maximize performance, you should turn
- buffer-flushing back <em>off</em> (with <code>$| = 0</code>
- or the equivalent) after the statements that send the
- headers, as displayed above.</p>
-
- <p>If your script isn't written in Perl, do the equivalent
- thing for whatever language you <em>are</em> using
- (<em>e.g.</em>, for C, call <code>fflush()</code> after
- writing the headers).</p>
-
- <p>Another cause for the "premature end of script headers"
- message are the RLimitCPU and RLimitMEM directives. You may
- get the message if the CGI script was killed due to a
- resource limit.</p>
-
- <p>In addition, a configuration problem in <a
- href="../suexec.html">suEXEC</a>, mod_perl, or another
- third party module can often interfere with the execution
- of your CGI and cause the "premature end of script headers"
- message.</p>
- <hr />
- </li>
-
- <li>
- <a id="POSTnotallowed" name="POSTnotallowed"><strong>Why do
- I keep getting "Method Not Allowed" for form POST
- requests?</strong></a>
-
- <p>This is almost always due to Apache not being configured
- to treat the file you are trying to POST to as a CGI
- script. You can not POST to a normal HTML file; the
- operation has no meaning. See the FAQ entry on <a
- href="#CGIoutsideScriptAlias">CGIs outside ScriptAliased
- directories</a> for details on how to configure Apache to
- treat the file in question as a CGI.</p>
- <hr />
- </li>
-
- <li>
- <a id="nph-scripts" name="nph-scripts"><strong>How can I
- get my script's output without Apache buffering it? Why
- doesn't my server push work?</strong></a>
-
- <p>As of Apache 1.3, CGI scripts are essentially not
- buffered. Every time your script does a "flush" to output
- data, that data gets relayed on to the client. Some
- scripting languages, for example Perl, have their own
- buffering for output - this can be disabled by setting the
- <code>$|</code> special variable to 1. Of course this does
- increase the overall number of packets being transmitted,
- which can result in a sense of slowness for the end
- user.</p>
-
- <p>Prior to 1.3, you needed to use "nph-" scripts to
- accomplish non-buffering. Today, the only difference
- between nph scripts and normal scripts is that nph scripts
- require the full HTTP headers to be sent.</p>
- <hr />
- </li>
-
- <li>
- <a id="cgi-spec" name="cgi-spec"><strong>Where can I find
- the "CGI specification"?</strong></a>
-
- <p>The Common Gateway Interface (CGI) specification can be
- found at the original NCSA site &lt; <a
- href="http://hoohoo.ncsa.uiuc.edu/cgi/interface.html"><samp>
- http://hoohoo.ncsa.uiuc.edu/cgi/interface.html</samp></a>&gt;.
- This version hasn't been updated since 1995, and there have
- been some efforts to update it.</p>
-
- <p>A new draft is being worked on with the intent of making
- it an informational RFC; you can find out more about this
- project at &lt;<a
- href="http://web.golux.com/coar/cgi/"><samp>http://web.golux.com/coar/cgi/</samp></a>&gt;.</p>
- <hr />
- </li>
-
- <li>
- <a id="fastcgi" name="fastcgi"><strong>Why isn't FastCGI
- included with Apache any more?</strong></a>
-
- <p>The simple answer is that it was becoming too difficult
- to keep the version being included with Apache synchronized
- with the master copy at the <a
- href="http://www.fastcgi.com/">FastCGI web site</a>. When a
- new version of Apache was released, the version of the
- FastCGI module included with it would soon be out of
- date.</p>
-
- <p>You can still obtain the FastCGI module for Apache from
- the master FastCGI web site.</p>
- <hr />
- </li>
-
- <li>
- <a id="ssi-part-i" name="ssi-part-i"><strong>How do I
- enable SSI (parsed HTML)?</strong></a>
-
- <p>SSI (an acronym for Server-Side Include) directives
- allow static HTML documents to be enhanced at run-time
- (<em>e.g.</em>, when delivered to a client by Apache). The
- format of SSI directives is covered in the <a
- href="../mod/mod_include.html">mod_include manual</a>;
- suffice it to say that Apache supports not only SSI but
- xSSI (eXtended SSI) directives.</p>
-
- <p>Processing a document at run-time is called
- <em>parsing</em> it; hence the term "parsed HTML" sometimes
- used for documents that contain SSI instructions. Parsing
- tends to be resource-consumptive compared to serving static
- files, and is not enabled by default. It can also interfere
- with the cachability of your documents, which can put a
- further load on your server. (See the <a
- href="#ssi-part-ii">next question</a> for more information
- about this.)</p>
-
- <p>To enable SSI processing, you need to</p>
-
- <ul>
- <li>Build your server with the <a
- href="../mod/mod_include.html"><samp>mod_include</samp></a>
- module. This is normally compiled in by default.</li>
-
- <li>Make sure your server configuration files have an <a
- href="../mod/core.html#options"><samp>Options</samp></a>
- directive which permits <samp>Includes</samp>.</li>
-
- <li>
- Make sure that the directory where you want the SSI
- documents to live is covered by the "server-parsed"
- content handler, either explicitly or in some ancestral
- location. That can be done with the following <a
- href="../mod/mod_mime.html#addhandler"><samp>AddHandler</samp></a>
- directive:
-
- <dl>
- <dd><code>AddHandler server-parsed .shtml</code></dd>
- </dl>
-
- <p>This indicates that all files ending in ".shtml" in
- that location (or its descendants) should be parsed.
- Note that using ".html" will cause all normal HTML
- files to be parsed, which may put an inordinate load on
- your server.</p>
- </li>
- </ul>
-
- <p>For additional information, see the <cite>Apache
- Week</cite> article on <a
- href="http://www.apacheweek.com/features/ssi"
- rel="Help"><cite>Using Server Side Includes</cite></a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="ssi-part-ii" name="ssi-part-ii"><strong>Why don't my
- parsed files get cached?</strong></a>
-
- <p>Since the server is performing run-time processing of
- your SSI directives, which may change the content shipped
- to the client, it can't know at the time it starts parsing
- what the final size of the result will be, or whether the
- parsed result will always be the same. This means that it
- can't generate <samp>Content-Length</samp> or
- <samp>Last-Modified</samp> headers. Caches commonly work by
- comparing the <samp>Last-Modified</samp> of what's in the
- cache with that being delivered by the server. Since the
- server isn't sending that header for a parsed document,
- whatever's doing the caching can't tell whether the
- document has changed or not - and so fetches it again to be
- on the safe side.</p>
-
- <p>You can work around this in some cases by causing an
- <samp>Expires</samp> header to be generated. (See the <a
- href="../mod/mod_expires.html"
- rel="Help"><samp>mod_expires</samp></a> documentation for
- more details.) Another possibility is to use the <a
- href="../mod/mod_include.html#xbithack"
- rel="Help"><samp>XBitHack Full</samp></a> mechanism, which
- tells Apache to send (under certain circumstances detailed
- in the XBitHack directive description) a
- <samp>Last-Modified</samp> header based upon the last
- modification time of the file being parsed. Note that this
- may actually be lying to the client if the parsed file
- doesn't change but the SSI-inserted content does; if the
- included content changes often, this can result in stale
- copies being cached.</p>
- <hr />
- </li>
-
- <li>
- <a id="ssi-part-iii" name="ssi-part-iii"><strong>How can I
- have my script output parsed?</strong></a>
-
- <p>So you want to include SSI directives in the output from
- your CGI script, but can't figure out how to do it? The
- short answer is "you can't." This is potentially a security
- liability and, more importantly, it can not be cleanly
- implemented under the current server API. The best
- workaround is for your script itself to do what the SSIs
- would be doing. After all, it's generating the rest of the
- content.</p>
-
- <p>This is a feature The Apache Group hopes to add in the
- next major release after 1.3.</p>
- <hr />
- </li>
-
- <li>
- <a id="ssi-part-iv" name="ssi-part-iv"><strong>SSIs don't
- work for VirtualHosts and/or user home
- directories.</strong></a>
-
- <p>This is almost always due to having some setting in your
- config file that sets "Options Includes" or some other
- setting for your DocumentRoot but not for other
- directories. If you set it inside a Directory section, then
- that setting will only apply to that directory.</p>
- <hr />
- </li>
-
- <li>
- <a id="errordocssi" name="errordocssi"><strong>How can I
- use <code>ErrorDocument</code> and SSI to simplify
- customized error messages?</strong></a>
-
- <p>Have a look at <a href="custom_errordocs.html">this
- document</a>. It shows in example form how you can a
- combination of XSSI and negotiation to tailor a set of
- <code>ErrorDocument</code>s to your personal taste, and
- returning different internationalized error responses based
- on the client's native language.</p>
- <hr />
- </li>
-
- <li>
- <a id="remote-user-var" name="remote-user-var"><strong>Why
- is the environment variable <samp>REMOTE_USER</samp> not
- set?</strong></a>
-
- <p>This variable is set and thus available in SSI or CGI
- scripts <strong>if and only if</strong> the requested
- document was protected by access authentication. For an
- explanation on how to implement these restrictions, see <a
- href="http://www.apacheweek.com/"><cite>Apache
- Week</cite></a>'s articles on <a
- href="http://www.apacheweek.com/features/userauth"><cite>Using
- User Authentication</cite></a> or <a
- href="http://www.apacheweek.com/features/dbmauth"><cite>DBM
- User Authentication</cite></a>.</p>
-
- <p>Hint: When using a CGI script to receive the data of a
- HTML <samp>FORM</samp> notice that protecting the document
- containing the <samp>FORM</samp> is not sufficient to
- provide <samp>REMOTE_USER</samp> to the CGI script. You
- have to protect the CGI script, too. Or alternatively only
- the CGI script (then authentication happens only after
- filling out the form).</p>
- <hr />
- </li>
-
- <li>
- <a id="user-cgi" name="user-cgi"><strong>How do I allow
- each of my user directories to have a cgi-bin
- directory?</strong></a>
-
- <p>Remember that CGI execution does not need to be
- restricted only to cgi-bin directories. You can <a
- href="#CGIoutsideScriptAlias">allow CGI script execution in
- arbitrary parts of your filesystem</a>.</p>
-
- <p>There are many ways to give each user directory a
- cgi-bin directory such that anything requested as
- <samp>http://example.com/~user/cgi-bin/program</samp> will
- be executed as a CGI script. Two alternatives are:</p>
-
- <ol>
- <li>
- Place the cgi-bin directory next to the public_html
- directory:
-
- <dl>
- <dd><code>ScriptAliasMatch ^/~([^/]*)/cgi-bin/(.*)
- /home/$1/cgi-bin/$2</code></dd>
- </dl>
- </li>
-
- <li>
- Place the cgi-bin directory underneath the public_html
- directory:
-
- <dl>
- <dd><code>&lt;Directory
- /home/*/public_html/cgi-bin&gt;<br />
- &nbsp;&nbsp;&nbsp;&nbsp;Options ExecCGI<br />
- &nbsp;&nbsp;&nbsp;&nbsp;SetHandler cgi-script<br />
- &lt;/Directory&gt;</code></dd>
- </dl>
- </li>
- </ol>
- <p>If you are using suexec, the first technique will not work
- because CGI scripts must be stored under the <code>public_html</code>
- directory.</p>
-
- <hr />
- </li>
- </ol>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>G. Authentication and Access Restrictions</h3>
-
- <ol>
- <li>
- <a id="dnsauth" name="dnsauth"><strong>Why isn't
- restricting access by host or domain name working
- correctly?</strong></a>
-
- <p>Two of the most common causes of this are:</p>
-
- <ol>
- <li><strong>An error, inconsistency, or unexpected
- mapping in the DNS registration</strong><br />
- This happens frequently: your configuration restricts
- access to <samp>Host.FooBar.Com</samp>, but you can't get
- in from that host. The usual reason for this is that
- <samp>Host.FooBar.Com</samp> is actually an alias for
- another name, and when Apache performs the
- address-to-name lookup it's getting the <em>real</em>
- name, not <samp>Host.FooBar.Com</samp>. You can verify
- this by checking the reverse lookup yourself. The easiest
- way to work around it is to specify the correct host name
- in your configuration.</li>
-
- <li>
- <strong>Inadequate checking and verification in your
- configuration of Apache</strong><br />
- If you intend to perform access checking and
- restriction based upon the client's host or domain
- name, you really need to configure Apache to
- double-check the origin information it's supplied. You
- do this by adding the <samp>-DMAXIMUM_DNS</samp> clause
- to the <samp>EXTRA_CFLAGS</samp> definition in your
- <samp>Configuration</samp> file. For example:
-
- <dl>
- <dd><code>EXTRA_CFLAGS=-DMAXIMUM_DNS</code></dd>
- </dl>
-
- <p>This will cause Apache to be very paranoid about
- making sure a particular host address is
- <em>really</em> assigned to the name it claims to be.
