  • Directive Quick Reference - Apache HTTP Server
    Off sv E Ignore the fact that a response has no Last Modified header CacheLastModifiedFactor float 0 1 sv E The factor used to compute an expiry date based on the LastModified date CacheMaxExpire seconds 86400 one day sv E The maximum time in seconds to cache a document CacheMaxFileSize bytes 1000000 sv E The maximum size in bytes of a document to be placed in the cache CacheMinFileSize bytes 1 sv E The minimum size in bytes of a document to be placed in the cache CacheNegotiatedDocs On Off Off sv B Allows content negotiated documents to be cached by proxy servers CacheRoot directory sv E The directory root under which cache files are stored CacheStoreNoStore On Off Off sv E Attempt to cache requests or responses that have been marked as no store CacheStorePrivate On Off Off sv E Attempt to cache responses that the server has marked as private CGIMapExtension cgi path extension dh C Technique for locating the interpreter for CGI scripts CharsetDefault charset svdh X Charset to translate into CharsetOptions option option DebugLevel 0 NoImpl svdh X Configures charset translation behavior CharsetSourceEnc charset svdh X Source charset of files CheckSpelling on off Off svdh E Enables the spelling module ContentDigest On Off Off svdh C Enables the generation of Content MD5 HTTP Response headers CookieDomain domain svdh E The domain to which the tracking cookie applies CookieExpires expiry period svdh E Expiry time for the tracking cookie CookieLog filename sv B Sets filename for the logging of cookies CookieName token Apache svdh E Name of the tracking cookie CookieStyle Netscape Cookie Cookie2 RFC2109 RFC2965 Netscape svdh E Format of the cookie header field CookieTracking on off off svdh E Enables tracking cookie CoreDumpDirectory directory s M Directory where Apache attempts to switch before dumping core CustomLog file pipe format nickname env environment variable sv B Sets filename and format of log file Dav On Off provider name Off d E Enable WebDAV HTTP 
methods DavDepthInfinity on off off svd E Allow PROPFIND Depth Infinity requests DavGenericLockDB file path svd E Location of the DAV lock database DavLockDB file path sv E Location of the DAV lock database DavMinTimeout seconds 0 svd E Minimum amount of time the server holds a lock on a DAV resource DBDExptime time in seconds sv E Keepalive time for idle connections DBDKeep number sv E Maximum sustained number of connections DBDMax number sv E Maximum number of connections DBDMin number sv E Minimum number of connections DBDParams param1 value1 param2 value2 sv E Parameters for database connection DBDPersist 0 1 sv E Whether to use persistent connections DBDPrepareSQL SQL statement label sv E Define an SQL prepared statement DBDriver name sv E Specify an SQL driver DefaultIcon url path svdh B Icon to display for files when no specific icon is configured DefaultLanguage MIME lang svdh B Sets all files in the given scope to the specified language DefaultType MIME type text plain svdh C MIME content type that will be sent if the server cannot determine a type in any other way DeflateBufferSize value 8096 sv E Fragment size to be compressed at one time by zlib DeflateCompressionLevel value sv E How much compression do we apply to the output DeflateFilterNote type notename sv E Places the compression ratio in a note for logging DeflateMemLevel value 9 sv E How much memory should be used by zlib for compression DeflateWindowSize value 15 sv E Zlib compression window size Deny from all host env env variable host env env variable dh B Controls which hosts are denied access to the server Directory directory path Directory sv C Enclose a group of directives that apply only to the named file system directory and sub directories DirectoryIndex local url local url index html svdh B List of resources to look for when the client requests a directory DirectoryMatch regex DirectoryMatch sv C Enclose directives that apply to file system directories matching a regular expression and 
their subdirectories DirectorySlash On Off On svdh B Toggle trailing slash redirects on or off DocumentRoot directory path usr local apache h sv C Directory that forms the main document tree visible from the web DumpIOInput On Off Off s E Dump all input data to the error log DumpIOOutput On Off Off s E Dump all output data to the error log EnableExceptionHook On Off Off s M Enables a hook that runs exception handlers after a crash EnableMMAP On Off On svdh C Use memory mapping to read files during delivery EnableSendfile On Off On svdh C Use the kernel sendfile support to deliver files to the client ErrorDocument error code document svdh C What the server will return to the client in case of an error ErrorLog file path syslog facility logs error log Uni sv C Location where the server will log errors Example svdh X Demonstration directive to illustrate the Apache module API ExpiresActive On Off svdh E Enables generation of Expires headers ExpiresByType MIME type code seconds svdh E Value of the Expires header configured by MIME type ExpiresDefault code seconds svdh E Default algorithm for calculating expiration time ExtendedStatus On Off Off s B Keep track of extended status information for each request ExtFilterDefine filtername parameters s E Define an external filter ExtFilterOptions option option DebugLevel 0 NoLogS d E Configure mod ext filter options FileETag component INode MTime Size svdh C File attributes used to create the ETag HTTP response header Files filename Files svdh C Contains directives that apply to matched filenames FilesMatch regex FilesMatch svdh C Contains directives that apply to regular expression matched filenames FilterChain filter name svdh B Configure the filter chain FilterDeclare filter name type svdh B Declare a smart filter FilterProtocol filter name provider name proto flags svdh B Deal with correct HTTP protocol handling FilterProvider filter name provider name req resp env dispatch match svdh B Register a content filter 
FilterTrace filter name level svd B Get debug diagnostic information from mod filter ForceLanguagePriority None Prefer Fallback Prefer Fallback Prefer svdh B Action to take if a single acceptable document is not found ForceType MIME type None dh C Forces all matching files to be served with the specified MIME content type ForensicLog filename pipe sv E Sets filename of the forensic log GracefulShutDownTimeout seconds s M Specify a timeout after which a gracefully shutdown server will exit Group unix group 1 s M Group under which the server will answer requests Header condition set append add unset echo header value early env variable svdh E Configure HTTP response headers HeaderName filename svdh B Name of the file that will be inserted at the top of the index listing HostnameLookups On Off Double Off svd C Enables DNS lookups on client IP addresses IdentityCheck On Off Off svd E Enables logging of the RFC 1413 identity of the remote user IdentityCheckTimeout seconds 30 svd E Determines the timeout duration for ident requests IfDefine parameter name IfDefine svdh C Encloses directives that will be processed only if a test is true at startup IfModule module file module identifier IfModule svdh C Encloses directives that are processed conditional on the presence or absence of a specific module IfVersion operator version IfVersion svdh E contains version dependent configuration ImapBase map referer URL http servername svdh B Default base for imagemap files ImapDefault error nocontent map referer URL nocontent svdh B Default action when an imagemap is called with coordinates that are not explicitly mapped ImapMenu none formatted semiformatted unformatted svdh B Action if no coordinates are given when calling an imagemap Include file path directory path svd C Includes other configuration files from within the server configuration files IndexIgnore file file svdh B Adds to the list of files to hide when listing a directory IndexOptions option option svdh B Various 
configuration settings for directory indexing IndexOrderDefault Ascending Descending Name Date Size Description Ascending Name svdh B Sets the default ordering of the directory index IndexStyleSheet url path svdh B Adds a CSS stylesheet to the directory index ISAPIAppendLogToErrors on off off svdh B Record HSE APPEND LOG PARAMETER requests from ISAPI extensions to the error log ISAPIAppendLogToQuery on off on svdh B Record HSE APPEND LOG PARAMETER requests from ISAPI extensions to the query field ISAPICacheFile file path file path sv B ISAPI dll files to be loaded at startup ISAPIFakeAsync on off off svdh B Fake asynchronous support for ISAPI callbacks ISAPILogNotSupported on off off svdh B Log unsupported feature requests from ISAPI extensions ISAPIReadAheadBuffer size 49152 svdh B Size of the Read Ahead Buffer sent to ISAPI extensions KeepAlive On Off On sv C Enables HTTP persistent connections KeepAliveTimeout seconds 5 sv C Amount of time the server will wait for subsequent requests on a persistent connection LanguagePriority MIME lang MIME lang svdh B The precendence of language variants for cases where the client does not express a preference LDAPCacheEntries number 1024 s E Maximum number of entries in the primary LDAP cache LDAPCacheTTL seconds 600 s E Time that cached items remain valid LDAPConnectionTimeout seconds s E Specifies the socket connection timeout in seconds LDAPOpCacheEntries number 1024 s E Number of entries used to cache LDAP compare operations LDAPOpCacheTTL seconds 600 s E Time that entries in the operation cache remain valid LDAPSharedCacheFile directory path filename s E Sets the shared memory cache file LDAPSharedCacheSize bytes 102400 s E Size in bytes of the shared memory cache LDAPTrustedClientCert type directory path filename nickname password svdh E Sets the file containing or nickname referring to a per connection client certificate Not all LDAP toolkits support per connection client certificates LDAPTrustedGlobalCert type 
