1# $MirSecuCron$ 2# $MirOS: src/usr.sbin/httpd/conf/httpd.conf,v 1.23 2014/04/28 20:47:56 tg Exp $ 3# $OpenBSD: httpd.conf,v 1.22 2008/01/25 09:59:57 sthen Exp $ 4# 5# Based upon the NCSA server configuration files originally by Rob McCool. 6# 7# This is the main httpd server configuration file. It contains the 8# configuration directives that give the server its instructions. 9# See <URL:http://www.apache.org/docs/> for detailed information about 10# the directives. 11# 12# Do NOT simply read the instructions in here without understanding 13# what they do. They're here only as hints or reminders. If you are unsure 14# consult the online docs. You have been warned. 15# 16# After this file is processed, the server will look for and process 17# /var/www/conf/srm.conf and then /var/www/conf/access.conf 18# unless you have overridden these with ResourceConfig and/or 19# AccessConfig directives here. 20# 21# The configuration directives are grouped into three basic sections: 22# 1. Directives that control the operation of the httpd server process as a 23# whole (the 'global environment'). 24# 2. Directives that define the parameters of the 'main' or 'default' server, 25# which responds to requests that aren't handled by a virtual host. 26# These directives also provide default values for the settings 27# of all virtual hosts. 28# 3. Settings for virtual hosts, which allow Web requests to be sent to 29# different IP addresses or hostnames and have them handled by the 30# same httpd server process. 31# 32# Configuration and logfile names: If the filenames you specify for many 33# of the server's control files begin with "/" (or "drive:/" for Win32), the 34# server will use that explicit path. If the filenames do *not* begin 35# with "/", the value of ServerRoot is prepended -- so "logs/foo.log" 36# with ServerRoot set to "/var/www" will be interpreted by the 37# server as "/var/www/logs/foo.log". 38# 39 40### Section 1: Global Environment 41# 42# The directives in this section affect the overall operation of httpd, 43# such as the number of concurrent requests it can handle or where it 44# can find its configuration files. 45# 46 47# 48# ServerType is either inetd, or standalone. Inetd mode is only supported on 49# Unix platforms. 50# 51ServerType standalone 52 53# 54# ServerTokens is either Full, OS, Minimal, or ProductOnly. 55# The values define what version information is returned in the 56# Server header in HTTP responses. 57# 58# ServerTokens OS 59 60# 61# ServerRoot: The top of the directory tree under which the server's 62# configuration, error, and log files are kept. 63# 64# NOTE! If you intend to place this on an NFS (or otherwise network) 65# mounted filesystem then please read the LockFile documentation 66# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>); 67# you will save yourself a lot of trouble. 68# 69# Do NOT add a slash at the end of the directory path. 70# 71ServerRoot "/var/www" 72 73# 74# The LockFile directive sets the path to the lockfile used when httpd 75# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or 76# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at 77# its default value. The main reason for changing it is if the logs 78# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL 79# DISK. The PID of the main server process is automatically appended to 80# the filename. 81# 82#LockFile logs/accept.lock 83 84# 85# PidFile: The file in which the server should record its process 86# identification number when it starts. 87# 88PidFile logs/httpd.pid 89 90# 91# ScoreBoardFile: File used to store internal server process information. 92# Not all architectures require this. But if yours does (you'll know because 93# this file will be created when you run httpd) then you *must* ensure that 94# no two invocations of httpd share the same scoreboard file. 95# 96ScoreBoardFile logs/httpd_runtime_status 97 98# 99# In the standard configuration, the server will process httpd.conf, 100# srm.conf, and access.conf in that order. The latter two files are 101# now deprecated and not installed any more, as it is recommended that 102# all directives be kept in a single file for simplicity. 103# 104#ResourceConfig conf/srm.conf 105#AccessConfig conf/access.conf 106 107# 108# Timeout: The number of seconds before receives and sends time out. 109# 110Timeout 300 111 112# 113# KeepAlive: Whether or not to allow persistent connections (more than 114# one request per connection). Set to "Off" to deactivate. 115# 116KeepAlive On 117 118# 119# MaxKeepAliveRequests: The maximum number of requests to allow 120# during a persistent connection. Set to 0 to allow an unlimited amount. 121# We recommend you leave this number high, for maximum performance. 122# 123MaxKeepAliveRequests 100 124 125# 126# KeepAliveTimeout: Number of seconds to wait for the next request from the 127# same client on the same connection. 128# 129KeepAliveTimeout 15 130 131# 132# Server-pool size regulation. Rather than making you guess how many 133# server processes you need, httpd dynamically adapts to the load it 134# sees --- that is, it tries to maintain enough server processes to 135# handle the current load, plus a few spare servers to handle transient 136# load spikes (e.g., multiple simultaneous requests from a single 137# Netscape browser). 138# 139# It does this by periodically checking how many servers are waiting 140# for a request. If there are fewer than MinSpareServers, it creates 141# a new spare. If there are more than MaxSpareServers, some of the 142# spares die off. The default values are probably OK for most sites. 143# 144MinSpareServers 5 145MaxSpareServers 10 146 147# 148# Number of servers to start initially --- should be a reasonable ballpark 149# figure. 