- Note that this <em>can</em> incur a significant
- performance penalty, however, because of all the name
- resolution requests being sent to a nameserver.</p>
- </li>
- </ol>
- <hr />
- </li>
-
- <li>
- <a id="user-authentication"
- name="user-authentication"><strong>How do I set up Apache
- to require a username and password to access certain
- documents?</strong></a>
-
- <p>There are several ways to do this; some of the more
- popular ones are to use the <a
- href="../mod/mod_auth.html">mod_auth</a>, <a
- href="../mod/mod_auth_db.html">mod_auth_db</a>, or <a
- href="../mod/mod_auth_dbm.html">mod_auth_dbm</a>
- modules.</p>
-
- <p>For an explanation on how to implement these
- restrictions, see <a
- href="http://www.apacheweek.com/"><cite>Apache
- Week</cite></a>'s articles on <a
- href="http://www.apacheweek.com/features/userauth"><cite>Using
- User Authentication</cite></a> or <a
- href="http://www.apacheweek.com/features/dbmauth"><cite>DBM
- User Authentication</cite></a>, or see the <a
- href="../howto/auth.html">authentication tutorial</a> in the
- Apache documentation.</p>
- <hr />
- </li>
-
- <li>
- <a id="remote-auth-only"
- name="remote-auth-only"><strong>How do I set up Apache to
- allow access to certain documents only if a site is either
- a local site <em>or</em> the user supplies a password and
- username?</strong></a>
-
- <p>Use the <a href="../mod/core.html#satisfy">Satisfy</a>
- directive, in particular the <code>Satisfy Any</code>
- directive, to require that only one of the access
- restrictions be met. For example, adding the following
- configuration to a <samp>.htaccess</samp> or server
- configuration file would restrict access to people who
- either are accessing the site from a host under domain.com
- or who can supply a valid username and password:</p>
-
- <dl>
- <dd><code>Deny from all<br />
- Allow from .domain.com<br />
- AuthType Basic<br />
- AuthUserFile /usr/local/apache/conf/htpasswd.users<br />
- AuthName "special directory"<br />
- Require valid-user<br />
- Satisfy any</code></dd>
- </dl>
-
- <p>See the <a href="#user-authentication">user
- authentication</a> question and the <a
- href="../mod/mod_access.html">mod_access</a> module for
- details on how the above directives work.</p>
- <hr />
- </li>
-
- <li>
- <a id="authauthoritative"
- name="authauthoritative"><strong>Why does my authentication
- give me a server error?</strong></a>
-
- <p>Under normal circumstances, the Apache access control
- modules will pass unrecognized user IDs on to the next
- access control module in line. Only if the user ID is
- recognized and the password is validated (or not) will it
- give the usual success or "authentication failed"
- messages.</p>
-
- <p>However, if the last access module in line 'declines'
- the validation request (because it has never heard of the
- user ID or because it is not configured), the
- <samp>http_request</samp> handler will give one of the
- following, confusing, errors:</p>
-
- <ul>
- <li><samp>check access</samp></li>
-
- <li><samp>check user. No user file?</samp></li>
-
- <li><samp>check access. No groups file?</samp></li>
- </ul>
-
- <p>This does <em>not</em> mean that you have to add an
- '<samp>AuthUserFile&nbsp;/dev/null</samp>' line as some
- magazines suggest!</p>
-
- <p>The solution is to ensure that at least the last module
- is authoritative and <strong>CONFIGURED</strong>. By
- default, <samp>mod_auth</samp> is authoritative and will
- give an OK/Denied, but only if it is configured with the
- proper <samp>AuthUserFile</samp>. Likewise, if a valid
- group is required. (Remember that the modules are processed
- in the reverse order from that in which they appear in your
- compile-time <samp>Configuration</samp> file.)</p>
-
- <p>A typical situation for this error is when you are using
- the <samp>mod_auth_dbm</samp>, <samp>mod_auth_msql</samp>,
- <samp>mod_auth_mysql</samp>, <samp>mod_auth_anon</samp> or
- <samp>mod_auth_cookie</samp> modules on their own. These
- are by default <strong>not</strong> authoritative, and this
- will pass the buck on to the (non-existent) next
- authentication module when the user ID is not in their
- respective database. Just add the appropriate
- '<samp><em>XXX</em>Authoritative yes</samp>' line to the
- configuration.</p>
-
- <p>In general it is a good idea (though not terribly
- efficient) to have the file-based <samp>mod_auth</samp> a
- module of last resort. This allows you to access the web
- server with a few special passwords even if the databases
- are down or corrupted. This does cost a file
- open/seek/close for each request in a protected area.</p>
- <hr />
- </li>
-
- <li>
- <a id="auth-on-same-machine"
- name="auth-on-same-machine"><strong>Do I have to keep the
- (mSQL) authentication information on the same
- machine?</strong></a>
-
- <p>Some organizations feel very strongly about keeping the
- authentication information on a different machine than the
- webserver. With the <samp>mod_auth_msql</samp>,
- <samp>mod_auth_mysql</samp>, and other SQL modules
- connecting to (R)DBMses this is quite possible. Just
- configure an explicit host to contact.</p>
-
- <p>Be aware that with mSQL and Oracle, opening and closing
- these database connections is very expensive and time
- consuming. You might want to look at the code in the
- <samp>auth_*</samp> modules and play with the compile time
- flags to alleviate this somewhat, if your RDBMS licences
- allow for it.</p>
- <hr />
- </li>
-
- <li>
- <a id="msql-slow" name="msql-slow"><strong>Why is my mSQL
- authentication terribly slow?</strong></a>
-
- <p>You have probably configured the Host by specifying a
- FQHN, and thus the <samp>libmsql</samp> will use a full
- blown TCP/IP socket to talk to the database, rather than a
- fast internal device. The <samp>libmsql</samp>, the mSQL
- FAQ, and the <samp>mod_auth_msql</samp> documentation warn
- you about this. If you have to use different hosts, check
- out the <samp>mod_auth_msql</samp> code for some compile
- time flags which might - or might not - suit you.</p>
- <hr />
- </li>
-
- <li>
- <a id="passwdauth" name="passwdauth"><strong>Can I use my
- <samp>/etc/passwd</samp> file for Web page
- authentication?</strong></a>
-
- <p>Yes, you can - but it's a <strong>very bad
- idea</strong>. Here are some of the reasons:</p>
-
- <ul>
- <li>The Web technology provides no governors on how often
- or how rapidly password (authentication failure) retries
- can be made. That means that someone can hammer away at
- your system's <samp>root</samp> password using the Web,
- using a dictionary or similar mass attack, just as fast
- as the wire and your server can handle the requests. Most
- operating systems these days include attack detection
- (such as <em>n</em> failed passwords for the same account
- within <em>m</em> seconds) and evasion (breaking the
- connection, disabling the account under attack, disabling
- <em>all</em> logins from that source, <em>et
- cetera</em>), but the Web does not.</li>
-
- <li>An account under attack isn't notified (unless the
- server is heavily modified); there's no "You have 19483
- login failures" message when the legitimate owner logs
- in.</li>
-
- <li>Without an exhaustive and error-prone examination of
- the server logs, you can't tell whether an account has
- been compromised. Detecting that an attack has occurred,
- or is in progress, is fairly obvious, though -
- <em>if</em> you look at the logs.</li>
-
- <li>Web authentication passwords (at least for Basic
- authentication) generally fly across the wire, and
- through intermediate proxy systems, in what amounts to
- plain text. "O'er the net we go/Caching all the way;/O
- what fun it is to surf/Giving my password away!"</li>
-
- <li>Since HTTP is stateless, information about the
- authentication is transmitted <em>each and every
- time</em> a request is made to the server. Essentially,
- the client caches it after the first successful access,
- and transmits it without asking for all subsequent
- requests to the same server.</li>
-
- <li>It's relatively trivial for someone on your system to
- put up a page that will steal the cached password from a
- client's cache without them knowing. Can you say
- "password grabber"?</li>
- </ul>
-
- <p>If you still want to do this in light of the above
- disadvantages, the method is left as an exercise for the
- reader. It'll void your Apache warranty, though, and you'll
- lose all accumulated UNIX guru points.</p>
- <hr />
- </li>
-
- <li>
- <a id="prompted-twice" name="prompted-twice"><strong>Why
- does Apache ask for my password twice before serving a
- file?</strong></a>
-
- <p>If the hostname under which you are accessing the server
- is different than the hostname specified in the <a
- href="../mod/core.html#servername"><code>ServerName</code></a>
- directive, then depending on the setting of the <a
- href="../mod/core.html#usecanonicalname"><code>UseCanonicalName</code></a>
- directive, Apache will redirect you to a new hostname when
- constructing self-referential URLs. This happens, for
- example, in the case where you request a directory without
- including the trailing slash.</p>
-
- <p>When this happens, Apache will ask for authentication
- once under the original hostname, perform the redirect, and
- then ask again under the new hostname. For security
- reasons, the browser must prompt again for the password
- when the host name changes.</p>
-
- <p>To eliminate this problem you should</p>
-
- <ol>
- <li>Always use the trailing slash when requesting
- directories;</li>
-
- <li>Change the <code>ServerName</code> to match the name
- you are using in the URL; and/or</li>
-
- <li>Set <code>UseCanonicalName off</code>.</li>
- </ol>
- <hr />
- </li>
-
- <li>
- <a id="image-theft" name="image-theft"><strong>How can I prevent
- people from "stealing" the images from my web site?</strong></a>
-
- <p>The goal here is to prevent people from inlining your images
- directly from their web site, but accessing them only if they
- appear inline in your pages.<p>
-
- <p>This can be accomplished with a combination of SetEnvIf and
- the Deny and Allow directives. However, it is important to
- understand that any access restriction based on the REFERER
- header is intrinsically problematic due to the fact that
- browsers can send an incorrect REFERER, either because they
- want to circumvent your restriction or simply because they don't
- send the right thing (or anything at all).</p>
-
- <p>The following configuration will produce the desired effect
- if the browser passes correct REFERER headers.</p>
-
-<pre>
-SetEnvIf REFERER "www\.mydomain\.com" linked_from_here
-SetEnvIf REFERER "^$" linked_from_here
-
-&lt;Directory /www/images&gt;
- Order deny,allow
- Deny from all
- Allow from env=linked_from_here
-&lt;/Directory&gt;
-</pre>
-
-<p>Further examples can be found in the <a
-href="../env.html#examples">Environment Variables</a> documentation.</p>
-
- <hr />
- </li>
-
-
- </ol>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>H. URL Rewriting</h3>
-
- <ol>
- <li>
- <a id="rewrite-more-config"
- name="rewrite-more-config"><strong>Where can I find
- mod_rewrite rulesets which already solve particular
- URL-related problems?</strong></a>
-
- <p>There is a collection of <a
- href="http://www.engelschall.com/pw/apache/rewriteguide/">Practical
- Solutions for URL-Manipulation</a> where you can find all
- typical solutions the author of <a
- href="../mod/mod_rewrite.html"><samp>mod_rewrite</samp></a>
- currently knows of. If you have more interesting rulesets
- which solve particular problems not currently covered in
- this document, send it to <a
- href="mailto:rse@apache.org">Ralf S. Engelschall</a> for
- inclusion. The other webmasters will thank you for avoiding
- the reinvention of the wheel.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-article"
- name="rewrite-article"><strong>Where can I find any
- published information about URL-manipulations and
- mod_rewrite?</strong></a>
-
- <p>There is an article from <a
- href="mailto:rse@apache.org">Ralf S. Engelschall</a> about
- URL-manipulations based on <a
- href="../mod/mod_rewrite.html"><samp>mod_rewrite</samp></a>
- in the "iX Multiuser Multitasking Magazin" issue #12/96.