directory path filename password s E Sets the file or database containing global trusted Certificate Authority or global client certificates LDAPTrustedMode type sv E Specifies the SSL TLS mode to be used when connecting to an LDAP server LDAPVerifyServerCert On Off On s E Force server certificate verification Limit method method Limit svdh C Restrict enclosed access controls to only certain HTTP methods LimitExcept method method LimitExcept svdh C Restrict access controls to all HTTP methods except the named ones LimitInternalRecursion number number 10 sv C Determine maximum number of internal redirects and nested subrequests LimitRequestBody bytes 0 svdh C Restricts the total size of the HTTP request body sent from the client LimitRequestFields number 100 s C Limits the number of HTTP request header fields that will be accepted from the client LimitRequestFieldsize bytes s C Limits the size of the HTTP request header allowed from the client LimitRequestLine bytes 8190 s C Limit the size of the HTTP request line that will be accepted from the client LimitXMLRequestBody bytes 1000000 svdh C Limits the size of an XML based request body Listen IP address portnumber protocol s M IP addresses and ports that the server listens to ListenBacklog backlog s M Maximum length of the queue of pending connections LoadFile filename filename s E Link in the named object file or library LoadModule module filename s E Links in the object file or library and adds to the list of active modules Location URL path URL Location sv C Applies the enclosed directives only to matching URLs LocationMatch regex LocationMatch sv C Applies the enclosed directives only to regular expression matching URLs LockFile filename logs accept lock s M Location of the accept serialization lock file LogFormat format nickname nickname h l u t r sv B Describes a format for use in a log file LogLevel level warn sv C Controls the verbosity of the ErrorLog MaxClients number s M Maximum number of child processes 
that will be created to serve requests MaxKeepAliveRequests number 100 sv C Number of requests allowed on a persistent connection MaxMemFree KBytes 0 s M Maximum amount of memory that the main allocator is allowed to hold without calling free MaxRequestsPerChild number 10000 s M Limit on the number of requests that an individual child server will handle during its life MaxRequestsPerThread number 0 s M Limit on the number of requests that an individual thread will handle during its life MaxSpareServers number 10 s M Maximum number of idle child server processes MaxSpareThreads number s M Maximum number of idle threads MaxThreads number 2048 s M Set the maximum number of worker threads MCacheMaxObjectCount value 1009 s E The maximum number of objects allowed to be placed in the cache MCacheMaxObjectSize bytes 10000 s E The maximum size in bytes of a document allowed in the cache MCacheMaxStreamingBuffer size in bytes the smaller of 1000 s E Maximum amount of a streamed response to buffer in memory before declaring the response uncacheable MCacheMinObjectSize bytes 0 s E The minimum size in bytes of a document to be allowed in the cache MCacheRemovalAlgorithm LRU GDSF GDSF s E The algorithm used to select documents for removal from the cache MCacheSize KBytes 100 s E The maximum amount of memory used by the cache in KBytes MetaDir directory web svdh E Name of the directory to find CERN style meta information files MetaFiles on off off svdh E Activates CERN meta file processing MetaSuffix suffix meta svdh E File name suffix for the file containg CERN style meta information MimeMagicFile file path sv E Enable MIME type determination based on file contents using the specified magic file MinSpareServers number 5 s M Minimum number of idle child server processes MinSpareThreads number s M Minimum number of idle threads available to handle request spikes MMapFile file path file path s X Map a list of files into memory at startup time ModMimeUsePathInfo On Off Off d B Tells 
mod mime to treat path info components as part of the filename MultiviewsMatch Any NegotiatedOnly Filters Handlers Handlers Filters NegotiatedOnly svdh B The types of files that will be included when searching for a matching file with MultiViews NameVirtualHost addr port s C Designates an IP address for name virtual hosting NoProxy host host sv E Hosts domains or networks that will be connected to directly NWSSLTrustedCerts filename filename s B List of additional client certificates NWSSLUpgradeable IP address portnumber s B Allows a connection to be upgraded to an SSL connection upon request Options option option All svdh C Configures what features are available in a particular directory Order ordering Deny Allow dh B Controls the default access state and the order in which Allow and Deny are evaluated PassEnv env variable env variable svdh B Passes environment variables from the shell PidFile filename logs httpd pid s M File where the server records the process ID of the daemon ProtocolEcho On Off sv X Turn the echo server on or off Proxy wildcard url Proxy sv E Container for directives applied to proxied resources ProxyBadHeader IsError Ignore StartBody IsError sv E Determines how to handle bad header lines in a response ProxyBlock word host domain word host domain sv E Words hosts or domains that are banned from being proxied ProxyDomain Domain sv E Default domain name for proxied requests ProxyErrorOverride On Off Off sv E Override error pages for proxied content ProxyIOBufferSize bytes 8192 sv E Determine size of internal data throughput buffer ProxyMatch regex ProxyMatch sv E Container for directives applied to regular expression matched proxied resources ProxyMaxForwards number 10 sv E Maximium number of proxies that a request can be forwarded through ProxyPass path url key value key value svd E Maps remote servers into the local server URL space ProxyPassReverse path url svd E Adjusts the URL in HTTP response headers sent from a reverse proxied server 
ProxyPassReverseCookieDomain internal domain public domain svd E Adjusts the Domain string in Set Cookie headers from a reverse proxied server ProxyPassReverseCookiePath internal path public path svd E Adjusts the Path string in Set Cookie headers from a reverse proxied server ProxyPreserveHost On Off Off sv E Use incoming Host HTTP request header for proxy request ProxyReceiveBufferSize bytes 0 sv E Network buffer size for proxied HTTP and FTP connections ProxyRemote match remote server sv E Remote proxy used to handle certain requests ProxyRemoteMatch regex remote server sv E Remote proxy used to handle requests matched by regular expressions ProxyRequests On Off Off sv E Enables forward standard proxy requests ProxyTimeout seconds 300 sv E Network timeout for proxied requests ProxyVia On Off Full Block Off sv E Information provided in the Via HTTP response header for proxied requests ReadmeName filename svdh B Name of the file that will be inserted at the end of the index listing ReceiveBufferSize bytes 0 s M TCP receive buffer size Redirect status URL path URL svdh B Sends an external redirect asking the client to fetch a different URL RedirectMatch status regex URL svdh B Sends an external redirect based on a regular expression match of the current URL RedirectPermanent URL path URL svdh B Sends an external permanent redirect asking the client to fetch a different URL RedirectTemp URL path URL svdh B Sends an external temporary redirect asking the client to fetch a different URL RemoveCharset extension extension vdh B Removes any character set associations for a set of file extensions RemoveEncoding extension extension vdh B Removes any content encoding associations for a set of file extensions RemoveHandler extension extension vdh B Removes any handler associations for a set of file extensions RemoveInputFilter extension extension vdh B Removes any input filter associations for a set of file extensions RemoveLanguage extension extension vdh B Removes any 
language associations for a set of file extensions RemoveOutputFilter extension extension vdh B Removes any output filter associations for a set of file extensions RemoveType extension extension vdh B Removes any content type associations for a set of file extensions RequestHeader set append add unset header value early env variable svdh E Configure HTTP request headers Require entity name entity name dh C Selects which authenticated users can access a resource RewriteBase URL path dh E Sets the base URL for per directory rewrites RewriteCond TestString CondPattern svdh E Defines a

