1# $MirSecuCron$
2# $MirOS: src/usr.sbin/httpd/conf/httpd.conf,v 1.23 2014/04/28 20:47:56 tg Exp $
3# $OpenBSD: httpd.conf,v 1.22 2008/01/25 09:59:57 sthen Exp $
4#
5# Based upon the NCSA server configuration files originally by Rob McCool.
6#
7# This is the main httpd server configuration file.  It contains the
8# configuration directives that give the server its instructions.
9# See <URL:http://www.apache.org/docs/> for detailed information about
10# the directives.
11#
12# Do NOT simply read the instructions in here without understanding
13# what they do.  They're here only as hints or reminders.  If you are unsure
14# consult the online docs. You have been warned.
15#
16# After this file is processed, the server will look for and process
17# /var/www/conf/srm.conf and then /var/www/conf/access.conf
18# unless you have overridden these with ResourceConfig and/or
19# AccessConfig directives here.
20#
21# The configuration directives are grouped into three basic sections:
22#  1. Directives that control the operation of the httpd server process as a
23#     whole (the 'global environment').
24#  2. Directives that define the parameters of the 'main' or 'default' server,
25#     which responds to requests that aren't handled by a virtual host.
26#     These directives also provide default values for the settings
27#     of all virtual hosts.
28#  3. Settings for virtual hosts, which allow Web requests to be sent to
29#     different IP addresses or hostnames and have them handled by the
30#     same httpd server process.
31#
32# Configuration and logfile names: If the filenames you specify for many
33# of the server's control files begin with "/" (or "drive:/" for Win32), the
34# server will use that explicit path.  If the filenames do *not* begin
35# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
36# with ServerRoot set to "/var/www" will be interpreted by the
37# server as "/var/www/logs/foo.log".
38#
39
40### Section 1: Global Environment
41#
42# The directives in this section affect the overall operation of httpd,
43# such as the number of concurrent requests it can handle or where it
44# can find its configuration files.
45#
46
47#
48# ServerType is either inetd, or standalone.  Inetd mode is only supported on
49# Unix platforms.
50#
51ServerType standalone
52
53#
54# ServerTokens is either Full, OS, Minimal, or ProductOnly.
55# The values define what version information is returned in the
56# Server header in HTTP responses.
57#
58# ServerTokens OS
59
60#
61# ServerRoot: The top of the directory tree under which the server's
62# configuration, error, and log files are kept.
63#
64# NOTE!  If you intend to place this on an NFS (or otherwise network)
65# mounted filesystem then please read the LockFile documentation
66# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
67# you will save yourself a lot of trouble.
68#
69# Do NOT add a slash at the end of the directory path.
70#
71ServerRoot "/var/www"
72
73#
74# The LockFile directive sets the path to the lockfile used when httpd
75# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
76# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
77# its default value. The main reason for changing it is if the logs
78# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
79# DISK. The PID of the main server process is automatically appended to
80# the filename.
81#
82#LockFile logs/accept.lock
83
84#
85# PidFile: The file in which the server should record its process
86# identification number when it starts.
87#
88PidFile logs/httpd.pid
89
90#
91# ScoreBoardFile: File used to store internal server process information.
92# Not all architectures require this.  But if yours does (you'll know because
93# this file will be created when you run httpd) then you *must* ensure that
94# no two invocations of httpd share the same scoreboard file.
95#
96ScoreBoardFile logs/httpd_runtime_status
97
98#
99# In the standard configuration, the server will process httpd.conf,
100# srm.conf, and access.conf in that order.  The latter two files are
101# now deprecated and not installed any more, as it is recommended that
102# all directives be kept in a single file for simplicity.
103#
104#ResourceConfig conf/srm.conf
105#AccessConfig conf/access.conf
106
107#
108# Timeout: The number of seconds before receives and sends time out.
109#
110Timeout 300
111
112#
113# KeepAlive: Whether or not to allow persistent connections (more than
114# one request per connection). Set to "Off" to deactivate.
115#
116KeepAlive On
117
118#
119# MaxKeepAliveRequests: The maximum number of requests to allow
120# during a persistent connection. Set to 0 to allow an unlimited amount.
121# We recommend you leave this number high, for maximum performance.
122#
123MaxKeepAliveRequests 100
124
125#
126# KeepAliveTimeout: Number of seconds to wait for the next request from the
127# same client on the same connection.
128#
129KeepAliveTimeout 15
130
131#
132# Server-pool size regulation.  Rather than making you guess how many
133# server processes you need, httpd dynamically adapts to the load it
134# sees --- that is, it tries to maintain enough server processes to
135# handle the current load, plus a few spare servers to handle transient
136# load spikes (e.g., multiple simultaneous requests from a single
137# Netscape browser).
138#
139# It does this by periodically checking how many servers are waiting
140# for a request.  If there are fewer than MinSpareServers, it creates
141# a new spare.  If there are more than MaxSpareServers, some of the
142# spares die off.  The default values are probably OK for most sites.
143#
144MinSpareServers 5
145MaxSpareServers 10
146
147#
148# Number of servers to start initially --- should be a reasonable ballpark
149# figure.
150#
151StartServers 5
152
153#
154# Limit on total number of servers running, i.e., limit on the number
155# of clients who can simultaneously connect --- if this limit is ever
156# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
157# It is intended mainly as a brake to keep a runaway server from taking
158# the system with it as it spirals down...
159#
160MaxClients 150
161
162#
163# MaxRequestsPerChild: the number of requests each child process is
164# allowed to process before the child dies.  The child will exit so
165# as to avoid problems after prolonged use when httpd (and maybe the
166# libraries it uses) leak memory or other resources.  On most systems, this
167# isn't really needed, but a few (such as Solaris) do have notable leaks
168# in the libraries.