- The german (original) version can be read online at &lt;<a
- href="http://www.heise.de/ix/artikel/9612149/">http://www.heise.de/ix/artikel/9612149/</a>&gt;,
- the English (translated) version can be found at &lt;<a
- href="http://www.heise.de/ix/artikel/E/9612149/">http://www.heise.de/ix/artikel/E/9612149/</a>&gt;.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-complexity"
- name="rewrite-complexity"><strong>Why is mod_rewrite so
- difficult to learn and seems so complicated?</strong></a>
-
- <p>Hmmm... there are a lot of reasons. First, mod_rewrite
- itself is a powerful module which can help you in really
- <strong>all</strong> aspects of URL rewriting, so it can be
- no trivial module per definition. To accomplish its hard
- job it uses software leverage and makes use of a powerful
- regular expression library by Henry Spencer which is an
- integral part of Apache since its version 1.2. And regular
- expressions itself can be difficult to newbies, while
- providing the most flexible power to the advanced
- hacker.</p>
-
- <p>On the other hand mod_rewrite has to work inside the
- Apache API environment and needs to do some tricks to fit
- there. For instance the Apache API as of 1.x really was not
- designed for URL rewriting at the <tt>.htaccess</tt> level
- of processing. Or the problem of multiple rewrites in
- sequence, which is also not handled by the API per design.
- To provide this features mod_rewrite has to do some special
- (but API compliant!) handling which leads to difficult
- processing inside the Apache kernel. While the user usually
- doesn't see anything of this processing, it can be
- difficult to find problems when some of your RewriteRules
- seem not to work.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-dontwork"
- name="rewrite-dontwork"><strong>What can I do if my
- RewriteRules don't work as expected?</strong></a>
-
- <p>Use "<samp>RewriteLog somefile</samp>" and
- "<samp>RewriteLogLevel 9</samp>" and have a precise look at
- the steps the rewriting engine performs. This is really the
- only one and best way to debug your rewriting
- configuration.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-prefixdocroot"
- name="rewrite-prefixdocroot"><strong>Why don't some of my
- URLs get prefixed with DocumentRoot when using
- mod_rewrite?</strong></a>
-
- <p>If the rule starts with <samp>/somedir/...</samp> make
- sure that really no <samp>/somedir</samp> exists on the
- filesystem if you don't want to lead the URL to match this
- directory, <em>i.e.</em>, there must be no root directory
- named <samp>somedir</samp> on the filesystem. Because if
- there is such a directory, the URL will not get prefixed
- with DocumentRoot. This behavior looks ugly, but is really
- important for some other aspects of URL rewriting.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-nocase" name="rewrite-nocase"><strong>How
- can I make all my URLs case-insensitive with
- mod_rewrite?</strong></a>
-
- <p>You can't! The reasons are: first, that, case
- translations for arbitrary length URLs cannot be done
- <em>via</em> regex patterns and corresponding
- substitutions. One needs a per-character pattern like the
- sed/Perl <samp>tr|..|..|</samp> feature. Second, just
- making URLs always upper or lower case does not solve the
- whole problem of case-INSENSITIVE URLs, because URLs
- actually have to be rewritten to the correct case-variant
- for the file residing on the filesystem in order to allow
- Apache to access the file. And the Unix filesystem is
- always case-SENSITIVE.</p>
-
- <p>But there is a module named <code><a
- href="../mod/mod_speling.html">mod_speling.c</a></code> in
- the Apache distribution. Try this module to help correct
- people who use mis-cased URLs.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-virthost"
- name="rewrite-virthost"><strong>Why are RewriteRules in my
- VirtualHost parts ignored?</strong></a>
-
- <p>Because you have to enable the engine for every virtual
- host explicitly due to security concerns. Just add a
- "RewriteEngine on" to your virtual host configuration
- parts.</p>
- <hr />
- </li>
-
- <li>
- <a id="rewrite-envwhitespace"
- name="rewrite-envwhitespace"><strong>How can I use strings
- with whitespaces in RewriteRule's ENV flag?</strong></a>
-
- <p>There is only one ugly solution: You have to surround
- the complete flag argument by quotation marks
- (<samp>"[E=...]"</samp>). Notice: The argument to quote
- here is not the argument to the E-flag, it is the argument
- of the Apache config file parser, <em>i.e.</em>, the third
- argument of the RewriteRule here. So you have to write
- <samp>"[E=any text with whitespaces]"</samp>.</p>
- <hr />
- </li>
- </ol>
-
-
- </body>
-</html>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <h3>I. Features</h3>
-
- <ol>
- <li>
- <a id="proxy" name="proxy"><strong>Does or will Apache act
- as a Proxy server?</strong></a>
-
- <p>Apache version 1.1 and above comes with a <a
- href="../mod/mod_proxy.html">proxy module</a>. If compiled
- in, this will make Apache act as a caching-proxy
- server.</p>
- <hr />
- </li>
-
- <li>
- <a id="multiviews" name="multiviews"><strong>What are
- "multiviews"?</strong></a>
-
- <p>"Multiviews" is the general name given to the Apache
- server's ability to provide language-specific document
- variants in response to a request. This is documented quite
- thoroughly in the <a href="../content-negotiation.html"
- rel="Help">content negotiation</a> description page. In
- addition, <cite>Apache Week</cite> carried an article on
- this subject entitled "<a
- href="http://www.apacheweek.com/features/negotiation"
- rel="Help"><cite>Content Negotiation
- Explained</cite></a>".</p>
- <hr />
- </li>
-
- <li>
- <a id="putsupport" name="putsupport"><strong>Why can't I
- publish to my Apache server using PUT on Netscape Gold and
- other programs?</strong></a>
-
- <p>Because you need to install and configure a script to
- handle the uploaded files. This script is often called a
- "PUT" handler. There are several available, but they may
- have security problems. Using FTP uploads may be easier and
- more secure, at least for now. For more information, see
- the <cite>Apache Week</cite> article <a
- href="http://www.apacheweek.com/features/put"><cite>Publishing
- Pages with PUT</cite></a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="SSL-i" name="SSL-i"><strong>Why doesn't Apache
- include SSL?</strong></a>
-
- <p>SSL (Secure Socket Layer) data transport requires
- encryption, and many governments have restrictions upon the
- import, export, and use of encryption technology. If Apache
- included SSL in the base package, its distribution would
- involve all sorts of legal and bureaucratic issues, and it
- would no longer be freely available. Also, some of the
- technology required to talk to current clients using SSL is
- patented by <a href="http://www.rsa.com/">RSA Data
- Security</a>, who restricts its use without a license.</p>
-
- <p>Some SSL implementations of Apache are available,
- however; see the "<a
- href="http://httpd.apache.org/related_projects.html">related
- projects</a>" page at the main Apache web site.</p>
-
- <p>You can find out more about this topic in the
- <cite>Apache Week</cite> article about <a
- href="http://www.apacheweek.com/features/ssl"
- rel="Help"><cite>Apache and Secure
- Transactions</cite></a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="footer" name="footer"><strong>How can I attach a
- footer to my documents without using SSI?</strong></a>
-
- <p>You can make arbitrary changes to static documents by
- configuring an <a
- href="../mod/mod_actions.html#action">Action</a> which
- launches a CGI script. The CGI is then responsible for
- setting a content-type and delivering the requested
- document (the location of which is passed in the
- <samp>PATH_TRANSLATED</samp> environment variable), along
- with whatever footer is needed.</p>
-
- <p>Busy sites may not want to run a CGI script on every
- request, and should consider using an Apache module to add
- the footer. There are several third party modules available
- through the <a href="http://modules.apache.org/">Apache
- Module Registry</a> which will add footers to documents.
- These include mod_trailer, PHP
- (<samp>php3_auto_append_file</samp>), mod_layout, and
- mod_perl (<samp>Apache::Sandwich</samp>).</p>
- <hr />
- </li>
-
- <li>
- <a id="search" name="search"><strong>Does Apache include a
- search engine?</strong></a>
-
- <p>Apache does not include a search engine, but there are
- many good commercial and free search engines which can be
- used easily with Apache. Some of them are listed on the <a
- href="http://www.searchtools.com/tools/tools.html">Web Site
- Search Tools</a> page. Open source search engines that are
- often used with Apache include <a
- href="http://www.htdig.org/">ht://Dig</a> and <a
- href="http://sunsite.berkeley.edu/SWISH-E/">SWISH-E</a>.</p>
- <hr />
- </li>
-
- <li>
- <a id="rotate" name="rotate"><strong>How can I rotate my
- log files?</strong></a>
-
- <p>The simple answer: by piping the transfer log into an
- appropriate log file rotation utility.</p>
-
- <p>The longer answer: In the src/support/ directory, you
- will find a utility called <a
- href="../programs/rotatelogs.html">rotatelogs</a> which can
- be used like this:</p>
-<pre>
- TransferLog "|/path/to/rotatelogs /path/to/logs/access_log 86400"
-</pre>
-
- <p>to enable daily rotation of the log files.<br />
- A more sophisticated solution of a logfile rotation
- utility is available under the name <code>cronolog</code>
- from Andrew Ford's site at <a
- href="http://www.cronolog.org/">http://www.cronolog.org/</a>.