    Original URL path: http://bc.capitalsafety.com/manual/mod/quickreference.html (2016-02-16)


  • Multi-Processing Modules (MPMs) - Apache HTTP Server
    always accommodated a wide variety of environments through its modular design. This design allows the webmaster to choose which features will be included in the server by selecting which modules to load either at compile-time or at run-time. Apache 2.0 extends this modular design to the most basic functions of a web server. The server ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. Extending the modular design to this level of the server allows two important benefits:

    - Apache can more cleanly and efficiently support a wide variety of operating systems. In particular, the Windows version of Apache is now much more efficient, since mpm_winnt can use native networking features in place of the POSIX layer used in Apache 1.3. This benefit also extends to other operating systems that implement specialized MPMs.
    - The server can be better customized for the needs of the particular site. For example, sites that need a great deal of scalability can choose to use a threaded MPM like worker or event, while sites requiring stability or compatibility with older software can use a prefork.

    At the user level, MPMs appear much like other Apache modules. The main difference is that one and only one MPM must be loaded into the server at any time. The list of available MPMs appears on the module index page.

    Choosing an MPM

    MPMs must be chosen during configuration, and compiled into the server. Compilers are capable of optimizing a lot of functions if threads are used, but only if they know that threads are being used. To actually choose the desired MPM, use the argument --with-mpm=NAME with the configure script. NAME is

    Original URL path: http://bc.capitalsafety.com/manual/mpm.html (2016-02-16)

  • Server and Supporting Programs - Apache HTTP Server
    ab: Apache HTTP server benchmarking tool
    apxs: APache eXtenSion tool
    configure: Configure the source tree
    dbmmanage: Create and update user authentication files in DBM format for basic authentication
    htcacheclean: Clean up the disk cache
    htdigest: Create and update user authentication files for digest authentication
    htdbm: Manipulate DBM password databases
    htpasswd: Create and update user authentication files for basic authentication
    httxt2dbm: Create dbm files for use with RewriteMap
    logresolve: Resolve hostnames

    Original URL path: http://bc.capitalsafety.com/manual/programs/ (2016-02-16)

  • Caching Guide - Apache HTTP Server
    response includes the "private" option in a Cache-Control header, it will not be stored unless the CacheStorePrivate has been used to require otherwise. Likewise, if the response includes the "no-store" option in a Cache-Control header, it will not be stored unless the CacheStoreNoStore has been used. A response will not be stored if it includes a Vary header containing the match-all "*".

    What Should Not be Cached?

    In short, any content which is highly time-sensitive, or which varies depending on the particulars of the request that are not covered by HTTP negotiation, should not be cached. If you have dynamic content which changes depending on the IP address of the requester, or changes every 5 minutes, it should almost certainly not be cached. If, on the other hand, the content served differs depending on the values of various HTTP headers, it is possible that it might be possible to cache it intelligently through the use of a Vary header.

    Variable/Negotiated Content

    If a response with a Vary header is received by mod_cache when requesting content by the backend, it will attempt to handle it intelligently. If possible, mod_cache will detect the headers attributed in the Vary response in future requests and serve the correct cached response. If, for example, a response is received with a Vary header such as "Vary: negotiate,accept-language,accept-charset", mod_cache will only serve the cached content to requesters with matching accept-language and accept-charset headers matching those of the original request.

    Security Considerations

    Authorisation, Access and Control

    Using mod_cache is very much like having a built-in reverse proxy. Requests will be served by the caching module unless it determines that the backend should be queried. When caching local resources, this drastically changes the security model of Apache. As traversing a filesystem hierarchy to examine potential .htaccess files would be a very expensive operation, partially defeating the point of caching (to speed up requests), mod_cache makes no decision about whether a cached entity is authorised for serving. In other words, if mod_cache has cached some content, it will be served from the cache as long as that content has not expired. If, for example, your configuration permits access to a resource by IP address, you should ensure that this content is not cached. You can do this by using the CacheDisable directive, or mod_expires. Left unchecked, mod_cache, very much like a reverse proxy, would cache the content when served and then serve it to any client, on any IP address.

    Local exploits

    As requests to end-users can be served from the cache, the cache itself can become a target for those wishing to deface or interfere with content. It is important to bear in mind that the cache must at all times be writable by the user which Apache is running as. This is in stark contrast to the usually recommended situation of maintaining all content unwritable by the Apache user. If the Apache user is compromised, for example through a flaw in a CGI process, it is possible that the cache may be targeted. When using mod_disk_cache, it is relatively easy to insert or modify a cached entity. This presents a somewhat elevated risk in comparison to the other types of attack it is possible to make as the Apache user. If you are using mod_disk_cache you should bear this in mind: ensure you upgrade Apache when security upgrades are announced, and run CGI processes as a non-Apache user using suEXEC if possible.