169#
170MaxRequestsPerChild 1024
171
172#
173# MaxFOOPerChild: these directives set the current and hard rlimits for
174# the child processes. Attempts to exceed them will cause the the OS to
175# take appropriate action. See the setrlimit(2) and signal(3).
176# In contrast to RLimitFOO, these apply to httpd child processes as well,
177# and not just to CGIs and the likes.
178#
179MaxCPUPerChild 0
180MaxDATAPerChild 0
181MaxNOFILEPerChild 0
182MaxRSSPerChild 0
183MaxSTACKPerChild 0
184MaxTIMEPerChild 0
185
186#
187# Listen: Allows you to bind httpd to specific IP addresses and/or
188# ports, in addition to the default. See also the <VirtualHost>
189# directive.
190#
191#Listen 3000
192#Listen 12.34.56.78:80
193
194#
195# Listen can take two arguments. This is an extension for supporting IPv6.
196# Note that httpd will listen _only_ to IPv6 addresses by default, because
197# the KAME BSD IPv6 stack does not implement IPv4-mapped addresses for
198# security reasons, so don't comment the following two lines:
199Listen :: 80
200Listen 0.0.0.0 80
201
202#
203# BindAddress: You can support virtual hosts with this option. This directive
204# is used to tell the server which IP address to listen to. It can either
205# contain "*", an IP address, or a fully qualified Internet domain name.
206# See also the <VirtualHost> and Listen directives.
207#
208#BindAddress *
209
210#
211# Dynamic Shared Object (DSO) Support
212#
213# To be able to use the functionality of a module which was built as a DSO you
214# have to place corresponding 'LoadModule' lines at this location so the
215# directives contained in it are actually available _before_ they are used.
216# Please read the file README.DSO in the MirOS httpd distribution for more
217# details about the DSO mechanism and run 'httpd -l' for the list of already
218# built-in (statically linked and thus always available) modules in your httpd
219# binary.
220#
221# Note: The order is which modules are loaded is important.  Don't change
222# the order below without expert advice.
223#
224# Example:
225# LoadModule foo_module libexec/mod_foo.so
226
227# "anonymous" user access to authenticated areas
228# LoadModule anon_auth_module	/usr/libexec/httpd/modules/mod_auth_anon.so
229
230# user authentication using Berkeley DB files
231# LoadModule db_auth_module	/usr/libexec/httpd/modules/mod_auth_db.so
232
233# user authentication using DBM files
234# LoadModule dbm_auth_module	/usr/libexec/httpd/modules/mod_auth_dbm.so
235
236# authentication using new-style MD5 Digest Authentication (experimental)
237# LoadModule digest_auth_module	/usr/libexec/httpd/modules/mod_auth_digest.so
238
239# CERN httpd metafile semantics
240# LoadModule cern_meta_module	/usr/libexec/httpd/modules/mod_cern_meta.so
241
242# configuration defines ($xxx)
243# LoadModule define_module	/usr/libexec/httpd/modules/mod_define.so
244
245# user authentication using old-style MD5 Digest Authentication
246# LoadModule digest_module	/usr/libexec/httpd/modules/mod_digest.so
247
248# generation of Expires HTTP headers according to user-specified criteria
249# LoadModule expires_module	/usr/libexec/httpd/modules/mod_expires.so
250
251# customization of HTTP response headers
252# LoadModule headers_module	/usr/libexec/httpd/modules/mod_headers.so
253
254# comprehensive overview of the server configuration
255# LoadModule info_module	/usr/libexec/httpd/modules/mod_info.so
256
257# logging of the client user agents (deprecated in favor of mod_log_config)
258# LoadModule agent_log_module	/usr/libexec/httpd/modules/mod_log_agent.so
259
260# logging of referers (deprecated in favor of mod_log_config)
261# LoadModule referer_log_module	/usr/libexec/httpd/modules/mod_log_referer.so
262
263# determining the MIME type of a file by looking at a few bytes of its contents
264# LoadModule mime_magic_module	/usr/libexec/httpd/modules/mod_mime_magic.so
265
266# mmap()ing of a statically configured list of frequently requested but
267# not changed files (experimental)
268# LoadModule mmap_static_module	/usr/libexec/httpd/modules/mod_mmap_static.so
269
270# rule-based rewriting engine to rewrite requested URLs on the fly
271# LoadModule rewrite_module	/usr/libexec/httpd/modules/mod_rewrite.so
272
273# attempt to correct misspellings of URLs that users might have entered
274# LoadModule speling_module	/usr/libexec/httpd/modules/mod_speling.so
275
276# provides an environment variable with a unique identifier for each request
277# LoadModule unique_id_module	/usr/libexec/httpd/modules/mod_unique_id.so
278
279# uses cookies to provide for a clickstream log of user activity on a site
280# LoadModule usertrack_module	/usr/libexec/httpd/modules/mod_usertrack.so
281
282# dynamically configured mass virtual hosting
283# LoadModule vhost_alias_module	/usr/libexec/httpd/modules/mod_vhost_alias.so
284
285# caching proxy
286# LoadModule proxy_module	/usr/libexec/httpd/modules/libproxy.so
287
288#
289# Include extra module configuration files
290#
291Include /var/www/conf/modules/*.conf
292
293#
294# ExtendedStatus controls whether httpd will generate "full" status
295# information (ExtendedStatus On) or just basic information (ExtendedStatus
296# Off) when the "server-status" handler is called. The default is Off.
297#
298#ExtendedStatus On
299
300### Section 2: 'Main' server configuration
301#
302# The directives in this section set up the values used by the 'main'
303# server, which responds to any requests that aren't handled by a
304# <VirtualHost> definition.  These values also provide defaults for
305# any <VirtualHost> containers you may define later in the file.
306#
307# All of these directives may appear inside <VirtualHost> containers,
308# in which case these default settings will be overridden for the
309# virtual host being defined.