- It can automatically create logfile subdirectories based on
- time and date, and can have a constant symlink point to the
- rotating logfiles. (As of version 1.6.1, cronolog is
- available under the <a href="../LICENSE">Apache
- License</a>). Use it like this:</p>
-<pre>
- CustomLog "|/path/to/cronolog --symlink=/usr/local/apache/logs/access_log /usr/local/apache/logs/%Y/%m/access_log" combined
-</pre>
- <hr />
- </li>
-
- <li>
- <a id="conditional-logging"
- name="conditional-logging"><strong>How do I keep certain
- requests from appearing in my logs?</strong></a>
-
- <p>The maximum flexibility for removing unwanted
- information from log files is obtained by post-processing
- the logs, or using piped-logs to feed the logs through a
- program which does whatever you want. However, Apache does
- offer the ability to prevent requests from ever appearing
- in the log files. You can do this by using the <a
- href="../mod/mod_setenvif.html#setenvif"><code>SetEnvIf</code></a>
- directive to set an environment variable for certain
- requests and then using the conditional <a
- href="../mod/mod_log_config.html#customlog-conditional"><code>
- CustomLog</code></a> syntax to prevent logging when the
- environment variable is set.</p>
- <hr />
- </li>
-
- <li>
- <a id="dbinteg" name="dbinteg"><b>Does Apache support any
- sort of database integration?</b></a>
-
- <p>No. Apache is a Web (HTTP) server, not an application
- server. The base package does not include any such
- functionality. See the <a href="http://www.php.net/">PHP
- project</a> and the <a
- href="http://perl.apache.org/">mod_perl project</a> for
- examples of modules that allow you to work with databases
- from within the Apache environment.</p>
- <hr />
- </li>
-
- <li>
- <a id="asp" name="asp"><b>Can I use Active Server Pages
- (ASP) with Apache?</b></a>
-
- <p>The base Apache Web server package does not include ASP
- support. However, there are a couple of after-market
- solutions that let you add this functionality; see the <a
- href="http://httpd.apache.org/related_projects.html">related
- projects</a> page to find out more.</p>
- <hr />
- </li>
-
- <li>
- <a id="java" name="java"><b>Does Apache come with Java
- support?</b></a>
-
- <p>The base Apache Web server package does not include
- support for Java, Java Server Pages, Enterprise Java Beans,
- or Java servlets. Those features are available as add-ons
- from the Apache/Java project site, &lt;URL:<a
- href="http://jakarta.apache.org">http://jakarta.apache.org/</a>&gt;.</p>
- <hr />
- </li>
- </ol>
-
-
- </body>
-</html>
-
-
<hr />
<h3 align="CENTER">Apache HTTP Server Version 1.3</h3>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/core.html.en b/usr.sbin/httpd/htdocs/manual/mod/core.html.en
index 448f4788494..17c059c7a58 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/core.html.en
+++ b/usr.sbin/httpd/htdocs/manual/mod/core.html.en
@@ -883,7 +883,8 @@
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> &lt;Directory
- <em>directory-path</em>&gt; ... &lt;/Directory&gt; <br />
+ <em>directory-path</em>|proxy:<em>url-path</em>&gt;
+ ... &lt;/Directory&gt; <br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> server config, virtual
host<br />
@@ -991,12 +992,32 @@
<em>want</em> accessible. See the <a
href="../misc/security_tips.html">Security Tips</a> page for
more details.</strong></p>
- The directory sections typically occur in the access.conf file,
- but they may appear in any configuration file.
&lt;Directory&gt; directives cannot nest, and cannot appear in
a <a href="#limit">&lt;Limit&gt;</a> or <a
href="#limitexcept">&lt;LimitExcept&gt;</a> section.
+ <p>If you have <a href="mod_proxy.html">mod_proxy</a> enabled, you
+ can use the <code>proxy:</code> syntax to apply configuration
+ directives to proxied content. The syntax for this is to specify the
+ proxied URLs to which you wish to apply the configuration, or to
+ specify <code>*</code> to apply to all proxied content:</p>
+
+ <p>To apply to all proxied content:</p>
+
+ <pre>
+ &lt;Directory proxy:*&gt;
+ ... directives here ...
+ &lt;/Directory&gt;
+ </pre>
+
+ <p>To apply to just a subset of proxied content:</p>
+
+ <pre>
+ &lt;Directory proxy:http://www.example.com/&gt;
+ ... directives here ...
+ &lt;/Directory&gt;
+ </pre>
+
<p><strong>See also</strong>: <a href="../sections.html">How
Directory, Location and Files sections work</a> for an
explanation of how these different sections are combined when a
@@ -1963,11 +1984,19 @@ Syntax OK
Require valid-user<br />
&lt;/Limit&gt;</code>
</blockquote>
- The method names listed can be one or more of: GET, POST, PUT,
+ <p>The method names listed can be one or more of: GET, POST, PUT,
DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE, LOCK, and UNLOCK. <strong>The method name is
case-sensitive.</strong> If GET is used it will also restrict
- HEAD requests. The TRACE method cannot be limited.
+ HEAD requests. The TRACE method cannot be limited.</p>
+
+ <p><strong>Warning:</strong> A <a
+ href="#limitexcept">&lt;LimitExcept&gt;</a> section should
+ always be used in preference to a <a
+ href="#limit">&lt;Limit&gt;</a> section when restricting access,
+ since a <a href="#limitexcept">&lt;LimitExcept&gt;</a> section
+ provides protection against arbitrary methods.</p>
+
<hr />
<h2><a id="limitexcept" name="limitexcept">&lt;LimitExcept&gt;
@@ -2068,9 +2097,7 @@ Syntax OK
<p>This directive specifies the number of <em>bytes</em> from 0
(meaning unlimited) to 2147483647 (2GB) that are allowed in a
- request body. The default value is defined by the compile-time
- constant <code>DEFAULT_LIMIT_REQUEST_BODY</code> (0 as
- distributed).</p>
+ request body.</p>
<p>The LimitRequestBody directive allows the user to set a
limit on the allowed size of an HTTP request message body
@@ -2577,6 +2604,11 @@ Syntax OK
<pre>LogLevel notice</pre>
+ <p><strong>NOTE:</strong> When logging to a regular file messages
+ of the level <code>notice</code> cannot be suppressed and thus are
+ always logged. However, this doesn't apply when logging is done
+ using <code>syslog</code>.</p>
+
<hr />
<h2><a id="maxclients" name="maxclients">MaxClients
diff --git a/usr.sbin/httpd/htdocs/manual/mod/core.html.html b/usr.sbin/httpd/htdocs/manual/mod/core.html.html
index 01ca807474a..894d7beb07b 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/core.html.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/core.html.html
@@ -885,7 +885,8 @@
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> &lt;Directory
- <em>directory-path</em>&gt; ... &lt;/Directory&gt; <br />
+ <em>directory-path</em>|proxy:<em>url-path</em>&gt;
+ ... &lt;/Directory&gt; <br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> server config, virtual
host<br />
@@ -993,12 +994,32 @@
<em>want</em> accessible. See the <a
href="../misc/security_tips.html">Security Tips</a> page for
more details.</strong></p>
- The directory sections typically occur in the access.conf file,
- but they may appear in any configuration file.
&lt;Directory&gt; directives cannot nest, and cannot appear in
a <a href="#limit">&lt;Limit&gt;</a> or <a
href="#limitexcept">&lt;LimitExcept&gt;</a> section.
+ <p>If you have <a href="mod_proxy.html">mod_proxy</a> enabled, you
+ can use the <code>proxy:</code> syntax to apply configuration
+ directives to proxied content. The syntax for this is to specify the
+ proxied URLs to which you wish to apply the configuration, or to
+ specify <code>*</code> to apply to all proxied content:</p>
+
+ <p>To apply to all proxied content:</p>
+
+ <pre>
+ &lt;Directory proxy:*&gt;
+ ... directives here ...
+ &lt;/Directory&gt;
+ </pre>
+
+ <p>To apply to just a subset of proxied content:</p>
+
+ <pre>
+ &lt;Directory proxy:http://www.example.com/&gt;
+ ... directives here ...
+ &lt;/Directory&gt;
+ </pre>
+
<p><strong>See also</strong>: <a href="../sections.html">How
Directory, Location and Files sections work</a> for an
explanation of how these different sections are combined when a
@@ -1965,11 +1986,19 @@ Syntax OK
Require valid-user<br />
&lt;/Limit&gt;</code>
</blockquote>
- The method names listed can be one or more of: GET, POST, PUT,
+ <p>The method names listed can be one or more of: GET, POST, PUT,
DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE, LOCK, and UNLOCK. <strong>The method name is
case-sensitive.</strong> If GET is used it will also restrict
- HEAD requests. The TRACE method cannot be limited.
+ HEAD requests. The TRACE method cannot be limited.</p>
+
+ <p><strong>Warning:</strong> A <a
+ href="#limitexcept">&lt;LimitExcept&gt;</a> section should
+ always be used in preference to a <a
+ href="#limit">&lt;Limit&gt;</a> section when restricting access,
+ since a <a href="#limitexcept">&lt;LimitExcept&gt;</a> section
+ provides protection against arbitrary methods.</p>
+
<hr />
<h2><a id="limitexcept" name="limitexcept">&lt;LimitExcept&gt;
@@ -2070,9 +2099,7 @@ Syntax OK
<p>This directive specifies the number of <em>bytes</em> from 0
(meaning unlimited) to 2147483647 (2GB) that are allowed in a
- request body. The default value is defined by the compile-time
- constant <code>DEFAULT_LIMIT_REQUEST_BODY</code> (0 as
- distributed).</p>
+ request body.</p>
<p>The LimitRequestBody directive allows the user to set a
limit on the allowed size of an HTTP request message body
@@ -2579,6 +2606,11 @@ Syntax OK
<pre>LogLevel notice</pre>
+ <p><strong>NOTE:</strong> When logging to a regular file messages
+ of the level <code>notice</code> cannot be suppressed and thus are
+ always logged. However, this doesn't apply when logging is done
+ using <code>syslog</code>.</p>
+
<hr />
<h2><a id="maxclients" name="maxclients">MaxClients
diff --git a/usr.sbin/httpd/htdocs/manual/mod/directives.html.ja.jis b/usr.sbin/httpd/htdocs/manual/mod/directives.html.ja.jis
index 5a17a7e1fed..24d9d5489d4 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/directives.html.ja.jis
+++ b/usr.sbin/httpd/htdocs/manual/mod/directives.html.ja.jis
@@ -7,7 +7,7 @@
<title>Apache $B%G%#%l%/%F%#%V(B</title>
</head>
- <!-- English revision: 1.79 -->
+ <!-- English revision: 1.82 -->
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body bgcolor="#ffffff" text="#000000" link="#0000ff"
vlink="#000080" alink="#ff0000">
@@ -180,6 +180,8 @@
<li><a href="mod_proxy.html#cachesize">CacheSize</a></li>
+ <li><a href="core.html#cgicommandargs">CGICommandArgs</a></li>
+
<li><a href="mod_speling.html#checkspelling"
>CheckSpelling</a></li>
@@ -333,6 +335,9 @@
<li><a href="core.html#limitexcept"
>&lt;LimitExcept&gt;</a></li>
+ <li><a href="core.html#limitinternalrecursion"
+ >LimitInternalRecursion</a></li>
+
<li><a href="core.html#limitrequestbody"
>LimitRequestBody</a></li>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.en b/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.en
index c8f7b2520db..c5d6db86d98 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.en
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.en
@@ -117,10 +117,14 @@
access. Only complete components are matched, so the above
example will match <code>foo.apache.org</code> but it will
not match <code>fooapache.org</code>. This configuration will
- cause the server to perform a reverse DNS lookup on the
+ cause the server to perform a double reverse DNS lookup on the
client IP address, regardless of the setting of the <a
href="core.html#hostnamelookups">HostnameLookups</a>
- directive.</dd>
+ directive. It will do a reverse DNS lookup on the IP address to
+ find the associated hostname, and then do a forward lookup on
+ the hostname to assure that it matches the original IP address.
+ Only if the forward and reverse DNS are consistent and the
+ hostname matches will access be allowed.</dd>
<dt>A full IP address</dt>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.html b/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.html
index 37e106318d0..9a5a4eddfac 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_access.html.html
@@ -119,10 +119,14 @@
access. Only complete components are matched, so the above
example will match <code>foo.apache.org</code> but it will
not match <code>fooapache.org</code>. This configuration will
- cause the server to perform a reverse DNS lookup on the
+ cause the server to perform a double reverse DNS lookup on the
client IP address, regardless of the setting of the <a
href="core.html#hostnamelookups">HostnameLookups</a>
- directive.</dd>
+ directive. It will do a reverse DNS lookup on the IP address to
+ find the associated hostname, and then do a forward lookup on
+ the hostname to assure that it matches the original IP address.