    Cache Poisoning

    When running Apache as a caching proxy server, there is also the potential for so-called cache poisoning. Cache Poisoning is a broad term for attacks in which an attacker causes the proxy server to retrieve incorrect (and usually undesirable) content from the backend. For example, if the DNS servers used by your system running Apache are vulnerable to DNS cache poisoning, an attacker may be able to control where Apache connects to when requesting content from the origin server. Another example is so-called HTTP request-smuggling attacks. This document is not the correct place for an in-depth discussion of HTTP request smuggling (instead, try your favourite search engine); however, it is important to be aware that it is possible to make a series of requests, and to exploit a vulnerability on an origin webserver, such that the attacker can entirely control the content retrieved by the proxy.

    File-Handle Caching

    Related Modules: mod_file_cache, mod_mem_cache
    Related Directives: CacheFile, CacheEnable, CacheDisable

    The act of opening a file can itself be a source of delay, particularly on network filesystems. By maintaining a cache of open file descriptors for commonly served files, Apache can avoid this delay. Currently Apache provides two different implementations of File-Handle Caching.

    CacheFile

    The most basic form of caching present in Apache is the file-handle caching provided by mod_file_cache. Rather than caching file contents, this cache maintains a table of open file descriptors. Files to be cached in this manner are specified in the configuration file using the CacheFile directive. The CacheFile directive instructs Apache to open the file when Apache is started and to re-use this file handle for all subsequent access to this file.

        CacheFile /usr/local/apache2/htdocs/index.html

    If you intend to cache a large number of files in this manner, you must ensure that your operating system's limit for the number of open files is set appropriately. Although using CacheFile does not cause the file contents to be cached per se, it does mean that if the file changes while Apache is running, these changes will not be picked up. The file will be consistently served as it was when Apache was started. If the file is removed while Apache is running, Apache will continue to maintain an open file descriptor and serve the file as it was when

    Original URL path: http://bc.capitalsafety.com/manual/caching.html (2016-02-16)

  • Dynamic Shared Object (DSO) Support - Apache HTTP Server
    usually called shared libraries or DSO libraries and named libfoo.so or libfoo.so.1.2. They reside in a system directory (usually /usr/lib) and the link to the executable program is established at build-time by specifying -lfoo to the linker command. This hard-codes library references into the executable program file so that at start-time the Unix loader is able to locate libfoo.so in /usr/lib, in paths hard-coded via linker options like -R, or in paths configured via the environment variable LD_LIBRARY_PATH. It then resolves any (yet unresolved) symbols in the executable program which are available in the DSO.

    Symbols in the executable program are usually not referenced by the DSO (because it's a reusable library of general code) and hence no further resolving has to be done. The executable program has no need to do anything on its own to use the symbols from the DSO because the complete resolving is done by the Unix loader. (In fact, the code to invoke ld.so is part of the run-time startup code which is linked into every executable program which has been bound non-static.) The advantage of dynamic loading of common library code is obvious: the library code needs to be stored only once, in a system library like libc.so, saving disk space for every program.

    In the second way the DSOs are usually called shared objects or DSO files and can be named with an arbitrary extension (although the canonical name is foo.so). These files usually stay inside a program-specific directory and there is no automatically established link to the executable program where they are used. Instead the executable program manually loads the DSO at run-time into its address space via dlopen(). At this time no resolving of symbols from the DSO for the executable program is done. But instead the Unix loader automatically resolves any (yet unresolved) symbols in the DSO from the set of symbols exported by the executable program and its already loaded DSO libraries (especially all symbols from the ubiquitous libc.so). This way the DSO gets knowledge of the executable program's symbol set as if it had been statically linked with it in the first place.

    Finally, to take advantage of the DSO's API the executable program has to resolve particular symbols from the DSO via dlsym() for later use inside dispatch tables etc. In other words: the executable program has to manually resolve every symbol it needs to be able to use it. The advantage of such a mechanism is that optional program parts need not be loaded (and thus do not spend memory) until they are needed by the program in question. When required, these program parts can be loaded dynamically to extend the base program's functionality.

    Although this DSO mechanism sounds straightforward there is at least one difficult step here: The resolving of symbols from the executable program for the DSO

    Original URL path: http://bc.capitalsafety.com/manual/dso.html (2016-02-16)

  • Environment Variables in Apache - Apache HTTP Server
    of access to the server based on characteristics of the client. For example, you can use these directives to deny access to a particular browser (User-Agent).

    Conditional Logging

    Environment variables can be logged in the access log using the LogFormat option %e. In addition, the decision on whether or not to log requests can be made based on the status of environment variables using the conditional form of the CustomLog directive. In combination with SetEnvIf this allows for flexible control of which requests are logged. For example, you can choose not to log requests for filenames ending in gif, or you can choose to only log requests from clients which are outside your subnet.

    Conditional Response Headers

    The Header directive can use the presence or absence of an environment variable to determine whether or not a certain HTTP header will be placed in the response to the client. This allows, for example, a certain response header to be sent only if a corresponding header is received in the request from the client.

    External Filter Activation

    External filters configured by mod_ext_filter using the ExtFilterDefine directive can be activated conditional on an environment variable using the disableenv= and enableenv= options.

    URL Rewriting

    The %{ENV:variable} form of TestString in the RewriteCond allows mod_rewrite's rewrite engine to make decisions conditional on environment variables. Note that the variables accessible in mod_rewrite without the ENV: prefix are not actually environment variables. Rather, they are variables special to mod_rewrite which cannot be accessed from other modules.

    Special Purpose Environment Variables

    Interoperability problems have led to the introduction of mechanisms to modify the way Apache behaves when talking to particular clients. To make these mechanisms as flexible as possible, they are invoked by defining environment variables, typically with BrowserMatch, though SetEnv and PassEnv could also be used, for example.

    downgrade-1.0
    This forces the request to be treated as an HTTP/1.0 request even if it was in a later dialect.

    force-gzip
    If you have the DEFLATE filter activated, this environment variable will ignore the accept-encoding setting of your browser and will send compressed output unconditionally.

    force-no-vary
    This causes any Vary fields to be removed from the response header before it is sent back to the client. Some clients don't interpret this field correctly; setting this variable can work around this problem. Setting this variable also implies force-response-1.0.

    force-response-1.0
    This forces an HTTP/1.0 response to clients making an HTTP/1.0 request. It was originally implemented as a result of a problem with AOL's proxies. Some HTTP/1.0 clients may not behave correctly when given an HTTP/1.1 response, and this can be used to interoperate with them.

    gzip-only-text/html
    When set to a value of "1", this variable disables the DEFLATE output filter provided by mod_deflate for content-types other than text/html. If you'd rather use statically

    Original URL path: http://bc.capitalsafety.com/manual/env.html (2016-02-16)