310#
311
312#
313# If your ServerType directive (set earlier in the 'Global Environment'
314# section) is set to "inetd", the next few directives don't have any
315# effect since their settings are defined by the inetd configuration.
316# Skip ahead to the ServerAdmin directive.
317#
318
319#
320# Port: The port to which the standalone server listens. For
321# ports < 1023, you will need httpd to be run as root initially.
322# NOTE: Do not use Port, use the "Listen" directive above!
323#
324#Port 80
325
326##
327##  SSL Support
328##
329##  When we also provide SSL we have to listen to the
330##  standard HTTP port (see above) and to the HTTPS port
331##
332<IfDefine SSL>
333Listen :: 443
334Listen 0.0.0.0 443
335</IfDefine>
336
337#
338# If you wish httpd to run as a different user or group, you must run
339# httpd as root initially and it will switch.
340#
341# User/Group: The name (or #number) of the user/group to run httpd as.
342#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
343#  . On HPUX you may not be able to use shared memory as nobody, and the
344#    suggested workaround is to create a user www and use that user.
345#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
346#  when the value of (unsigned)Group is above 60000;
347#  don't use Group #-1 on these systems!
348#  On OpenBSD or MirOS, use user www, group www.
349#
350User www
351Group www
352
353#
354# ServerAdmin: Your address, where problems with the server should be
355# e-mailed.  This address appears on some server-generated pages, such
356# as error documents.
357#
358ServerAdmin you@your.address.invalid
359
360#
361# ServerName allows you to set a host name which is sent back to clients for
362# your server if it's different than the one the program would get (i.e., use
363# "www" instead of the host's real name).
364#
365# Note: You cannot just invent host names and hope they work. The name you
366# define here must be a valid DNS name for your host. If you don't understand
367# this, ask your network administrator.
368# If your host doesn't have a registered DNS name, enter its IP address here.
369# You will have to access it by its address (e.g., http://123.45.67.89/)
370# anyway, and this will make redirections work in a sensible way.
371#
372# 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your
373# machine always knows itself by this address. If you use httpd strictly for
374# local testing and development, you may use 127.0.0.1 as the server name.
375#
376#ServerName www.example.com
377
378#
379# DocumentRoot: The directory out of which you will serve your
380# documents. By default, all requests are taken from this directory, but
381# symbolic links and aliases may be used to point to other locations.
382#
383DocumentRoot "/var/www/htdocs"
384
385#
386# Each directory to which httpd has access can be configured with respect
387# to which services and features are allowed and/or disabled in that
388# directory (and its subdirectories).
389#
390# First, we configure the "default" to be a very restrictive set of
391# permissions.
392#
393<Directory />
394    Options FollowSymLinks
395    AllowOverride None
396</Directory>
397
398#
399# Note that from this point forward you must specifically allow
400# particular features to be enabled - so if something's not working as
401# you might expect, make sure that you have specifically enabled it
402# below.
403#
404
405#
406# This should be changed to whatever you set DocumentRoot to.
407#
408<Directory "/var/www/htdocs">
409
410#
411# This may also be "None", "All", or any combination of "Indexes",
412# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
413#
414# Note that "MultiViews" must be named *explicitly* --- "Options All"
415# doesn't give it to you.
416#
417    Options Indexes FollowSymLinks ExecCGI
418
419#
420# This controls which options the .htaccess files in directories can
421# override. Can also be "All", or any combination of "Options", "FileInfo",
422# "AuthConfig", and "Limit"
423#
424    AllowOverride None
425
426#
427# Controls who can get stuff from this server.
428#
429    Order allow,deny
430    Allow from all
431</Directory>
432
433#
434# UserDir: The directory which is prepended onto a users username, within
435# which a users's web pages are looked for if a ~user request is received.
436# Relative pathes are relative to the user's home directory.
437#
438# "disabled" turns this feature off.
439#
440# Since httpd will chroot(2) to the ServerRoot path by default,
441# you should use
442#	UserDir /var/www/users
443# and create per user directories in /var/www/users/<username>
444#
445# On MirOS, suexec(8) is configured to look for user directories
446# in ~user/pub/ once enabled. This won't work with chrooted
447# operation, so you need to recompile your httpd in that case.
448#
449#UserDir pub
450UserDir disabled
451
452#
453# Control access to UserDir directories.  The following is an example
454# for a site where these directories are restricted to read-only and
455# are located under /users/<username>
456# You will need to change this to match your site's home directories.
457#
458#<Directory /users/*>
459#<Directory /home/*/pub>
460#    AllowOverride FileInfo AuthConfig Limit Options
461#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
462#    <Limit GET POST OPTIONS PROPFIND>
463#        Order allow,deny
464#        Allow from all
465#    </Limit>
466#    <LimitExcept GET POST OPTIONS PROPFIND>
467#        Order deny,allow
468#        Deny from all
469#    </LimitExcept>
470#</Directory>
471
472#
473# DirectoryIndex: Name of the file or files to use as a pre-written HTML
474# directory index.  Separate multiple entries with spaces.
475#
476DirectoryIndex index.cgi index.php index.htm default.htm index.html
477
478#
479# AccessFileName: The name of the file to look for in each directory
480# for access control information.
481#
482AccessFileName .htaccess
483
484#
485# The following lines prevent .htaccess files from being viewed by
486# Web clients.  Since .htaccess files often contain authorization
487# information, access is disallowed for security reasons.  Comment
488# these lines out if you want Web visitors to see the contents of
489# .htaccess files.  If you change the AccessFileName directive above,
490# be sure to make the corresponding changes here.
491#
492# Also, folks tend to use names such as .htpasswd for password
493# files, so this will protect those as well.
