Dear all, I don't seem to be able to make apache-ssl authentication work anymore after I switched my server to the new debian stable release code named sarge (containing apache-ssl 1.3.3) . Upon login with a browser I will be queried for the password, but the dialog box just comes back up. /var/log/apache-ssl/error.log tells me: [error] user USERNAME not found: /~USERNAME I'm not very familiar with the config and honestly haven't touched it in a year or two ... so I'm at a loss and would appreciate any comments on the appended config files (/etc/apache-ssl/modules.conf, /etc/apache-ssl/httpd.conf). Thanks for any insight, Joh /etc/apache-ssl/modules.conf: # Autogenerated file - do not edit! # This file is maintained by the apache-ssl package. # To update it, run the command: # /usr/sbin/apache-modconf apache-ssl ClearModuleList AddModule mod_so.c AddModule mod_macro.c LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so LoadModule mime_magic_module /usr/lib/apache/1.3/mod_mime_magic.so LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so LoadModule status_module /usr/lib/apache/1.3/mod_status.so LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so LoadModule alias_module /usr/lib/apache/1.3/mod_alias.so LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so LoadModule access_module /usr/lib/apache/1.3/mod_access.so LoadModule expires_module /usr/lib/apache/1.3/mod_expires.so LoadModule unique_id_module /usr/lib/apache/1.3/mod_unique_id.so LoadModule setenvif_module /usr/lib/apache/1.3/mod_setenvif.so LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so LoadModule sys_auth_module /usr/lib/apache/1.3/mod_auth_sys.so /etc/apache-ssl/httpd.conf: ## ## httpd.conf -- Apache HTTP server configuration file ## # # Based upon the NCSA server configuration files originally by Rob McCool. # # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. # See <URL:http://www.apache.org/docs/> for detailed information about # the directives. # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # # After this file is processed, the server will look for and process # /etc/apache-ssl/srm.conf and then /etc/apache-ssl/access.conf # unless you have overridden these with ResourceConfig and/or # AccessConfig directives here. # # The configuration directives are grouped into three basic sections: # 1. Directives that control the operation of the Apache server process as a # whole (the 'global environment'). # 2. Directives that define the parameters of the 'main' or 'default' server, # which responds to requests that aren't handled by a virtual host. # These directives also provide default values for the settings # of all virtual hosts. # 3. Settings for virtual hosts, which allow Web requests to be sent to # different IP addresses or hostnames and have them handled by the # same Apache server process. # # Configuration and logfile names: If the filenames you specify for many # of the server's control files begin with "/" (or "drive:/" for Win32), the # server will use that explicit path. If the filenames do *not* begin # with "/", the value of ServerRoot is prepended -- so "logs/foo.log" # with ServerRoot set to "/usr/local/apache" will be interpreted by the # server as "/usr/local/apache/logs/foo.log". # ### Section 1: Global Environment # # The directives in this section affect the overall operation of Apache, # such as the number of concurrent requests it can handle or where it # can find its configuration files. # # # ServerType is either inetd, or standalone. Inetd mode is only supported on # Unix platforms. # SSL Servers MUST be standalone, currently. # ServerType standalone # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept, unless they are specified # with an absolute path. # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the LockFile documentation # (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>); # you will save yourself a lot of trouble. # # Do NOT add a slash at the end of the directory path. # ServerRoot /etc/apache-ssl # # The LockFile directive sets the path to the lockfile used when Apache # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at # its default value. The main reason for changing it is if the logs # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL # DISK. The PID of the main server process is automatically appended to # the filename. # LockFile /var/lock/apache.lock # # PidFile: The file in which the server should record its process # identification number when it starts. # PidFile /var/run/apache-ssl.pid # # ScoreBoardFile: File used to store internal server process information. # Not all architectures require this. But if yours does (you'll know because # this file