+ Only if the forward and reverse DNS are consistent and the
+ hostname matches will access be allowed.</dd>
<dt>A full IP address</dt>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html b/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html
index 1a31de93967..6e0b7e19c32 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html
@@ -102,6 +102,10 @@
topics</a></h2>
<ul>
+ <li><a href="#forwardreverse">Forward and Reverse Proxies</a></li>
+
+ <li><a href="#examples">Basic Examples</a></li>
+
<li><a href="#access">Controlling access to your
proxy</a></li>
@@ -130,6 +134,89 @@
an intranet proxy server?</a></li>
</ul>
+<h2><a name="forwardreverse" id="forwardreverse">Forward and Reverse Proxies</a></h2>
+ <p>Apache can be configured in both a <dfn>forward</dfn> and
+ <dfn>reverse</dfn> proxy mode.</p>
+
+ <p>An ordinary <dfn>forward proxy</dfn> is an intermediate
+ server that sits between the client and the <em>origin
+ server</em>. In order to get content from the origin server,
+ the client sends a request to the proxy naming the origin server
+ as the target and the proxy then requests the content from the
+ origin server and returns it to the client. The client must be
+ specially configured to use the forward proxy to access other
+ sites.</p>
+
+ <p>A typical usage of a forward proxy is to provide Internet
+ access to internal clients that are otherwise restricted by a
+ firewall. The forward proxy can also use caching to reduce
+ network usage.</p>
+
+ <p>The forward proxy is activated using the <code><a
+ href="#proxyrequests">ProxyRequests</a></code> directive.
+ Because forward proxys allow clients to access arbitrary sites
+ through your server and to hide their true origin, it is
+ essential that you <a href="#access">secure your server</a> so
+ that only authorized clients can access the proxy before
+ activating a forward proxy.</p>
+
+ <p>A <dfn>reverse proxy</dfn>, by contrast, appears to the
+ client just like an ordinary web server. No special
+ configuration on the client is necessary. The client makes
+ ordinary requests for content in the name-space of the reverse
+ proxy. The reverse proxy then decides where to send those
+ requests, and returns the content as if it was itself the
+ origin.</p>
+
+ <p>A typical usage of a reverse proxy is to provide Internet
+ users access to a server that is behind a firewall. Reverse
+ proxies can also be used to balance load among several back-end
+ servers, or to provide caching for a slower back-end server.
+ In addition, reverse proxies can be used simply to bring
+ several servers into the same URL space.</p>
+
+ <p>A reverse proxy is activated using the <code><a
+ href="#proxypass">ProxyPass</a></code> directive or the
+ <code>[P]</code> flag to the <code><a
+ href="../mod/mod_rewrite.html#rewriterule">RewriteRule</a></code>
+ directive. It is <strong>not</strong> necessary to turn
+ <code><a href="#proxyrequests">ProxyRequests</a></code> on in
+ order to configure a reverse proxy.</p>
+
+<h2><a name="examples" id="examples">Basic Examples</a></h2>
+
+ <p>The examples below are only a very basic idea to help you
+ get started. Please read the documentation on the individual
+ directives.</p>
+
+ <h3>Forward Proxy</h3><p><code>
+ ProxyRequests On<br />
+ ProxyVia On<br />
+ <br />
+ &lt;Directory proxy:*&gt;<br />
+
+ Order deny,allow<br />
+ Deny from all<br />
+ Allow from internal.example.com<br />
+
+ &lt;/Directory&gt;<br />
+ <br />
+ CacheRoot "/usr/local/apache/proxy"<br />
+ CacheSize 5<br />
+ CacheGcInterval 4<br />
+ CacheMaxExpire 24<br />
+ CacheLastModifiedFactor 0.1<br />
+ CacheDefaultExpire 1<br />
+ NoCache a-domain.com another-domain.edu joes.garage-sale.com
+ </code></p>
+
+ <h3>Reverse Proxy</h3><p><code>
+ ProxyRequests Off<br />
+ <br />
+ ProxyPass /foo http://foo.example.com/bar<br />
+ ProxyPassReverse /foo http://foo.example.com/bar
+ </code></p>
+
<h2><a id="access" name="access">Controlling access to your
proxy</a></h2>
You can control who can access your proxy via the normal
@@ -149,6 +236,18 @@ Allow from yournetwork.example.com
<p>For more information, see <a
href="mod_access.html">mod_access</a>.</p>
+ <p>Strictly limiting access is essential if you are using a
+ forward proxy (using the <code><a
+ href="#proxyrequests">ProxyRequests</a></code> directive).
+ Otherwise, your server can be used by any client to access
+ arbitrary hosts while hiding his or her true identity. This is
+ dangerous both for your network and for the Internet at large.
+ When using a reverse proxy (using the <code><a
+ href="#proxypass">ProxyPass</a></code> directive with
+ <code>ProxyRequests Off</code>), access control is less critical
+ because clients can only contact the hosts that you have
+ specifically configured.</p>
+
<h2><a id="shortname" name="shortname">Using Netscape hostname
shortcuts</a></h2>
There is an optional patch to the proxy module to allow
@@ -201,7 +300,7 @@ application/octet-stream bin dms lha lzh exe class tgz taz
To log in to an FTP server by username and password, Apache
uses different strategies.
In absense of a user name and password in the URL altogether,
- Apache sends an anomymous login to the FTP server, i.e.,
+ Apache sends an anonymous login to the FTP server, i.e.,
<blockquote><code>
user: anonymous<br />
password: apache_proxy@
@@ -262,7 +361,10 @@ application/octet-stream bin dms lha lzh exe class tgz taz
useful for an intranet proxy server?</a></h2>
<p>An Apache proxy server situated in an intranet needs to
- forward external requests through the company's firewall.
+ forward external requests through the company's firewall
+ (for this, configure the <a href="#proxyremote">ProxyRemote</a>
+ directive to forward the respective <em>scheme</em> to
+ the firewall proxy).
However, when it has to access resources within the intranet,
it can bypass the firewall when accessing hosts. The <a
href="#noproxy">NoProxy</a> directive is useful for specifying
@@ -304,7 +406,7 @@ application/octet-stream bin dms lha lzh exe class tgz taz
rel="Help"><strong>Compatibility:</strong></a> ProxyRequests is
only available in Apache 1.1 and later.
- <p>This allows or prevents Apache from functioning as a proxy
+ <p>This allows or prevents Apache from functioning as a forward proxy
server. Setting ProxyRequests to 'off' does not disable use of
the <a href="#proxypass">ProxyPass</a> directive.</p>
@@ -391,10 +493,16 @@ application/octet-stream bin dms lha lzh exe class tgz taz
<pre>
ProxyPass /mirror/foo/ http://foo.com/
</pre>
- will cause a local request for the
+ <p>will cause a local request for the
&lt;<samp>http://wibble.org/mirror/foo/bar</samp>&gt; to be
internally converted into a proxy request to
- &lt;<samp>http://foo.com/bar</samp>&gt;.
+ &lt;<samp>http://foo.com/bar</samp>&gt;.</p>
+
+ <p><strong>Warning:</strong> The <code><a
+ href="#proxyrequests">ProxyRequests</a></code> directive should
+ usually be set <strong>off</strong> when using <code
+ class="directive">ProxyPass</code>.
+
<hr />
<h2><a id="proxypassreverse"
diff --git a/usr.sbin/httpd/htdocs/manual/windows.html.en b/usr.sbin/httpd/htdocs/manual/windows.html.en
index 58d1fab2f8b..55c41352c4f 100644
--- a/usr.sbin/httpd/htdocs/manual/windows.html.en
+++ b/usr.sbin/httpd/htdocs/manual/windows.html.en
@@ -145,16 +145,18 @@
installed on your PC before you can install the Apache runtime
distributions. Windows 2000 and Windows ME are both delivered
with the Microsoft Installer support, others will need to
- download it. Instructions on locating the Microsoft Installer,
+ download it. For more information, visit the main download
+ page at <a
+ href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a>.
+ Instructions on locating the Microsoft Installer,
as well as the binary distributions of Apache, are found at
- <a href="http://httpd.apache.org/dist/httpd/binaries/win32/"
- >http://httpd.apache.org/dist/httpd/binaries/win32/</a></p>
+ <a href="http://www.apache.org/dyn/closer.cgi/httpd/binaries/win32/"
+ >the win32 download directory on the mirrors.</a></p>
<p>The source code is available in the <code>-src.msi</code>
distribution, or from the
- <a href="http://httpd.apache.org/dist/httpd/"
- >http://httpd.apache.org/dist/httpd/</a>
- distribution directory as a <code>.zip</code> file. If you plan
+ <a href="http://www.apache.org/dyn/closer.cgi/httpd/"
+ >distribution directory</a> as a <code>.zip</code> file. If you plan
on compiling Apache yourself, there is no need to install
either <code>.msi</code> package. The <code>.zip</code> file
contains only source code, with MS-DOS line endings (that is
diff --git a/usr.sbin/httpd/htdocs/manual/windows.html.ja.jis b/usr.sbin/httpd/htdocs/manual/windows.html.ja.jis
index 29bf4157f47..08be47c9dab 100644
--- a/usr.sbin/httpd/htdocs/manual/windows.html.ja.jis
+++ b/usr.sbin/httpd/htdocs/manual/windows.html.ja.jis
@@ -7,7 +7,7 @@
<title>Microsoft Windows $B$G$N(B Apache $B$N;HMQ(B</title>
</head>
- <!-- English revision: 1.57 -->
+ <!-- English revision: 1.58 -->
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body bgcolor="#ffffff" text="#000000" link="#0000ff"
@@ -145,17 +145,19 @@
$B$3$l$i$N%U%!%$%k$O$=$l$>$l$K40A4$J(B Apache $B%i%s%?%$%`$r4^$s$G$$$^$9!#(B
Apache $B%i%s%?%$%`G[I[$r%$%s%9%H!<%k$9$kA0$K(B Microsoft Installer
version 1.10 $B$,(B PC $B$K%$%s%9%H!<%k$5$l$F$$$J$1$l$P$J$j$^$;$s!#(BWindows
- 2000 $B$*$h$S(B Windows Me $B$G$O(B Microsoft Installer $B$,I8=`$G(B
+ 2000 $B5Z$S(B Windows Me $B$G$O(B Microsoft Installer $B$,I8=`$G(B
$B%5%]!<%H$5$l$F$$$^$9$,!"B>$G$O$=$l$r%@%&%s%m!<%I$9$kI,MW$,$"$j$^$9!#(B
+ $B$5$i$J$k>pJs$O%a%$%s$N%@%&%s%m!<%I%Z!<%8(B <a
+ href="http://httpd.apache.org/download.cgi"
+ >http://httpd.apache.org/download.cgi</a> $B$K9T$C$F$/$@$5$$!#(B
Microsoft Installer $B$r8+$D$1$k<j=g$O(B Apache $B$N%P%$%J%jG[I[$HF1MM!"(B
- <a href="http://httpd.apache.org/dist/httpd/binaries/win32/"
- >http://httpd.apache.org/dist/httpd/binaries/win32/</a>
- $B$K8+$D$+$j$^$9(B</p>
+ <a href="http://www.apache.org/dyn/closer.cgi/httpd/binaries/win32/"
+ >$B%_%i!<%5%$%H$N(B win32 $B%@%&%s%m!<%I%G%#%l%/%H%j(B</a>$B$K8+$D$+$j$^$9(B</p>
<p>$B%=!<%9%3!<%I$O(B <code>-src.msi</code> $B$NG[I[$^$?$O(B <a
- href="http://httpd.apache.org/dist/httpd/"
- >http://httpd.apache.org/dist/httpd/</a> $BG[I[%G%#%l%/%H%j$K$"$k(B
- <code>.zip</code> $B%U%!%$%k$+$iF~<j2DG=$G$9!#$b$7(B Apache
+ href="http://www.apache.org/dyn/closer.cgi/httpd/"
+ >$BG[I[%G%#%l%/%H%j(B</a> $B$K$"$k(B <code>.zip</code>
+ $B%U%!%$%k$+$iF~<j2DG=$G$9!#$b$7(B Apache
$B$r<+J,$G%3%s%Q%$%k$9$k$D$b$j$J$i!"(B<code>.msi</code> $B%Q%C%1!<%8$r(B
$B%$%s%9%H!<%k$9$kI,MW$O$^$C$?$/$"$j$^$;$s!#(B<code>.zip</code>
$B%U%!%$%k$O!"(BMS-DOS $B$N2~9T(B (.tar.gz $B$d(B .tar.Z $B$GG[I[$5$l$k(B unix
diff --git a/usr.sbin/httpd/src/CHANGES b/usr.sbin/httpd/src/CHANGES
index fefcb687ce5..f7e44fb99e7 100644
--- a/usr.sbin/httpd/src/CHANGES
+++ b/usr.sbin/httpd/src/CHANGES
@@ -1,9 +1,51 @@
+Changes with Apache 1.3.29
+
+ *) SECURITY: CAN-2003-0542 (cve.mitre.org)
+ Fix buffer overflows in mod_alias and mod_rewrite which occurred if
+ one configured a regular expression with more than 9 captures.