150# 151StartServers 5 152 153# 154# Limit on total number of servers running, i.e., limit on the number 155# of clients who can simultaneously connect --- if this limit is ever 156# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW. 157# It is intended mainly as a brake to keep a runaway server from taking 158# the system with it as it spirals down... 159# 160MaxClients 150 161 162# 163# MaxRequestsPerChild: the number of requests each child process is 164# allowed to process before the child dies. The child will exit so 165# as to avoid problems after prolonged use when httpd (and maybe the 166# libraries it uses) leak memory or other resources. On most systems, this 167# isn't really needed, but a few (such as Solaris) do have notable leaks 168# in the libraries. 169# 170MaxRequestsPerChild 1024 171 172# 173# MaxFOOPerChild: these directives set the current and hard rlimits for 174# the child processes. Attempts to exceed them will cause the the OS to 175# take appropriate action. See the setrlimit(2) and signal(3). 176# In contrast to RLimitFOO, these apply to httpd child processes as well, 177# and not just to CGIs and the likes. 178# 179MaxCPUPerChild 0 180MaxDATAPerChild 0 181MaxNOFILEPerChild 0 182MaxRSSPerChild 0 183MaxSTACKPerChild 0 184MaxTIMEPerChild 0 185 186# 187# Listen: Allows you to bind httpd to specific IP addresses and/or 188# ports, in addition to the default. See also the <VirtualHost> 189# directive. 190# 191#Listen 3000 192#Listen 12.34.56.78:80 193 194# 195# Listen can take two arguments. This is an extension for supporting IPv6. 196# Note that httpd will listen _only_ to IPv6 addresses by default, because 197# the KAME BSD IPv6 stack does not implement IPv4-mapped addresses for 198# security reasons, so don't comment the following two lines: 199Listen :: 80 200Listen 0.0.0.0 80 201 202# 203# BindAddress: You can support virtual hosts with this option. This directive 204# is used to tell the server which IP address to listen to. It can either 205# contain "*", an IP address, or a fully qualified Internet domain name. 206# See also the <VirtualHost> and Listen directives. 207# 208#BindAddress * 209 210# 211# Dynamic Shared Object (DSO) Support 212# 213# To be able to use the functionality of a module which was built as a DSO you 214# have to place corresponding 'LoadModule' lines at this location so the 215# directives contained in it are actually available _before_ they are used. 216# Please read the file README.DSO in the MirOS httpd distribution for more 217# details about the DSO mechanism and run 'httpd -l' for the list of already 218# built-in (statically linked and thus always available) modules in your httpd 219# binary. 220# 221# Note: The order is which modules are loaded is important. Don't change 222# the order below without expert advice. 223# 224# Example: 225# LoadModule foo_module libexec/mod_foo.so 226 227# "anonymous" user access to authenticated areas 228# LoadModule anon_auth_module /usr/libexec/httpd/modules/mod_auth_anon.so 229 230# user authentication using Berkeley DB files 231# LoadModule db_auth_module /usr/libexec/httpd/modules/mod_auth_db.so 232 233# user authentication using DBM files 234# LoadModule dbm_auth_module /usr/libexec/httpd/modules/mod_auth_dbm.so 235 236# authentication using new-style MD5 Digest Authentication (experimental) 237# LoadModule digest_auth_module /usr/libexec/httpd/modules/mod_auth_digest.so 238 239# CERN httpd metafile semantics 240# LoadModule cern_meta_module /usr/libexec/httpd/modules/mod_cern_meta.so 241 242# configuration defines ($xxx) 243# LoadModule define_module /usr/libexec/httpd/modules/mod_define.so 244 245# user authentication using old-style MD5 Digest Authentication 246# LoadModule digest_module /usr/libexec/httpd/modules/mod_digest.so 247 248# generation of Expires HTTP headers according to user-specified criteria 249# LoadModule expires_module /usr/libexec/httpd/modules/mod_expires.so 250 251# customization of HTTP response headers 252# LoadModule headers_module /usr/libexec/httpd/modules/mod_headers.so 253 254# comprehensive overview of the server configuration 255# LoadModule info_module /usr/libexec/httpd/modules/mod_info.so 256 257# logging of the client user agents (deprecated in favor of mod_log_config) 258# LoadModule agent_log_module /usr/libexec/httpd/modules/mod_log_agent.so 259 260# logging of referers (deprecated in favor of mod_log_config) 261# LoadModule referer_log_module /usr/libexec/httpd/modules/mod_log_referer.so 262 263# determining the MIME type of a file by looking at a few bytes of its contents 264# LoadModule mime_magic_module /usr/libexec/httpd/modules/mod_mime_magic.so 265 266# mmap()ing of a statically configured list of frequently requested but 267# not changed files (experimental) 268# LoadModule mmap_static_module /usr/libexec/httpd/modules/mod_mmap_static.so 269 270# rule-based rewriting engine to rewrite requested URLs on the fly 271# LoadModule rewrite_module /usr/libexec/httpd/modules/mod_rewrite.so 272 273# attempt to correct misspellings of URLs that users might have entered 274# LoadModule speling_module /usr/libexec/httpd/modules/mod_speling.so 275 276# provides an environment variable with a unique identifier for each request 277# LoadModule unique_id_module /usr/libexec/httpd/modules/mod_unique_id.so 278 279# uses cookies to provide for a clickstream log of user activity on a site 280# LoadModule usertrack_module /usr/libexec/httpd/modules/mod_usertrack.so 281 282# dynamically configured mass virtual hosting 283# LoadModule vhost_alias_module /usr/libexec/httpd/modules/mod_vhost_alias.so 284 285# caching proxy 286# LoadModule proxy_module /usr/libexec/httpd/modules/libproxy.so 287 288# 289# Include extra module configuration files 290# 291Include /var/www/conf/modules/*.conf 292 293# 294# ExtendedStatus controls whether httpd will generate "full" status 295# information (ExtendedStatus On) or just basic information (ExtendedStatus 296# Off) when the "server-status" handler is called. The default is Off. 297# 298#ExtendedStatus On 299 300### Section 2: 'Main' server configuration 301# 302# The directives in this section set up the values used by the 'main' 303# server, which responds to any requests that aren't handled by a 304# <VirtualHost> definition. These values also provide defaults for 305# any <VirtualHost> containers you may define later in the file. 306# 307# All of these directives may appear inside <VirtualHost> containers, 308# in which case these default settings will be overridden for the 309# virtual host being defined. 