  • Apache Performance Tuning - Apache HTTP Server
    increases On multiprocessor Solaris servers for example Apache 2 0 sometimes delivers server parsed files faster when mmap is disabled If you memory map a file located on an NFS mounted filesystem and a process on another NFS client machine deletes or truncates the file your process may get a bus error the next time it tries to access the mapped file content For installations where either of these factors applies you should use EnableMMAP off to disable the memory mapping of delivered files Note This directive can be overridden on a per directory basis Sendfile In situations where Apache 2 0 can ignore the contents of the file to be delivered for example when serving static file content it normally uses the kernel sendfile support for the file if the OS supports the sendfile 2 operation On most platforms using sendfile improves performance by eliminating separate read and send mechanics However there are cases where using sendfile can harm the stability of the httpd Some platforms may have broken sendfile support that the build system did not detect especially if the binaries were built on another box and moved to such a machine with broken sendfile support With NFS mounted files the kernel may be unable to reliably serve the network file through its own cache For installations where either of these factors applies you should use EnableSendfile off to disable sendfile delivery of file contents Note This directive can be overridden on a per directory basis Process Creation Prior to Apache 1 3 the MinSpareServers MaxSpareServers and StartServers settings all had drastic effects on benchmark results In particular Apache required a ramp up period in order to reach a number of children sufficient to serve the load being applied After the initial spawning of StartServers children only one child per second would be created to satisfy the MinSpareServers setting So a server being accessed by 100 simultaneous clients using the default StartServers of 5 would take on the 
order 95 seconds to spawn enough children to handle the load This works fine in practice on real life servers because they aren t restarted frequently But does really poorly on benchmarks which might only run for ten minutes The one per second rule was implemented in an effort to avoid swamping the machine with the startup of new children If the machine is busy spawning children it can t service requests But it has such a drastic effect on the perceived performance of Apache that it had to be replaced As of Apache 1 3 the code will relax the one per second rule It will spawn one wait a second then spawn two wait a second then spawn four and it will continue exponentially until it is spawning 32 children per second It will stop whenever it satisfies the MinSpareServers setting This appears to be responsive enough that it s almost unnecessary to twiddle the MinSpareServers MaxSpareServers and StartServers knobs When more than 4 children are spawned per second a message will be emitted to the ErrorLog If you see a lot of these errors then consider tuning these settings Use the mod status output as a guide Related to process creation is process death induced by the MaxRequestsPerChild setting By default this is 0 which means that there is no limit to the number of requests handled per child If your configuration currently has this set to some very low number such as 30 you may want to bump this up significantly If you are running SunOS or an old version of Solaris limit this to 10000 or so because of memory leaks When keep alives are in use children will be kept busy doing nothing waiting for more requests on the already open connection The default KeepAliveTimeout of 5 seconds attempts to minimize this effect The tradeoff here is between network bandwidth and server resources In no event should you raise this above about 60 seconds as most of the benefits are lost Compile Time Configuration Issues Choosing an MPM Apache 2 x supports pluggable concurrency models called 
Multi Processing Modules MPMs When building Apache you must choose an MPM to use There are platform specific MPMs for some platforms beos mpm netware mpmt os2 and mpm winnt For general Unix type systems there are several MPMs from which to choose The choice of MPM can affect the speed and scalability of the httpd The worker MPM uses multiple child processes with many threads each Each thread handles one connection at a time Worker generally is a good choice for high traffic servers because it has a smaller memory footprint than the prefork MPM The prefork MPM uses multiple child processes with one thread each Each process handles one connection at a time On many systems prefork is comparable in speed to worker but it uses more memory Prefork s threadless design has advantages over worker in some situations it can be used with non thread safe third party modules and it is easier to debug on platforms with poor thread debugging support For more information on these and other MPMs please see the MPM documentation Modules Since memory usage is such an important consideration in performance you should attempt to eliminate modules that you are not actually using If you have built the modules as DSOs eliminating modules is a simple matter of commenting out the associated LoadModule directive for that module This allows you to experiment with removing modules and seeing if your site still functions in their absence If on the other hand you have modules statically linked into your Apache binary you will need to recompile Apache in order to remove unwanted modules An associated question that arises here is of course what modules you need and which ones you don t The answer here will of course vary from one web site to another However the minimal list of modules which you can get by with tends to include mod mime mod dir and mod log config mod log config is of course optional as you can run a web site without log files This is however not recommended Atomic Operations Some 
modules such as mod cache and recent development builds of the worker MPM use APR s atomic API This API provides atomic operations that can be used for lightweight thread synchronization By default APR implements these operations using the most efficient mechanism available on each target OS CPU platform Many modern CPUs for example have an instruction that does an atomic compare and swap CAS operation in hardware On some platforms however APR defaults to a slower mutex based implementation of the atomic API in order to ensure compatibility with older CPU models that lack such instructions If you are building Apache for one of these platforms and you plan to run only on newer CPUs you can select a faster atomic implementation at build time by configuring Apache with the enable nonportable atomics option buildconf configure with mpm worker enable nonportable atomics yes The enable nonportable atomics option is relevant for the following platforms Solaris on SPARC By default APR uses mutex based atomics on Solaris SPARC If you configure with enable nonportable atomics however APR generates code that uses a SPARC v8plus opcode for fast hardware compare and swap If you configure Apache with this option the atomic operations will be more efficient allowing for lower CPU utilization and higher concurrency but the resulting executable will run only on UltraSPARC chips Linux on x86 By default APR uses mutex based atomics on Linux If you configure with enable nonportable atomics however APR generates code that uses a 486 opcode for fast hardware compare and swap This will result in more efficient atomic operations but the resulting executable will run only on 486 and later chips and not on 386 mod status and ExtendedStatus On If you include mod status and you also set ExtendedStatus On when building and running Apache then on every request Apache will perform two calls to gettimeofday 2 or times 2 depending on your operating system and pre 1 3 several extra calls to time 2 
This is all done so that the status report contains timing indications For highest performance set ExtendedStatus off which is the default accept Serialization multiple sockets Warning This section has not been fully updated to take into account changes made in the 2 0 version of the Apache HTTP Server Some of the information may still be relevant but please use it with care This discusses a shortcoming in the Unix socket API Suppose your web server uses multiple Listen statements to listen on either multiple ports or multiple addresses In order to test each socket to see if a connection is ready Apache uses select 2 select 2 indicates that a socket has zero or at least one connection waiting on it Apache s model includes multiple children and all the idle ones test for new connections at the same time A naive implementation looks something like this these examples do not match the code they re contrived for pedagogical purposes for for fd set accept fds FD ZERO accept fds for i first socket i last socket i FD SET i accept fds rc select last socket 1 accept fds NULL NULL NULL if rc 1 continue new connection 1 for i first socket i last socket i if FD ISSET i accept fds new connection accept i NULL NULL if new connection 1 break if new connection 1 break process the new connection But this naive implementation has a serious starvation problem Recall that multiple children execute this loop at the same time and so multiple children will block at select when they are in between requests All those blocked children will awaken and return from select when a single request appears on any socket the number of children which awaken varies depending on the operating system and timing issues They will all then fall down into the loop and try to accept the connection But only one will succeed assuming there s still only one connection ready the rest will be blocked in accept This effectively locks those children into serving requests from that one socket and no other sockets 
and they ll be stuck there until enough new requests appear on that socket to wake them all up This starvation problem was first documented in PR 467 There are at least two solutions One solution is to make the sockets non blocking In this case the accept won t block the children and they will be allowed to continue immediately But this wastes CPU time Suppose you have ten idle children in select and one connection arrives Then nine of those children will wake up try to accept the connection fail and loop back into select accomplishing nothing Meanwhile none of those children are servicing requests that occurred on other sockets until they get back up to the select again Overall this solution does not seem very fruitful unless you have as many idle CPUs in a multiprocessor box as you have idle children not a very likely situation Another solution the one used by Apache is to serialize entry into the inner loop The loop looks like this differences highlighted for accept mutex on for fd set accept fds FD ZERO accept fds for i first socket i last socket i FD SET i accept fds rc select last socket 1 accept fds NULL NULL NULL if rc 1 continue new connection 1 for i first socket i last socket i if FD ISSET i accept fds new connection accept i NULL NULL if new connection 1 break if new connection 1 break accept mutex off process the new connection The functions accept mutex on and accept mutex off implement a mutual exclusion semaphore Only one child can have the mutex at any time There are several choices for implementing these mutexes The choice is defined in src conf h pre 1 3 or src include ap config h 1 3 or later Some architectures do not have any locking choice made on these architectures it is unsafe to use multiple Listen directives The directive AcceptMutex can be used to change the selected mutex implementation at run time AcceptMutex flock This method uses the flock 2 system call to lock a lock file located by the LockFile directive AcceptMutex fcntl This 
method uses the fcntl 2 system call to lock a lock file located by the LockFile directive AcceptMutex sysvsem 1 3 or later This method uses SysV style semaphores to implement the mutex Unfortunately SysV style semaphores have some bad side effects One is that it s possible Apache will die without cleaning up the semaphore see the ipcs 8 man page The other is that the semaphore API allows for a denial of service attack by any CGIs running under the same uid as the webserver i e all CGIs unless you use something like suexec or cgiwrapper For these reasons this method is not used on any architecture except IRIX where the previous two are prohibitively expensive on most IRIX boxes AcceptMutex pthread 1 3 or later This method uses POSIX mutexes and should work on any architecture implementing the full POSIX threads specification however appears to only work on Solaris 2 5 or later and even then only in certain configurations If you experiment with this you should watch out for your server hanging and not responding Static content only servers may work just fine AcceptMutex posixsem 2 0 or later This method uses POSIX semaphores The semaphore ownership is not recovered if a thread in the process holding the mutex segfaults resulting in a hang of the web server If your system has another method of serialization which isn t in the above list then it may be worthwhile adding code for it to APR Another solution that has been considered but never implemented is to partially serialize the loop that is let in a certain number of processes This would only be of interest on multiprocessor boxes where it s possible multiple children could run simultaneously and the serialization actually doesn t take advantage of the full bandwidth This is a possible area of future investigation but priority remains low because highly parallel web servers are not the norm Ideally you should run servers without multiple Listen statements if you want the highest performance But read on accept 
Serialization single socket The above is fine and dandy for multiple socket servers but what about single socket servers In theory they shouldn t experience any of these same problems because all children can just block in accept 2 until a connection arrives and no starvation results In practice this hides almost the same spinning behaviour discussed above in the non blocking solution The way that most TCP stacks are implemented the kernel actually wakes up all processes blocked in accept when a single connection arrives One of those processes gets the connection and returns to user space the rest spin in the kernel and go back to sleep when they discover there s no connection for them This spinning is hidden from the user land code but it s there nonetheless This can result in the same load spiking wasteful behaviour that a non blocking solution to the multiple sockets case can For this reason we have found that many architectures behave more nicely if we serialize even the single socket case So this is actually the default in almost all cases Crude experiments under Linux 2 0 30 on a dual Pentium pro 166 w 128Mb RAM have shown that the serialization of the single socket case causes less than a 3 decrease in requests per second over unserialized single socket But unserialized single socket showed an extra 100ms latency on each request This latency is probably a wash on long haul lines and only an issue on LANs If you want to override the single socket serialization you can define SINGLE LISTEN UNSERIALIZED ACCEPT and then single socket servers will not serialize at all Lingering Close As discussed in draft ietf http connection 00 txt section 8 in order for an HTTP server to reliably implement the protocol it needs to shutdown each direction of the communication independently recall that a TCP connection is bi directional each half is independent of the other This fact is often overlooked by other servers but is correctly implemented in Apache as of 1 2 When this 
feature was added to Apache it caused a flurry of problems on various versions of Unix because of a shortsightedness The TCP specification does not state that the FIN WAIT 2 state has a timeout but it doesn t prohibit it On systems without the timeout Apache 1 2 induces many sockets stuck forever in the FIN WAIT 2 state In many cases this can be avoided by simply upgrading to the latest TCP IP patches supplied by the vendor In cases where the vendor has never released patches i e SunOS4 although folks with a source license can patch it themselves we have decided to disable this feature There are two ways of accomplishing this One is the socket option SO LINGER But as fate would have it this has never been implemented properly in most TCP IP stacks Even on those stacks with a proper implementation i e Linux 2 0 31 this method proves to be more expensive cputime than the next solution For the most part Apache implements this in a function called lingering close in http main c The function looks roughly like this void lingering close int s char junk buffer 2048 shutdown the sending side shutdown s 1 signal SIGALRM lingering death alarm 30 for select s for reading 2 second timeout if error break if s is ready for reading if read s