will be created when you run Apache) then you *must* ensure that # no two invocations of Apache share the same scoreboard file. # ScoreBoardFile /var/run/apache-ssl.scoreboard # # In the standard configuration, the server will process this file, # srm.conf, and access.conf in that order. The latter two files are # now distributed empty, as it is recommended that all directives # be kept in a single file for simplicity. The commented-out values # below are the built-in defaults. You can have the server ignore # these files altogether by using "/dev/null" (for Unix) or # "nul" (for Win32) for the arguments to the directives. # #ResourceConfig /etc/apache-ssl/srm.conf #AccessConfig /etc/apache-ssl/access.conf # # Timeout: The number of seconds before receives and sends time out. # Timeout 300 # # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. # KeepAlive On # # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We recommend you leave this number high, for maximum performance. # MaxKeepAliveRequests 100 # # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. # KeepAliveTimeout 15 # # Server-pool size regulation. Rather than making you guess how many # server processes you need, Apache dynamically adapts to the load it # sees --- that is, it tries to maintain enough server processes to # handle the current load, plus a few spare servers to handle transient # load spikes (e.g., multiple simultaneous requests from a single # Netscape browser). # # It does this by periodically checking how many servers are waiting # for a request. If there are fewer than MinSpareServers, it creates # a new spare. If there are more than MaxSpareServers, some of the # spares die off. The default values are probably OK for most sites. # MinSpareServers 1 MaxSpareServers 10 # # Number of servers to start initially --- should be a reasonable ballpark # figure. # StartServers 1 # # Limit on total number of servers running, i.e., limit on the number # of clients who can simultaneously connect --- if this limit is ever # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW. # It is intended mainly as a brake to keep a runaway server from taking # the system with it as it spirals down... # MaxClients 150 # # MaxRequestsPerChild: the number of requests each child process is # allowed to process before the child dies. The child will exit so # as to avoid problems after prolonged use when Apache (and maybe the # libraries it uses) leak memory or other resources. On most systems, this # isn't really needed, but a few (such as Solaris) do have notable leaks # in the libraries. For these platforms, set to something like 10000 # or so; a setting of 0 means unlimited. # # NOTE: This value does not include keepalive requests after the initial # request per connection. For example, if a child process handles # an initial request and 10 subsequent "keptalive" requests, it # would only count as 1 request towards this limit. # MaxRequestsPerChild 100 # # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, in addition to the default. See also the <VirtualHost> # directive. # #Listen 3000 #Listen 12.34.56.78:80 # # BindAddress: You can support virtual hosts with this option. This directive # is used to tell the server which IP address to listen to. It can either # contain "*", an IP address, or a fully qualified Internet domain name. # See also the <VirtualHost> and Listen directives. # #BindAddress * # # Dynamic Shared Object (DSO) Support # # To be able to use the functionality of a module which was built as a DSO you # have to place corresponding `LoadModule' lines at this location so the # directives contained in it are actually available _before_ they are used. # Please read the file README.DSO in the Apache 1.3 distribution for more # details about the DSO mechanism and run `apache -l' for the list of already # built-in (statically linked and thus always available) modules in your apache # binary. # # Please keep this LoadModule: line here, it is needed for installation. Include /etc/apache-ssl/modules.conf # # ExtendedStatus: controls whether Apache will generate "full" status # information (ExtendedStatus On) or just basic information (ExtendedStatus # Off) when the "server-status" handler is called. The default is Off. # ExtendedStatus On ### Section 2: 'Main' server configuration # # The directives in this section set up the values used by the 'main' # server, which responds to any requests that aren't handled by a # <VirtualHost> definition. These values also provide defaults for # any <VirtualHost> containers you may define later in the file. # # All of these directives may appear inside <VirtualHost> containers, # in which case these