+ [André Malo]
+
+ *) Within ap_bclose(), ap_pclosesocket() is now called consistently
+ for sockets and ap_pclosef() for files. Also, closesocket()
+ is used consistenly to close socket fd's. The previous
+ confusion between socket and file fd's would cause problems
+ with some applications now that we proactively close fd's to
+ prevent leakage. PR 22805
+ [Radu Greab <rgreab@fx.ro>, Jim Jagielski]
+
+ *) If a request fails and the client will be redirected to another URL
+ due to ErrorDocument, see if we need to drop the connection after
+ sending the 302 response. This fixes a problem where Apache treated
+ the body of the failed request as the next request on a keepalive
+ connection. The subsequent 501 error sent to the browser prevented
+ some browsers from fetching the error document. [Jeff Trawick]
+
+ *) Fixed mod_usertrack to not get false positive matches on the
+ user-tracking cookie's name. PR 16661.
+ [Manni Wood <manniwood@planet-save.com>]
+
+ *) Enabled RFC1413 ident functionality for both Win32 and
+ NetWare platforms. This also included an alternate thread safe
+ implementation of the socket timout functionality when querying
+ the identd daemon.
+ [Brad Nicholes, William Rowe]
+
+ *) Prevent creation of subprocess Zombies when using CGI wrappers
+ such as suExec and cgiwrap. PR 21737. [Numerous]
+
+ *) ab: Overlong credentials given via command line no longer clobber
+ the buffer. [André Malo]
+
+ *) Fix ProxyPass for ftp requests - the original code was segfaulting since
+ many of the values were not being filled out in the request_rec.
+ [Tollef Fog Heen <tfheen@debian.org, Thom May]
+
Changes with Apache 1.3.28
*) SECURITY: CAN-2003-0460 (cve.mitre.org)
Fix the rotatelogs support program on Win32 and OS/2 to ignore
special control characters received over the pipe. Previously
- such characters could cause it to quit logging and exit.
+ such characters could cause rotatelogs to quit logging and exit.
[André Malo]
*) Prevent the server from crashing when entering infinite loops. The
diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL
index 33ad80fd6d9..b844dbcd9f1 100644
--- a/usr.sbin/httpd/src/CHANGES.SSL
+++ b/usr.sbin/httpd/src/CHANGES.SSL
@@ -23,6 +23,30 @@
/ __/ | (_) |
__ |_____(_)___/ ___________________________________________
+ Changes with mod_ssl 2.8.16 (18-Jul-2003 to 01-Nov-2003)
+
+ *) Upgraded to Apache 1.3.29
+
+ *) Avoid memory corruption in certificate handling caused by a heap
+ memory double-freeing situation.
+
+ *) Allow "HTTPS" variable to be passed through by suEXEC.
+
+ *) Clear the OpenSSL error code in pass phrase reading code to
+ workaround the following situation: multiple keys, all with
+ different passphrases -- entering the correct pass phrase at each
+ prompt leads to an OpenSSL error message after the last prompt.
+
+ *) Reverted the recent change where ap_cleanup_for_exec() called
+ ap_kill_alloc_shared(). This caused nasty side-effects in other
+ processes and is not necessary at all (because shared memory
+ segments are not inherited across exec).
+
+ *) mod_ssl was checking the OpenSSL error reason code against
+ SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since
+ OpenSSL reason codes are not unique, this isn't always the case.
+ It now additionally checks that the library is the SSL library.
+
Changes with mod_ssl 2.8.15 (21-Mar-2003 to 18-Jul-2003)
*) Upgraded to Apache 1.3.28
diff --git a/usr.sbin/httpd/src/Configure b/usr.sbin/httpd/src/Configure
index e971f92a358..d4345035318 100644
--- a/usr.sbin/httpd/src/Configure
+++ b/usr.sbin/httpd/src/Configure
@@ -1,5 +1,5 @@
#!/bin/sh
-# $OpenBSD: Configure,v 1.22 2003/08/21 13:11:33 henning Exp $
+# $OpenBSD: Configure,v 1.23 2003/11/17 18:57:05 henning Exp $
## ====================================================================
## The Apache Software License, Version 1.1
##
@@ -2028,7 +2028,7 @@ if [ "x$using_shlib" = "x1" ] ; then
# select the special subtarget for shared core generation
SUBTARGET=target_shared
# determine additional suffixes for libhttpd.so
- V=1 R=3 P=28
+ V=1 R=3 P=29
if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
SHLIB_SUFFIX_LIST=""
fi
diff --git a/usr.sbin/httpd/src/include/httpd.h b/usr.sbin/httpd/src/include/httpd.h
index 2cbd208dc49..3dd3bb44c3b 100644
--- a/usr.sbin/httpd/src/include/httpd.h
+++ b/usr.sbin/httpd/src/include/httpd.h
@@ -461,7 +461,7 @@ extern "C" {
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
-#define SERVER_BASEREVISION "1.3.28"
+#define SERVER_BASEREVISION "1.3.29"
#define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
#define SERVER_PRODUCT SERVER_BASEPRODUCT
@@ -485,7 +485,7 @@ API_EXPORT(void) ap_add_config_define(const char *define);
* Always increases along the same track as the source branch.
* For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
*/
-#define APACHE_RELEASE 10328100
+#define APACHE_RELEASE 10329100
#define SERVER_PROTOCOL "HTTP/1.1"
#ifndef SERVER_SUPPORT
diff --git a/usr.sbin/httpd/src/main/alloc.c b/usr.sbin/httpd/src/main/alloc.c
index 1373258458b..7924b619e74 100644
--- a/usr.sbin/httpd/src/main/alloc.c
+++ b/usr.sbin/httpd/src/main/alloc.c
@@ -2014,9 +2014,6 @@ API_EXPORT(void) ap_cleanup_for_exec(void)
cleanup_pool_for_exec(permanent_pool);
ap_unblock_alarms();
#endif /* ndef WIN32 */
-#ifdef EAPI
- ap_kill_alloc_shared();
-#endif
}
API_EXPORT_NONSTD(void) ap_null_cleanup(void *data)
@@ -3095,7 +3092,12 @@ static void free_proc_chain(struct process_chain *procs)
for (p = procs; p; p = p->next) {
if ((p->kill_how == kill_after_timeout)
|| (p->kill_how == kill_only_once)) {
- /* Subprocess may be dead already. Only need the timeout if not. */
+ /*
+ * This is totally bogus, but seems to be the
+ * only portable (as in reliable) way to accomplish
+ * this. Note that this implies an unavoidable
+ * delay.
+ */
ap_os_kill(p->pid, SIGTERM);
need_timeout = 1;
}
diff --git a/usr.sbin/httpd/src/main/buff.c b/usr.sbin/httpd/src/main/buff.c
index ea54a79660e..1ba8923129b 100644
--- a/usr.sbin/httpd/src/main/buff.c
+++ b/usr.sbin/httpd/src/main/buff.c
@@ -1516,7 +1516,6 @@ API_EXPORT(int) ap_bclose(BUFF *fb)
rc1 = ap_bflush(fb);
else
rc1 = 0;
-#if defined(WIN32) || defined(NETWARE) || defined(CYGWIN_WINSOCK)
if (fb->flags & B_SOCKET) {
rc2 = ap_pclosesocket(fb->pool, fb->fd);
if (fb->fd_in != fb->fd) {
@@ -1525,24 +1524,13 @@ API_EXPORT(int) ap_bclose(BUFF *fb)
else {
rc3 = 0;
}
- }
-#if !defined(NETWARE) && !defined(CYGWIN_WINSOCK)
- else if (fb->hFH != INVALID_HANDLE_VALUE) {
+ } else {
+#if defined(WIN32)
+ if (fb->hFH != INVALID_HANDLE_VALUE) {
rc2 = ap_pcloseh(fb->pool, fb->hFH);
rc3 = 0;
}
-#endif
else {
-#elif defined(BEOS)
- if (fb->flags & B_SOCKET) {
- rc2 = ap_pclosesocket(fb->pool, fb->fd);
- if (fb->fd_in != fb->fd) {
- rc3 = ap_pclosesocket(fb->pool, fb->fd_in);
- }
- else {
- rc3 = 0;
- }
- } else {
#endif
rc2 = ap_pclosef(fb->pool, fb->fd);
if (fb->fd_in != fb->fd) {
@@ -1551,7 +1539,8 @@ API_EXPORT(int) ap_bclose(BUFF *fb)
else {
rc3 = 0;
}
-#if defined(WIN32) || defined (BEOS) || defined(NETWARE) || defined(CYGWIN_WINSOCK)
+ }
+#if defined(WIN32)
}
#endif
diff --git a/usr.sbin/httpd/src/main/http_core.c b/usr.sbin/httpd/src/main/http_core.c
index 07ed6ec9140..f08fa50d54e 100644
--- a/usr.sbin/httpd/src/main/http_core.c
+++ b/usr.sbin/httpd/src/main/http_core.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: http_core.c,v 1.15 2003/08/21 13:11:35 henning Exp $ */
+/* $OpenBSD: http_core.c,v 1.16 2003/11/17 18:57:05 henning Exp $ */
/* ====================================================================
* The Apache Software License, Version 1.1
@@ -1280,7 +1280,7 @@ static const char *set_error_document(cmd_parms *cmd, core_dir_config *conf,
if (error_number == 401 &&
line[0] != '/' && line[0] != '"') { /* Ignore it... */
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, cmd->server,
- "cannot use a full or relative URL in a 401 ErrorDocument "
+ "cannot use a full URL in a 401 ErrorDocument "
"directive --- ignoring!");
}
else { /* Store it... */
diff --git a/usr.sbin/httpd/src/main/http_main.c b/usr.sbin/httpd/src/main/http_main.c
index a4c4b77bff6..a91e8eaab6b 100644
--- a/usr.sbin/httpd/src/main/http_main.c
+++ b/usr.sbin/httpd/src/main/http_main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: http_main.c,v 1.33 2003/10/24 10:38:30 henning Exp $ */
+/* $OpenBSD: http_main.c,v 1.34 2003/11/17 18:57:05 henning Exp $ */
/* ====================================================================
* The Apache Software License, Version 1.1
@@ -3780,11 +3780,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
#ifndef _OSD_POSIX
ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
"make_sock: for %s, setsockopt: (SO_REUSEADDR)", addr);
-#ifdef BEOS
closesocket(s);
-#else
- close(s);
-#endif
ap_unblock_alarms();
exit(1);
#endif /*_OSD_POSIX*/
@@ -3794,11 +3790,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(int)) < 0) {
ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf,
"make_sock: for %s, setsockopt: (SO_KEEPALIVE)", addr);
-#ifdef BEOS
closesocket(s);
-#else
- close(s);
-#endif
ap_unblock_alarms();
exit(1);
@@ -3853,11 +3845,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
GETUSERMODE();
#endif
-#ifdef BEOS
closesocket(s);
-#else
- close(s);
-#endif
ap_unblock_alarms();
exit(1);
}
@@ -3869,11 +3857,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
if (listen(s, ap_listenbacklog) == -1) {
ap_log_error(APLOG_MARK, APLOG_ERR, server_conf,
"make_sock: unable to listen for connections on %s", addr);
-#ifdef BEOS
closesocket(s);
-#else
- close(s);
-#endif
ap_unblock_alarms();
exit(1);
}
@@ -3923,11 +3907,7 @@ static int make_sock(pool *p, const struct sockaddr_in *server)
"larger than FD_SETSIZE (%u) "
"found, you probably need to rebuild Apache with a "
"larger FD_SETSIZE", addr, s, FD_SETSIZE);
-#ifdef BEOS
closesocket(s);
-#else
- close(s);
-#endif
exit(1);
}
#endif
diff --git a/usr.sbin/httpd/src/main/http_request.c b/usr.sbin/httpd/src/main/http_request.c
index c0e27afb749..b936a6c083e 100644
--- a/usr.sbin/httpd/src/main/http_request.c
+++ b/usr.sbin/httpd/src/main/http_request.c
@@ -1117,7 +1117,15 @@ API_EXPORT(void) ap_die(int type, request_rec *r)
* apache code, and continue with the usual REDIRECT handler.
* But note that the client will ultimately see the wrong
* status...
+ *
+ * Also, before updating r->status, we may need to ensure that
+ * the connection is dropped. For example, there may be
+ * unread request body that would confuse us if we try
+ * to read another request.
*/
+ if (ap_status_drops_connection(r->status)) {
+ r->connection->keepalive = -1;
+ }
r->status = REDIRECT;
ap_table_setn(r->headers_out, "Location", custom_response);
}
diff --git a/usr.sbin/httpd/src/main/rfc1413.c b/usr.sbin/httpd/src/main/rfc1413.c
index ebef8be6886..6bc0dbfc72b 100644
--- a/usr.sbin/httpd/src/main/rfc1413.c
+++ b/usr.sbin/httpd/src/main/rfc1413.c
@@ -99,6 +99,38 @@
int ap_rfc1413_timeout = RFC1413_TIMEOUT; /* Global so it can be changed */
+#if (defined (NETWARE) || defined (WIN32))
+#define write(a,b,c) send(a,b,c,0)
+#define read(a,b,c) recv(a,b,c,0)
+#endif
+
+#ifdef MULTITHREAD
+#define RFC_USER_STATIC
+
+static int setsocktimeout (int sock, int timeout)
+{
+#if (defined (NETWARE) || defined (WIN32))
+ u_long msec = 0;
+
+ /* Make sure that we are in blocking mode */
+ if (ioctlsocket(sock, FIONBIO, &msec) == SOCKET_ERROR) {
+ return h_errno;
+ }
+
+ /* Win32 timeouts are in msec, represented as int */
+ msec = timeout * 1000;
+ setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO,
+ (char *) &msec, sizeof(msec));
+ setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO,
+ (char *) &msec, sizeof(msec));
+#else
+ /* XXX Needs to be implemented for non-winsock platforms */
+#endif
+ return 0;
+}
+#else /* MULTITHREAD */
+
+#define RFC_USER_STATIC static
static JMP_BUF timebuf;
/* ident_timeout - handle timeouts */
@@ -106,6 +138,7 @@ static void ident_timeout(int sig)
{
ap_longjmp(timebuf, sig);
}
+#endif
/* bind_connect - bind both ends of a socket */
/* Ambarish fix this. Very broken */
@@ -237,22 +270,28 @@ static int get_rfc1413(int sock, const struct sockaddr_in *our_sin,
/* rfc1413 - return remote user name, given socket structures */
API_EXPORT(char *) ap_rfc1413(conn_rec *conn, server_rec *srv)
{
- static char user[RFC1413_USERLEN + 1]; /* XXX */
- static char *result;
- static int sock;
+ RFC_USER_STATIC char user[RFC1413_USERLEN + 1]; /* XXX */
+ RFC_USER_STATIC char *result;
+ RFC_USER_STATIC int sock;
result = FROM_UNKNOWN;
sock = ap_psocket_ex(conn->pool, AF_INET, SOCK_STREAM, IPPROTO_TCP, 1);
if (sock < 0) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, srv,
- "socket: rfc1413: error creating socket");
- conn->remote_logname = result;
+ ap_log_error(APLOG_MARK, APLOG_CRIT, srv,
+ "socket: rfc1413: error creating socket");
+ conn->remote_logname = result;
}
/*
* Set up a timer so we won't get stuck while waiting for the server.
*/
+#ifdef MULTITHREAD
+ if (setsocktimeout(sock, ap_rfc1413_timeout) == 0) {
+ if (get_rfc1413(sock, &conn->local_addr, &conn->remote_addr, user, srv) >= 0)
+ result = ap_pstrdup (conn->pool, user);
+ }
+#else
if (ap_setjmp(timebuf) == 0) {
ap_set_callback_and_alarm(ident_timeout, ap_rfc1413_timeout);
@@ -260,8 +299,10 @@ API_EXPORT(char *) ap_rfc1413(conn_rec *conn, server_rec *srv)
result = user;
}
ap_set_callback_and_alarm(NULL, 0);
+#endif
ap_pclosesocket(conn->pool, sock);
conn->remote_logname = result;
return conn->remote_logname;
}
+
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c b/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c
index 9195a66f392..a39c111fd0c 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c
@@ -547,13 +547,14 @@ static int ftp_cleanup_and_return(request_rec *r, BUFF *ctrl, BUFF *data, int cs
*/
int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
{
- char *host, *path, *strp, *parms;
+ char *desthost, *path, *strp, *parms;
+ char *strp2;
char *cwd = NULL;
char *user = NULL;
/* char *account = NULL; how to supply an account in a URL? */
const char *password = NULL;
const char *err;
- int port, i, j, len, rc, nocache = 0;
+ int destport, i, j, len, rc, nocache = 0;
int csd = 0, sock = -1, dsock = -1;
struct sockaddr_in server;
struct hostent server_hp;
@@ -562,6 +563,8 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
BUFF *ctrl = NULL;
BUFF *data = NULL;
pool *p = r->pool;
+ char *destportstr = NULL;
+ const char *urlptr = NULL;
int one = 1;
NET_SIZE_T clen;
char xfer_type = 'A'; /* after ftp login, the default is ASCII */
@@ -593,17 +596,34 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
/* We break the URL into host, port, path-search */
- host = r->parsed_uri.hostname;
- port = (r->parsed_uri.port != 0)
- ? r->parsed_uri.port
- : ap_default_port_for_request(r);
- path = ap_pstrdup(p, r->parsed_uri.path);
- if (path == NULL)
- path = "";
- else
- while (*path == '/')
- ++path;
+ urlptr = strstr(url, "://");
+ if (urlptr == NULL)
+ return HTTP_BAD_REQUEST;
+ urlptr += 3;
+ destport = 21;
+ strp = strchr(urlptr, '/');
+ if (strp == NULL) {
+ desthost = ap_pstrdup(p, urlptr);
+ urlptr = "/";
+ }
+ else {
+ char *q = ap_palloc(p, strp - urlptr + 1);
+ memcpy(q, urlptr, strp - urlptr);
+ q[strp - urlptr] = '\0';
+ urlptr = strp;
+ desthost = q;
+ }
+ strp2 = strchr(desthost, ':');
+ if (strp2 != NULL) {
+ *(strp2++) = '\0';
+ if (ap_isdigit(*strp2)) {
+ destport = atoi(strp2);
+ destportstr = strp2;
+ }
+ }
+ path = strchr(urlptr, '/')+1;
+
/*
* The "Authorization:" header must be checked first. We allow the user
* to "override" the URL-coded user [ & password ] in the Browsers'
@@ -643,25 +663,25 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
}
/* check if ProxyBlock directive on this host */
- destaddr.s_addr = ap_inet_addr(host);
+ destaddr.s_addr = ap_inet_addr(desthost);
for (i = 0; i < conf->noproxies->nelts; i++) {
if (destaddr.s_addr == npent[i].addr.s_addr ||
(npent[i].name != NULL &&
- (npent[i].name[0] == '*' || strstr(host, npent[i].name) != NULL)))
+ (npent[i].name[0] == '*' || strstr(desthost, npent[i].name) != NULL)))
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}
- ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, r->server, "FTP: connect to %s:%d", host, port);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, r->server, "FTP: connect to %s:%d", desthost, destport);
- parms = strchr(path, ';');
+ parms = strchr(url, ';');
if (parms != NULL)
*(parms++) = '\0';
memset(&server, 0, sizeof(struct sockaddr_in));
server.sin_family = AF_INET;
- server.sin_port = htons((unsigned short)port);
- err = ap_proxy_host2addr(host, &server_hp);
+ server.sin_port = htons((unsigned short)destport);
+ err = ap_proxy_host2addr(desthost, &server_hp);
if (err != NULL)
return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err);
@@ -1293,7 +1313,7 @@ int ap_proxy_ftp_handler(request_rec *r, cache_req *c, char *url)
if (destaddr.s_addr == ncent[i].addr.s_addr ||
(ncent[i].name != NULL &&
(ncent[i].name[0] == '*' ||
- strstr(host, ncent[i].name) != NULL))) {
+ strstr(desthost, ncent[i].name) != NULL))) {
nocache = 1;
break;
}
diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl
index 38162731d72..0ee5efe798a 100644
--- a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl
+++ b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl
@@ -9,7 +9,7 @@
##
## ====================================================================
-## Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+## Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.win32 b/usr.sbin/httpd/src/modules/ssl/Makefile.win32
index 92781c182f9..53efc8e5ffd 100644
--- a/usr.sbin/httpd/src/modules/ssl/Makefile.win32
+++ b/usr.sbin/httpd/src/modules/ssl/Makefile.win32
@@ -10,7 +10,7 @@
##
## ====================================================================
-## Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+## Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module
index 7b25d02afc8..bac4dc9f860 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.module
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.module
@@ -10,7 +10,7 @@
##
## ====================================================================
-## Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+## Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version
index 27741bbb5e1..041ddcfe1c1 100644
--- a/usr.sbin/httpd/src/modules/ssl/libssl.version
+++ b/usr.sbin/httpd/src/modules/ssl/libssl.version
@@ -1 +1 @@
-mod_ssl/2.8.15-1.3.28
+mod_ssl/2.8.16-1.3.29
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index 04995fb3ea3..160eb22c355 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -74,7 +74,7 @@
* identify the module to SCCS `what' and RCS `ident' commands
*/
static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.8 2001/06/20 18:06:15 brad Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.9 2003/11/17 18:57:05 henning Exp $";
/*
* the table of configuration directives we provide
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 8d881940d48..9f78fb1f8be 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
index ba1039b1ae7..691ca13b54f 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 3ff679ea1a4..d6276ea7922 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c
index c698a90eaba..f774b2880ca 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_dh.c
@@ -12,7 +12,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c
index f0f9e00e48c..04727d5323e 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ds.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c
index b7df879650c..61c63c765a8 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index d93c2fff8ab..8e7b7d94e57 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_engine_init.c,v 1.22 2003/03/19 15:13:26 henning Exp $ */
+/* $OpenBSD: ssl_engine_init.c,v 1.23 2003/11/17 18:57:06 henning Exp $ */
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
@@ -11,7 +11,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c
index d0bdd45066d..63347a159d4 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index 318397922bc..e21d9c2421c 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -253,7 +253,8 @@ void ssl_hook_NewConnection(conn_rec *conn)
ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)FALSE);
return;
}
- else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
+ else if ((ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) &&
+ (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL)) {
/*
* The case where OpenSSL has recognized a HTTP request:
* This means the client speaks plain HTTP on our HTTPS
@@ -964,11 +965,11 @@ int ssl_hook_Access(request_rec *r)
certstack = SSL_get_peer_cert_chain(ssl);
cert = SSL_get_peer_certificate(ssl);
if (certstack == NULL && cert != NULL) {
- /* client cert is in the session cache, but there is
- no chain, since ssl3_get_client_certificate()
- sk_X509_shift'ed the peer cert out of the chain.
- So we put it back here for the purpose of quick
- renegotiation. */
+ /* client certificate is in the SSL session cache, but
+ there is no chain, since ssl3_get_client_certificate()
+ sk_X509_shift()'ed the peer certificate out of the
+ chain. So we put it back here for the purpose of quick
+ renegotiation. */
certstack = sk_new_null();
sk_X509_push(certstack, cert);
}
@@ -995,10 +996,12 @@ int ssl_hook_Access(request_rec *r)
SSL_set_verify_result(ssl, certstorectx.error);
X509_STORE_CTX_cleanup(&certstorectx);
if (SSL_get_peer_cert_chain(ssl) != certstack) {
- /* created by us, so free it */
+ /* created by us above, so free it */
sk_X509_pop_free(certstack, X509_free);
}
- X509_free(cert);
+ else {
+ /* X509_free(cert); not necessary AFAIK --rse */
+ }
}
else {
/* do a full renegotiation */
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
index 8c334d74a6b..e5bf3107707 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_log.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c
index 514cfecd731..e87c5dfa2d2 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
index 2821076829b..d887a014b41 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -237,6 +237,9 @@ void ssl_pphrase_Handle(server_rec *s, pool *p)
ssl_die();
}
cpPassPhraseCur = NULL;
+ /* Ensure that the error stack is empty; otherwise the
+ OpenSSL UI code may dump it to stderr. */
+ ERR_clear_error();
bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL,
ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE);
ap_pfclose(p, fp);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c
index 98550060d02..86cbf6a0653 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
index 313fbee2365..958c0530f27 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr.c
index 49ab873dedc..e992621ef29 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr.h b/usr.sbin/httpd/src/modules/ssl/ssl_expr.h
index 419bb021927..adf12e51639 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr.h
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
index dc7e7b63074..dfcbf9e13dd 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_eval.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y
index 1e3ad6e5137..8ac78e57142 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_parse.y
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l
index a0db7cccdeb..005e4b58c3e 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_expr_scan.l
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache.c
index 139c7865fec..2b063b50ac8 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_scache.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c
index 96e4b92e6ee..d01b7c754f7 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_dbm.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c
index 1cf5816dfd6..fa9cbf5176e 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmcb.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 2000-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 2000-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c
index fad41e09ff0..94a0ad9f0a7 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_scache_shmht.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util.c b/usr.sbin/httpd/src/modules/ssl/ssl_util.c
index 0c3b04a0358..b01d5d43c2f 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c
index be156aedc35..8a3afbc2b75 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h
index 723e8095b40..213a3f2ec29 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_sdbm.h
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
index e076f7cb0a3..543680890cc 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h
index 66b8b9fa270..56c9a044186 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c
index 6473b983253..9860e59b0a2 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.c
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1999-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1999-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h
index 69c53bd8a09..1cccf5b8681 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_table.h
@@ -9,7 +9,7 @@
*/
/* ====================================================================
- * Copyright (c) 1999-2001 Ralf S. Engelschall. All rights reserved.
+ * Copyright (c) 1999-2003 Ralf S. Engelschall. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_include.c b/usr.sbin/httpd/src/modules/standard/mod_include.c
index fd3b019c8ea..87e1cbdf046 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_include.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_include.c
@@ -1506,6 +1506,7 @@ static int parse_expr(request_rec *r, const char *expr, const char *error)
}
else {
new->left = current->right;
+ new->left->parent = new;
current->right = new;
new->parent = current;
}
@@ -1609,6 +1610,7 @@ static int parse_expr(request_rec *r, const char *expr, const char *error)
}
else {
new->left = current->right;
+ new->left->parent = new;
current->right = new;
new->parent = current;
}
diff --git a/usr.sbin/httpd/src/modules/standard/mod_mime.c b/usr.sbin/httpd/src/modules/standard/mod_mime.c
index f22051ebc58..32c0f03e4cf 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_mime.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mod_mime.c,v 1.13 2003/08/21 13:11:37 henning Exp $ */
+/* $OpenBSD: mod_mime.c,v 1.14 2003/11/17 18:57:06 henning Exp $ */
/* ====================================================================
* The Apache Software License, Version 1.1
@@ -352,7 +352,7 @@ static void init_mime(server_rec *s, pool *p)
if (!(f = ap_pcfg_openfile(p, types_confname))) {
ap_log_error(APLOG_MARK, APLOG_ERR, s,
- "could not open mime types log file %s.", types_confname);
+ "could not open mime types config file %s.", types_confname);
exit(1);
}
diff --git a/usr.sbin/httpd/src/modules/standard/mod_usertrack.c b/usr.sbin/httpd/src/modules/standard/mod_usertrack.c
index aaab2e76591..2de49ed2a91 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_usertrack.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_usertrack.c
@@ -126,6 +126,8 @@ typedef struct {
char *cookie_name;
char *cookie_domain;
char *prefix_string;
+ char *regexp_string; /* used to compile regexp; save for debugging */
+ regex_t *regexp; /* used to find usertrack cookie in cookie header */
} cookie_dir_rec;
/* Define this to allow post-2000 cookies. Cookies use two-digit dates,
@@ -284,35 +286,48 @@ static void make_cookie(request_rec *r)
return;
}
+/* dcfg->regexp is "^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)",
+ * which has three subexpressions, $0..$2 */
+#define NUM_SUBS 3
+
static int spot_cookie(request_rec *r)
{
cookie_dir_rec *dcfg = ap_get_module_config(r->per_dir_config,
&usertrack_module);
- const char *cookie;
- char *value;
+ const char *cookie_header;
+ regmatch_t regm[NUM_SUBS];
+ int i;
if (!dcfg->enabled) {
return DECLINED;
}
- if ((cookie = ap_table_get(r->headers_in,
- (dcfg->style == CT_COOKIE2
- ? "Cookie2"
- : "Cookie"))))
- if ((value = strstr(cookie, dcfg->cookie_name))) {
- char *cookiebuf, *cookieend;
-
- value += strlen(dcfg->cookie_name) + 1; /* Skip over the '=' */
- cookiebuf = ap_pstrdup(r->pool, value);
- cookieend = strchr(cookiebuf, ';');
- if (cookieend)
- *cookieend = '\0'; /* Ignore anything after a ; */
-
- /* Set the cookie in a note, for logging */
- ap_table_setn(r->notes, "cookie", cookiebuf);
-
- return DECLINED; /* There's already a cookie, no new one */
- }
+ if ((cookie_header = ap_table_get(r->headers_in,
+ (dcfg->style == CT_COOKIE2
+ ? "Cookie2"
+ : "Cookie")))) {
+ if (!ap_regexec(dcfg->regexp, cookie_header, NUM_SUBS, regm, 0)) {
+ char *cookieval = NULL;
+ /* Our regexp,
+ * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
+ * only allows for $1 or $2 to be available. ($0 is always
+ * filled with the entire matched expression, not just
+ * the part in parentheses.) So just check for either one
+ * and assign to cookieval if present. */
+ if (regm[1].rm_so != -1) {
+ cookieval = ap_pregsub(r->pool, "$1", cookie_header,
+ NUM_SUBS, regm);
+ }
+ if (regm[2].rm_so != -1) {
+ cookieval = ap_pregsub(r->pool, "$2", cookie_header,
+ NUM_SUBS, regm);
+ }
+ /* Set the cookie in a note, for logging */
+ ap_table_setn(r->notes, "cookie", cookieval);
+
+ return DECLINED; /* There's already a cookie, no new one */
+ }
+ }
make_cookie(r);
return OK; /* We set our cookie */
}
@@ -422,7 +437,26 @@ static const char *set_cookie_name(cmd_parms *cmd, void *mconfig, char *name)
{
cookie_dir_rec *dcfg = (cookie_dir_rec *) mconfig;
+ /* The goal is to end up with this regexp,
+ * ^cookie_name=([^;]+)|;[ \t]+cookie_name=([^;]+)
+ * with cookie_name
+ * obviously substituted with the real cookie name set by the
+ * user in httpd.conf. */
+ dcfg->regexp_string = ap_pstrcat(cmd->pool, "^", name,
+ "=([^;]+)|;[ \t]+", name,
+ "=([^;]+)", NULL);
+
dcfg->cookie_name = ap_pstrdup(cmd->pool, name);
+
+ dcfg->regexp = ap_pregcomp(cmd->pool, dcfg->regexp_string, REG_EXTENDED);
+ if (dcfg->regexp == NULL) {
+ return "Regular expression could not be compiled.";
+ }
+ if (dcfg->regexp->re_nsub + 1 != NUM_SUBS) {
+ return ap_pstrcat(cmd->pool, "Invalid cookie name \"",
+ name, "\"", NULL);
+ }
+
return NULL;
}
diff --git a/usr.sbin/httpd/src/support/ab.c b/usr.sbin/httpd/src/support/ab.c
index 6b7827a2ac8..ef25566a871 100644
--- a/usr.sbin/httpd/src/support/ab.c
+++ b/usr.sbin/httpd/src/support/ab.c
@@ -1357,14 +1357,15 @@ static void test(void)
static void copyright(void)
{
if (!use_html) {
- printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.13 $> apache-1.3");
+ printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.14 $> apache-1.3");
printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n");
printf("Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/\n");
printf("\n");
}
else {
printf("<p>\n");
- printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i> apache-1.3<br>\n", VERSION, "$Revision: 1.13 $"); printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n");
+ printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i> apache-1.3<br>\n", VERSION, "$Revision: 1.14 $");
+ printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n");
printf(" Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/<br>\n");
printf("</p>\n<p>\n");
}
@@ -1591,7 +1592,12 @@ int main(int argc, char **argv)
*/
while (isspace((int)*optarg))
optarg++;
- l = ap_base64encode(tmp, optarg, strlen(optarg));
+ if (ap_base64encode_len(strlen(optarg)) > sizeof(tmp)) {
+ fprintf(stderr, "%s: Authentication credentials too long\n",
+ argv[0]);
+ exit(1);
+ }
+ l = ap_base64encode(tmp, optarg, strlen(optarg));
tmp[l] = '\0';
strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
@@ -1604,6 +1610,10 @@ int main(int argc, char **argv)
*/
while (isspace((int)*optarg))
optarg++;
+ if (ap_base64encode_len(strlen(optarg)) > sizeof(tmp)) {
+ fprintf(stderr, "%s: Proxy credentials too long\n", argv[0]);
+ exit(1);
+ }
l = ap_base64encode(tmp, optarg, strlen(optarg));
tmp[l] = '\0';
diff --git a/usr.sbin/httpd/src/support/dbmmanage b/usr.sbin/httpd/src/support/dbmmanage
index 3a9602d9cfe..2ca1250714d 100644
--- a/usr.sbin/httpd/src/support/dbmmanage
+++ b/usr.sbin/httpd/src/support/dbmmanage
@@ -211,7 +211,7 @@ sub genseed {
srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
}
else {
- for (qw(-xlwwa -le)) {
+ for (qw(xlwwa -le)) {
`ps $_ 2>/dev/null`;
$psf = $_, last unless $?;
}
diff --git a/usr.sbin/httpd/src/support/suexec.c b/usr.sbin/httpd/src/support/suexec.c
index dec01e434ed..04f6e494fbc 100644
--- a/usr.sbin/httpd/src/support/suexec.c
+++ b/usr.sbin/httpd/src/support/suexec.c
@@ -138,6 +138,7 @@ char *safe_env_lst[] =
/* variable name starts with */
"HTTP_",
#ifdef MOD_SSL
+ "HTTPS=",
"HTTPS_",
"SSL_",
#endif
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-19 09:50:25 +0000