310# 311 312# 313# If your ServerType directive (set earlier in the 'Global Environment' 314# section) is set to "inetd", the next few directives don't have any 315# effect since their settings are defined by the inetd configuration. 316# Skip ahead to the ServerAdmin directive. 317# 318 319# 320# Port: The port to which the standalone server listens. For 321# ports < 1023, you will need httpd to be run as root initially. 322# NOTE: Do not use Port, use the "Listen" directive above! 323# 324#Port 80 325 326## 327## SSL Support 328## 329## When we also provide SSL we have to listen to the 330## standard HTTP port (see above) and to the HTTPS port 331## 332<IfDefine SSL> 333Listen :: 443 334Listen 0.0.0.0 443 335</IfDefine> 336 337# 338# If you wish httpd to run as a different user or group, you must run 339# httpd as root initially and it will switch. 340# 341# User/Group: The name (or #number) of the user/group to run httpd as. 342# . On SCO (ODT 3) use "User nouser" and "Group nogroup". 343# . On HPUX you may not be able to use shared memory as nobody, and the 344# suggested workaround is to create a user www and use that user. 345# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) 346# when the value of (unsigned)Group is above 60000; 347# don't use Group #-1 on these systems! 348# On OpenBSD or MirOS, use user www, group www. 349# 350User www 351Group www 352 353# 354# ServerAdmin: Your address, where problems with the server should be 355# e-mailed. This address appears on some server-generated pages, such 356# as error documents. 357# 358ServerAdmin you@your.address.invalid 359 360# 361# ServerName allows you to set a host name which is sent back to clients for 362# your server if it's different than the one the program would get (i.e., use 363# "www" instead of the host's real name). 364# 365# Note: You cannot just invent host names and hope they work. The name you 366# define here must be a valid DNS name for your host. If you don't understand 367# this, ask your network administrator. 368# If your host doesn't have a registered DNS name, enter its IP address here. 369# You will have to access it by its address (e.g., http://123.45.67.89/) 370# anyway, and this will make redirections work in a sensible way. 371# 372# 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your 373# machine always knows itself by this address. If you use httpd strictly for 374# local testing and development, you may use 127.0.0.1 as the server name. 375# 376#ServerName www.example.com 377 378# 379# DocumentRoot: The directory out of which you will serve your 380# documents. By default, all requests are taken from this directory, but 381# symbolic links and aliases may be used to point to other locations. 382# 383DocumentRoot "/var/www/htdocs" 384 385# 386# Each directory to which httpd has access can be configured with respect 387# to which services and features are allowed and/or disabled in that 388# directory (and its subdirectories). 389# 390# First, we configure the "default" to be a very restrictive set of 391# permissions. 392# 393<Directory /> 394 Options FollowSymLinks 395 AllowOverride None 396</Directory> 397 398# 399# Note that from this point forward you must specifically allow 400# particular features to be enabled - so if something's not working as 401# you might expect, make sure that you have specifically enabled it 402# below. 403# 404 405# 406# This should be changed to whatever you set DocumentRoot to. 407# 408<Directory "/var/www/htdocs"> 409 410# 411# This may also be "None", "All", or any combination of "Indexes", 412# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews". 413# 414# Note that "MultiViews" must be named *explicitly* --- "Options All" 415# doesn't give it to you. 416# 417 Options Indexes FollowSymLinks ExecCGI 418 419# 420# This controls which options the .htaccess files in directories can 421# override. Can also be "All", or any combination of "Options", "FileInfo", 422# "AuthConfig", and "Limit" 423# 424 AllowOverride None 425 426# 427# Controls who can get stuff from this server. 428# 429 Order allow,deny 430 Allow from all 431</Directory> 432 433# 434# UserDir: The directory which is prepended onto a users username, within 435# which a users's web pages are looked for if a ~user request is received. 436# Relative pathes are relative to the user's home directory. 437# 438# "disabled" turns this feature off. 439# 440# Since httpd will chroot(2) to the ServerRoot path by default, 441# you should use 442# UserDir /var/www/users 443# and create per user directories in /var/www/users/<username> 444# 445# On MirOS, suexec(8) is configured to look for user directories 446# in ~user/pub/ once enabled. This won't work with chrooted 447# operation, so you need to recompile your httpd in that case. 448# 449#UserDir pub 450UserDir disabled 451 452# 453# Control access to UserDir directories. The following is an example 454# for a site where these directories are restricted to read-only and 455# are located under /users/<username> 456# You will need to change this to match your site's home directories. 457# 458#<Directory /users/*> 459#<Directory /home/*/pub> 460# AllowOverride FileInfo AuthConfig Limit Options 461# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec 462# <Limit GET POST OPTIONS PROPFIND> 463# Order allow,deny 464# Allow from all 465# </Limit> 466# <LimitExcept GET POST OPTIONS PROPFIND> 467# Order deny,allow 468# Deny from all 469# </LimitExcept> 470#</Directory> 471 472# 473# DirectoryIndex: Name of the file or files to use as a pre-written HTML 474# directory index. Separate multiple entries with spaces. 