default settings will be overridden for the # virtual host being defined. # # # If your ServerType directive (set earlier in the 'Global Environment' # section) is set to "inetd", the next few directives don't have any # effect since their settings are defined by the inetd configuration. # Skip ahead to the ServerAdmin directive. # # # Port: The port to which the standalone server listens. For # ports < 1023, you will need apache to be run as root initially. # # The default port for SSL is 443... Port 443 # # If you wish apache to run as a different user or group, you must run # apacheas root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run apache as. # . On SCO (ODT 3) use "User nouser" and "Group nogroup". # . On HPUX you may not be able to use shared memory as nobody, and the # suggested workaround is to create a user www and use that user. # NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) # when the value of (unsigned)Group is above 60000; # don't use Group nobody on these systems! # User www-data Group www-data # # ServerAdmin: Your address, where problems with the server should be # e-mailed. This address appears on some server-generated pages, such # as error documents. # ServerAdmin webmaster@xxxxxxxxxxxxxxxx # # ServerName: allows you to set a host name which is sent back to clients for # your server if it's different than the one the program would get (i.e., use # "www" instead of the host's real name). # # Note: You cannot just invent host names and hope they work. The name you # define here must be a valid DNS name for your host. If you don't understand # this, ask your network administrator. # If your host doesn't have a registered DNS name, enter its IP address here. # You will have to access it by its address (e.g., http://123.45.67.89/) # anyway, and this will make redirections work in a sensible way. # ServerName aule.caltech.edu # # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # DocumentRoot /var/www # # Each directory to which Apache has access, can be configured with respect # to which services and features are allowed and/or disabled in that # directory (and its subdirectories). # # First, we configure the "default" to be a very restrictive set of # permissions. # <Directory /> Options SymLinksIfOwnerMatch AllowOverride None </Directory> # # Note that from this point forward you must specifically allow # particular features to be enabled - so if something's not working as # you might expect, make sure that you have specifically enabled it # below. # # # This should be changed to whatever you set DocumentRoot to. # <Directory /var/www/> # # This may also be "None", "All", or any combination of "Indexes", # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews". # # Note that "MultiViews" must be named *explicitly* --- "Options All" # doesn't give it to you. # Options Indexes Includes FollowSymLinks MultiViews # # This controls which options the .htaccess files in directories can # override. Can also be "All", or any combination of "Options", "FileInfo", # "AuthConfig", and "Limit" # AllowOverride None # # Controls who can get stuff from this server. # Order allow,deny Allow from all </Directory> # # UserDir: The name of the directory which is appended onto a user's home # directory if a ~user request is received. # <IfModule mod_userdir.c> UserDir "" </IfModule> # # Control access to UserDir directories. The following is an example # for a site where these directories are restricted to read-only. # # useful for troubleshooting rewrite rules: # RewriteLog "/var/log/apache-ssl/rewrite.log" # RewriteLogLevel 9 <Location ~ ^/~[^/]+$> # force a trailing slash on all userdir requests and while we # are at it be sure to force to own user's home directory. RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule ^/home/([^/]+) https://aule.caltech.edu/~%1/ [R] RewriteRule ^/home/([^/]+) https://aule.caltech.edu/~$1/ [R] </Location> <Directory /home/*> AuthType Basic AuthName "CALTECH Deshaies Lab Department of Biology Authorized Users ONLY" AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS PROPFIND> Order deny,allow Deny from all Allow from IP/SUBNET COMBOS require valid-user </Limit> <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> Order deny,allow Deny from all </Limit> # HACK to hide the other userdirs (security by obscurity!?!): # Always do an initial internal redirect to ~REMOTE_USER/<location> # unless the obscure hardcoded '7d2fe113439cd4199f40d063c97fed01' # query string is passed in as an argument (unlikely but possible). # After the initial redirect the query string now has our secret # key and thus will not rewrite again # Unfortunately we had to do this hack to avoid from having an # infinite loop when forcing the the rewrite a la: # RewriteRule ^/home/[^/]+(.