    Original URL path: http://bc.capitalsafety.com/manual/misc/perf-tuning.html (2016-02-16)

  • Server-Wide Configuration - Apache HTTP Server
    will be presented in server generated documents such as error messages The ServerTokens directive sets the value of the Server HTTP response header field The ServerName UseCanonicalName and UseCanonicalPhysicalPort directives are used by the server to determine how to construct self referential URLs For example when a client requests a directory but does not include the trailing slash in the directory name Apache must redirect the client to the full name including the trailing slash so that the client will correctly resolve relative references in the document File Locations Related Modules Related Directives CoreDumpDirectory DocumentRoot ErrorLog LockFile PidFile ScoreBoardFile ServerRoot These directives control the locations of the various files that Apache needs for proper operation When the pathname used does not begin with a slash the files are located relative to the ServerRoot Be careful about locating files in paths which are writable by non root users See the security tips documentation for more details Limiting Resource Usage Related Modules Related Directives LimitRequestBody LimitRequestFields LimitRequestFieldsize LimitRequestLine RLimitCPU RLimitMEM RLimitNPROC ThreadStackSize The LimitRequest directives are used to place limits on the amount of resources Apache will use in reading requests from clients By limiting these values some kinds of denial of

    Original URL path: http://bc.capitalsafety.com/manual/server-wide.html (2016-02-16)