494#
495<Files ~ "^\.ht">
496    Order allow,deny
497    Deny from all
498    Satisfy All
499</Files>
500
501#
502# CacheNegotiatedDocs: By default, httpd sends "Pragma: no-cache" with each
503# document that was negotiated on the basis of content. This asks proxy
504# servers not to cache the document. Uncommenting the following line disables
505# this behavior, and proxies will be allowed to cache the documents.
506#
507#CacheNegotiatedDocs
508
509#
510# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
511# httpd needs to construct a self-referencing URL (a URL that refers back
512# to the server the response is coming from) it will use ServerName and
513# Port to form a "canonical" name.  With this setting off, httpd will
514# use the hostname:port that the client supplied, when possible.  This
515# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
516#
517UseCanonicalName Off
518
519#
520# TypesConfig describes where the mime.types file (or equivalent) is
521# to be found.
522#
523TypesConfig conf/mime.types
524
525#
526# DefaultType is the default MIME type the server will use for a document
527# if it cannot otherwise determine one, such as from filename extensions.
528# If your server contains mostly text or HTML documents, "text/plain" is
529# a good value.  If most of your content is binary, such as applications
530# or images, you may want to use "application/octet-stream" instead to
531# keep browsers from trying to display binary files as though they are
532# text.
533#
534#DefaultType text/plain
535DefaultType application/octet-stream
536
537#
538# The mod_mime_magic module allows the server to use various hints from the
539# contents of the file itself to determine its type.  The MIMEMagicFile
540# directive tells the module where the hint definitions are located.
541# mod_mime_magic is not part of the default server (you have to add
542# it yourself with a LoadModule [see the DSO paragraph in the 'Global
543# Environment' section], or recompile the server and include mod_mime_magic
544# as part of the configuration), so it's enclosed in an <IfModule> container.
545# This means that the MIMEMagicFile directive will only be processed if the
546# module is part of the server.
547#
548<IfModule mod_mime_magic.c>
549    MIMEMagicFile conf/magic
550</IfModule>
551
552#
553# HostnameLookups: Log the names of clients or just their IP addresses
554# e.g., mirbsd.de (on) or 204.62.129.132 (off).
555# The default is off because it'd be overall better for the net if people
556# had to knowingly turn this feature on, since enabling it means that
557# each client request will result in AT LEAST one lookup request to the
558# nameserver.
559#
560# See also combinedlookup under LogFormat
561#
562HostnameLookups Off
563
564#
565# ErrorLog: The location of the error log file.
566# If you do not specify an ErrorLog directive within a <VirtualHost>
567# container, error messages relating to that virtual host will be
568# logged here.  If you *do* define an error logfile for a <VirtualHost>
569# container, that host's errors will be logged there and not here.
570# Either a filename or the text "syslog:" followed by a facility
571# name may be specified here.
572#
573#ErrorLog syslog:daemon
574ErrorLog logs/error_log
575
576#
577# LogLevel: Control the number of messages logged to the error_log.
578# Possible values include: debug, info, notice, warn, error, crit,
579# alert, emerg.
580#
581LogLevel warn
582
583#
584# The following directives define some format nicknames for use with
585# a CustomLog directive (see below).
586#
587LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
588LogFormat "%h %l %u %t %{SSL_PROTOCOL}x:%{SSL_CIPHER}x:%{address-family}n\"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedssl
589LogFormat "%h/%a %l %u %t %{SSL_PROTOCOL}x:%{SSL_CIPHER}x:%{address-family}n\"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedlookup
590LogFormat "%h %l %u %t \"%r\" %>s %b" common
591LogFormat "%{Referer}i -> %U" referer
592LogFormat "%{User-agent}i" agent
593
594#
595# The location and format of the access logfile (Common Logfile Format).
596# If you do not define any access logfiles within a <VirtualHost>
597# container, they will be logged here.  Contrariwise, if you *do*
598# define per-<VirtualHost> access logfiles, transactions will be
599# logged therein and *not* in this file.
600#
601#CustomLog logs/access_log common
602
603#
604# If you would like to have agent and referer logfiles, uncomment the
605# following directives.
606#
607#CustomLog logs/referer_log referer
608#CustomLog logs/agent_log agent
609
610#
611# If you prefer a single logfile with access, agent, and referer information
612# (Combined Logfile Format) you can use the following directive.
613#
614#CustomLog logs/access_log combined
615CustomLog logs/access_log combinedssl
616# Use this when setting HostnameLookups On
617#CustomLog logs/access_log combinedlookup
618
619#
620# Optionally add a line containing the server version and virtual host
621# name to server-generated pages (error documents, FTP directory listings,
622# mod_status and mod_info output etc., but not CGI generated documents).
623# Set to "EMail" to also include a mailto: link to the ServerAdmin.
624# Set to one of:  On | Off | EMail
625#
626ServerSignature EMail
627
628#
629# Aliases: Add here as many aliases as you need (with no limit). The format is
630# Alias fakename realname
631#
632# Note that if you include a trailing / on fakename then the server will
633# require it to be present in the URL.  So "/icons" isn't aliased in this
634# example, only "/icons/"..
635#
636Alias /icons/ "/var/www/icons/"
637
638<Directory "/var/www/icons">
639    Options Indexes MultiViews
640    AllowOverride None
641    Order allow,deny
642    Allow from all
643</Directory>
644
645Alias /manual/ "/var/www/htdocs/manual/"
646
647<Directory "/var/www/htdocs/manual">
648    Options Indexes FollowSymlinks MultiViews
649    AllowOverride None
650    Order allow,deny
651    Allow from all
652</Directory>
653
654#
655# ScriptAlias: This controls which directories contain server scripts.
656# ScriptAliases are essentially the same as Aliases, except that
657# documents in the realname directory are treated as applications and
658# run by the server when requested rather than as documents sent to the client.
659# The same rules about trailing "/" apply to ScriptAlias directives as to
660# Alias.