*) /~%1$1 [L] RewriteEngine on RewriteCond %{QUERY_STRING} ! ^7d2fe113439cd4199f40d063c97fed01$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule ^/home/[^/]+/+(.*) /~% 1/$1?7d2fe113439cd4199f40d063c97fed01 </Directory> # # DirectoryIndex: Name of the file or files to use as a pre-written HTML # directory index. Separate multiple entries with spaces. # <IfModule mod_dir.c> DirectoryIndex index.html index.htm index.shtml index.cgi </IfModule> # # AccessFileName: The name of the file to look for in each directory # for access control information. # AccessFileName .htaccess # # The following lines prevent .htaccess files from being viewed by # Web clients. Since .htaccess files often contain authorization # information, access is disallowed for security reasons. Comment # these lines out if you want Web visitors to see the contents of # .htaccess files. If you change the AccessFileName directive above, # be sure to make the corresponding changes here. # # Also, folks tend to use names such as .htpasswd for password # files, so this will protect those as well. # <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> # # CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each # document that was negotiated on the basis of content. This asks proxy # servers not to cache the document. Uncommenting the following line disables # this behavior, and proxies will be allowed to cache the documents. # #CacheNegotiatedDocs # # UseCanonicalName: (new for 1.3) With this setting turned on, whenever # Apache needs to construct a self-referencing URL (a URL that refers back # to the server the response is coming from) it will use ServerName and # Port to form a "canonical" name. With this setting off, Apache will # use the hostname:port that the client supplied, when possible. This # also affects SERVER_NAME and SERVER_PORT in CGI scripts. # UseCanonicalName On # # TypesConfig describes where the mime.types file (or equivalent) is # to be found. # TypesConfig /etc/mime.types # # DefaultType is the default MIME type the server will use for a document # if it cannot otherwise determine one, such as from filename extensions. # If your server contains mostly text or HTML documents, "text/plain" is # a good value. If most of your content is binary, such as applications # or images, you may want to use "application/octet-stream" instead to # keep browsers from trying to display binary files as though they are # text. # DefaultType text/plain # # The mod_mime_magic module allows the server to use various hints from the # contents of the file itself to determine its type. The MIMEMagicFile # directive tells the module where the hint definitions are located. # mod_mime_magic is not part of the default server (you have to add # it yourself with a LoadModule [see the DSO paragraph in the 'Global # Environment' section], or recompile the server and include mod_mime_magic # as part of the configuration), so it's enclosed in an <IfModule> container. # This means that the MIMEMagicFile directive will only be processed if the # module is part of the server. # <IfModule mod_mime_magic.c> MIMEMagicFile share/magic </IfModule> # # HostnameLookups: Log the names of clients or just their IP addresses # e.g., www.apache.org (on) or 204.62.129.132 (off). # The default is off because it'd be overall better for the net if people # had to knowingly turn this feature on, since enabling it means that # each client request will result in AT LEAST one lookup request to the # nameserver. # HostnameLookups Off # Note that Log files are now rotated by logrotate, not by apache itself. # This means that apache no longer attempts to magically determine # where your log files are kept; you have to fill out stanzas in # /etc/logrotate.d/apache-ssl yourself. # # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a <VirtualHost> # container, error messages relating to that virtual host will be # logged here. If you *do* define an error logfile for a <VirtualHost> # container, that host's errors will be logged there and not here. # ErrorLog /var/log/apache-ssl/error.log # # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # LogLevel warn # # The following directives define some format nicknames for use with # a CustomLog directive (see below). # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent # # The location and format of the access logfile (Common Logfile Format). # If you do not define any access logfiles within a <VirtualHost> # container, they will be logged here. Contrariwise, if you *do* # define per-<VirtualHost> access logfiles, transactions