475# 476DirectoryIndex index.cgi index.php index.htm default.htm index.html 477 478# 479# AccessFileName: The name of the file to look for in each directory 480# for access control information. 481# 482AccessFileName .htaccess 483 484# 485# The following lines prevent .htaccess files from being viewed by 486# Web clients. Since .htaccess files often contain authorization 487# information, access is disallowed for security reasons. Comment 488# these lines out if you want Web visitors to see the contents of 489# .htaccess files. If you change the AccessFileName directive above, 490# be sure to make the corresponding changes here. 491# 492# Also, folks tend to use names such as .htpasswd for password 493# files, so this will protect those as well. 494# 495<Files ~ "^\.ht"> 496 Order allow,deny 497 Deny from all 498 Satisfy All 499</Files> 500 501# 502# CacheNegotiatedDocs: By default, httpd sends "Pragma: no-cache" with each 503# document that was negotiated on the basis of content. This asks proxy 504# servers not to cache the document. Uncommenting the following line disables 505# this behavior, and proxies will be allowed to cache the documents. 506# 507#CacheNegotiatedDocs 508 509# 510# UseCanonicalName: (new for 1.3) With this setting turned on, whenever 511# httpd needs to construct a self-referencing URL (a URL that refers back 512# to the server the response is coming from) it will use ServerName and 513# Port to form a "canonical" name. With this setting off, httpd will 514# use the hostname:port that the client supplied, when possible. This 515# also affects SERVER_NAME and SERVER_PORT in CGI scripts. 516# 517UseCanonicalName Off 518 519# 520# TypesConfig describes where the mime.types file (or equivalent) is 521# to be found. 522# 523TypesConfig conf/mime.types 524 525# 526# DefaultType is the default MIME type the server will use for a document 527# if it cannot otherwise determine one, such as from filename extensions. 528# If your server contains mostly text or HTML documents, "text/plain" is 529# a good value. If most of your content is binary, such as applications 530# or images, you may want to use "application/octet-stream" instead to 531# keep browsers from trying to display binary files as though they are 532# text. 533# 534#DefaultType text/plain 535DefaultType application/octet-stream 536 537# 538# The mod_mime_magic module allows the server to use various hints from the 539# contents of the file itself to determine its type. The MIMEMagicFile 540# directive tells the module where the hint definitions are located. 541# mod_mime_magic is not part of the default server (you have to add 542# it yourself with a LoadModule [see the DSO paragraph in the 'Global 543# Environment' section], or recompile the server and include mod_mime_magic 544# as part of the configuration), so it's enclosed in an <IfModule> container. 545# This means that the MIMEMagicFile directive will only be processed if the 546# module is part of the server. 547# 548<IfModule mod_mime_magic.c> 549 MIMEMagicFile conf/magic 550</IfModule> 551 552# 553# HostnameLookups: Log the names of clients or just their IP addresses 554# e.g., mirbsd.de (on) or 204.62.129.132 (off). 555# The default is off because it'd be overall better for the net if people 556# had to knowingly turn this feature on, since enabling it means that 557# each client request will result in AT LEAST one lookup request to the 558# nameserver. 559# 560# See also combinedlookup under LogFormat 561# 562HostnameLookups Off 563 564# 565# ErrorLog: The location of the error log file. 566# If you do not specify an ErrorLog directive within a <VirtualHost> 567# container, error messages relating to that virtual host will be 568# logged here. If you *do* define an error logfile for a <VirtualHost> 569# container, that host's errors will be logged there and not here. 570# Either a filename or the text "syslog:" followed by a facility 571# name may be specified here. 572# 573#ErrorLog syslog:daemon 574ErrorLog logs/error_log 575 576# 577# LogLevel: Control the number of messages logged to the error_log. 578# Possible values include: debug, info, notice, warn, error, crit, 579# alert, emerg. 580# 581LogLevel warn 582 583# 584# The following directives define some format nicknames for use with 585# a CustomLog directive (see below). 586# 587LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 588LogFormat "%h %l %u %t %{SSL_PROTOCOL}x:%{SSL_CIPHER}x:%{address-family}n\"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedssl 589LogFormat "%h/%a %l %u %t %{SSL_PROTOCOL}x:%{SSL_CIPHER}x:%{address-family}n\"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedlookup 590LogFormat "%h %l %u %t \"%r\" %>s %b" common 591LogFormat "%{Referer}i -> %U" referer 592LogFormat "%{User-agent}i" agent 593 594# 595# The location and format of the access logfile (Common Logfile Format). 596# If you do not define any access logfiles within a <VirtualHost> 597# container, they will be logged here. Contrariwise, if you *do* 598# define per-<VirtualHost> access logfiles, transactions will be 599# logged therein and *not* in this file. 600# 601#CustomLog logs/access_log common 602 603# 604# If you would like to have agent and referer logfiles, uncomment the 605# following directives. 606# 607#CustomLog logs/referer_log referer 608#CustomLog logs/agent_log agent 609 610# 611# If you prefer a single logfile with access, agent, and referer information 612# (Combined Logfile Format) you can use the following directive. 613# 614#CustomLog logs/access_log combined 615CustomLog logs/access_log combinedssl 616# Use this when setting HostnameLookups On 617#CustomLog logs/access_log combinedlookup 618 619# 620# Optionally add a line containing the server version and virtual host 621# name to server-generated pages (error documents, FTP directory listings, 622# mod_status and mod_info output etc., but not CGI generated documents). 623# Set to "EMail" to also include a mailto: link to the ServerAdmin. 