661#
662ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
663
664#
665# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
666# CGI directory exists, if you have that configured.
667#
668<Directory "/var/www/cgi-bin">
669    AllowOverride None
670    Options None
671    Order allow,deny
672    Allow from all
673</Directory>
674
675#
676# Redirect allows you to tell clients about documents which used to exist in
677# your server's namespace, but do not anymore. This allows you to tell the
678# clients where to look for the relocated document.
679# Format: Redirect old-URI new-URL
680#
681
682#
683# Directives controlling the display of server-generated directory listings.
684#
685
686#
687# FancyIndexing is whether you want fancy directory indexing or standard
688#
689#IndexOptions FancyIndexing
690
691#
692# AddIcon* directives tell the server which icon to show for different
693# files or filename extensions.  These are only displayed for
694# FancyIndexed directories.
695#
696AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
697
698AddIconByType (TXT,/icons/text.gif) text/*
699AddIconByType (IMG,/icons/image2.gif) image/*
700AddIconByType (SND,/icons/sound2.gif) audio/*
701AddIconByType (VID,/icons/movie.gif) video/*
702
703AddIcon /icons/binary.gif .bin .exe
704AddIcon /icons/binhex.gif .hqx
705AddIcon /icons/tar.gif .tar
706AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
707AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
708AddIcon /icons/a.gif .ps .ai .eps
709AddIcon /icons/layout.gif .html .shtml .htm .pdf
710AddIcon /icons/text.gif .txt
711AddIcon /icons/c.gif .c
712AddIcon /icons/p.gif .pl .py
713AddIcon /icons/f.gif .for
714AddIcon /icons/dvi.gif .dvi
715AddIcon /icons/uuencoded.gif .uu
716AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
717AddIcon /icons/tex.gif .tex
718AddIcon /icons/bomb.gif core
719
720AddIcon /icons/back.gif ..
721AddIcon /icons/hand.right.gif README
722AddIcon /icons/folder.gif ^^DIRECTORY^^
723AddIcon /icons/blank.gif ^^BLANKICON^^
724
725#
726# DefaultIcon is which icon to show for files which do not have an icon
727# explicitly set.
728#
729DefaultIcon /icons/unknown.gif
730
731#
732# AddDescription allows you to place a short description after a file in
733# server-generated indexes.  These are only displayed for FancyIndexed
734# directories.
735# Format: AddDescription "description" filename
736#
737#AddDescription "GZIP compressed document" .gz
738#AddDescription "tar archive" .tar
739#AddDescription "GZIP compressed tar archive" .tgz
740
741#
742# ReadmeName is the name of the README file the server will look for by
743# default, and append to directory listings.
744#
745# HeaderName is the name of a file which should be prepended to
746# directory indexes.
747#
748ReadmeName README
749HeaderName HEADER
750
751#
752# IndexIgnore is a set of filenames which directory indexing should ignore
753# and not include in the listing.  Shell-style wildcarding is permitted.
754#
755IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
756
757#
758# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
759# information on the fly. Note: Not all browsers support this.
760# Despite the name similarity, the following Add* directives have nothing
761# to do with the FancyIndexing customization directives above.
762#
763AddEncoding x-compress .Z
764AddEncoding x-gzip .gz
765
766#
767# AddLanguage allows you to specify the language of a document. You can
768# then use content negotiation to give a browser a file in a language
769# it can understand.
770#
771# Note 1: The suffix does not have to be the same as the language
772# keyword --- those with documents in Polish (whose net-standard
773# language code is pl) may wish to use "AddLanguage pl .po" to
774# avoid the ambiguity with the common suffix for perl scripts.
775#
776# Note 2: The example entries below illustrate that in quite
777# some cases the two character 'Language' abbreviation is not
778# identical to the two character 'Country' code for its country,
779# E.g. 'Danmark/dk' versus 'Danish/da'.
780#
781# Note 3: In the case of 'ltz' we violate the RFC by using a three char
782# specifier. But there is 'work in progress' to fix this and get
783# the reference data for rfc1766 cleaned up.
784#
785# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
786# French (fr) - German (de) - Greek-Modern (el)
787# Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn)
788# Portugese (pt) - Luxembourgeois* (ltz)
789# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cs)
790# Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
791# Russian (ru)
792#
793AddLanguage da	.dk
794AddLanguage nl	.nl
795AddLanguage en	.en
796AddLanguage et	.ee
797AddLanguage fr	.fr
798AddLanguage de	.de
799AddLanguage el	.el
800AddLanguage he	.he
801AddCharset ISO-8859-8	.iso8859-8
802AddLanguage it	.it
803AddLanguage ja	.ja
804AddCharset ISO-2022-JP	.jis
805AddLanguage kr	.kr
806AddCharset ISO-2022-KR	.iso-kr
807AddLanguage nn	.nn
808AddLanguage no	.no
809AddLanguage pl	.po
810AddCharset ISO-8859-2	.iso-pl
811AddLanguage pt	.pt
812AddLanguage pt-br .pt-br
813AddLanguage ltz	.lu
814AddLanguage ca	.ca
815AddLanguage es	.es
816AddLanguage sv	.sv
817AddLanguage cs	.cz .cs
818AddLanguage ru	.ru
819AddLanguage zh-TW .zh-tw
820AddCharset Big5		.Big5	.big5
821AddCharset WINDOWS-1251	.cp-1251
822AddCharset CP866	.cp866
823AddCharset ISO-8859-5	.iso-ru
824AddCharset KOI8-R	.koi8-r
825AddCharset UCS-2	.ucs2
826AddCharset UCS-4	.ucs4
827AddCharset UTF-8	.utf8
828
829#
830# LanguagePriority allows you to give precedence to some languages
831# in case of a tie during content negotiation.
832# Just list the languages in decreasing order of preference. We have
833# more or less alphabetized them here. You probably want to change this.