will be # logged therein and *not* in this file. # #CustomLog /var/log/apache-ssl/access.log common # # If you would like to have agent and referer logfiles, uncomment the # following directives. # #CustomLog /var/log/apache-ssl/referer.log referer #CustomLog /var/log/apache-ssl/agent.log agent # # If you prefer a single logfile with access, agent, and referer information # (Combined Logfile Format) you can use the following directive. # CustomLog /var/log/apache-ssl/access.log combined # # Optionally add a line containing the server version and virtual host # name to server-generated pages (error documents, FTP directory listings, # mod_status and mod_info output etc., but not CGI generated documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail # ServerSignature On # # Aliases: Add here as many aliases as you need (with no limit). The format is # Alias fakename realname # # Note that if you include a trailing / on fakename then the server will # require it to be present in the URL. So "/icons" isn't aliased in this # example, only "/icons/".. # Alias /icons/ /usr/share/apache/icons/ <Directory /usr/share/apache/icons> Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all </Directory> # # ScriptAlias: This controls which directories contain server scripts. # ScriptAliases are essentially the same as Aliases, except that # documents in the realname directory are treated as applications and # run by the server when requested rather than as documents sent to the client. # The same rules about trailing "/" apply to ScriptAlias directives as to # Alias. # ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ # # "/usr/lib/cgi-bin" could be changed to whatever your ScriptAliased # CGI directory exists, if you have that configured. # <Directory /usr/lib/cgi-bin/> AllowOverride None Options ExecCGI Order allow,deny Allow from all </Directory> # # Redirect allows you to tell clients about documents which used to exist in # your server's namespace, but do not anymore. This allows you to tell the # clients where to look for the relocated document. # Format: Redirect old-URI new-URL # # # Directives controlling the display of server-generated directory listings. # <IfModule mod_autoindex.c> # # FancyIndexing: whether you want fancy directory indexing or standard # IndexOptions FancyIndexing NameWidth=* # # AddIcon* directives tell the server which icon to show for different # files or filename extensions. These are only displayed for # FancyIndexed directories. # AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* AddIcon /icons/binary.gif .bin .exe AddIcon /icons/binhex.gif .hqx AddIcon /icons/tar.gif .tar AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip AddIcon /icons/a.gif .ps .ai .eps AddIcon /icons/layout.gif .html .shtml .htm .pdf AddIcon /icons/text.gif .txt AddIcon /icons/c.gif .c AddIcon /icons/p.gif .pl .py AddIcon /icons/f.gif .for AddIcon /icons/dvi.gif .dvi AddIcon /icons/uuencoded.gif .uu AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl AddIcon /icons/tex.gif .tex AddIcon /icons/bomb.gif core AddIcon /icons/deb.gif .deb AddIcon /icons/back.gif .. AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ # # DefaultIcon: which icon to show for files which do not have an icon # explicitly set. # DefaultIcon /icons/unknown.gif # # AddDescription: allows you to place a short description after a file in # server-generated indexes. These are only displayed for FancyIndexed # directories. # Format: AddDescription "description" filename # #AddDescription "GZIP compressed document" .gz #AddDescription "tar archive" .tar #AddDescription "GZIP compressed tar archive" .tgz # # ReadmeName: the name of the README file the server will look for by # default, and append to directory listings. # # HeaderName: the name of a file which should be prepended to # directory indexes. # # The server will first look for name.html and include it if found. # If name.html doesn't exist, the server will then look for name.txt # and include it as plaintext if found. # ReadmeName README HeaderName HEADER # # IndexIgnore: a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. # IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t </IfModule> # # Document types. # <IfModule mod_mime.c> # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) # uncompress information on the fly. Note: Not all browsers support # this. Despite the name similarity, the following Add* directives # have nothing to do with the FancyIndexing customization # directives above. AddEncoding x-compress Z AddEncoding x-gzip gz tgz # # AddLanguage: allows you to specify the language of a document. You can # then use content negotiation to give a browser a file in a language # it can understand. # # Note 1: The suffix does not have to be the same as the language # keyword --- those with documents in Polish (whose net-standard # language code is pl) may wish to use "AddLanguage pl .po" to # avoid the ambiguity with the common suffix for perl scripts. # # Note 2: The example entries below illustrate that in quite # some cases the two character 'Language' abbriviation is not # identical to the two character 'Country' code for its country, # E.g. 