624# Set to one of: On | Off | EMail 625# 626ServerSignature EMail 627 628# 629# Aliases: Add here as many aliases as you need (with no limit). The format is 630# Alias fakename realname 631# 632# Note that if you include a trailing / on fakename then the server will 633# require it to be present in the URL. So "/icons" isn't aliased in this 634# example, only "/icons/".. 635# 636Alias /icons/ "/var/www/icons/" 637 638<Directory "/var/www/icons"> 639 Options Indexes MultiViews 640 AllowOverride None 641 Order allow,deny 642 Allow from all 643</Directory> 644 645Alias /manual/ "/var/www/htdocs/manual/" 646 647<Directory "/var/www/htdocs/manual"> 648 Options Indexes FollowSymlinks MultiViews 649 AllowOverride None 650 Order allow,deny 651 Allow from all 652</Directory> 653 654# 655# ScriptAlias: This controls which directories contain server scripts. 656# ScriptAliases are essentially the same as Aliases, except that 657# documents in the realname directory are treated as applications and 658# run by the server when requested rather than as documents sent to the client. 659# The same rules about trailing "/" apply to ScriptAlias directives as to 660# Alias. 661# 662ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" 663 664# 665# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased 666# CGI directory exists, if you have that configured. 667# 668<Directory "/var/www/cgi-bin"> 669 AllowOverride None 670 Options None 671 Order allow,deny 672 Allow from all 673</Directory> 674 675# 676# Redirect allows you to tell clients about documents which used to exist in 677# your server's namespace, but do not anymore. This allows you to tell the 678# clients where to look for the relocated document. 679# Format: Redirect old-URI new-URL 680# 681 682# 683# Directives controlling the display of server-generated directory listings. 684# 685 686# 687# FancyIndexing is whether you want fancy directory indexing or standard 688# 689#IndexOptions FancyIndexing 690 691# 692# AddIcon* directives tell the server which icon to show for different 693# files or filename extensions. These are only displayed for 694# FancyIndexed directories. 695# 696AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip 697 698AddIconByType (TXT,/icons/text.gif) text/* 699AddIconByType (IMG,/icons/image2.gif) image/* 700AddIconByType (SND,/icons/sound2.gif) audio/* 701AddIconByType (VID,/icons/movie.gif) video/* 702 703AddIcon /icons/binary.gif .bin .exe 704AddIcon /icons/binhex.gif .hqx 705AddIcon /icons/tar.gif .tar 706AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv 707AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip 708AddIcon /icons/a.gif .ps .ai .eps 709AddIcon /icons/layout.gif .html .shtml .htm .pdf 710AddIcon /icons/text.gif .txt 711AddIcon /icons/c.gif .c 712AddIcon /icons/p.gif .pl .py 713AddIcon /icons/f.gif .for 714AddIcon /icons/dvi.gif .dvi 715AddIcon /icons/uuencoded.gif .uu 716AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl 717AddIcon /icons/tex.gif .tex 718AddIcon /icons/bomb.gif core 719 720AddIcon /icons/back.gif .. 721AddIcon /icons/hand.right.gif README 722AddIcon /icons/folder.gif ^^DIRECTORY^^ 723AddIcon /icons/blank.gif ^^BLANKICON^^ 724 725# 726# DefaultIcon is which icon to show for files which do not have an icon 727# explicitly set. 728# 729DefaultIcon /icons/unknown.gif 730 731# 732# AddDescription allows you to place a short description after a file in 733# server-generated indexes. These are only displayed for FancyIndexed 734# directories. 735# Format: AddDescription "description" filename 736# 737#AddDescription "GZIP compressed document" .gz 738#AddDescription "tar archive" .tar 739#AddDescription "GZIP compressed tar archive" .tgz 740 741# 742# ReadmeName is the name of the README file the server will look for by 743# default, and append to directory listings. 744# 745# HeaderName is the name of a file which should be prepended to 746# directory indexes. 747# 748ReadmeName README 749HeaderName HEADER 750 751# 752# IndexIgnore is a set of filenames which directory indexing should ignore 753# and not include in the listing. Shell-style wildcarding is permitted. 754# 755IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t 756 757# 758# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress 759# information on the fly. Note: Not all browsers support this. 760# Despite the name similarity, the following Add* directives have nothing 761# to do with the FancyIndexing customization directives above. 762# 763AddEncoding x-compress .Z 764AddEncoding x-gzip .gz 765 766# 767# AddLanguage allows you to specify the language of a document. You can 768# then use content negotiation to give a browser a file in a language 769# it can understand. 770# 771# Note 1: The suffix does not have to be the same as the language 772# keyword --- those with documents in Polish (whose net-standard 773# language code is pl) may wish to use "AddLanguage pl .po" to 774# avoid the ambiguity with the common suffix for perl scripts. 775# 776# Note 2: The example entries below illustrate that in quite 777# some cases the two character 'Language' abbreviation is not 778# identical to the two character 'Country' code for its country, 779# E.g. 'Danmark/dk' versus 'Danish/da'. 780# 781# Note 3: In the case of 'ltz' we violate the RFC by using a three char 782# specifier. But there is 'work in progress' to fix this and get 783# the reference data for rfc1766 cleaned up. 784# 785# Danish (da) - Dutch (nl) - English (en) - Estonian (ee) 786# French (fr) - German (de) - Greek-Modern (el) 787# Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn) 788# Portugese (pt) - Luxembourgeois* (ltz) 789# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cs) 790# Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja) 791# Russian (ru) 792# 793AddLanguage da .dk 794AddLanguage nl .nl 795AddLanguage en .en 796AddLanguage et .ee 797AddLanguage fr .fr 798AddLanguage de .de 799AddLanguage el .el 800AddLanguage he .he 801AddCharset ISO-8859-8 .iso8859-8 802AddLanguage it .it 803AddLanguage ja .ja 804AddCharset ISO-2022-JP .jis 805AddLanguage kr .kr 806AddCharset ISO-2022-KR .iso-kr 807AddLanguage nn .nn 808AddLanguage no .no 809AddLanguage pl .po 810AddCharset ISO-8859-2 .iso-pl 811AddLanguage pt .pt 812AddLanguage pt-br .pt-br 813AddLanguage ltz .lu 814AddLanguage ca .ca 815AddLanguage es .es 816AddLanguage sv .sv 817AddLanguage cs .cz .cs 818AddLanguage ru .ru 819AddLanguage zh-TW .zh-tw 820AddCharset Big5 .Big5 .big5 821AddCharset WINDOWS-1251 .cp-1251 822AddCharset CP866 .cp866 823AddCharset ISO-8859-5 .iso-ru 824AddCharset KOI8-R .koi8-r 825AddCharset UCS-2 .ucs2 826AddCharset UCS-4 .ucs4 827AddCharset UTF-8 .utf8 828 829# 830# LanguagePriority allows you to give precedence to some languages 831# in case of a tie during content negotiation. 832# Just list the languages in decreasing order of preference. We have 833# more or less alphabetized them here. You probably want to change this. 834# 835LanguagePriority en de da nl et fr el it ja kr no pl pt pt-br ru ltz ca es sv tw 836 837# 838# AddType allows you to tweak mime.types without actually editing it, or to 839# make certain files to be certain types. 840# 841# For example, the PHP module (not part of the httpd distribution) 842# will typically use: 843# 844#AddType application/x-httpd-php .php 845AddType application/x-tar .tgz 846AddType application/x-cpio .cgz 847AddType application/x-bittorrent .torrent 848AddType application/x-x509-ca-cert .cer .crt .pem 849 850# 851# AddHandler allows you to map certain file extensions to "handlers", 852# actions unrelated to filetype. These can be either built into the server 853# or added with the Action command (see below) 854# 855# If you want to use server side includes, or CGI outside 856# ScriptAliased directories, uncomment the following lines. 857# 858# To use CGI scripts: 859# 860AddHandler cgi-script .cgi 861 862# 863# To use server-parsed HTML files 864# 865#AddType text/html .shtml 866#AddHandler server-parsed .shtml 867 868# 869# Uncomment the following line to enable httpd's send-asis HTTP file 870# feature 871# 872#AddHandler send-as-is asis 873 874# 875# If you wish to use server-parsed imagemap files, use 876# 877#AddHandler imap-file map 878 879# 880# To enable type maps, you might want to use 881# 882#AddHandler type-map var 883 884# 885# Action lets you define media types that will execute a script whenever 886# a matching file is called. This eliminates the need for repeated URL 887# pathnames for oft-used CGI file processors. 888# Format: Action media/type /cgi-script/location 889# Format: Action handler-name /cgi-script/location 890# 891 892# 893# MetaDir: specifies the name of the directory in which httpd can find 894# meta information files. These files contain additional HTTP headers 895# to include when sending the document 896# 897#MetaDir .web 898 899# 900# MetaSuffix: specifies the file name suffix for the file containing the 901# meta information. 902# 903#MetaSuffix .meta 904 905# 906# Customizable error response (httpd style) 907# these come in three flavors 908# 909# 1) plain text 910#ErrorDocument 500 "The server made a boo boo. 911# n.b. the (") marks it as text, it does not get output 912# 913# 2) local redirects 914#ErrorDocument 404 /missing.html 915# to redirect to local URL /missing.html 916#ErrorDocument 404 /cgi-bin/missing_handler.pl 917# N.B.: You can redirect to a script or a document using server-side-includes. 918# 919# 3) external redirects 920#ErrorDocument 402 http://www.example.com/subscription_info.html 921# N.B.: Many of the environment variables associated with the original 922# request will *not* be available to such a script. 923 924# 925# The following directives modify normal HTTP response behavior. 926# The first directive disables keepalive for Netscape 2.x and browsers that 927# spoof it. There are known problems with these browser implementations. 928# The second directive is for Microsoft Internet Explorer 4.0b2 929# which has a broken HTTP/1.1 implementation and does not properly 930# support keepalive when it is used on 301 or 302 (redirect) responses. 931# 932BrowserMatch "Mozilla/2" nokeepalive 933BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 934 935# 936# The following directive disables HTTP/1.1 responses to browsers which 937# are in violation of the HTTP/1.0 spec by not being able to grok a 938# basic 1.1 response. 939# 940BrowserMatch "RealPlayer 4\.0" force-response-1.0 941BrowserMatch "Java/1\.0" force-response-1.0 942BrowserMatch "JDK/1\.0" force-response-1.0 943# 944# Some intermediate versions of /usr/bin/ftp claimed to support HTTP/1.1 945# while they did not implement support for the chunked encoding; current 946# versions back that out and only claim to support HTTP/1.0; future ver- 947# sions that fix this bug will have to change the user agent string. 948# 949BrowserMatch "MirOS ftp" downgrade-1.0 force-response-1.0 950BrowserMatch "OpenBSD ftp" downgrade-1.0 force-response-1.0 951 952# 953# These get the general type of the browser used, for SSL later. 954# 955BrowserMatch "^Mozilla" isBrowser=nn 956BrowserMatch "MSIE" isBrowser=msie 957BrowserMatch "Lynx/" isBrowser=lynx 958 959# 960# Allow server status reports, with the URL of http://servername/server-status 961# Change the ".example.com" to match your domain to enable. 962# 963#<Location /server-status> 964# SetHandler server-status 965# Order deny,allow 966# Deny from all 967# Allow from .example.com 968#</Location> 969 970# 971# Allow remote server configuration reports, with the URL of 972# http://servername/server-info (requires that mod_info.c be loaded). 973# Change the ".example.com" to match your domain to enable. 974# 975#<Location /server-info> 976# SetHandler server-info 977# Order deny,allow 978# Deny from all 979# Allow from .example.com 980#</Location> 981 982# 983# Proxy Server directives. Uncomment the following lines to 984# enable the proxy server: 985# 986#<IfModule mod_proxy.c> 987#ProxyRequests On 988# 989#<Directory proxy:*> 990# Order deny,allow 991# Deny from all 992# Allow from .your_domain.com 993#</Directory> 994 995# 996# Enable/disable the handling of HTTP/1.1 "Via:" headers. 997# ("Full" adds the server version; "Block" removes all outgoing Via: headers) 998# Set to one of: Off | On | Full | Block 999# 1000#ProxyVia On 1001 1002# 1003# To enable the cache as well, edit and uncomment the following lines: 1004# (no cacheing without CacheRoot) 1005# 1006#CacheRoot "/var/www/proxy" 1007#CacheSize 5 1008#CacheGcInterval 4 1009#CacheMaxExpire 24 1010#CacheLastModifiedFactor 0.1 1011#CacheDefaultExpire 1 1012#NoCache a_domain.com another_domain.edu joes.garage_sale.com 1013 1014#</IfModule> 1015# End of proxy directives. 1016 1017### Section 3: Virtual Hosts 1018# 1019# VirtualHost: If you want to maintain multiple domains/hostnames on your 1020# machine you can setup VirtualHost containers for them. 1021# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/> 1022# for further details before you try to setup virtual hosts. 1023# You may use the command line option '-S' to verify your virtual host 1024# configuration. 1025 1026# ATTENTION: Since httpd supports IPv6 operation, configuration of 1027# virtual hosts heavily deviates from other similar webservers and 1028# is not exactly straight-forward. Wildcards usually don't work. 1029 1030# 1031# If you want to use name-based virtual hosts you need to define at 1032# least one IP address (and port number) for them. 1033# 1034#NameVirtualHost 12.34.56.78:80 1035#NameVirtualHost 12.34.56.78 1036 1037# 1038# VirtualHost example: 1039# Almost any httpd directive may go into a VirtualHost container. 1040# 1041#<VirtualHost ip.address.of.host.example.com> 1042# ServerAdmin webmaster@host.example.com 1043# DocumentRoot /www/docs/host.example.com 1044# ServerName host.example.com 1045# ErrorLog logs/host.example.com-error_log 1046# CustomLog logs/host.example.com-access_log common 1047#</VirtualHost> 1048 1049#<VirtualHost _default_:*> 1050#</VirtualHost> 1051 1052 1053## 1054## SSL Global Context 1055## 1056## All SSL configuration in this context applies both to 1057## the main server and all SSL-enabled virtual hosts. 1058## 1059 1060# 1061# Some MIME-types for downloading Certificates and CRLs 1062# 1063<IfDefine SSL> 1064AddType application/x-x509-ca-cert .cer 1065AddType application/x-pkcs7-crl .crl 1066</IfDefine> 1067 1068<IfModule mod_ssl.c> 1069 1070# Pass Phrase Dialog: 1071# Configure the pass phrase gathering process. 1072# The filtering dialog program ('builtin' is a internal 1073# terminal dialog) has to provide the pass phrase on stdout. 1074SSLPassPhraseDialog builtin 1075 1076# Inter-Process Session Cache: 1077# Configure the SSL Session Cache: First either 'none' 1078# or 'dbm:/path/to/file' for the mechanism to use and 1079# second the expiring timeout (in seconds). 1080SSLSessionCache dbm:logs/ssl_scache 1081SSLSessionCacheTimeout 300 1082 1083# Semaphore: 1084# Configure the path to the mutual exclusion semaphore the 1085# SSL engine uses internally for inter-process synchronization. 1086SSLMutex sem 1087 1088# Pseudo Random Number Generator (PRNG): 1089# Configure one or more sources to seed the PRNG of the 1090# SSL library. The seed data should be of good random quality. 1091#SSLRandomSeed startup builtin 1092#SSLRandomSeed connect builtin 1093#SSLRandomSeed startup file:/dev/urandom 32 1094#SSLRandomSeed connect file:/dev/urandom 32 1095 1096# Logging: 1097# The home of the dedicated SSL protocol logfile. Errors are 1098# additionally duplicated in the general error log file. Put 1099# this somewhere where it cannot be used for symlink attacks on 1100# a real server (i.e. somewhere where only root can write). 1101# Log levels are (ascending order: higher ones include lower ones): 1102# none, error, warn, info, trace, debug. 1103SSLLog logs/ssl_engine_log 1104SSLLogLevel info 1105 1106</IfModule> 1107 1108<IfDefine SSL> 1109 1110## 1111## SSL Virtual Host Context 1112## 1113 1114<VirtualHost _default_:443> 1115# ATTENTION: this uses the sendmail(8) certs by default! 1116 1117# General setup for the virtual host 1118DocumentRoot /var/www/htdocs 1119#ServerName new.host.name 1120#ServerAdmin you@your.address 1121ErrorLog logs/error_log 1122#TransferLog logs/access_log 1123CustomLog logs/access_log combinedssl 1124# Use this when setting HostnameLookups On 1125#CustomLog logs/access_log combinedlookup 1126 1127# SSL Engine Switch: 1128# Enable/Disable SSL for this virtual host. 1129SSLEngine on 1130 1131# SSL Protocol Selection: 1132# Configure usable SSL protocol flavours. 1133SSLProtocol All -SSLv2 1134#SSLProtocol TLSv1 1135 1136# SSL Cipher Suite: 1137# List the ciphers that the client is permitted to negotiate. 1138# See the mod_ssl documentation for a complete list. 1139# Remove :ECDHE-RSA-RC4-SHA:RC4-SHA if MSIE compatibility is not required. 1140SSLCipherSuite kEECDH+aRSA:kEDH+aRSA:!COMPLEMENTOFDEFAULT:!ADH:!AECDH:-MEDIUM:!LOW:!EXPORT:!aNULL:!eNULL:EDH-DSS-DES-CBC3-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA 1141 1142# HTTPS SERVER CERTIFICATE/KEY/CA 1143 1144# Server Certificate: 1145# Point SSLCertificateFile at a PEM encoded certificate. If 1146# the certificate is encrypted, then you will be prompted for a 1147# pass phrase. Note that a kill -HUP will prompt again. 1148SSLCertificateFile /etc/ssl/default.cer 1149 1150# Server Private Key: 1151# If the key is not combined with the certificate, use this 1152# directive to point at the key file. 1153SSLCertificateKeyFile /etc/ssl/private/default.key 1154 1155# Server Certificate Chain: 1156# Point SSLCertificateChainFile at a file containing the 1157# concatenation of PEM encoded CA certificates which form the 1158# certificate chain for the server certificate. Alternatively 1159# the referenced file can be the same as SSLCertificateFile 1160# when the CA certificates are directly appended to the server 1161# certificate for convenience. 1162# Since these are sent to the client, it MUST NOT be the same 1163# as SSLCACertificateFile or a concatenation of all files from 1164# the SSLCACertificatePath but ONLY the chain of Root CA and 1165# intermediate certs required to validate SSLCertificateFile. 1166SSLCertificateChainFile /etc/ssl/deflt-ca.cer 1167 1168# HTTPS CLIENT CERTIFICATE/CA/CRL 1169 1170# Certificate Authority (CA): 1171# Set the CA certificate verification path where to find CA 1172# certificates for client authentication or alternatively one 1173# huge file containing all of them (file must be PEM encoded). 1174# These probably will not be used in constructing a CA chain 1175# should SSLCertificateChainFile be absent, even though the 1176# mod_ssl documentation indicates this! 1177# Note: Inside SSLCACertificatePath you need hash symlinks 1178# to point to the certificate files. Use the provided 1179# Makefile to update the hash symlinks after changes. 1180SSLCACertificatePath /etc/ssl/certs 1181#SSLCACertificateFile /etc/ssl/all-ca.pem 1182 1183# Certificate Revocation Lists (CRL): 1184# Set the CA revocation path where to find CA CRLs for client 1185# authentication or alternatively one huge file containing all 1186# of them (file must be PEM encoded) 1187# Note: Inside SSLCARevocationPath you need hash symlinks 1188# to point to the certificate files. 1189#SSLCARevocationPath /etc/ssl/crls 1190#SSLCARevocationFile /etc/ssl/all-crl.pem 1191 1192# Client Authentication (Type): 1193# Client certificate verification type and depth. Types are 1194# none, optional, require and optional_no_ca. Depth is a 1195# number which specifies how deeply to verify the certificate 1196# issuer chain before deciding the certificate is not valid. 1197#SSLVerifyClient require 1198#SSLVerifyDepth 10 1199 1200# Access Control: 1201# With SSLRequire you can do per-directory access control based 1202# on arbitrary complex boolean expressions containing server 1203# variable checks and other lookup directives. The syntax is a 1204# mixture between C and Perl. See the mod_ssl documentation 1205# for more details. 1206#<Location /> 1207#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ 1208# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ 1209# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ 1210# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ 1211# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ 1212# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ 1213#</Location> 1214 1215# SSL Engine Options: 1216# Set various options for the SSL engine. 1217# o FakeBasicAuth: 1218# Translate the client X.509 into a Basic Authorisation. This means that 1219# the standard Auth/DBMAuth methods can be used for access control. The 1220# user name is the 'one line' version of the client's X.509 certificate. 1221# Note that no password is obtained from the user. Every entry in the user 1222# file needs this password: 'xxj31ZMTZzkVA'. 1223# o ExportCertData: 1224# This exports two additional environment variables: SSL_CLIENT_CERT and 1225# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the 1226# server (always existing) and the client (only existing when client 1227# authentication is used). This can be used to import the certificates 1228# into CGI scripts. 1229# o StdEnvVars: 1230# This exports the standard SSL/TLS related 'SSL_*' environment variables. 1231# Per default this exportation is switched off for performance reasons, 1232# because the extraction step is an expensive operation and is usually 1233# useless for serving static content. So one usually enables the 1234# exportation for CGI and SSI requests only. 1235# o CompatEnvVars: 1236# This exports obsolete environment variables for backward compatibility 1237# to Apache(TM)-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. 1238# Use this to provide compatibility to existing CGI scripts. 1239# o StrictRequire: 1240# This denies access when "SSLRequireSSL" or "SSLRequire" applied even 1241# under a "Satisfy any" situation, i.e. when it applies access is denied 1242# and no other module can change it. 1243# o OptRenegotiate: 1244# This enables optimized SSL connection renegotiation handling when SSL 1245# directives are used in per-directory context. 1246SSLOptions +FakeBasicAuth +ExportCertData 1247#SSLOptions +StdEnvVars +CompatEnvVars +StrictRequire +OptRenegotiate 1248 1249<Files ~ "\.(cgi|shtml|phtml|pl|sh|php|php3|php?)$"> 1250 SSLOptions +StdEnvVars 1251</Files> 1252<Directory "/var/www/cgi-bin"> 1253 SSLOptions +StdEnvVars 1254</Directory> 1255 1256# SSL Protocol Adjustments: 1257# The safe and default but still SSL/TLS standard compliant shutdown 1258# approach is that mod_ssl sends the close notify alert but doesn't wait for 1259# the close notify alert from client. When you need a different shutdown 1260# approach you can use one of the following variables: 1261# o ssl-unclean-shutdown: 1262# This forces an unclean shutdown when the connection is closed, i.e. no 1263# SSL close notify alert is send or allowed to received. This violates 1264# the SSL/TLS standard but is needed for some brain-dead browsers. Use 1265# this when you receive I/O errors because of the standard approach where 1266# mod_ssl sends the close notify alert. 1267# o ssl-accurate-shutdown: 1268# This forces an accurate shutdown when the connection is closed, i.e. a 1269# SSL close notify alert is send and mod_ssl waits for the close notify 1270# alert of the client. This is 100% SSL/TLS standard compliant, but in 1271# practice often causes hanging connections with brain-dead browsers. Use 1272# this only for browsers where you know that their SSL implementation 1273# works correctly. 1274# Note: Most problems of broken clients are also related to the HTTP 1275# keep-alive facility, so you usually additionally want to disable 1276# these too (see the BrowserMatch section above). 1277SetEnvIf isBrowser msie ssl-unclean-shutdown 1278 1279</VirtualHost> 1280 1281</IfDefine> 1282