From b8a434bc812f9a44fa1ec05e735e57ef6ef74e01 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Fri, 1 Oct 2010 18:09:27 +0200
Subject: import httpd 2.2.16
---
README.confd | 9 +
httpd-2.0.45-export.patch | 20 +
httpd-2.0.48-release.patch | 16 +
httpd-2.1.10-apctl.patch | 107 +++++
httpd-2.1.10-apxs.patch | 97 ++++
httpd-2.1.10-disablemods.patch | 36 ++
httpd-2.1.10-layout.patch | 17 +
httpd-2.1.10-pod.patch | 53 +++
httpd-2.2.0-authnoprov.patch | 30 ++
httpd-2.2.11-corelimit.patch | 28 ++
httpd-2.2.11-selinux.patch | 51 ++
httpd-2.2.11-xfsz.patch | 11 +
httpd-2.2.9-deplibs.patch | 14 +
httpd-2.2.9-suenable.patch | 11 +
httpd.conf | 1009 ++++++++++++++++++++++++++++++++++++++++
httpd.init | 123 +++++
httpd.logrotate | 9 +
httpd.spec | 841 +++++++++++++++++++++++++++++++++
httpd.sysconf | 22 +
index.html | 130 ++++++
manual.conf | 12 +
ssl.conf | 223 +++++++++
welcome.conf | 11 +
23 files changed, 2880 insertions(+)
create mode 100644 README.confd
create mode 100644 httpd-2.0.45-export.patch
create mode 100644 httpd-2.0.48-release.patch
create mode 100644 httpd-2.1.10-apctl.patch
create mode 100644 httpd-2.1.10-apxs.patch
create mode 100644 httpd-2.1.10-disablemods.patch
create mode 100644 httpd-2.1.10-layout.patch
create mode 100644 httpd-2.1.10-pod.patch
create mode 100644 httpd-2.2.0-authnoprov.patch
create mode 100644 httpd-2.2.11-corelimit.patch
create mode 100644 httpd-2.2.11-selinux.patch
create mode 100644 httpd-2.2.11-xfsz.patch
create mode 100644 httpd-2.2.9-deplibs.patch
create mode 100644 httpd-2.2.9-suenable.patch
create mode 100644 httpd.conf
create mode 100755 httpd.init
create mode 100644 httpd.logrotate
create mode 100644 httpd.spec
create mode 100644 httpd.sysconf
create mode 100644 index.html
create mode 100644 manual.conf
create mode 100644 ssl.conf
create mode 100644 welcome.conf
diff --git a/README.confd b/README.confd
new file mode 100644
index 0000000..c12e149
--- /dev/null
+++ b/README.confd
@@ -0,0 +1,9 @@
+
+This directory holds Apache 2.0 module-specific configuration files;
+any files in this directory which have the ".conf" extension will be
+processed as Apache configuration files.
+
+Files are processed in alphabetical order, so if using configuration
+directives which depend on, say, mod_perl being loaded, ensure that
+these are placed in a filename later in the sort order than "perl.conf".
+
diff --git a/httpd-2.0.45-export.patch b/httpd-2.0.45-export.patch
new file mode 100644
index 0000000..d105996
--- /dev/null
+++ b/httpd-2.0.45-export.patch
@@ -0,0 +1,20 @@
+
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+
+Upstream-HEAD: needed
+Upstream-2.0: omit
+Upstream-Status: EXPORT_DIRS change is conditional on using shared apr
+
+--- httpd-2.2.2/server/Makefile.in.export
++++ httpd-2.2.2/server/Makefile.in
+@@ -58,9 +58,6 @@
+ for dir in $(EXPORT_DIRS); do \
+ ls $$dir/*.h >> $$tmp; \
+ done; \
+- for dir in $(EXPORT_DIRS_APR); do \
+- (ls $$dir/ap[ru].h $$dir/ap[ru]_*.h >> $$tmp 2>/dev/null); \
+- done; \
+ sort -u $$tmp > $@; \
+ rm -f $$tmp
+
diff --git a/httpd-2.0.48-release.patch b/httpd-2.0.48-release.patch
new file mode 100644
index 0000000..fd6fd2b
--- /dev/null
+++ b/httpd-2.0.48-release.patch
@@ -0,0 +1,16 @@
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: vendor-specific change
+
+--- httpd-2.0.48/server/core.c.release
++++ httpd-2.0.48/server/core.c
+@@ -2758,7 +2758,7 @@
+ ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
+ }
+ else {
+- ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
++ ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (@RELEASE@)");
+ }
+
+ /*
diff --git a/httpd-2.1.10-apctl.patch b/httpd-2.1.10-apctl.patch
new file mode 100644
index 0000000..4e34ea6
--- /dev/null
+++ b/httpd-2.1.10-apctl.patch
@@ -0,0 +1,107 @@
+
+- fail gracefully if links is not installed on target system
+- source sysconfig/httpd for custom env. vars etc.
+- make httpd -t work even in SELinux
+- refuse to restart into a bad config
+- pass $OPTIONS to all $HTTPD invocation
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: Vendor-specific changes for better initscript integration
+
+--- httpd-2.1.10/support/apachectl.in.apctl
++++ httpd-2.1.10/support/apachectl.in
+@@ -43,19 +43,25 @@
+ # the path to your httpd binary, including options if necessary
+ HTTPD='@exp_sbindir@/@progname@'
+ #
+-# pick up any necessary environment variables
+-if test -f @exp_sbindir@/envvars; then
+- . @exp_sbindir@/envvars
+-fi
+ #
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line. Designed for lynx, however other
+ # programs may work.
+-LYNX="@LYNX_PATH@ -dump"
++if [ -x "@LYNX_PATH@" ]; then
++ LYNX="@LYNX_PATH@ -dump"
++else
++ LYNX=none
++fi
+ #
+ # the URL to your server's mod_status status page. If you do not
+ # have one, then status and fullstatus will not work.
+ STATUSURL="http://localhost:@PORT@/server-status"
++
++# Source /etc/sysconfig/httpd for $HTTPD setting, etc.
++if [ -r /etc/sysconfig/httpd ]; then
++ . /etc/sysconfig/httpd
++fi
++
+ #
+ # Set this variable to a command that increases the maximum
+ # number of file descriptors allowed per child process. This is
+@@ -75,29 +81,51 @@
+ ARGV="-h"
+ fi
+
++function checklynx() {
++if [ "$LYNX" = "none" ]; then
++ echo "The 'links' package is required for this functionality."
++ exit 8
++fi
++}
++
++function testconfig() {
++# httpd is denied terminal access in SELinux, so run in the
++# current context to get stdout from $HTTPD -t.
++if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
++ runcon -- `id -Z` $HTTPD $OPTIONS -t
++else
++ $HTTPD $OPTIONS -t
++fi
++ERROR=$?
++}
++
+ case $ARGV in
+-start|stop|restart|graceful|graceful-stop)
+- $HTTPD -k $ARGV
+- ERROR=$?
++restart|graceful)
++ if $HTTPD $OPTIONS -t >&/dev/null; then
++ $HTTPD $OPTIONS -k $ARGV
++ ERROR=$?
++ else
++ echo "apachectl: Configuration syntax error, will not run \"$ARGV\":"
++ testconfig
++ fi
+ ;;
+-startssl|sslstart|start-SSL)
+- echo The startssl option is no longer supported.
+- echo Please edit httpd.conf to include the SSL configuration settings
+- echo and then use "apachectl start".
+- ERROR=2
++start|stop|graceful-stop)
++ $HTTPD $OPTIONS -k $ARGV
++ ERROR=$?
+ ;;
+ configtest)
+- $HTTPD -t
+- ERROR=$?
++ testconfig
+ ;;
+ status)
++ checklynx
+ $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+ ;;
+ fullstatus)
++ checklynx
+ $LYNX $STATUSURL
+ ;;
+ *)
+- $HTTPD $ARGV
++ $HTTPD $OPTIONS $ARGV
+ ERROR=$?
+ esac
+
diff --git a/httpd-2.1.10-apxs.patch b/httpd-2.1.10-apxs.patch
new file mode 100644
index 0000000..5881276
--- /dev/null
+++ b/httpd-2.1.10-apxs.patch
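Review bot: The new `. /etc/sysconfig/httpd` in httpd-2.1.10-apctl.patch runs that file as shell code in whatever account invokes apachectl, which is normally root, and the only comment on it is `# Source /etc/sysconfig/httpd for $HTTPD setting, etc.`. The `-r` test checks readability only, so the file's ownership and mode are never looked at. I would extend the comment to say so, for example `# Sourced as shell code by the invoking user (usually root): keep this file root-owned and not group/world-writable.` Separately, `function checklynx()` and `>&/dev/null` are bash syntax; the interpreter line of apachectl.in is outside the hunk, so confirm the script is not run by a plain POSIX `/bin/sh`.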
@@ -0,0 +1,97 @@
+
+- remove unnecessary stuff which runs httpd during build
+- drop unnecessary --libs output from ap?-?-config
+- make multilib-safe
+
+Upstream-Status: The is-mod_so-linked-in hack is done better on trunk.
+ The multilib hack is awful and can't go upstream.
+
+--- httpd-2.2.2/support/apxs.in.apxs
++++ httpd-2.2.2/support/apxs.in
+@@ -25,7 +25,18 @@
+
+ my %config_vars = ();
+
+-my $installbuilddir = "@exp_installbuilddir@";
++# Awful hack to make apxs libdir-agnostic:
++my $pkg_config = "/usr/bin/pkg-config";
++if (! -x "$pkg_config") {
++ error("$pkg_config not found!");
++ exit(1);
++}
++
++my $libdir = `pkg-config --variable=libdir apr-1`;
++chomp $libdir;
++
++my $installbuilddir = $libdir . "/httpd/build";
++
+ get_config_vars("$installbuilddir/config_vars.mk",\%config_vars);
+
+ # read the configuration variables once
+@@ -184,34 +195,6 @@
+ }
+ }
+
+-##
+-## Initial shared object support check
+-##
+-my $httpd = get_vars("sbindir") . "/" . get_vars("progname");
+-$httpd = eval qq("$httpd");
+-$httpd = eval qq("$httpd");
+-my $envvars = get_vars("sbindir") . "/envvars";
+-$envvars = eval qq("$envvars");
+-$envvars = eval qq("$envvars");
+-
+-#allow apxs to be run from the source tree, before installation
+-if ($0 =~ m:support/apxs$:) {
+- ($httpd = $0) =~ s:support/apxs$::;
+-}
+-
+-unless (-x "$httpd") {
+- error("$httpd not found or not executable");
+- exit 1;
+-}
+-
+-unless (grep /mod_so/, `. $envvars && $httpd -l`) {
+- error("Sorry, no shared object support for Apache");
+- error("available under your platform. Make sure");
+- error("the Apache module mod_so is compiled into");
+- error("your server binary `$httpd'.");
+- exit 1;
+-}
+-
+ sub get_config_vars{
+ my ($file, $rh_config) = @_;
+
+@@ -291,7 +274,7 @@
+ $data =~ s|%NAME%|$name|sg;
+ $data =~ s|%TARGET%|$CFG_TARGET|sg;
+ $data =~ s|%PREFIX%|$prefix|sg;
+- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
++ $data =~ s|%LIBDIR%|$libdir|sg;
+
+ my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
+
+@@ -433,9 +416,9 @@
+
+ if ($opt_p == 1) {
+
+- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
++ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`;
+ chomp($apr_libs);
+- my $apu_libs=`$apu_config --ldflags --link-libtool --libs`;
++ my $apu_libs=`$apu_config --ldflags --link-libtool`;
+ chomp($apu_libs);
+
+ $opt .= " ".$apu_libs." ".$apr_libs;
+@@ -646,8 +629,8 @@
+
+ builddir=.
+ top_srcdir=%PREFIX%
+-top_builddir=%PREFIX%
+-include %INSTALLBUILDDIR%/special.mk
++top_builddir=%LIBDIR%/httpd
++include %LIBDIR%/httpd/build/special.mk
+
+ # the used tools
+ APXS=apxs
diff --git a/httpd-2.1.10-disablemods.patch b/httpd-2.1.10-disablemods.patch
new file mode 100644
index 0000000..7e938e4
--- /dev/null
+++ b/httpd-2.1.10-disablemods.patch
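Review bot: In the first inner hunk of httpd-2.1.10-apxs.patch the script verifies that `/usr/bin/pkg-config` is executable but then runs a bare `pkg-config` in the backtick command, so the binary actually executed is whichever one is found first on PATH, and its exit status is never examined. If the call fails or prints nothing, `$libdir` is empty and `$installbuilddir` silently becomes `/httpd/build`. I would use `$pkg_config` inside the backticks instead of the bare name, and add `if ($? != 0 || $libdir eq '') { error("pkg-config could not report libdir for apr-1"); exit(1); }` right after the `chomp`.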
@@ -0,0 +1,36 @@
+
+Support "--enable-modules=none" to build an httpd binary with
+no optional modules enabled.
+
+Upstream-Status: committed to trunk, r357168
+
+--- httpd-2.1.10/acinclude.m4.disablemods
++++ httpd-2.1.10/acinclude.m4
+@@ -289,14 +289,19 @@
+
+ AC_ARG_ENABLE(modules,
+ APACHE_HELP_STRING(--enable-modules=MODULE-LIST,Space-separated list of modules to enable | "all" | "most"),[
+- for i in $enableval; do
+- if test "$i" = "all" -o "$i" = "most"; then
+- module_selection=$i
+- else
+- i=`echo $i | sed 's/-/_/g'`
+- eval "enable_$i=yes"
+- fi
+- done
++ if test "$enableval" = "none"; then
++ module_default=no
++ module_selection=none
++ else
++ for i in $enableval; do
++ if test "$i" = "all" -o "$i" = "most"; then
++ module_selection=$i
++ else
++ i=`echo $i | sed 's/-/_/g'`
++ eval "enable_$i=yes"
++ fi
++ done
++ fi
+ ])
+
+ AC_ARG_ENABLE(mods-shared,
diff --git a/httpd-2.1.10-layout.patch b/httpd-2.1.10-layout.patch
new file mode 100644
index 0000000..0c4df7c
--- /dev/null
+++ b/httpd-2.1.10-layout.patch
@@ -0,0 +1,17 @@
+
+Tweak the default config to get installbuilddir right.
+
+Upstream-Status: should really make the "RedHat" layout DTRT again and
+ use that layout instead
+
+--- httpd-2.1.10/config.layout.layout
++++ httpd-2.1.10/config.layout
+@@ -20,7 +20,7 @@
+ mandir: ${prefix}/man
+ sysconfdir: ${prefix}/conf
+ datadir: ${prefix}
+- installbuilddir: ${datadir}/build
++ installbuilddir: ${libdir}/httpd/build
+ errordir: ${datadir}/error
+ iconsdir: ${datadir}/icons
+ htdocsdir: ${datadir}/htdocs
diff --git a/httpd-2.1.10-pod.patch b/httpd-2.1.10-pod.patch
new file mode 100644
index 0000000..8d522dc
--- /dev/null
+++ b/httpd-2.1.10-pod.patch
@@ -0,0 +1,53 @@
+
+Hack to send the dummy HTTP request only to the first listener
+configured, to avoid spamming the SSL vhost in the default install.
+
+In 2.2 lr->protocol could be used instead to do this properly, if
+that was actually initialized properly by mod_ssl.
+
+Upstream-Status: not submitted, ugly hack which only makes a difference
+ to the default configuration used in Fedora. Need to find
+ a way to do this properly.
+
+--- httpd-2.1.10/server/mpm_common.c.pod
++++ httpd-2.1.10/server/mpm_common.c
+@@ -583,6 +584,7 @@
+ apr_socket_t *sock;
+ apr_pool_t *p;
+ apr_size_t len;
++ ap_listen_rec *lr;
+
+ /* create a temporary pool for the socket. pconf stays around too long */
+ rv = apr_pool_create(&p, pod->p);
+@@ -590,8 +592,11 @@
+ return rv;
+ }
+
+- rv = apr_socket_create(&sock, ap_listeners->bind_addr->family,
+- SOCK_STREAM, 0, p);
++ /* Find an HTTP listener specified first in the configuration. */
++ for (lr = ap_listeners; lr->next != NULL; lr = lr->next)
++ /* noop */;
++
++ rv = apr_socket_create(&sock, lr->bind_addr->family, SOCK_STREAM, 0, p);
+ if (rv != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, rv, ap_server_conf,
+ "get socket to connect to listener");
+@@ -614,7 +619,7 @@
+ return rv;
+ }
+
+- rv = apr_socket_connect(sock, ap_listeners->bind_addr);
++ rv = apr_socket_connect(sock, lr->bind_addr);
+ if (rv != APR_SUCCESS) {
+ int log_level = APLOG_WARNING;
+
+@@ -627,7 +632,7 @@
+ }
+
+ ap_log_error(APLOG_MARK, log_level, rv, ap_server_conf,
+- "connect to listener on %pI", ap_listeners->bind_addr);
++ "connect to listener on %pI", lr->bind_addr);
+ }
+
+ /* Create the request string. We include a User-Agent so that
diff --git a/httpd-2.2.0-authnoprov.patch b/httpd-2.2.0-authnoprov.patch
new file mode 100644
index 0000000..c9cfe8b
--- /dev/null
+++ b/httpd-2.2.0-authnoprov.patch
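Review bot: The loop added in the `@@ -590,8 +592,11 @@` hunk of httpd-2.1.10-pod.patch stops on the element whose `next` is NULL, that is the tail of `ap_listeners`, while its comment says it finds the listener specified first in the configuration. That holds only if the list is kept in reverse configuration order, which nothing in the hunk shows; the comment should state the assumption, e.g. `/* ap_listeners is assumed to be in reverse config order, so the tail is the first Listen directive. */`. The loop also reads `lr->next` with no NULL check on `ap_listeners`; the replaced code dereferenced `ap_listeners->bind_addr` the same way, so this is not new, but the enclosing function starts outside the hunk and no guard is visible.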
@@ -0,0 +1,30 @@
+--- httpd-2.2.0/modules/aaa/mod_authn_file.c.authnoprov
++++ httpd-2.2.0/modules/aaa/mod_authn_file.c
+@@ -70,6 +70,10 @@
+ apr_status_t status;
+ char *file_password = NULL;
+
++ if (!conf->pwfile) {
++ return AUTH_GENERAL_ERROR;
++ }
++
+ status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
+
+ if (status != APR_SUCCESS) {
+--- httpd-2.2.0/modules/aaa/mod_auth_basic.c.authnoprov
++++ httpd-2.2.0/modules/aaa/mod_auth_basic.c
+@@ -252,6 +252,14 @@
+ return DECLINED;
+ }
+
++ /* If no providers were configured, and the default file
++ * provider gave a general error (which will happen only if
++ * has not been configured), presume that a non-provider-based
++ * authn module is configured, and get out of the way. */
++ if (!conf->providers && auth_result == AUTH_GENERAL_ERROR) {
++ return DECLINED;
++ }
++
+ switch (auth_result) {
+ case AUTH_DENIED:
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
diff --git a/httpd-2.2.11-corelimit.patch b/httpd-2.2.11-corelimit.patch
new file mode 100644
index 0000000..ea9f857
--- /dev/null
+++ b/httpd-2.2.11-corelimit.patch
@@ -0,0 +1,28 @@
+--- httpd-2.2.11/server/core.c.corelimit
++++ httpd-2.2.11/server/core.c
+@@ -3777,6 +3779,25 @@ static int core_post_config(apr_pool_t *
+
+ set_banner(pconf);
+ ap_setup_make_content_type(pconf);
++
++#ifdef RLIMIT_CORE
++ if (ap_coredumpdir_configured) {
++ struct rlimit lim;
++
++ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
++ lim.rlim_cur = lim.rlim_max;
++ if (setrlimit(RLIMIT_CORE, &lim) == 0) {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "core dump file size limit raised to %lu bytes",
++ lim.rlim_cur);
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
++ "core dump file size is zero, setrlimit failed");
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
diff --git a/httpd-2.2.11-selinux.patch b/httpd-2.2.11-selinux.patch
new file mode 100644
index 0000000..7b1b3cb
--- /dev/null
+++ b/httpd-2.2.11-selinux.patch
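Review bot: In the mod_auth_basic.c hunk of httpd-2.2.0-authnoprov.patch the new branch returns DECLINED for any `AUTH_GENERAL_ERROR` when no providers are configured, but its comment claims that result occurs only when the file provider has not been configured. The mod_authn_file.c hunk shows an `if (status != APR_SUCCESS)` branch directly after `ap_pcfg_openfile()` whose body lies outside the hunk; if that branch also yields `AUTH_GENERAL_ERROR`, a configured but unreadable password file would make basic auth step aside instead of failing the request. Please confirm what that branch returns and which module decides the request after DECLINED, and correct the comment accordingly, e.g. `/* NOTE: any AUTH_GENERAL_ERROR from the default file provider lands here, not only a missing AuthUserFile. */`.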
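Review bot: The notice added in httpd-2.2.11-corelimit.patch prints `lim.rlim_cur` with `%lu`, but that field is an `rlim_t`, which is not `unsigned long` on every build (for example 32-bit builds with 64-bit file offsets), so the variadic call can read an argument of the wrong width. Cast at the call site, `(unsigned long) lim.rlim_cur);`, or print through a wider type. When the hard limit is unlimited the message will also show a very large number instead of saying so. The enclosing core_post_config() starts outside the hunk.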
@@ -0,0 +1,51 @@
+--- httpd-2.2.11/configure.in.selinux
++++ httpd-2.2.11/configure.in
+@@ -412,6 +412,10 @@ getpgid
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+
++AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ APR_ADDTO(AP_LIBS, [-lselinux])
++])
++
+ dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
+ AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
+ [AC_TRY_COMPILE([#include
+--- httpd-2.2.11/server/core.c.selinux
++++ httpd-2.2.11/server/core.c
+@@ -51,6 +51,8 @@
+
+ #include "mod_so.h" /* for ap_find_loaded_module_symbol */
+
++#include
++
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -3796,6 +3798,26 @@ static int core_post_config(apr_pool_t *
+ }
+ #endif
+
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++
++ if (is_enabled && !already_warned) {
++ security_context_t con;
++
++ if (getcon(&con) == 0) {
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++
++ already_warned = 1;
++
++ freecon(con);
++ }
++ }
++ }
++
+ return OK;
+ }
+
diff --git a/httpd-2.2.11-xfsz.patch b/httpd-2.2.11-xfsz.patch
new file mode 100644
index 0000000..7f9e16a
--- /dev/null
+++ b/httpd-2.2.11-xfsz.patch
@@ -0,0 +1,11 @@
+--- httpd-2.2.11/server/mpm/prefork/prefork.c.xfsz
++++ httpd-2.2.11/server/mpm/prefork/prefork.c
+@@ -399,7 +399,7 @@ static void set_signals(void)
+ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)");
+ #endif
+ #ifdef SIGXFSZ
+- sa.sa_handler = SIG_DFL;
++ sa.sa_handler = SIG_IGN;
+ if (sigaction(SIGXFSZ, &sa, NULL) < 0)
+ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)");
+ #endif
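Review bot: httpd-2.2.11-selinux.patch treats libselinux as optional in configure.in (`AC_CHECK_LIB` only appends `-lselinux` when the library is found), yet the core.c hunks include the SELinux header and call `is_selinux_enabled()`, `getcon()` and `freecon()` unconditionally, so a build without libselinux fails at compile or link time. Because the check supplies its own found-action, no `HAVE_LIBSELINUX` macro is defined either. I would add `AC_DEFINE(HAVE_LIBSELINUX, 1, [Define if libselinux is available])` to the found-action and wrap the include and the new block in `#ifdef HAVE_LIBSELINUX`. A failing `getcon()` is also silent in the new block, so the startup log gives no hint when the context could not be read; core_post_config() itself starts outside the hunk.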
diff --git a/httpd-2.2.9-deplibs.patch b/httpd-2.2.9-deplibs.patch
new file mode 100644
index 0000000..def61ed
--- /dev/null
+++ b/httpd-2.2.9-deplibs.patch
@@ -0,0 +1,14 @@
+--- httpd-2.2.9/configure.in.deplibs
++++ httpd-2.2.9/configure.in
+@@ -588,9 +588,8 @@ APACHE_HELP_STRING(--with-suexec-umask,u
+ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+
+ dnl APR should go after the other libs, so the right symbols can be picked up
+-apulinklibs="`$apu_config --avoid-ldap --link-libtool --libs`" \
+- || apulinklibs="`$apu_config --link-libtool --libs`"
+-AP_LIBS="$AP_LIBS $apulinklibs `$apr_config --link-libtool --libs`"
++apulinklibs="`$apu_config --link-libtool`"
++AP_LIBS="$AP_LIBS $apulinklibs `$apr_config --link-libtool`"
+ APACHE_SUBST(AP_LIBS)
+ APACHE_SUBST(AP_BUILD_SRCLIB_DIRS)
+ APACHE_SUBST(AP_CLEAN_SRCLIB_DIRS)
diff --git a/httpd-2.2.9-suenable.patch b/httpd-2.2.9-suenable.patch
new file mode 100644
index 0000000..2227632
--- /dev/null
+++ b/httpd-2.2.9-suenable.patch
@@ -0,0 +1,11 @@
+--- httpd-2.2.9/os/unix/unixd.c.suenable
++++ httpd-2.2.9/os/unix/unixd.c
+@@ -215,7 +215,7 @@ AP_DECLARE(void) unixd_pre_config(apr_po
+ }
+
+ if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
+- unixd_config.suexec_enabled = 1;
++ unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0;
+ }
+ }
+
diff --git a/httpd.conf b/httpd.conf
new file mode 100644
index 0000000..78cdc37
--- /dev/null
+++ b/httpd.conf
@@ -0,0 +1,1009 @@
+#
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See for detailed information.
+# In particular, see
+#
+# for a discussion of each configuration directive.
+#
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# The configuration directives are grouped into three basic sections:
+# 1. Directives that control the operation of the Apache server process as a
+# whole (the 'global environment').
+# 2. Directives that define the parameters of the 'main' or 'default' server,
+# which responds to requests that aren't handled by a virtual host.
+# These directives also provide default values for the settings
+# of all virtual hosts.
+# 3. Settings for virtual hosts, which allow Web requests to be sent to
+# different IP addresses or hostnames and have them handled by the
+# same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
+# with ServerRoot set to "/etc/httpd" will be interpreted by the
+# server as "/etc/httpd/logs/foo.log".
+#
+
+### Section 1: Global Environment
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
+
+#
+# Don't give away too much information about all the subcomponents
+# we are running. Comment out this line if you don't mind remote sites
+# finding out what major optional modules you are running
+ServerTokens OS
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE! If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation
+# (available at );
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot "/etc/httpd"
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts. Note the PIDFILE variable in
+# /etc/sysconfig/httpd must be set appropriately if this location is
+# changed.
+#
+PidFile run/httpd.pid
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 60
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive Off
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 5
+
+##
+## Server-Pool Size Regulation (MPM specific)
+##
+
+# prefork MPM
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# ServerLimit: maximum value for MaxClients for the lifetime of the server
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+
+StartServers 8
+MinSpareServers 5
+MaxSpareServers 20
+ServerLimit 256
+MaxClients 256
+MaxRequestsPerChild 4000
+
+
+# worker MPM
+# StartServers: initial number of server processes to start
+# MaxClients: maximum number of simultaneous client connections
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+
+StartServers 4
+MaxClients 300
+MinSpareThreads 25
+MaxSpareThreads 75
+ThreadsPerChild 25
+MaxRequestsPerChild 0
+
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, in addition to the default. See also the
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule auth_digest_module modules/mod_auth_digest.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_alias_module modules/mod_authn_alias.so
+LoadModule authn_anon_module modules/mod_authn_anon.so
+LoadModule authn_dbm_module modules/mod_authn_dbm.so
+LoadModule authn_default_module modules/mod_authn_default.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_owner_module modules/mod_authz_owner.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_dbm_module modules/mod_authz_dbm.so
+LoadModule authz_default_module modules/mod_authz_default.so
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+LoadModule include_module modules/mod_include.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+LoadModule env_module modules/mod_env.so
+LoadModule ext_filter_module modules/mod_ext_filter.so
+LoadModule mime_magic_module modules/mod_mime_magic.so
+LoadModule expires_module modules/mod_expires.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule usertrack_module modules/mod_usertrack.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dav_module modules/mod_dav.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule info_module modules/mod_info.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule vhost_alias_module modules/mod_vhost_alias.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule actions_module modules/mod_actions.so
+LoadModule speling_module modules/mod_speling.so
+LoadModule userdir_module modules/mod_userdir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule substitute_module modules/mod_substitute.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule cache_module modules/mod_cache.so
+LoadModule suexec_module modules/mod_suexec.so
+LoadModule disk_cache_module modules/mod_disk_cache.so
+LoadModule cgi_module modules/mod_cgi.so
+LoadModule version_module modules/mod_version.so
+
+#
+# The following modules are not loaded by default:
+#
+#LoadModule asis_module modules/mod_asis.so
+#LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule cgid_module modules/mod_cgid.so
+#LoadModule dbd_module modules/mod_dbd.so
+#LoadModule dumpio_module modules/mod_dumpio.so
+#LoadModule filter_module modules/mod_filter.so
+#LoadModule ident_module modules/mod_ident.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule unique_id_module modules/mod_unique_id.so
+#
+
+#
+# Load config files from the config directory "/etc/httpd/conf.d".
+#
+Include conf.d/*.conf
+
+#
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called. The default is Off.
+#
+#ExtendedStatus On
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
+# . On HPUX you may not be able to use shared memory as nobody, and the
+# suggested workaround is to create a user www and use that user.
+# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
+# when the value of (unsigned)Group is above 60000;
+# don't use Group #-1 on these systems!
+#
+User apache
+Group apache
+
+### Section 2: 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# definition. These values also provide defaults for
+# any containers you may define later in the file.
+#
+# All of these directives may appear inside containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+#ServerName www.example.com:80
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/var/www/html"
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# features.
+#
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+
+
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important. Please see
+# http://httpd.apache.org/docs/2.2/mod/core.html#options
+# for more information.
+#
+ Options Indexes FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+# Options FileInfo AuthConfig Limit
+#
+ AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+ Order allow,deny
+ Allow from all
+
+
+
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+# The path to the end user account 'public_html' directory must be
+# accessible to the webserver userid. This usually means that ~userid
+# must have permissions of 711, ~userid/public_html must have permissions
+# of 755, and documents contained therein must be world-readable.
+# Otherwise, the client will only receive a "403 Forbidden" message.
+#
+# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
+#
+
+ #
+ # UserDir is disabled by default since it can confirm the presence
+ # of a username on the system (depending on home directory
+ # permissions).
+ #
+ UserDir disabled
+
+ #
+ # To enable requests to /~user/ to serve the user's public_html
+ # directory, remove the "UserDir disabled" line above, and uncomment
+ # the following line instead:
+ #
+ #UserDir public_html
+
+
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+#
+# AllowOverride FileInfo AuthConfig Limit
+# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+#
+# Order allow,deny
+# Allow from all
+#
+#
+# Order deny,allow
+# Deny from all
+#
+#
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Option can be used for the
+# same purpose, but it is much slower.
+#
+DirectoryIndex index.html index.html.var
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+
+ Order allow,deny
+ Deny from all
+ Satisfy All
+
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig /etc/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+
+# MIMEMagicFile /usr/share/magic.mime
+ MIMEMagicFile conf/magic
+
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# EnableMMAP: Control whether memory-mapping is used to deliver
+# files (assuming that the underlying OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. On some systems, turning it off (regardless of
+# filesystem) can improve performance; for details, please see
+# http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
+#
+#EnableMMAP off
+
+#
+# EnableSendfile: Control whether the sendfile kernel support is
+# used to deliver files (assuming that the OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. Please see
+# http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile
+#
+#EnableSendfile off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a
+# container, that host's errors will be logged there and not here.
+# +ErrorLog logs/error_log + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + +# +# The following directives define some format nicknames for use with +# a CustomLog directive (see below). +# +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this +# requires the mod_logio module to be loaded. +#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + +# +# The location and format of the access logfile (Common Logfile Format). +# If you do not define any access logfiles within a +# container, they will be logged here. Contrariwise, if you *do* +# define per- access logfiles, transactions will be +# logged therein and *not* in this file. +# +#CustomLog logs/access_log common + +# +# If you would like to have separate agent and referer logfiles, uncomment +# the following directives. +# +#CustomLog logs/referer_log referer +#CustomLog logs/agent_log agent + +# +# For a single logfile with access, agent, and referer information +# (Combined Logfile Format), use the following directive: +# +CustomLog logs/access_log combined + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +ServerSignature On + +# +# Aliases: Add here as many aliases as you need (with no limit). 
The format is +# Alias fakename realname +# +# Note that if you include a trailing / on fakename then the server will +# require it to be present in the URL. So "/icons" isn't aliased in this +# example, only "/icons/". If the fakename is slash-terminated, then the +# realname must also be slash terminated, and if the fakename omits the +# trailing slash, the realname must also omit it. +# +# We include the /icons/ alias for FancyIndexed directory listings. If you +# do not use FancyIndexing, you may comment this out. +# +Alias /icons/ "/var/www/icons/" + + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order allow,deny + Allow from all + + +# +# WebDAV module configuration section. +# + + # Location of the WebDAV lock database. + DAVLockDB /var/lib/dav/lockdb + + +# +# ScriptAlias: This controls which directories contain server scripts. +# ScriptAliases are essentially the same as Aliases, except that +# documents in the realname directory are treated as applications and +# run by the server when requested rather than as documents sent to the client. +# The same rules about trailing "/" apply to ScriptAlias directives as to +# Alias. +# +ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" + +# +# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Order allow,deny + Allow from all + + +# +# Redirect allows you to tell clients about documents which used to exist in +# your server's namespace, but do not anymore. This allows you to tell the +# clients where to look for the relocated document. +# Example: +# Redirect permanent /foo http://www.example.com/bar + +# +# Directives controlling the display of server-generated directory listings. +# + +# +# IndexOptions: Controls the appearance of server-generated directory +# listings. 
+# +IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8 + +# +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +# +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +# +DefaultIcon /icons/unknown.gif + +# +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename +# +#AddDescription "GZIP compressed document" .gz +#AddDescription "tar archive" .tar +#AddDescription "GZIP compressed tar archive" .tgz + +# +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. +# +# HeaderName is the name of a file which should be prepended to +# directory indexes. 
+ReadmeName README.html +HeaderName HEADER.html + +# +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +# +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + +# +# DefaultLanguage and AddLanguage allows you to specify the language of +# a document. You can then use content negotiation to give a browser a +# file in a language the user can understand. +# +# Specify a default language. This means that all data +# going out without a specific language tag (see below) will +# be marked with this one. You probably do NOT want to set +# this unless you are sure it is correct for all cases. +# +# * It is generally better to not mark a page as +# * being a certain language than marking it with the wrong +# * language! +# +# DefaultLanguage nl +# +# Note 1: The suffix does not have to be the same as the language +# keyword --- those with documents in Polish (whose net-standard +# language code is pl) may wish to use "AddLanguage pl .po" to +# avoid the ambiguity with the common suffix for perl scripts. +# +# Note 2: The example entries below illustrate that in some cases +# the two character 'Language' abbreviation is not identical to +# the two character 'Country' code for its country, +# E.g. 'Danmark/dk' versus 'Danish/da'. +# +# Note 3: In the case of 'ltz' we violate the RFC by using a three char +# specifier. There is 'work in progress' to fix this and get +# the reference data for rfc1766 cleaned up. 
+# +# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) +# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) +# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) +# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) +# Norwegian (no) - Polish (pl) - Portugese (pt) +# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv) +# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW) +# +AddLanguage ca .ca +AddLanguage cs .cz .cs +AddLanguage da .dk +AddLanguage de .de +AddLanguage el .el +AddLanguage en .en +AddLanguage eo .eo +AddLanguage es .es +AddLanguage et .et +AddLanguage fr .fr +AddLanguage he .he +AddLanguage hr .hr +AddLanguage it .it +AddLanguage ja .ja +AddLanguage ko .ko +AddLanguage ltz .ltz +AddLanguage nl .nl +AddLanguage nn .nn +AddLanguage no .no +AddLanguage pl .po +AddLanguage pt .pt +AddLanguage pt-BR .pt-br +AddLanguage ru .ru +AddLanguage sv .sv +AddLanguage zh-CN .zh-cn +AddLanguage zh-TW .zh-tw + +# +# LanguagePriority allows you to give precedence to some languages +# in case of a tie during content negotiation. +# +# Just list the languages in decreasing order of preference. We have +# more or less alphabetized them here. You probably want to change this. +# +LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW + +# +# ForceLanguagePriority allows you to serve a result page rather than +# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) +# [in case no accepted languages matched the available variants] +# +ForceLanguagePriority Prefer Fallback + +# +# Specify a default charset for all content served; this enables +# interpretation of all content as UTF-8 by default. 
To use the +# default browser choice (ISO-8859-1), or to allow the META tags +# in HTML content to override this choice, comment out this +# directive: +# +AddDefaultCharset UTF-8 + +# +# AddType allows you to add to or override the MIME configuration +# file mime.types for specific file types. +# +#AddType application/x-tar .tgz + +# +# AddEncoding allows you to have certain browsers uncompress +# information on the fly. Note: Not all browsers support this. +# Despite the name similarity, the following Add* directives have nothing +# to do with the FancyIndexing customization directives above. +# +#AddEncoding x-compress .Z +#AddEncoding x-gzip .gz .tgz + +# If the AddEncoding directives above are commented-out, then you +# probably should define those extensions to indicate media types: +# +AddType application/x-compress .Z +AddType application/x-gzip .gz .tgz + +# +# MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# +# AddHandler allows you to map certain file extensions to "handlers": +# actions unrelated to filetype. These can be either built into the server +# or added with the Action directive (see below) +# +# To use CGI scripts outside of ScriptAliased directories: +# (You will also need to add "ExecCGI" to the "Options" directive.) +# +#AddHandler cgi-script .cgi + +# +# For files that include their own HTTP headers: +# +#AddHandler send-as-is asis + +# +# For type maps (negotiated resources): +# (This is enabled by default to allow the Apache "It Worked" page +# to be distributed in multiple languages.) +# +AddHandler type-map var + +# +# Filters allow you to process content before it is sent to the client. +# +# To parse .shtml files for server-side includes (SSI): +# (You will also need to add "Includes" to the "Options" directive.) 
+# +AddType text/html .shtml +AddOutputFilter INCLUDES .shtml + +# +# Action lets you define media types that will execute a script whenever +# a matching file is called. This eliminates the need for repeated URL +# pathnames for oft-used CGI file processors. +# Format: Action media/type /cgi-script/location +# Format: Action handler-name /cgi-script/location +# + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# Putting this all together, we can internationalize error responses. +# +# We use Alias to redirect any /error/HTTP_.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# +# You can modify the messages' appearance without changing any of the +# default HTTP_.html.var files by adding the line: +# +# Alias /error/include/ "/your/include/path/" +# +# which allows you to create your own set of files by starting with the +# /var/www/error/include/ files and +# copying them to /your/include/path/, even on a per-VirtualHost basis. 
+# + +Alias /error/ "/var/www/error/" + + + + + AllowOverride None + Options IncludesNoExec + AddOutputFilter Includes html + AddHandler type-map var + Order allow,deny + Allow from all + LanguagePriority en es de fr + ForceLanguagePriority Prefer Fallback + + +# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +# ErrorDocument 410 /error/HTTP_GONE.html.var +# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var + + + + +# +# The following directives modify normal HTTP response behavior to +# handle known problems with browser implementations. +# +BrowserMatch "Mozilla/2" nokeepalive +BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 +BrowserMatch "RealPlayer 4\.0" force-response-1.0 +BrowserMatch "Java/1\.0" force-response-1.0 +BrowserMatch "JDK/1\.0" force-response-1.0 + +# +# The following directive disables redirects on non-GET requests for +# a directory that does not include the trailing slash. This fixes a +# problem with Microsoft WebFolders which does not appropriately handle +# redirects for folders with DAV methods. +# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. 
+# +BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully +BrowserMatch "MS FrontPage" redirect-carefully +BrowserMatch "^WebDrive" redirect-carefully +BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully +BrowserMatch "^gnome-vfs/1.0" redirect-carefully +BrowserMatch "^XML Spy" redirect-carefully +BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully + +# +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status +# Change the ".example.com" to match your domain to enable. +# +# +# SetHandler server-status +# Order deny,allow +# Deny from all +# Allow from .example.com +# + +# +# Allow remote server configuration reports, with the URL of +# http://servername/server-info (requires that mod_info.c be loaded). +# Change the ".example.com" to match your domain to enable. +# +# +# SetHandler server-info +# Order deny,allow +# Deny from all +# Allow from .example.com +# + +# +# Proxy Server directives. Uncomment the following lines to +# enable the proxy server: +# +# +#ProxyRequests On +# +# +# Order deny,allow +# Deny from all +# Allow from .example.com +# + +# +# Enable/disable the handling of HTTP/1.1 "Via:" headers. +# ("Full" adds the server version; "Block" removes all outgoing Via: headers) +# Set to one of: Off | On | Full | Block +# +#ProxyVia On + +# +# To enable a cache of proxied content, uncomment the following lines. +# See http://httpd.apache.org/docs/2.2/mod/mod_cache.html for more details. +# +# +# CacheEnable disk / +# CacheRoot "/var/cache/mod_proxy" +# +# + +# +# End of proxy directives. + +### Section 3: Virtual Hosts +# +# VirtualHost: If you want to maintain multiple domains/hostnames on your +# machine you can setup VirtualHost containers for them. Most configurations +# use only name-based virtual hosts so the server doesn't need to worry about +# IP addresses. This is indicated by the asterisks in the directives below. 
+# +# Please see the documentation at +# +# for further details before you try to setup virtual hosts. +# +# You may use the command line option '-S' to verify your virtual host +# configuration. + +# +# Use name-based virtual hosting. +# +#NameVirtualHost *:80 +# +# NOTE: NameVirtualHost cannot be used without a port specifier +# (e.g. :80) if mod_ssl is being used, due to the nature of the +# SSL protocol. +# + +# +# VirtualHost example: +# Almost any Apache directive may go into a VirtualHost container. +# The first VirtualHost section is used for requests without a known +# server name. +# +# +# ServerAdmin webmaster@dummy-host.example.com +# DocumentRoot /www/docs/dummy-host.example.com +# ServerName dummy-host.example.com +# ErrorLog logs/dummy-host.example.com-error_log +# CustomLog logs/dummy-host.example.com-access_log common +# diff --git a/httpd.init b/httpd.init new file mode 100755 index 0000000..597eeb8 --- /dev/null +++ b/httpd.init 
@@ -0,0 +1,123 @@
+#!/bin/bash
+#
+# httpd Startup script for the Apache HTTP Server
+#
+# chkconfig: - 85 15
+# description: The Apache HTTP Server is an efficient and extensible \
+# server implementing the current HTTP standards.
+# processname: httpd
+# config: /etc/httpd/conf/httpd.conf
+# config: /etc/sysconfig/httpd
+# pidfile: /var/run/httpd/httpd.pid
+#
+### BEGIN INIT INFO
+# Provides: httpd
+# Required-Start: $local_fs $remote_fs $network $named
+# Required-Stop: $local_fs $remote_fs $network
+# Should-Start: distcache
+# Short-Description: start and stop Apache HTTP Server
+# Description: The Apache HTTP Server is an extensible server
+# implementing the current HTTP standards.
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+if [ -f /etc/sysconfig/httpd ]; then
+ . /etc/sysconfig/httpd
+fi
+
+# Start httpd in the C locale by default.
+HTTPD_LANG=${HTTPD_LANG-"C"}
+
+# This will prevent initlog from swallowing up a pass-phrase prompt if
+# mod_ssl needs a pass-phrase from the user.
+INITLOG_ARGS=""
+
+# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+# with the thread-based "worker" MPM; BE WARNED that some modules may not
+# work correctly with a thread-based MPM; notably PHP will refuse to start.
+
+# Path to the apachectl script, server binary, and short-form for messages.
+apachectl=/usr/sbin/apachectl
+httpd=${HTTPD-/usr/sbin/httpd}
+prog=httpd
+pidfile=${PIDFILE-/var/run/httpd/httpd.pid}
+lockfile=${LOCKFILE-/var/lock/subsys/httpd}
+RETVAL=0
+
+# The semantics of these two functions differ from the way apachectl does
+# things -- attempting to start while running is a failure, and shutdown
+# when not running is also a failure. So we just do it the way init scripts
+# are expected to behave here.
+start() {
+ echo -n $"Starting $prog: "
+ LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && touch ${lockfile}
+ return $RETVAL
+}
+
+# When stopping httpd a delay of >10 second is required before SIGKILLing the
+# httpd parent; this gives enough time for the httpd parent to SIGKILL any
+# errant children.
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc -p ${pidfile} -d 10 $httpd
+ RETVAL=$?
+ echo
+ [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
+}
+reload() {
+ echo -n $"Reloading $prog: "
+ if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
+ RETVAL=6
+ echo $"not reloading due to configuration syntax error"
+ failure $"not reloading $httpd due to configuration syntax error"
+ else
+ # Force LSB behaviour from killproc
+ LSB=1 killproc -p ${pidfile} $httpd -HUP
+ RETVAL=$?
+ if [ $RETVAL -eq 7 ]; then
+ failure $"httpd shutdown"
+ fi
+ fi
+ echo
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ status)
+ status -p ${pidfile} $httpd
+ RETVAL=$?
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ condrestart|try-restart)
+ if status -p ${pidfile} $httpd >&/dev/null; then
+ stop
+ start
+ fi
+ ;;
+ force-reload|reload)
+ reload
+ ;;
+ graceful|help|configtest|fullstatus)
+ $apachectl $@
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|reload|status|fullstatus|graceful|help|configtest}"
+ RETVAL=2
+esac
+
+exit $RETVAL
diff --git a/httpd.logrotate b/httpd.logrotate
new file mode 100644
index 0000000..794b9d7
--- /dev/null
+++ b/httpd.logrotate
@@ -0,0 +1,9 @@
+/var/log/httpd/*log {
+ missingok
+ notifempty
+ sharedscripts
+ delaycompress
+ postrotate
+ /sbin/service httpd reload > /dev/null 2>/dev/null || true
+ endscript
+}
diff --git a/httpd.spec b/httpd.spec
new file mode 100644
index 0000000..3dd570d
--- /dev/null
+++ b/httpd.spec
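Review bot: In the `graceful|help|configtest|fullstatus)` branch of httpd.init the arguments are forwarded as `$apachectl $@`, which re-splits and glob-expands them; `$apachectl "$@"` passes them through unchanged. In `stop()`, `rm -f ${lockfile} ${pidfile}` acts on values that /etc/sysconfig/httpd can override through LOCKFILE and PIDFILE, and init scripts normally run as root, so quoting both (`rm -f "${lockfile}" "${pidfile}"`) keeps a path containing spaces or glob characters from removing some other file. `$OPTIONS` looks deliberately unquoted so that it splits into several flags; a one-line comment such as `# $OPTIONS is intentionally unquoted: it holds several flags` would stop a later cleanup from quoting it.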
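Review bot: The `postrotate` line in httpd.logrotate ends in `> /dev/null 2>/dev/null || true`, so a failed reload leaves no trace. httpd.init's `reload()` sets RETVAL=6 when the configuration test fails, and in that case httpd would presumably keep writing to the renamed file while the new log stays empty. Recording the failure keeps rotation non-fatal but makes the gap visible, for example `/sbin/service httpd reload > /dev/null 2>&1 || logger -t logrotate "httpd reload failed"`. The stanza also has no `create` line, so the owner and mode of new logs depend on settings outside this file; stating them here would make log access reviewable in one place.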
@@ -0,0 +1,841 @@ +%define contentdir /var/www +%define suexec_caller apache +%define mmn 20051115 +%define vstring Fedora +%define mpms worker event + +Summary: Apache HTTP Server +Name: httpd +Version: 2.2.16 +Release: 1%{?dist} +URL: http://httpd.apache.org/ +Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz +Source1: index.html +Source3: httpd.logrotate +Source4: httpd.init +Source5: httpd.sysconf +Source10: httpd.conf +Source11: ssl.conf +Source12: welcome.conf +Source13: manual.conf +# Documentation +Source33: README.confd +# build/scripts patches +Patch1: httpd-2.1.10-apctl.patch +Patch2: httpd-2.1.10-apxs.patch +Patch3: httpd-2.2.9-deplibs.patch +Patch4: httpd-2.1.10-disablemods.patch +Patch5: httpd-2.1.10-layout.patch +# Features/functional changes +Patch20: httpd-2.0.48-release.patch +Patch21: httpd-2.2.11-xfsz.patch +Patch22: httpd-2.1.10-pod.patch +Patch23: httpd-2.0.45-export.patch +Patch24: httpd-2.2.11-corelimit.patch +Patch25: httpd-2.2.11-selinux.patch +Patch26: httpd-2.2.9-suenable.patch +# Bug fixes +Patch54: httpd-2.2.0-authnoprov.patch +License: ASL 2.0 +Group: System Environment/Daemons +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +BuildRequires: autoconf, perl, pkgconfig, findutils +BuildRequires: zlib-devel, libselinux-devel +BuildRequires: apr-devel >= 1.2.0, apr-util-devel >= 1.2.0, pcre-devel >= 5.0 +Requires: initscripts >= 8.36, /etc/mime.types, system-logos >= 7.92.1-1 +Obsoletes: httpd-suexec +Requires(pre): /usr/sbin/useradd +Requires(post): chkconfig +Provides: webserver +Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} +Provides: httpd-mmn = %{mmn} +Requires: httpd-tools = %{version}-%{release}, apr-util-ldap + +%description +The Apache HTTP Server is a powerful, efficient, and extensible +web server. 
+ +%package devel +Group: Development/Libraries +Summary: Development interfaces for the Apache HTTP server +Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel +Requires: apr-devel, apr-util-devel, pkgconfig +Requires: httpd = %{version}-%{release} + +%description devel +The httpd-devel package contains the APXS binary and other files +that you need to build Dynamic Shared Objects (DSOs) for the +Apache HTTP Server. + +If you are installing the Apache HTTP server and you want to be +able to compile or develop additional modules for Apache, you need +to install this package. + +%package manual +Group: Documentation +Summary: Documentation for the Apache HTTP server +Requires: httpd = %{version}-%{release} +Obsoletes: secureweb-manual, apache-manual +BuildArch: noarch + +%description manual +The httpd-manual package contains the complete manual and +reference guide for the Apache HTTP server. The information can +also be found at http://httpd.apache.org/docs/2.2/. + +%package tools +Group: System Environment/Daemons +Summary: Tools for use with the Apache HTTP Server + +%description tools +The httpd-tools package contains tools which can be used with +the Apache HTTP Server. + +%package -n mod_ssl +Group: System Environment/Daemons +Summary: SSL/TLS module for the Apache HTTP Server +Epoch: 1 +BuildRequires: openssl-devel, distcache-devel +Requires(post): openssl, /bin/cat +Requires(pre): httpd +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn} +Obsoletes: stronghold-mod_ssl + +%description -n mod_ssl +The mod_ssl module provides strong cryptography for the Apache Web +server via the Secure Sockets Layer (SSL) and Transport Layer +Security (TLS) protocols. 
+ +%prep +%setup -q +%patch1 -p1 -b .apctl +%patch2 -p1 -b .apxs +%patch3 -p1 -b .deplibs +%patch4 -p1 -b .disablemods +%patch5 -p1 -b .layout + +%patch21 -p1 -b .xfsz +%patch22 -p1 -b .pod +%patch23 -p1 -b .export +%patch24 -p1 -b .corelimit +%patch25 -p1 -b .selinux +%patch26 -p1 -b .suenable + +%patch54 -p1 -b .authnoprov + +# Patch in vendor/release string +sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 + +# Safety check: prevent build if defined MMN does not equal upstream MMN. +vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` +if test "x${vmmn}" != "x%{mmn}"; then + : Error: Upstream MMN is now ${vmmn}, packaged MMN is %{mmn}. + : Update the mmn macro and rebuild. + exit 1 +fi + +: Building with MMN %{mmn} and vendor string '%{vstring}' + +%build +# forcibly prevent use of bundled apr, apr-util, pcre +rm -rf srclib/{apr,apr-util,pcre} + +# regenerate configure scripts +autoheader && autoconf || exit 1 + +# Before configure; fix location of build dir in generated apxs +%{__perl} -pi -e "s:\@exp_installbuilddir\@:%{_libdir}/httpd/build:g" \ + support/apxs.in + +CFLAGS=$RPM_OPT_FLAGS +SH_LDFLAGS="-Wl,-z,relro" +export CFLAGS SH_LDFLAGS + +# Hard-code path to links to avoid unnecessary builddep +export LYNX_PATH=/usr/bin/links + +function mpmbuild() +{ +mpm=$1; shift +mkdir $mpm; pushd $mpm +../configure \ + --prefix=%{_sysconfdir}/httpd \ + --exec-prefix=%{_prefix} \ + --bindir=%{_bindir} \ + --sbindir=%{_sbindir} \ + --mandir=%{_mandir} \ + --libdir=%{_libdir} \ + --sysconfdir=%{_sysconfdir}/httpd/conf \ + --includedir=%{_includedir}/httpd \ + --libexecdir=%{_libdir}/httpd/modules \ + --datadir=%{contentdir} \ + --with-installbuilddir=%{_libdir}/httpd/build \ + --with-mpm=$mpm \ + --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ + --enable-suexec --with-suexec \ + --with-suexec-caller=%{suexec_caller} \ + --with-suexec-docroot=%{contentdir} \ + --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ + 
--with-suexec-bin=%{_sbindir}/suexec \ + --with-suexec-uidmin=500 --with-suexec-gidmin=100 \ + --enable-pie \ + --with-pcre \ + $* + +make %{?_smp_mflags} +popd +} + +# Build everything and the kitchen sink with the prefork build +mpmbuild prefork \ + --enable-mods-shared=all \ + --enable-ssl --with-ssl --enable-distcache \ + --enable-proxy \ + --enable-cache \ + --enable-disk-cache \ + --enable-ldap --enable-authnz-ldap \ + --enable-cgid \ + --enable-authn-anon --enable-authn-alias \ + --disable-imagemap + +# For the other MPMs, just build httpd and no optional modules +for f in %{mpms}; do + mpmbuild $f --enable-modules=none +done + +%install +rm -rf $RPM_BUILD_ROOT + +# Classify ab and logresolve as section 1 commands, as they are in /usr/bin +mv docs/man/ab.8 docs/man/ab.1 +mv docs/man/logresolve.8 docs/man/logresolve.1 + +pushd prefork +make DESTDIR=$RPM_BUILD_ROOT install +popd + +# install alternative MPMs +for f in %{mpms}; do + install -m 755 ${f}/httpd $RPM_BUILD_ROOT%{_sbindir}/httpd.${f} +done + +# install conf file/directory +mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d +install -m 644 $RPM_SOURCE_DIR/README.confd \ + $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/README +for f in ssl.conf welcome.conf manual.conf; do + install -m 644 -p $RPM_SOURCE_DIR/$f \ + $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/$f +done + +rm $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/*.conf +install -m 644 -p $RPM_SOURCE_DIR/httpd.conf \ + $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/httpd.conf + +mkdir $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +install -m 644 -p $RPM_SOURCE_DIR/httpd.sysconf \ + $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/httpd + +# for holding mod_dav lock database +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/dav + +# create a prototype session cache +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/mod_ssl +touch $RPM_BUILD_ROOT%{_localstatedir}/cache/mod_ssl/scache.{dir,pag,sem} + +# create cache root +mkdir $RPM_BUILD_ROOT%{_localstatedir}/cache/mod_proxy + +# move 
utilities to /usr/bin +mv $RPM_BUILD_ROOT%{_sbindir}/{ab,htdbm,logresolve,htpasswd,htdigest} \ + $RPM_BUILD_ROOT%{_bindir} + +# Make the MMN accessible to module packages +echo %{mmn} > $RPM_BUILD_ROOT%{_includedir}/httpd/.mmn + +# docroot +mkdir $RPM_BUILD_ROOT%{contentdir}/html +install -m 644 -p $RPM_SOURCE_DIR/index.html \ + $RPM_BUILD_ROOT%{contentdir}/error/noindex.html + +# remove manual sources +find $RPM_BUILD_ROOT%{contentdir}/manual \( \ + -name \*.xml -o -name \*.xml.* -o -name \*.ent -o -name \*.xsl -o -name \*.dtd \ + \) -print0 | xargs -0 rm -f + +# Strip the manual down just to English and replace the typemaps with flat files: +set +x +for f in `find $RPM_BUILD_ROOT%{contentdir}/manual -name \*.html -type f`; do + if test -f ${f}.en; then + cp ${f}.en ${f} + rm ${f}.* + fi +done +set -x + +# Symlink for the powered-by-$DISTRO image: +ln -s ../../..%{_datadir}/pixmaps/poweredby.png \ + $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png + +# Set up /var directories +rmdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/logs +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/httpd +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/httpd + +# symlinks for /etc/httpd +ln -s ../..%{_localstatedir}/log/httpd $RPM_BUILD_ROOT/etc/httpd/logs +ln -s ../..%{_localstatedir}/run/httpd $RPM_BUILD_ROOT/etc/httpd/run +ln -s ../..%{_libdir}/httpd/modules $RPM_BUILD_ROOT/etc/httpd/modules + +# install SYSV init stuff +mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d +install -m755 $RPM_SOURCE_DIR/httpd.init \ + $RPM_BUILD_ROOT/etc/rc.d/init.d/httpd + +# install log rotation stuff +mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d +install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \ + $RPM_BUILD_ROOT/etc/logrotate.d/httpd + +# fix man page paths +sed -e "s|/usr/local/apache2/conf/httpd.conf|/etc/httpd/conf/httpd.conf|" \ + -e "s|/usr/local/apache2/conf/mime.types|/etc/mime.types|" \ + -e "s|/usr/local/apache2/conf/magic|/etc/httpd/conf/magic|" \ + -e 
"s|/usr/local/apache2/logs/error_log|/var/log/httpd/error_log|" \ + -e "s|/usr/local/apache2/logs/access_log|/var/log/httpd/access_log|" \ + -e "s|/usr/local/apache2/logs/httpd.pid|/var/run/httpd/httpd.pid|" \ + -e "s|/usr/local/apache2|/etc/httpd|" < docs/man/httpd.8 \ + > $RPM_BUILD_ROOT%{_mandir}/man8/httpd.8 + +# Make ap_config_layout.h libdir-agnostic +sed -i '/.*DEFAULT_..._LIBEXECDIR/d;/DEFAULT_..._INSTALLBUILDDIR/d' \ + $RPM_BUILD_ROOT%{_includedir}/httpd/ap_config_layout.h + +# Fix path to instdso in special.mk +sed -i '/instdso/s,top_srcdir,top_builddir,' \ + $RPM_BUILD_ROOT%{_libdir}/httpd/build/special.mk + +# Remove unpackaged files +rm -f $RPM_BUILD_ROOT%{_libdir}/*.exp \ + $RPM_BUILD_ROOT/etc/httpd/conf/mime.types \ + $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.exp \ + $RPM_BUILD_ROOT%{_libdir}/httpd/build/config.nice \ + $RPM_BUILD_ROOT%{_bindir}/ap?-config \ + $RPM_BUILD_ROOT%{_sbindir}/{checkgid,dbmmanage,envvars*} \ + $RPM_BUILD_ROOT%{contentdir}/htdocs/* \ + $RPM_BUILD_ROOT%{_mandir}/man1/dbmmanage.* \ + $RPM_BUILD_ROOT%{contentdir}/cgi-bin/* + +rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra} + +# Make suexec a+rw so it can be stripped. %%files lists real permissions +chmod 755 $RPM_BUILD_ROOT%{_sbindir}/suexec + +%pre +# Add the "apache" user +/usr/sbin/useradd -c "Apache" -u 48 \ + -s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || : + +%post +# Register the httpd service +/sbin/chkconfig --add httpd + +%preun +if [ $1 = 0 ]; then + /sbin/service httpd stop > /dev/null 2>&1 + /sbin/chkconfig --del httpd +fi + +%posttrans +/sbin/service httpd condrestart >/dev/null 2>&1 || : + +%define sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt +%define sslkey %{_sysconfdir}/pki/tls/private/localhost.key + +%post -n mod_ssl +umask 077 + +if [ ! 
-f %{sslkey} ] ; then +%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{sslkey} 2> /dev/null +fi + +FQDN=`hostname` +if [ "x${FQDN}" = "x" ]; then + FQDN=localhost.localdomain +fi + +if [ ! -f %{sslcert} ] ; then +cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \ + -x509 -days 365 -set_serial $RANDOM \ + -out %{sslcert} 2>/dev/null +-- +SomeState +SomeCity +SomeOrganization +SomeOrganizationalUnit +${FQDN} +root@${FQDN} +EOF +fi + +%check +# Check the built modules are all PIC +if readelf -d $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so | grep TEXTREL; then + : modules contain non-relocatable code + exit 1 +fi + +# Verify that the same modules were built into the httpd binaries +./prefork/httpd -l | grep -v prefork > prefork.mods +for mpm in %{mpms}; do + ./${mpm}/httpd -l | grep -v ${mpm} > ${mpm}.mods + if ! diff -u prefork.mods ${mpm}.mods; then + : Different modules built into httpd binaries, will not proceed + exit 1 + fi +done + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) + +%doc ABOUT_APACHE README CHANGES LICENSE VERSIONING NOTICE + +%dir %{_sysconfdir}/httpd +%{_sysconfdir}/httpd/modules +%{_sysconfdir}/httpd/logs +%{_sysconfdir}/httpd/run +%dir %{_sysconfdir}/httpd/conf +%config(noreplace) %{_sysconfdir}/httpd/conf/httpd.conf +%config(noreplace) %{_sysconfdir}/httpd/conf.d/welcome.conf +%config(noreplace) %{_sysconfdir}/httpd/conf/magic + +%config(noreplace) %{_sysconfdir}/logrotate.d/httpd +%{_sysconfdir}/rc.d/init.d/httpd + +%dir %{_sysconfdir}/httpd/conf.d +%{_sysconfdir}/httpd/conf.d/README + +%config(noreplace) %{_sysconfdir}/sysconfig/httpd + +%{_sbindir}/ht* +%{_sbindir}/apachectl +%{_sbindir}/rotatelogs +%attr(4510,root,%{suexec_caller}) %{_sbindir}/suexec + +%dir %{_libdir}/httpd +%dir %{_libdir}/httpd/modules +%{_libdir}/httpd/modules/mod*.so +%exclude %{_libdir}/httpd/modules/mod_ssl.so + +%dir %{contentdir} 
+%dir %{contentdir}/cgi-bin +%dir %{contentdir}/html +%dir %{contentdir}/icons +%dir %{contentdir}/error +%dir %{contentdir}/error/include +%{contentdir}/icons/* +%{contentdir}/error/README +%{contentdir}/error/noindex.html +%config %{contentdir}/error/*.var +%config %{contentdir}/error/include/*.html + +%attr(0710,root,apache) %dir %{_localstatedir}/run/httpd +%attr(0700,root,root) %dir %{_localstatedir}/log/httpd +%attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav +%attr(0700,apache,apache) %dir %{_localstatedir}/cache/mod_proxy + +%{_mandir}/man8/* +%exclude %{_mandir}/man8/apxs.8* + +%files tools +%defattr(-,root,root) +%{_bindir}/* +%{_mandir}/man1/* +%doc LICENSE NOTICE + +%files manual +%defattr(-,root,root) +%{contentdir}/manual +%config %{_sysconfdir}/httpd/conf.d/manual.conf + +%files -n mod_ssl +%defattr(-,root,root) +%{_libdir}/httpd/modules/mod_ssl.so +%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf +%attr(0700,apache,root) %dir %{_localstatedir}/cache/mod_ssl +%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.dir +%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.pag +%attr(0600,apache,root) %ghost %{_localstatedir}/cache/mod_ssl/scache.sem + +%files devel +%defattr(-,root,root) +%{_includedir}/httpd +%{_sbindir}/apxs +%{_mandir}/man8/apxs.8* +%dir %{_libdir}/httpd/build +%{_libdir}/httpd/build/*.mk +%{_libdir}/httpd/build/*.sh + +%changelog +* Mon Jul 26 2010 Joe Orton - 2.2.16-1 +- update to 2.2.16 + +* Fri Jul 9 2010 Joe Orton - 2.2.15-3 +- default config tweaks: + * harden httpd.conf w.r.t. 
.htaccess restriction (#591293) + * load mod_substitute, mod_version by default + * drop proxy_ajp.conf, load mod_proxy_ajp in httpd.conf + * add commented list of shipped-but-unloaded modules + * bump up worker defaults a little + * drop KeepAliveTimeout to 5 secs per upstream +- fix LSB compliance in init script (#522074) +- bundle NOTICE in -tools +- use init script in logrotate postrotate to pick up PIDFILE +- drop some old Obsoletes/Conflicts + +* Sun Apr 04 2010 Robert Scheck - 2.2.15-1 +- update to 2.2.15 (#572404, #579311) + +* Thu Dec 3 2009 Joe Orton - 2.2.14-1 +- update to 2.2.14 +- relax permissions on /var/run/httpd (#495780) +- Requires(pre): httpd in mod_ssl subpackage (#543275) +- add partial security fix for CVE-2009-3555 (#533125) + +* Tue Oct 27 2009 Tom "spot" Callaway 2.2.13-4 +- add additional explanatory text to test page to help prevent legal emails to Fedora + +* Tue Sep 8 2009 Joe Orton 2.2.13-2 +- restart service in posttrans (#491567) + +* Fri Aug 21 2009 Tomas Mraz - 2.2.13-2 +- rebuilt with new openssl + +* Tue Aug 18 2009 Joe Orton 2.2.13-1 +- update to 2.2.13 + +* Fri Jul 24 2009 Fedora Release Engineering - 2.2.11-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Jun 16 2009 Joe Orton 2.2.11-9 +- build -manual as noarch + +* Tue Mar 17 2009 Joe Orton 2.2.11-8 +- fix pidfile in httpd.logrotate (thanks to Rainer Traut) +- don't build mod_mem_cache or mod_file_cache + +* Tue Feb 24 2009 Fedora Release Engineering - 2.2.11-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Jan 22 2009 Joe Orton 2.2.11-6 +- Require: apr-util-ldap (#471898) +- init script changes: pass pidfile to status(), use status() in + condrestart (#480602), support try-restart as alias for + condrestart +- change /etc/httpd/run symlink to have destination /var/run/httpd, + and restore "run/httpd.conf" as default PidFile (#478688) + +* Fri Jan 16 2009 Tomas Mraz 2.2.11-5 +- rebuild with new openssl + +* Sat 
Dec 27 2008 Robert Scheck 2.2.11-4 +- Made default configuration using /var/run/httpd for pid file + +* Thu Dec 18 2008 Joe Orton 2.2.11-3 +- update to 2.2.11 +- package new /var/run/httpd directory, and move default pidfile + location inside there + +* Tue Oct 21 2008 Joe Orton 2.2.10-2 +- update to 2.2.10 + +* Tue Jul 15 2008 Joe Orton 2.2.9-5 +- move AddTypes for SSL cert/CRL types from ssl.conf to httpd.conf (#449979) + +* Mon Jul 14 2008 Joe Orton 2.2.9-4 +- use Charset=UTF-8 in default httpd.conf (#455123) +- only enable suexec when appropriate (Jim Radford, #453697) + +* Thu Jul 10 2008 Tom "spot" Callaway 2.2.9-3 +- rebuild against new db4 4.7 + +* Tue Jul 8 2008 Joe Orton 2.2.9-2 +- update to 2.2.9 +- build event MPM too + +* Wed Jun 4 2008 Joe Orton 2.2.8-4 +- correct UserDir directive in default config (#449815) + +* Tue Feb 19 2008 Fedora Release Engineering - 2.2.8-3 +- Autorebuild for GCC 4.3 + +* Tue Jan 22 2008 Joe Orton 2.2.8-2 +- update to 2.2.8 +- drop mod_imagemap + +* Wed Dec 05 2007 Release Engineering - 2.2.6-4 + - Rebuild for openssl bump + +* Mon Sep 17 2007 Joe Orton 2.2.6-3 +- add fix for SSL library string regression (PR 43334) +- use powered-by logo from system-logos (#250676) +- preserve timestamps for installed config files + +* Fri Sep 7 2007 Joe Orton 2.2.6-2 +- update to 2.2.6 (#250757, #282761) + +* Sun Sep 2 2007 Joe Orton 2.2.4-10 +- rebuild for fixed APR + +* Wed Aug 22 2007 Joe Orton 2.2.4-9 +- rebuild for expat soname bump + +* Tue Aug 21 2007 Joe Orton 2.2.4-8 +- fix License +- require /etc/mime.types (#249223) + +* Thu Jul 26 2007 Joe Orton 2.2.4-7 +- drop -tools dependency on httpd (thanks to Matthias Saou) + +* Wed Jul 25 2007 Joe Orton 2.2.4-6 +- split out utilities into -tools subpackage, based on patch + by Jason Tibbs (#238257) + +* Tue Jul 24 2007 Joe Orton 2.2.4-5 +- spec file cleanups: provide httpd-suexec, mod_dav; + don't obsolete mod_jk; drop trailing dots from Summaries +- init script + * add LSB info header, 
support force-reload (#246944) + * update description + * drop 1.3 config check + * pass $pidfile to daemon and pidfile everywhere + +* Wed May 9 2007 Joe Orton 2.2.4-4 +- update welcome page branding + +* Tue Apr 3 2007 Joe Orton 2.2.4-3 +- drop old triggers, old Requires, xmlto BR +- use Requires(...) correctly +- use standard BuildRoot +- don't mark init script as config file +- trim CHANGES further + +* Mon Mar 12 2007 Joe Orton 2.2.4-2 +- update to 2.2.4 +- drop the migration guide (#223605) + +* Thu Dec 7 2006 Joe Orton 2.2.3-8 +- fix path to instdso.sh in special.mk (#217677) +- fix detection of links in "apachectl fullstatus" + +* Tue Dec 5 2006 Joe Orton 2.2.3-7 +- rebuild for libpq soname bump + +* Sat Nov 11 2006 Joe Orton 2.2.3-6 +- rebuild for BDB soname bump + +* Mon Sep 11 2006 Joe Orton 2.2.3-5 +- updated "powered by Fedora" logo (#205573, Diana Fong) +- tweak welcome page wording slightly (#205880) + +* Fri Aug 18 2006 Jesse Keating - 2.2.3-4 +- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc* + (#203001) + +* Thu Aug 3 2006 Joe Orton 2.2.3-3 +- init: use killproc() delay to avoid race killing parent + +* Fri Jul 28 2006 Joe Orton 2.2.3-2 +- update to 2.2.3 +- trim %%changelog to >=2.0.52 + +* Thu Jul 20 2006 Joe Orton 2.2.2-8 +- fix segfault on dummy connection failure at graceful restart (#199429) + +* Wed Jul 19 2006 Joe Orton 2.2.2-7 +- fix "apxs -g"-generated Makefile +- fix buildconf with autoconf 2.60 + +* Wed Jul 12 2006 Jesse Keating - 2.2.2-5.1 +- rebuild + +* Wed Jun 7 2006 Joe Orton 2.2.2-5 +- require pkgconfig for -devel (#194152) +- fixes for installed support makefiles (special.mk et al) +- BR autoconf + +* Fri Jun 2 2006 Joe Orton 2.2.2-4 +- make -devel package multilib-safe (#192686) + +* Thu May 11 2006 Joe Orton 2.2.2-3 +- build DSOs using -z relro linker flag + +* Wed May 3 2006 Joe Orton 2.2.2-2 +- update to 2.2.2 + +* Thu Apr 6 2006 Joe Orton 2.2.0-6 +- rebuild to pick up apr-util LDAP interface fix 
(#188073) + +* Fri Feb 10 2006 Jesse Keating - (none):2.2.0-5.1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - (none):2.2.0-5.1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Feb 6 2006 Joe Orton 2.2.0-5.1 +- mod_auth_basic/mod_authn_file: if no provider is configured, + and AuthUserFile is not configured, decline to handle authn + silently rather than failing noisily. + +* Fri Feb 3 2006 Joe Orton 2.2.0-5 +- mod_ssl: add security fix for CVE-2005-3357 (#177914) +- mod_imagemap: add security fix for CVE-2005-3352 (#177913) +- add fix for AP_INIT_* designated initializers with C++ compilers +- httpd.conf: enable HTMLTable in default IndexOptions +- httpd.conf: add more "redirect-carefully" matches for DAV clients + +* Thu Jan 5 2006 Joe Orton 2.2.0-4 +- mod_proxy_ajp: fix Cookie handling (Mladen Turk, r358769) + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Wed Dec 7 2005 Joe Orton 2.2.0-3 +- strip manual to just English content + +* Mon Dec 5 2005 Joe Orton 2.2.0-2 +- don't strip C-L from HEAD responses (Greg Ames, #110552) +- load mod_proxy_balancer by default +- add proxy_ajp.conf to load/configure mod_proxy_ajp +- Obsolete mod_jk +- update docs URLs in httpd.conf/ssl.conf + +* Fri Dec 2 2005 Joe Orton 2.2.0-1 +- update to 2.2.0 + +* Wed Nov 30 2005 Joe Orton 2.1.10-2 +- enable mod_authn_alias, mod_authn_anon +- update default httpd.conf + +* Fri Nov 25 2005 Joe Orton 2.1.10-1 +- update to 2.1.10 +- require apr >= 1.2.0, apr-util >= 1.2.0 + +* Wed Nov 9 2005 Tomas Mraz 2.0.54-16 +- rebuilt against new openssl + +* Thu Nov 3 2005 Joe Orton 2.0.54-15 +- log notice giving SELinux context at startup if enabled +- drop SSLv2 and restrict default cipher suite in default + SSL configuration + +* Thu Oct 20 2005 Joe Orton 2.0.54-14 +- mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700) +- add security fix for byterange filter DoS (CVE-2005-2728) +- add security fix for C-L vs T-E handling (CVE-2005-2088) 
+- mod_ssl: add security fix for CRL overflow (CVE-2005-1268) +- mod_ldap/mod_auth_ldap: add fixes from 2.0.x branch (upstream #34209 etc) +- add fix for dummy connection handling (#167425) +- mod_auth_digest: fix hostinfo comparison in CONNECT requests +- mod_include: fix variable corruption in nested includes (upstream #12655) +- mod_ssl: add fix for handling non-blocking reads +- mod_ssl: fix to enable output buffering (upstream #35279) +- mod_ssl: buffer request bodies for per-location renegotiation (upstream #12355) + +* Sat Aug 13 2005 Joe Orton 2.0.54-13 +- don't load by default: mod_cern_meta, mod_asis +- do load by default: mod_ext_filter (#165893) + +* Thu Jul 28 2005 Joe Orton 2.0.54-12 +- drop broken epoch deps + +* Thu Jun 30 2005 Joe Orton 2.0.54-11 +- mod_dav_fs: fix uninitialized variable (#162144) +- add epoch to dependencies as appropriate +- mod_ssl: drop dependencies on dev, make +- mod_ssl: mark post script dependencies as such + +* Mon May 23 2005 Joe Orton 2.0.54-10 +- remove broken symlink (Robert Scheck, #158404) + +* Wed May 18 2005 Joe Orton 2.0.54-9 +- add piped logger fixes (w/Jeff Trawick) + +* Mon May 9 2005 Joe Orton 2.0.54-8 +- drop old "powered by Red Hat" logos + +* Wed May 4 2005 Joe Orton 2.0.54-7 +- mod_userdir: fix memory allocation issue (upstream #34588) +- mod_ldap: fix memory corruption issue (Brad Nicholes, upstream #34618) + +* Tue Apr 26 2005 Joe Orton 2.0.54-6 +- fix key/cert locations in post script + +* Mon Apr 25 2005 Joe Orton 2.0.54-5 +- create default dummy cert in /etc/pki/tls +- use a pseudo-random serial number on the dummy cert +- change default ssl.conf to point at /etc/pki/tls +- merge back -suexec subpackage; SELinux policy can now be + used to persistently disable suexec (#155716) +- drop /etc/httpd/conf/ssl.* directories and Makefiles +- unconditionally enable PIE support +- mod_ssl: fix for picking up -shutdown options (upstream #34452) + +* Mon Apr 18 2005 Joe Orton 2.0.54-4 +- replace PreReq with 
Requires(pre) + +* Mon Apr 18 2005 Joe Orton 2.0.54-3 +- update to 2.0.54 + +* Tue Mar 29 2005 Joe Orton 2.0.53-6 +- update default httpd.conf: + * clarify the comments on AddDefaultCharset usage (#135821) + * remove all the AddCharset default extensions + * don't load mod_imap by default + * synch with upstream 2.0.53 httpd-std.conf +- mod_ssl: set user from SSLUserName in access hook (upstream #31418) +- htdigest: fix permissions of created files (upstream #33765) +- remove htsslpass + +* Wed Mar 2 2005 Joe Orton 2.0.53-5 +- apachectl: restore use of $OPTIONS again + +* Wed Feb 9 2005 Joe Orton 2.0.53-4 +- update to 2.0.53 +- move prefork/worker modules comparison to %%check + +* Mon Feb 7 2005 Joe Orton 2.0.52-7 +- fix cosmetic issues in "service httpd reload" +- move User/Group higher in httpd.conf (#146793) +- load mod_logio by default in httpd.conf +- apachectl: update for correct libselinux tools locations + +* Tue Nov 16 2004 Joe Orton 2.0.52-6 +- add security fix for CVE CAN-2004-0942 (memory consumption DoS) +- SELinux: run httpd -t under runcon in configtest (Steven Smalley) +- fix SSLSessionCache comment for distcache in ssl.conf +- restart using SIGHUP not SIGUSR1 after logrotate +- add ap_save_brigade fix (upstream #31247) +- mod_ssl: fix possible segfault in auth hook (upstream #31848) +- add htsslpass(1) and configure as default SSLPassPhraseDialog (#128677) +- apachectl: restore use of $OPTIONS +- apachectl, httpd.init: refuse to restart if $HTTPD -t fails +- apachectl: run $HTTPD -t in user SELinux context for configtest +- update for pcre-5.0 header locations + +* Sat Nov 13 2004 Jeff Johnson 2.0.52-5 +- rebuild against db-4.3.21 aware apr-util. + +* Thu Nov 11 2004 Jeff Johnson 2.0.52-4 +- rebuild against db-4.3-21. + +* Thu Sep 28 2004 Joe Orton 2.0.52-3 +- add dummy connection address fixes from HEAD +- mod_ssl: add security fix for CAN-2004-0885 + +* Tue Sep 28 2004 Joe Orton 2.0.52-2 +- update to 2.0.52 + 
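Review bot: In `%post -n mod_ssl` the default server key is generated as 1024-bit RSA, which is below the 2048-bit minimum that current guidance expects for a TLS key, and the `-rand /proc/...` list feeds mostly static, world-readable files rather than entropy. I would change the line to `%{_bindir}/openssl genrsa 2048 > %{sslkey} 2> /dev/null || rm -f %{sslkey}`. The `|| rm -f` matters because the redirection creates the file even when openssl fails, after which the `[ ! -f %{sslkey} ]` guard never regenerates it and mod_ssl is left with an empty key. The serial from `-set_serial $RANDOM` has at most 15 bits under bash, so the dummy certificates of different hosts will share serial numbers; a longer random value would avoid that.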
diff --git a/httpd.sysconf b/httpd.sysconf
new file mode 100644
index 0000000..7102c61
--- /dev/null
+++ b/httpd.sysconf
@@ -0,0 +1,22 @@
+# Configuration file for the httpd service.
+
+#
+# The default processing model (MPM) is the process-based
+# 'prefork' model. A thread-based model, 'worker', is also
+# available, but does not work with some modules (such as PHP).
+# The service must be stopped before changing this variable.
+#
+#HTTPD=/usr/sbin/httpd.worker
+
+#
+# To pass additional options (for instance, -D definitions) to the
+# httpd binary at startup, set OPTIONS here.
+#
+#OPTIONS=
+
+#
+# By default, the httpd process is started in the C locale; to
+# change the locale in which the server runs, the HTTPD_LANG
+# variable can be set.
+#
+#HTTPD_LANG=C
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..5dfe52d
--- /dev/null
+++ b/index.html
@@ -0,0 +1,130 @@ + + + + + Test Page for the Apache HTTP Server on Fedora + + + + + +

Fedora Test Page

+ +
+
+

This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the web server installed at this site is working properly, but has not yet been configured.

+
+
+ +
+
+

If you are a member of the general public:

+ +

The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.

+ +

If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.

+ +

For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".

+ +

Fedora is a distribution of Linux, a popular computer operating system. It is commonly used by hosting companies because it is free, and includes free web server software. Many times, they do not set up their web server correctly, and it displays this "test page" instead of the expected website. + +

Accordingly, please keep these facts in mind: +

  • Neither the Fedora Project or Red Hat has any affiliation with any website or content hosted from this server (unless otherwise explicitly stated).
  • +
  • Neither the Fedora Project or Red Hat has "hacked" this webserver, this test page is an included component of Apache's httpd webserver software.
  • + +

    For more information about Fedora, please visit the Fedora Project website.

    +
    +
    + +
    +

    If you are the website administrator:

    + +

    You may now add content to the directory /var/www/html/. Note that until you do so, people visiting your website will see this page, and not your content. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf.

    + +
    +

    You are free to use the images below on Apache and Fedora powered HTTP servers. Thanks for using Apache and Fedora!

    + +

    [ Powered by Apache ] [ Powered by Fedora ]

    +
    +
    +
    +
    + + diff --git a/manual.conf b/manual.conf new file mode 100644 index 0000000..f2cbc8f --- /dev/null +++ b/manual.conf @@ -0,0 +1,12 @@ +# +# This configuration file allows the manual to be accessed at +# http://localhost/manual/ +# +AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/var/www/manual$1" + + + Options Indexes + AllowOverride None + Order allow,deny + Allow from all + diff --git a/ssl.conf b/ssl.conf new file mode 100644 index 0000000..07fe32b --- /dev/null +++ b/ssl.conf 
@@ -0,0 +1,223 @@
+#
+# This is the Apache server configuration file providing SSL support.
+# It contains the configuration directives to instruct the server how to
+# serve pages over an https connection. For detailing information about these
+# directives see
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+
+LoadModule ssl_module modules/mod_ssl.so
+
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
+SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex default
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead.
Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect. Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file.
Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation.
This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers.
Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+
diff --git a/welcome.conf b/welcome.conf
new file mode 100644
index 0000000..c1d23c5
--- /dev/null
+++ b/welcome.conf
@@ -0,0 +1,11 @@
+#
+# This configuration file enables the default "Welcome"
+# page if there is no default index page present for
+# the root URL. To disable the Welcome page, comment
+# out all the lines below.
+#
+
+ Options -Indexes
+ ErrorDocument 403 /error/noindex.html
+
+
-- cgit
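Review bot: The SSL virtual host in ssl.conf ships with `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW`, which still admits the LOW (single-DES) and MEDIUM (including RC4) classes, and `SSLProtocol all -SSLv2` leaves SSLv3 enabled. No `SSLHonorCipherOrder` appears in this hunk, so the client's preference picks among those suites, and a weak client or a downgraded handshake can end up on them. I would tighten the defaults to `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5` and `SSLHonorCipherOrder on`. The comment above SSLCipherSuite should also say that this string is a security policy to be reviewed against the installed OpenSSL (`openssl ciphers -v` on the same string shows what it expands to), not only a compatibility list.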