'Danmark/dk' versus 'Danish/da'. # # Note 3: In the case of 'ltz' we violate the RFC by using a three char # specifier. But there is 'work in progress' to fix this and get # the reference data for rfc1766 cleaned up. # # Danish (da) - Dutch (nl) - English (en) - Estonian (ee) # French (fr) - German (de) - Greek-Modern (el) # Italian (it) - Portugese (pt) - Luxembourgeois* (ltz) # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz) # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja) # AddLanguage da .dk AddLanguage nl .nl AddLanguage en .en AddLanguage et .ee AddLanguage fr .fr AddLanguage de .de AddLanguage el .el AddLanguage it .it AddLanguage ja .ja AddCharset ISO-2022-JP .jis AddLanguage pl .po AddCharset ISO-8859-2 .iso-pl AddLanguage pt .pt AddLanguage pt-br .pt-br AddLanguage ltz .lu AddLanguage ca .ca AddLanguage es .es AddLanguage sv .se AddLanguage cz .cz # LanguagePriority: allows you to give precedence to some languages # in case of a tie during content negotiation. # # Just list the languages in decreasing order of preference. We have # more or less alphabetized them here. You probably want to change # this. # <IfModule mod_negotiation.c> LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv </IfModule> # # AddType allows you to tweak mime.types without actually editing # it, or to make certain files to be certain types. # # For example, the PHP 3.x module (not part of the Apache # distribution - see http://www.php.net) will typically use: # #AddType application/x-httpd-php3 .php3 #AddType application/x-httpd-php3-source .phps # # And for PHP 4.x, use: # #AddType application/x-httpd-php .php #AddType application/x-httpd-php-source .phps AddType application/x-tar .tgz AddType image/bmp .bmp # hdml AddType text/x-hdml .hdml # # AddHandler allows you to map certain file extensions to "handlers", # actions unrelated to filetype. These can be either built into # the server or added with the Action command (see below). # # If you want to use server side includes, or CGI outside # ScriptAliased directories, uncomment the following lines. # # To use CGI scripts: # #AddHandler cgi-script .cgi .sh .pl # # To use server-parsed HTML files # #AddType text/html .shtml #AddHandler server-parsed .shtml # # Uncomment the following line to enable Apache's send-asis HTTP # file feature. # #AddHandler send-as-is asis # # If you wish to use server-parsed imagemap files, use # #AddHandler imap-file map # # To enable type maps, you might want to use # #AddHandler type-map var </IfModule> # End of document types. # Default charset to iso-8859-1 (ttp://www.apache.org/info/css-security/). AddDefaultCharset on # # Action: lets you define media types that will execute a script whenever # a matching file is called. This eliminates the need for repeated URL # pathnames for oft-used CGI file processors. # Format: Action media/type /cgi-script/location # Format: Action handler-name /cgi-script/location # # # MetaDir: specifies the name of the directory in which Apache can find # meta information files. These files contain additional HTTP headers # to include when sending the document # #MetaDir .web # # MetaSuffix: specifies the file name suffix for the file containing the # meta information. # #MetaSuffix .meta # # Customizable error response (Apache style) # these come in three flavors # # 1) plain text #ErrorDocument 500 "The server made a boo boo. # n.b. the (") marks it as text, it does not get output # # 2) local redirects #ErrorDocument 404 /missing.html # to redirect to local URL /missing.html #ErrorDocument 404 /cgi-bin/missing_handler.pl # N.B.: You can redirect to a script or a document using server-side-includes. # # 3) external redirects #ErrorDocument 402 http://some.other_server.com/subscription_info.html # N.B.: Many of the environment variables associated with the original # request will *not* be available to such a script. <IfModule mod_setenvif.c> # # The following directives modify normal HTTP response behavior. # The first directive disables keepalive for Netscape 2.x and browsers that # spoof it. There are known problems with these browser implementations. # The second directive is for Microsoft