834#
835LanguagePriority en de da nl et fr el it ja kr no pl pt pt-br ru ltz ca es sv tw
836
837#
838# AddType allows you to tweak mime.types without actually editing it, or to
839# make certain files to be certain types.
840#
841# For example, the PHP module (not part of the httpd distribution)
842# will typically use:
843#
844#AddType application/x-httpd-php .php
845AddType application/x-tar .tgz
846AddType application/x-cpio .cgz
847AddType application/x-bittorrent .torrent
848AddType application/x-x509-ca-cert .cer .crt .pem
849
850#
851# AddHandler allows you to map certain file extensions to "handlers",
852# actions unrelated to filetype. These can be either built into the server
853# or added with the Action command (see below)
854#
855# If you want to use server side includes, or CGI outside
856# ScriptAliased directories, uncomment the following lines.
857#
858# To use CGI scripts:
859#
860AddHandler cgi-script .cgi
861
862#
863# To use server-parsed HTML files
864#
865#AddType text/html .shtml
866#AddHandler server-parsed .shtml
867
868#
869# Uncomment the following line to enable httpd's send-asis HTTP file
870# feature
871#
872#AddHandler send-as-is asis
873
874#
875# If you wish to use server-parsed imagemap files, use
876#
877#AddHandler imap-file map
878
879#
880# To enable type maps, you might want to use
881#
882#AddHandler type-map var
883
884#
885# Action lets you define media types that will execute a script whenever
886# a matching file is called. This eliminates the need for repeated URL
887# pathnames for oft-used CGI file processors.
888# Format: Action media/type /cgi-script/location
889# Format: Action handler-name /cgi-script/location
890#
891
892#
893# MetaDir: specifies the name of the directory in which httpd can find
894# meta information files. These files contain additional HTTP headers
895# to include when sending the document
896#
897#MetaDir .web
898
899#
900# MetaSuffix: specifies the file name suffix for the file containing the
901# meta information.
902#
903#MetaSuffix .meta
904
905#
906# Customizable error response (httpd style)
907#  these come in three flavors
908#
909#    1) plain text
910#ErrorDocument 500 "The server made a boo boo.
911#  n.b.  the (") marks it as text, it does not get output
912#
913#    2) local redirects
914#ErrorDocument 404 /missing.html
915#  to redirect to local URL /missing.html
916#ErrorDocument 404 /cgi-bin/missing_handler.pl
917#  N.B.: You can redirect to a script or a document using server-side-includes.
918#
919#    3) external redirects
920#ErrorDocument 402 http://www.example.com/subscription_info.html
921#  N.B.: Many of the environment variables associated with the original
922#  request will *not* be available to such a script.
923
924#
925# The following directives modify normal HTTP response behavior.
926# The first directive disables keepalive for Netscape 2.x and browsers that
927# spoof it. There are known problems with these browser implementations.
928# The second directive is for Microsoft Internet Explorer 4.0b2
929# which has a broken HTTP/1.1 implementation and does not properly
930# support keepalive when it is used on 301 or 302 (redirect) responses.
931#
932BrowserMatch "Mozilla/2" nokeepalive
933BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
934
935#
936# The following directive disables HTTP/1.1 responses to browsers which
937# are in violation of the HTTP/1.0 spec by not being able to grok a
938# basic 1.1 response.
939#
940BrowserMatch "RealPlayer 4\.0" force-response-1.0
941BrowserMatch "Java/1\.0" force-response-1.0
942BrowserMatch "JDK/1\.0" force-response-1.0
943#
944# Some intermediate versions of /usr/bin/ftp claimed to support HTTP/1.1
945# while they did not implement support for the chunked encoding; current
946# versions back that out and only claim to support HTTP/1.0; future ver-
947# sions that fix this bug will have to change the user agent string.
948#
949BrowserMatch "MirOS ftp" downgrade-1.0 force-response-1.0
950BrowserMatch "OpenBSD ftp" downgrade-1.0 force-response-1.0
951
952#
953# These get the general type of the browser used, for SSL later.
954#
955BrowserMatch "^Mozilla"	isBrowser=nn
956BrowserMatch "MSIE"	isBrowser=msie
957BrowserMatch "Lynx/"	isBrowser=lynx
958
959#
960# Allow server status reports, with the URL of http://servername/server-status
961# Change the ".example.com" to match your domain to enable.
962#
963#<Location /server-status>
964#    SetHandler server-status
965#    Order deny,allow
966#    Deny from all
967#    Allow from .example.com
968#</Location>
969
970#
971# Allow remote server configuration reports, with the URL of
972#  http://servername/server-info (requires that mod_info.c be loaded).
973# Change the ".example.com" to match your domain to enable.
974#
975#<Location /server-info>
976#    SetHandler server-info
977#    Order deny,allow
978#    Deny from all
979#    Allow from .example.com
980#</Location>
981
982#
983# Proxy Server directives. Uncomment the following lines to
984# enable the proxy server:
985#
986#<IfModule mod_proxy.c>
987#ProxyRequests On
988#
989#<Directory proxy:*>
990#    Order deny,allow
991#    Deny from all
992#    Allow from .your_domain.com
993#</Directory>
994
995#
996# Enable/disable the handling of HTTP/1.1 "Via:" headers.
997# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
998# Set to one of: Off | On | Full | Block
999#
1000#ProxyVia On
1001
1002#
1003# To enable the cache as well, edit and uncomment the following lines:
1004# (no cacheing without CacheRoot)
1005#
1006#CacheRoot "/var/www/proxy"
1007#CacheSize 5
1008#CacheGcInterval 4
1009#CacheMaxExpire 24
1010#CacheLastModifiedFactor 0.1
1011#CacheDefaultExpire 1
1012#NoCache a_domain.com another_domain.edu joes.garage_sale.com
1013
1014#</IfModule>
1015# End of proxy directives.
1016
1017### Section 3: Virtual Hosts
1018#
1019# VirtualHost: If you want to maintain multiple domains/hostnames on your
1020# machine you can setup VirtualHost containers for them.
1021# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
1022# for further details before you try to setup virtual hosts.
1023# You may use the command line option '-S' to verify your virtual host
1024# configuration.
1025
1026# ATTENTION: Since httpd supports IPv6 operation, configuration of
1027# virtual hosts heavily deviates from other similar webservers and
1028# is not exactly straight-forward. Wildcards usually don't work.
1029
1030#
1031# If you want to use name-based virtual hosts you need to define at
1032# least one IP address (and port number) for them.
1033#
1034#NameVirtualHost 12.34.56.78:80
1035#NameVirtualHost 12.34.56.78
1036
1037#
1038# VirtualHost example:
1039# Almost any httpd directive may go into a VirtualHost container.
1040#
1041#<VirtualHost ip.address.of.host.example.com>
1042#    ServerAdmin webmaster@host.example.com
1043#    DocumentRoot /www/docs/host.example.com
1044#    ServerName host.example.com
1045#    ErrorLog logs/host.example.com-error_log
1046#    CustomLog logs/host.example.com-access_log common
1047#</VirtualHost>
1048
1049#<VirtualHost _default_:*>
1050#</VirtualHost>
1051
1052
1053##
1054##  SSL Global Context
1055##
1056##  All SSL configuration in this context applies both to
1057##  the main server and all SSL-enabled virtual hosts.
1058##
1059
1060#
1061#   Some MIME-types for downloading Certificates and CRLs
1062#
1063<IfDefine SSL>
1064AddType application/x-x509-ca-cert .cer
1065AddType application/x-pkcs7-crl    .crl
1066</IfDefine>
1067
1068<IfModule mod_ssl.c>
1069
1070#   Pass Phrase Dialog:
1071#   Configure the pass phrase gathering process.
1072#   The filtering dialog program ('builtin' is a internal
1073#   terminal dialog) has to provide the pass phrase on stdout.
1074SSLPassPhraseDialog  builtin
1075
1076#   Inter-Process Session Cache:
1077#   Configure the SSL Session Cache: First either 'none'
1078#   or 'dbm:/path/to/file' for the mechanism to use and
1079#   second the expiring timeout (in seconds).
1080SSLSessionCache         dbm:logs/ssl_scache
1081SSLSessionCacheTimeout  300
1082
1083#   Semaphore:
1084#   Configure the path to the mutual exclusion semaphore the
1085#   SSL engine uses internally for inter-process synchronization.
1086SSLMutex  sem
1087
1088#   Pseudo Random Number Generator (PRNG):
1089#   Configure one or more sources to seed the PRNG of the
1090#   SSL library. The seed data should be of good random quality.
1091#SSLRandomSeed startup builtin
1092#SSLRandomSeed connect builtin
1093#SSLRandomSeed startup file:/dev/urandom 32
1094#SSLRandomSeed connect file:/dev/urandom 32
1095
1096#   Logging:
1097#   The home of the dedicated SSL protocol logfile. Errors are
1098#   additionally duplicated in the general error log file.  Put
1099#   this somewhere where it cannot be used for symlink attacks on
1100#   a real server (i.e. somewhere where only root can write).
1101#   Log levels are (ascending order: higher ones include lower ones):
1102#   none, error, warn, info, trace, debug.
1103SSLLog      logs/ssl_engine_log
1104SSLLogLevel info
1105
1106</IfModule>
1107
1108<IfDefine SSL>
1109
1110##
1111## SSL Virtual Host Context
1112##
1113
1114<VirtualHost _default_:443>
1115# ATTENTION: this uses the sendmail(8) certs by default!
1116
1117#  General setup for the virtual host
1118DocumentRoot /var/www/htdocs
1119#ServerName new.host.name
1120#ServerAdmin you@your.address
1121ErrorLog logs/error_log
1122#TransferLog logs/access_log
1123CustomLog logs/access_log combinedssl
1124# Use this when setting HostnameLookups On
1125#CustomLog logs/access_log combinedlookup
1126
1127#   SSL Engine Switch:
1128#   Enable/Disable SSL for this virtual host.
1129SSLEngine on
1130
1131#   SSL Protocol Selection:
1132#   Configure usable SSL protocol flavours.
1133SSLProtocol All -SSLv2
1134#SSLProtocol TLSv1
1135
1136#   SSL Cipher Suite:
1137#   List the ciphers that the client is permitted to negotiate.
1138#   See the mod_ssl documentation for a complete list.
1139# Remove :ECDHE-RSA-RC4-SHA:RC4-SHA if MSIE compatibility is not required.
1140SSLCipherSuite kEECDH+aRSA:kEDH+aRSA:!COMPLEMENTOFDEFAULT:!ADH:!AECDH:-MEDIUM:!LOW:!EXPORT:!aNULL:!eNULL:EDH-DSS-DES-CBC3-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA
1141
1142#   HTTPS SERVER CERTIFICATE/KEY/CA
1143
1144#   Server Certificate:
1145#   Point SSLCertificateFile at a PEM encoded certificate.  If
1146#   the certificate is encrypted, then you will be prompted for a
1147#   pass phrase.  Note that a kill -HUP will prompt again.
1148SSLCertificateFile	/etc/ssl/default.cer
1149
1150#   Server Private Key:
1151#   If the key is not combined with the certificate, use this
1152#   directive to point at the key file.
1153SSLCertificateKeyFile	/etc/ssl/private/default.key
1154
1155#   Server Certificate Chain:
1156#   Point SSLCertificateChainFile at a file containing the
1157#   concatenation of PEM encoded CA certificates which form the
1158#   certificate chain for the server certificate. Alternatively
1159#   the referenced file can be the same as SSLCertificateFile
1160#   when the CA certificates are directly appended to the server
1161#   certificate for convenience.
1162#   Since these are sent to the client, it MUST NOT be the same
1163#   as SSLCACertificateFile or a concatenation of all files from
1164#   the SSLCACertificatePath but ONLY the chain of Root CA and
1165#   intermediate certs required to validate SSLCertificateFile.
1166SSLCertificateChainFile	/etc/ssl/deflt-ca.cer
1167
1168#   HTTPS CLIENT CERTIFICATE/CA/CRL
1169
1170#   Certificate Authority (CA):
1171#   Set the CA certificate verification path where to find CA
1172#   certificates for client authentication or alternatively one
1173#   huge file containing all of them (file must be PEM encoded).
1174#   These probably will not be used in constructing a CA chain
1175#   should SSLCertificateChainFile be absent, even though the
1176#   mod_ssl documentation indicates this!
1177#   Note: Inside SSLCACertificatePath you need hash symlinks
1178#         to point to the certificate files. Use the provided
1179#         Makefile to update the hash symlinks after changes.
1180SSLCACertificatePath	/etc/ssl/certs
1181#SSLCACertificateFile	/etc/ssl/all-ca.pem
1182
1183# Certificate Revocation Lists (CRL):
1184# Set the CA revocation path where to find CA CRLs for client
1185# authentication or alternatively one huge file containing all
1186# of them (file must be PEM encoded)
1187# Note: Inside SSLCARevocationPath you need hash symlinks
1188#       to point to the certificate files.
1189#SSLCARevocationPath	/etc/ssl/crls
1190#SSLCARevocationFile	/etc/ssl/all-crl.pem
1191
1192#   Client Authentication (Type):
1193#   Client certificate verification type and depth.  Types are
1194#   none, optional, require and optional_no_ca.  Depth is a
1195#   number which specifies how deeply to verify the certificate
1196#   issuer chain before deciding the certificate is not valid.
1197#SSLVerifyClient require
1198#SSLVerifyDepth  10
1199
1200#   Access Control:
1201#   With SSLRequire you can do per-directory access control based
1202#   on arbitrary complex boolean expressions containing server
1203#   variable checks and other lookup directives.  The syntax is a
1204#   mixture between C and Perl.  See the mod_ssl documentation
1205#   for more details.
1206#<Location />
1207#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
1208#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
1209#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
1210#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
1211#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
1212#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
1213#</Location>
1214
1215#   SSL Engine Options:
1216#   Set various options for the SSL engine.
1217# o FakeBasicAuth:
1218#     Translate the client X.509 into a Basic Authorisation.  This means that
1219#     the standard Auth/DBMAuth methods can be used for access control.  The
1220#     user name is the 'one line' version of the client's X.509 certificate.
1221#     Note that no password is obtained from the user. Every entry in the user
1222#     file needs this password: 'xxj31ZMTZzkVA'.
1223# o ExportCertData:
1224#     This exports two additional environment variables: SSL_CLIENT_CERT and
1225#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
1226#     server (always existing) and the client (only existing when client
1227#     authentication is used). This can be used to import the certificates
1228#     into CGI scripts.
1229# o StdEnvVars:
1230#     This exports the standard SSL/TLS related 'SSL_*' environment variables.
1231#     Per default this exportation is switched off for performance reasons,
1232#     because the extraction step is an expensive operation and is usually
1233#     useless for serving static content. So one usually enables the
1234#     exportation for CGI and SSI requests only.
1235# o CompatEnvVars:
1236#     This exports obsolete environment variables for backward compatibility
1237#     to Apache(TM)-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x.
1238#     Use this to provide compatibility to existing CGI scripts.
1239# o StrictRequire:
1240#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
1241#     under a "Satisfy any" situation, i.e. when it applies access is denied
1242#     and no other module can change it.
1243# o OptRenegotiate:
1244#     This enables optimized SSL connection renegotiation handling when SSL
1245#     directives are used in per-directory context.
1246SSLOptions +FakeBasicAuth +ExportCertData
1247#SSLOptions +StdEnvVars +CompatEnvVars +StrictRequire +OptRenegotiate
1248
1249<Files ~ "\.(cgi|shtml|phtml|pl|sh|php|php3|php?)$">
1250    SSLOptions +StdEnvVars
1251</Files>
1252<Directory "/var/www/cgi-bin">
1253    SSLOptions +StdEnvVars
1254</Directory>
1255
1256#   SSL Protocol Adjustments:
1257#   The safe and default but still SSL/TLS standard compliant shutdown
1258#   approach is that mod_ssl sends the close notify alert but doesn't wait for
1259#   the close notify alert from client. When you need a different shutdown
1260#   approach you can use one of the following variables:
1261# o ssl-unclean-shutdown:
1262#     This forces an unclean shutdown when the connection is closed, i.e. no
1263#     SSL close notify alert is send or allowed to received.  This violates
1264#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
1265#     this when you receive I/O errors because of the standard approach where
1266#     mod_ssl sends the close notify alert.
1267# o ssl-accurate-shutdown:
1268#     This forces an accurate shutdown when the connection is closed, i.e. a
1269#     SSL close notify alert is send and mod_ssl waits for the close notify
1270#     alert of the client. This is 100% SSL/TLS standard compliant, but in
1271#     practice often causes hanging connections with brain-dead browsers. Use
1272#     this only for browsers where you know that their SSL implementation
1273#     works correctly.
1274#   Note: Most problems of broken clients are also related to the HTTP
1275#   keep-alive facility, so you usually additionally want to disable
1276#   these too (see the BrowserMatch section above).
1277SetEnvIf isBrowser msie ssl-unclean-shutdown
1278
1279</VirtualHost>
1280
1281</IfDefine>
1282