Internet Explorer 4.0b2 # which has a broken HTTP/1.1 implementation and does not properly # support keepalive when it is used on 301 or 302 (redirect) responses. # BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 # # The following directive disables HTTP/1.1 responses to browsers which # are in violation of the HTTP/1.0 spec by not being able to grok a # basic 1.1 response. # BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 </IfModule> # If the perl module is installed, this will be enabled. <IfModule mod_perl.c> Alias /perl/ /var/www/perl/ <Location /perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Location> </IfModule> # # Allow http put (such as Netscape Gold's publish feature) # Use htpasswd to generate /etc/apache/passwd. # You must unremark these two lines at the top of this file as well: #LoadModule put_module modules/mod_put.so # #Alias /upload /tmp #<Location /upload> # EnablePut On # AuthType Basic # AuthName Temporary # AuthUserFile /etc/apache/passwd # EnableDelete Off # umask 007 # <Limit PUT> # require valid-user # </Limit> #</Location> # # Allow server status reports, with the URL of http://servername/server-status # Change the ".your_domain.com" to match your domain to enable. # #<Location /server-status> # SetHandler server-status # Order deny,allow # Deny from all # Allow from .your_domain.com #</Location> # # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # Change the ".your_domain.com" to match your domain to enable. # #<Location /server-info> # SetHandler server-info # Order deny,allow # Deny from all # Allow from .your_domain.com #</Location> # Allow access to local system documentation from localhost. # (Debian Policy assumes /usr/share/doc is "/doc/", at least from the localhost.) Alias /doc/ /usr/share/doc/ <Location /doc> order deny,allow deny from all allow from 127.0.0.0/255.0.0.0 Options Indexes FollowSymLinks MultiViews </Location> # # There have been reports of people trying to abuse an old bug from pre-1.1 # days. This bug involved a CGI script distributed as a part of Apache. # By uncommenting these lines you can redirect these attacks to a logging # script on phf.apache.org. Or, you can record them yourself, using the script # support/phf_abuse_log.cgi. # #<Location /cgi-bin/phf*> # Deny from all # ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi #</Location> <IfModule mod_proxy.c> # # Proxy Server directives. Uncomment the following lines to # enable the proxy server: # #<IfModule mod_proxy.c> #ProxyRequests On # #<Directory proxy:*> # Order deny,allow # Deny from all # Allow from .your_domain.com #</Directory> </IfModule> # # Enable/disable the handling of HTTP/1.1 "Via:" headers. # ("Full" adds the server version; "Block" removes all outgoing Via: headers) # Set to one of: Off | On | Full | Block # #ProxyVia On # # To enable the cache as well, edit and uncomment the following lines: # (no cacheing without CacheRoot) # #CacheRoot "/var/cache/apache" #CacheSize 5 #CacheGcInterval 4 #CacheMaxExpire 24 #CacheLastModifiedFactor 0.1 #CacheDefaultExpire 1 #NoCache a_domain.com another_domain.edu joes.garage_sale.com #</IfModule> # End of proxy directives. ### Section 3: Virtual Hosts # # VirtualHost: If you want to maintain multiple domains/hostnames on your # machine you can setup VirtualHost containers for them. # Please see the documentation at <URL:http://www.apache.org/docs/vhosts/> # for further details before you try to setup virtual hosts. # You may use the command line option '-S' to verify your virtual host # configuration. # # If you want to use name-based virtual hosts you need to define at # least one IP address (and port number) for them. # #NameVirtualHost 12.34.56.78:80 #NameVirtualHost 12.34.56.78 # # VirtualHost example: # Almost any Apache directive may go into a VirtualHost container. # #<VirtualHost ip.address.of.host.some_domain.com> # ServerAdmin webmaster@xxxxxxxxxxxxxxxxxxxx # DocumentRoot /www/docs/host.some_domain.com # ServerName host.some_domain.com # ErrorLog logs/host.some_domain.com-error.log # CustomLog logs/host.some_domain.com-access.log common #</VirtualHost> #<VirtualHost _default_:*> #</VirtualHost> # ----------------------------SSL---------------------------------- # This is an example configuration file for Apache-SSL. # Copyright (C) 1995,6,7 Ben Laurie # By popular demand, this file now illustrates the way to create two websites, # one secured (on port 8887), the other not (on port 8888). # You may need one of thse #User webuser #User ben #Group group # SSL Servers MUST be standalone, currently. #ServerType standalone # The default port for SSL is 443... #Port 8887 #Listen ServerPort Listen 443 # My test document root #DocumentRoot /u/ben/www/1/docs #DocumentRoot /u/ben/apache/apache_1.3.0-ssl/htdocs #<Directory /u/ben/apache/apache_1.3.0-ssl/htdocs/manual> # This directive forbids access except when SSL is in use. Very handy for # defending against configuration errors that expose stuff that should be # protected #SSLRequireSSL #</Directory> # Watch what's going on #TransferLog /var/log/apache-ssl/transfer.log # Note that all SSL options can apply to virtual hosts. # Disable SSL. Useful in combination with virtual hosts. Note that SSLEnable is # now also supported. SSLEnable # Set the path for the global cache server executable. # If this facility gives you trouble, you can disable it by setting # CACHE_SESSIONS to FALSE in apache_ssl.c SSLCacheServerPath /usr/lib/apache-ssl/gcache # Set the global cache server port number, or path. If it is a path, a Unix # domain socket is used. If a number, a TCP socket. SSLCacheServerPort /var/run/gcache_port #SSLCacheServerPort 1234 # Set the session cache timeout, in seconds (set to 15 for testing, use a # higher value in real life) SSLSessionCacheTimeout 15 # Set the CA certificate verification path (must be PEM encoded). # (in addition to getenv("SSL_CERT_DIR"), I think). #SSLCACertificatePath /u/ben/apache/apache_1.2.5-ssl/SSLconf/conf SSLCACertificatePath /etc/apache-ssl # Set the CA certificate verification file (must be PEM encoded). # (in addition to getenv("SSL_CERT_FILE"), I think). #SSLCACertificateFile /some/where/somefile #SSLCACertificateFile /u/ben/apache/apache_1.2.5-ssl/SSLconf/conf/httpsd.pem # Point SSLCertificateFile at a PEM encoded certificate. # If the certificate is encrypted, then you will be prompted for a pass phrase. # Note that a kill -1 will prompt again. # A test certificate can be generated with "make certificate". SSLCertificateFile /etc/apache-ssl/apache.pem #SSLCertificateFile /u/ben/apache/apache_1.2.6-ssl/SSLconf/conf/t1.pem # If the key is not combined with the certificate, use this directive to # point at the key file. If this starts with a '/' it specifies an absolute # path, otherwise it is relative to the default certificate area. That is, it # means "<default>/private/<keyfile>". #SSLCertificateKeyFile /some/place/with/your.key # Set SSLVerifyClient to: # 0 if no certicate is required # 1 if the client may present a valid certificate # 2 if the client must present a valid certificate # 3 if the client may present a valid certificate but it is not required to # have a valid CA SSLVerifyClient 0 # How deeply to verify before deciding they don't have a valid certificate SSLVerifyDepth 10 # Translate the client X509 into a Basic authorisation. This means that the # standard Auth/DBMAuth methods can be used for access control. The user name # is the "one line" version of the client's X509 certificate. Note that no # password is obtained from the user. Every entry in the user file needs this # password: xxj31ZMTZzkVA. See the code for further explanation. SSLFakeBasicAuth # List the ciphers that the client is permitted to negotiate. See the source # for a definitive list. For example: #SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA # These two can be used per-directory to require or ban ciphers. Note that (at # least in the current version) Apache-SSL will not attempt to renegotiate if a # cipher is banned (or not required). #SSLRequireCipher #SSLBanCipher # A home for miscellaneous rubbish generated by SSL. Much of it is duplicated # in the error log file. Put this somewhere where it cannot be used for symlink # attacks on a real server (i.e. somewhere where only root can write). #SSLLogFile /var/log/ssl.log # Custom logging CustomLog /var/log/apache-ssl/ssl.log "%t %{version}c %{cipher}c %{clientcert}c" #<VirtualHost scuzzy:8888> #SSLDisable #SSLEnable #</VirtualHost> # If you want, you can disable SSL globally, and enable it in a virtual host... #<VirtualHost scuzzy:8887> #SSLEnable # and the rest of the SSL stuf... #</VirtualHost> # Experiment with authorization... #<Directory /u/ben/www/1/docs> #AuthType Basic #AuthName Experimental #AuthGroupFile /dev/null #AuthUserFile /u/ben/www/1/users #<Limit PUT GET> #allow from all #require valid-user #</Limit> #</Directory> #ScriptAlias /scripts /u/ben/www/scripts #<VirtualHost ServerName:443> #SSLEnable #</VirtualHost> ### # Custom Configuration ### Alias /DTASelect/ /site/DTASelect/default/ # Automatically added by the post-installation script # as part of the transition to a config directory layout # similar to apache2, and that will help users to migrate # from apache to apache2 or revert back easily #Include /etc/apache-ssl/conf.d --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx