core - Apache HTTP Server Version 2.5
Apache Core Features
Available Languages:
Core Apache HTTP Server features that are always
Directives
Bugfix checklistSee also
Configures optimizations for a Protocol's Listener Sockets
AcceptFilter protocol accept_filter
server config
This directive enables operating system specific optimizations for a
listening socket by the Protocol type.
The basic premise is for the kernel to not send a socket to the server
process until either data is received or an entire HTTP Request is buffered.
Only , Linux's more primitive
TCP_DEFER_ACCEPT, and Windows' optimized AcceptEx()
are currently supported.
Using none for an argument will disable any accept filters
for that protocol.
This is useful for protocols that require a server
send data first, such as ftp: or nntp:
AcceptFilter nntp none
The default protocol names are https for port 443
and http for all other ports.
To specify that another
protocol is being used with a listening port, add the protocol
argument to the
directive.
The default values on FreeBSD are:
AcceptFilter http httpready
AcceptFilter https dataready
The httpready accept filter buffers entire HTTP requests at
the kernel level.
Once an entire request is received, the kernel then
sends it to the server. See the
man page for more details.
Since HTTPS requests are
encrypted, only the
filter is used.
The default values on Linux are:
AcceptFilter http data
AcceptFilter https data
Linux's TCP_DEFER_ACCEPT does not support buffering http
Any value besides none will enable
TCP_DEFER_ACCEPT on that listener. For more details
see the Linux
The default values on Windows are:
AcceptFilter http connect
AcceptFilter https connect
Window's mpm_winnt interprets the AcceptFilter to toggle the AcceptEx()
API, and does not support http protocol buffering. connect
will use the AcceptEx() API, also retrieve the network endpoint
addresses, but like none the connect option
does not wait for the initial data transmission.
On Windows, none uses accept() rather than AcceptEx()
and will not recycle sockets between connections.
This is useful for
network adapters with broken driver support, as well as some virtual
network providers such as vpn drivers, or spam, virus or spyware
The data AcceptFilter (Windows)
For versions 2.4.23 and prior, the Windows data accept
filter waited until data had been transmitted and the initial data
buffer and network endpoint addresses had been retrieved from the
single AcceptEx() invocation. This implementation was subject to a
denial of service attack and has been disabled.
Current releases of httpd default to the connect filter
on Windows, and will fall back to connect if
data is specified. Users of prior releases are encouraged
to add an explicit setting of connect for their
AcceptFilter, as shown above.
Resources accept trailing pathname information
AcceptPathInfo On|Off|Default
AcceptPathInfo Default
server config, virtual host, directory, .htaccess
This directive controls whether requests that contain trailing
pathname information that follows an actual filename (or
non-existent file in an existing directory) will be accepted or
The trailing pathname information can be made
available to scripts in the PATH_INFO environment
For example, assume the location /test/ points to
a directory that contains only the single file
here.html.
Then requests for
/test/here.html/more and
/test/nothere.html/more both collect
/more as PATH_INFO.
The three possible arguments for the
AcceptPathInfo directive are:
OffA request will only be accepted if it
maps to a literal path that exists.
Therefore a request with
trailing pathname information after the true filename such as
/test/here.html/more in the above example will return
a 404 NOT FOUND error.
OnA request will be accepted if a
leading path component maps to a file that exists.
example /test/here.html/more will be accepted if
/test/here.html maps to a valid file.
DefaultThe treatment of requests with
trailing pathname information is determined by the
responsible for the request.
The core handler for normal files defaults to rejecting
PATH_INFO requests. Handlers that serve scripts, such as
and , generally accept
PATH_INFO by default.
The primary purpose of the AcceptPathInfo
directive is to allow you to override the handler's choice of
accepting or rejecting PATH_INFO. This override is required,
for example, when you use a , such
as , to generate content
based on PATH_INFO.
The core handler would usually reject
the request, so you can use the following configuration to enable
such a script:
&Files "mypaths.shtml"&
Options +Includes
SetOutputFilter INCLUDES
AcceptPathInfo On
Name of the distributed configuration file
AccessFileName filename [filename] ...
AccessFileName .htaccess
server config, virtual host
While processing a request, the server looks for
the first existing configuration file from this list of names in
every directory of the path to the document, if distributed
configuration files are . For example:
AccessFileName .acl
Before returning the document
/usr/local/web/index.html, the server will read
/.acl, /usr/.acl,
/usr/local/.acl and /usr/local/web/.acl
for directives unless they have been disabled with:
&Directory "/"&
AllowOverride None
&/Directory&
Default charset parameter to be added when a response
content-type is text/plain or text/html
AddDefaultCharset On|Off|charset
AddDefaultCharset Off
server config, virtual host, directory, .htaccess
This directive specifies a default value for the media type
charset parameter (the name of a character encoding) to be added
to a response if and only if the response's content-type is either
text/plain or text/html.
This should override
any charset specified in the body of the response via a META
element, though the exact behavior is often dependent on the user's client
configuration. A setting of AddDefaultCharset Off
disables this functionality. AddDefaultCharset On enables
a default charset of iso-8859-1. Any other value is assumed
to be the charset to be used, which should be one of the
for use in Internet media types (MIME types).
For example:
AddDefaultCharset utf-8
AddDefaultCharset should only be used when all
of the text resources to which it applies are known to be in that
character encoding and it is too inconvenient to label their charset
individually. One such example is to add the charset parameter
to resources containing generated content, such as legacy CGI
scripts, that might be vulnerable to cross-site scripting attacks
due to user-provided data being included in the output.
Note, however,
that a better solution is to just fix (or delete) those scripts, since
setting a default charset does not protect users that have enabled
the "auto-detect character encoding" feature on their browser.
Determines whether encoded path separators in URLs are allowed to
be passed through
AllowEncodedSlashes On|Off|NoDecode
AllowEncodedSlashes Off
server config, virtual host
NoDecode option available in 2.3.12 and later.
The AllowEncodedSlashes directive allows URLs
which contain encoded path separators (%2F for /
and additionally %5C for \ on accordant systems)
to be used in the path info.
With the default value, Off, such URLs are refused
with a 404 (Not found) error.
With the value On, such URLs are accepted, and encoded
slashes are decoded like all other encoded characters.
With the value NoDecode, such URLs are accepted, but
encoded slashes are not decoded but left in their encoded state.
Turning AllowEncodedSlashes On is
mostly useful when used in conjunction with PATH_INFO.
If encoded slashes are needed in path info, use of NoDecode is
strongly recommended as a security measure.
Allowing slashes
to be decoded could potentially allow unsafe paths.
Types of directives that are allowed in
.htaccess files
AllowOverride All|None|directive-type
[directive-type] ...
AllowOverride None (2.3.9 and later), AllowOverride All (2.3.8 and earlier)
When the server finds an .htaccess file (as
specified by ),
it needs to know which directives declared in that file can override
earlier configuration directives.
Only available in &Directory& sections
AllowOverride is valid only in
sections specified without regular expressions, not in ,
When this directive is set to None and
completely ignored. In this case, the server will not even attempt
to read .htaccess files in the filesystem.
When this directive is set to All, then any
directive which has the .htaccess
is allowed in
.htaccess files.
The directive-type can be one of the following
groupings of directives. (See the
for an up-to-date listing of which directives are enabled by each
directive-type.)
Allow use of the authorization directives (,
, , , etc.).
Allow use of the directives controlling document types
Add* and Remove* directives),
document meta data (, , , , , , , , , ),
directives (, , , , ),
directives (, , , ), and
Allow use of the directives controlling directory indexing
, , , , , , , ,
Allow use of the directives controlling host access (,
Nonfatal=[Override|Unknown|All]
Allow use of AllowOverride option to treat invalid (unrecognized
or disallowed) directives in
.htaccess as nonfatal. Instead of causing an Internal Server
Error, disallowed or unrecognised directives will be ignored
and a warning logged:
Nonfatal=Override treats directives
forbidden by AllowOverride as nonfatal.
Nonfatal=Unknown treats unknown directives
as nonfatal.
This covers typos and directives implemented
by a module that's not present.
Nonfatal=All treats both the above as nonfatal.
Note that a syntax error in a valid directive will still cause
an Internal Server Error.
Nonfatal errors may have security implications for .htaccess users.
For example, if AllowOverride disallows AuthConfig, users'
configuration designed to restrict access to a site will be disabled.
[=Option,...]
Allow use of the directives controlling specific directory
features ( and
An equal sign may be given followed by a comma-separated list, without
spaces, of options that may be set using the
Implicit disabling of Options
Even though the list of options that may be used in .htaccess files
can be limited with this directive, as long as any
directive is allowed any
other inherited option can be disabled by using the non-relative
In other words, this mechanism cannot force a specific option
to remain set while allowing any others to be set.
AllowOverride Options=Indexes,MultiViews
AllowOverride AuthConfig Indexes
In the example above, all directives that are neither in the group
AuthConfig nor Indexes cause an internal
server error.
For security and performance reasons, do not set
AllowOverride to anything other than None
in your &Directory "/"& block. Instead, find (or
create) the &Directory& block that refers to the
directory where you're actually planning to place a
.htaccess file.
Individual directives that are allowed in
.htaccess files
AllowOverrideList None|directive
[directive-type] ...
AllowOverrideList None
When the server finds an .htaccess file (as
specified by ),
it needs to know which directives declared in that file can override
earlier configuration directives.
Only available in &Directory& sections
AllowOverrideList is valid only in
sections specified without regular expressions, not in ,
When this directive is set to None and
is set to None,
files are completely
In this case, the server will not even attempt to read
.htaccess files in the filesystem.
AllowOverride None
AllowOverrideList Redirect RedirectMatch
In the example above, only the Redirect and
RedirectMatch directives are allowed. All others will
cause an Internal Server Error.
AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName
In the example above,
grants permission to the AuthConfig
directive grouping and AllowOverrideList grants
permission to only two directives from the FileInfo directive
grouping. All others will cause an Internal Server Error.
Set the minimum filter type eligible for asynchronous handling
AsyncFilter request|connection|network
AsyncFilter request
server config, virtual host
Only available from Apache 2.5.0 and later.
This directive controls the minimum filter levels that are eligible
for asynchronous handling. This may be necessary to support legacy external
filters that did not handle meta buckets correctly.
If set to "network", asynchronous handling will be limited to the network
filter only. If set to "connection", all connection and network filters
will be eligible for asynchronous handling, including .
If set to "request", all filters will be eligible for asynchronous handling.
Technique for locating the interpreter for CGI
CGIMapExtension cgi-path .extension
directory, .htaccess
NetWare only
This directive is used to control how Apache httpd finds the
interpreter used to run CGI scripts. For example, setting
CGIMapExtension sys:\foo.nlm .foo will
cause all CGI script files with a .foo extension to
be passed to the FOO interpreter.
Enables passing HTTP authorization headers to scripts as CGI
CGIPassAuth On|Off
CGIPassAuth Off
directory, .htaccess
AuthConfig
Available in Apache HTTP Server 2.4.13 and later
CGIPassAuth allows scripts access to HTTP
authorization headers such as Authorization, which is
required for scripts that implement HTTP Basic authentication.
Normally these HTTP headers are hidden from scripts. This is to disallow
scripts from seeing user ids and passwords used to access the server when
HTTP Basic authentication is enabled in the web server.
This directive
should be used when scripts are allowed to implement HTTP Basic
authentication.
This directive can be used instead of the compile-time setting
SECURITY_HOLE_PASS_AUTHORIZATION which has been available
in previous versions of Apache HTTP Server.
The setting is respected by any modules which use
ap_add_common_vars(), such as ,
, and so on.
Notably, it affects
modules which don't handle the request in the usual sense but
still use this API; examples of this are
Third-party modules that don't
use ap_add_common_vars() may choose to respect the setting
Controls how some CGI variables are set
CGIVar variable rule
directory, .htaccess
Available in Apache HTTP Server 2.4.21 and later
This directive controls how some CGI variables are set.
REQUEST_URI rules:
original-uri (default)
The value is taken from the original request line, and will not
reflect internal redirects or subrequests which change the requested
current-uri
The value reflects the resource currently being processed,
which may be different than the original request from the client
due to internal redirects or subrequests.
Enables the generation of Content-MD5 HTTP Response
ContentDigest On|Off
ContentDigest Off
server config, virtual host, directory, .htaccess
This directive enables the generation of
Content-MD5 headers as defined in RFC1864
respectively RFC2616.
MD5 is an algorithm for computing a "message digest"
(sometimes called "fingerprint") of arbitrary-length data, with
a high degree of confidence that any alterations in the data
will be reflected in alterations in the message digest.
The Content-MD5 header provides an end-to-end
message integrity check (MIC) of the entity-body. A proxy or
client may check this header for detecting accidental
modification of the entity-body in transit. Example header:
Content-MD5: AuLb7Dp1rqtRtxz2m9kRpA==
Note that this can cause performance problems on your server
since the message digest is computed on every request (the
values are not cached).
Content-MD5 is only sent for documents served
by the , and not by any module. For example,
SSI documents, output from CGI scripts, and byte range responses
do not have this header.
Base directory for the server run-time files
DefaultRuntimeDir directory-path
DefaultRuntimeDir DEFAULT_REL_RUNTIMEDIR (logs/)
server config
Available in Apache 2.4.2 and later
The DefaultRuntimeDir directive sets the
directory in which the server will create various run-time files
(shared memory, locks, etc.). If set as a relative path, the full path
will be relative to ServerRoot.
DefaultRuntimeDir scratch/
The default location of DefaultRuntimeDir may be
modified by changing the DEFAULT_REL_RUNTIMEDIR #define
at build time.
Note: ServerRoot should be specified before this
directive is used. Otherwise, the default value of ServerRoot
would be used to set the base directory.
for information on how to properly set
permissions on the ServerRoot
This directive has no effect other than to emit warnings
if the value is not none. In prior versions, DefaultType
would specify a default media type to assign to response content for
which no other media type configuration could be found.
DefaultType media-type|none
DefaultType none
server config, virtual host, directory, .htaccess
All choices except none are DISABLED for 2.3.x and later.
This directive has been disabled.
For backwards compatibility
of configuration files, it may be specified with the value
none, meaning no default media type. For example:
DefaultType None
DefaultType None is only available in
httpd-2.2.7 and later.
Use the mime.types configuration file and the
to configure media
type assignments via file extensions, or the
directive to configure
the media type for specific resources. Otherwise, the server will
send the response without a Content-Type header field and the
recipient may attempt to guess the media type.
Define a variable
Define parameter-name [parameter-value]
server config, virtual host
In its one parameter form, Define is
equivalent to passing the -D argument to
. It can be used to toggle the use of
sections without needing to alter -D arguments in any
startup scripts.
In addition to that, if the second parameter is given, a config variable
is set to this value. The variable can be used in the configuration using
the ${VAR} syntax. The variable is always globally defined
and not limited to the scope of the surrounding config section.
&IfDefine TEST&
Define servername
&/IfDefine&
&IfDefine !TEST&
Define servername
Define SSL
&/IfDefine&
DocumentRoot "/var/www/${servername}/htdocs"
Variable names may not contain colon ":" characters, to avoid clashes
with 's syntax.
Virtual Host scope and pitfalls
While this directive is supported in virtual host context,
the changes it makes are visible to any later configuration
directives, beyond any enclosing virtual host.
Enclose a group of directives that apply only to the
named file-system directory, sub-directories, and their contents.
&Directory directory-path&
... &/Directory&
server config, virtual host
&Directory& and
&/Directory& are used to enclose a group of
directives that will apply only to the named directory,
sub-directories of that directory, and the files within the respective
directories.
Any directive that is allowed
in a directory context may be used. Directory-path is
either the full path to a directory, or a wild-card string using
Unix shell-style matching. In a wild-card string, ? matches
any single character, and * matches any sequences of
characters. You may also use [] character ranges. None
of the wildcards match a `/' character, so &Directory
"/*/public_html"& will not match
/home/user/public_html, but &Directory
"/home/*/public_html"& will match. Example:
&Directory "/usr/local/httpd/htdocs"&
Options Indexes FollowSymLinks
&/Directory&
Directory paths may be quoted, if you like, however, it
must be quoted if the path contains spaces. This is because a
space would otherwise indicate the end of an argument.
Be careful with the directory-path arguments:
They have to literally match the filesystem path which Apache httpd uses
to access the files. Directives applied to a particular
&Directory& will not apply to files accessed from
that same directory via a different path, such as via different symbolic
can also be used, with the addition of the
~ character. For example:
&Directory ~ "^/www/[0-9]{3}"&
&/Directory&
would match directories in /www/ that consisted of
three numbers.
If multiple (non-regular expression) &Directory& sections
match the directory (or one of its parents) containing a document,
then the directives are applied in the order of shortest match
first, interspersed with the directives from the
files. For example,
&Directory "/"&
AllowOverride None
&/Directory&
&Directory "/home"&
AllowOverride FileInfo
&/Directory&
for access to the document /home/web/dir/doc.html
the steps are:
Apply directive AllowOverride None
(disabling .htaccess files).
Apply directive AllowOverride FileInfo (for
directory /home).
Apply any FileInfo directives in
/home/.htaccess, /home/web/.htaccess and
/home/web/dir/.htaccess in that order.
Regular expressions are not considered until after all of the
normal sections have been applied. Then all of the regular
expressions are tested in the order they appeared in the
configuration file. For example, with
&Directory ~ "abc$"&
# ... directives here ...
&/Directory&
the regular expression section won't be considered until after
all normal &Directory&s and
.htaccess files have been applied. Then the regular
expression will match on /home/abc/public_html/abc and
the corresponding &Directory& will
be applied.
Note that the default access for
&Directory "/"& is to permit all access.
This means that Apache httpd will serve any file mapped from an URL. It is
recommended that you change this with a block such
&Directory "/"&
Require all denied
&/Directory&
and then override this for directories you
want accessible. See the
page for more
The directory sections occur in the httpd.conf file.
&Directory& directives
cannot nest, and cannot appear in a
explanation of how these different sections are combined when a
request is received
Enclose directives that apply to
the contents of file-system directories matching a regular expression.
&DirectoryMatch regex&
... &/DirectoryMatch&
server config, virtual host
&DirectoryMatch& and
&/DirectoryMatch& are used to enclose a group
of directives which will apply only to the named directory (and the files within),
the same as .
However, it takes as an argument a
For example:
&DirectoryMatch "^/www/(.+/)?[0-9]{3}/"&
&/DirectoryMatch&
matches directories in /www/ (or any subdirectory thereof)
that consist of three numbers.
Compatibility
Prior to 2.3.9, this directive implicitly applied to sub-directories
(like ) and
could not match the end of line symbol ($).
In 2.3.9 and later,
only directories that match the expression are affected by the enclosed
directives.
Trailing Slash
This directive applies to requests for directories that may or may
not end in a trailing slash, so expressions that are anchored to the
end of line ($) must be written with care.
From 2.4.8 onwards, named groups and backreferences are captured and
written to the environment with the corresponding name prefixed with
"MATCH_" and in upper case. This allows elements of paths to be referenced
from within
and modules like
. In order to prevent confusion, numbered
(unnamed) backreferences are ignored. Use named groups instead.
&DirectoryMatch "^/var/www/combined/(?&sitename&[^/]+)"&
Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
&/DirectoryMatch&
a description of how regular expressions are mixed in with normal
&Directory&s
for an explanation of how these different
sections are combined when a request is received
Directory that forms the main document tree visible
from the web
DocumentRoot directory-path
DocumentRoot "/usr/local/apache/htdocs"
server config, virtual host
This directive sets the directory from which
will serve files. Unless matched by a directive like , the server appends the
path from the requested URL to the document root to make the
path to the document. Example:
DocumentRoot "/usr/web"
then an access to
/index.html refers to
/usr/web/index.html. If the directory-path is
not absolute then it is assumed to be relative to the .
The DocumentRoot should be specified without
a trailing slash.
Contains directives that apply only if the condition of a
section is not
satisfied by a request at runtime
&Else& ... &/Else&
server config, virtual host, directory, .htaccess
Nested conditions are evaluated in 2.4.26 and later
The &Else& applies the enclosed
directives if and only if the most recent
&ElseIf& section
in the same scope has not been applied.
For example: In
&If "-z req('Host')"&
The &If& would match HTTP/1.0
requests without a Host: header and the
&Else& would match requests
with a Host: header.
for an explanation of how these
different sections are combined when a request is received.
&ElseIf&, and
&Else& are applied last.
Contains directives that apply only if a condition is satisfied
by a request at runtime while the condition of a previous
&ElseIf& section is not
&ElseIf expression& ... &/ElseIf&
server config, virtual host, directory, .htaccess
Nested conditions are evaluated in 2.4.26 and later
The &ElseIf& applies the enclosed
directives if and only if both the given condition evaluates to true and
the most recent &If& or
&ElseIf& section in the same scope has
not been applied.
For example: In
&If "-R '10.1.0.0/16'"&
&ElseIf "-R '10.0.0.0/8'"&
The &ElseIf& would match if
the remote address of a request belongs to the subnet 10.0.0.0/8 but
not to the subnet 10.1.0.0/16.
for a complete reference and more examples.
for an explanation of how these
different sections are combined when a request is received.
&ElseIf&, and
&Else& are applied last.
Use memory-mapping to read files during delivery
EnableMMAP On|Off
EnableMMAP On
server config, virtual host, directory, .htaccess
This directive controls whether the
memory-mapping if it needs to read the contents of a file during
By default, when the handling of a request requires
access to the data within a file -- for example, when delivering a
server-parsed file using
-- Apache httpd
memory-maps the file if the OS supports it.
This memory-mapping sometimes yields a performance improvement.
But in some environments, it is better to disable the memory-mapping
to prevent operational problems:
On some multiprocessor systems, memory-mapping can reduce the
performance of the .
Deleting or truncating a file while
has it memory-mapped can cause
crash with a segmentation fault.
For server configurations that are vulnerable to these problems,
you should disable memory-mapping of delivered files by specifying:
EnableMMAP Off
For NFS mounted files, this feature may be disabled explicitly for
the offending files by specifying:
&Directory "/path-to-nfs-files"&
EnableMMAP Off
&/Directory&
Use the kernel sendfile support to deliver files to the client
EnableSendfile On|Off
EnableSendfile Off
server config, virtual host, directory, .htaccess
Default changed to Off in
version 2.3.9.
This directive controls whether
may use the
sendfile support from the kernel to transmit file contents to the client.
By default, when the handling of a request requires no access
to the data within a file -- for example, when delivering a
static file -- Apache httpd uses sendfile to deliver the file contents
without ever reading the file if the OS supports it.
This sendfile mechanism avoids separate read and send operations,
and buffer allocations. But on some platforms or within some
filesystems, it is better to disable this feature to avoid
operational problems:
Some platforms may have broken sendfile support that the build
system did not detect, especially if the binaries were built on
another box and moved to such a machine with broken sendfile
On Linux the use of sendfile triggers TCP-checksum
offloading bugs on certain networking cards when using IPv6.
On Linux on Itanium, sendfile may be unable to handle
files over 2GB in size.
With a network-mounted
(e.g., NFS, SMB, CIFS, FUSE),
the kernel may be unable to serve the network file through
its own cache.
For server configurations that are not vulnerable to these problems,
you may enable this feature by specifying:
EnableSendfile On
For network mounted files, this feature may be disabled explicitly
for the offending files by specifying:
&Directory "/path-to-nfs-files"&
EnableSendfile Off
&/Directory&
Please note that the per-directory and .htaccess configuration
of EnableSendfile is not supported by
Only global definition of EnableSendfile
is taken into account by the module.
Abort configuration parsing with a custom error message
Error message
server config, virtual host, directory, .htaccess
2.3.9 and later
If an error can be detected within the configuration, this
directive can be used to generate a custom error message, and halt
configuration parsing.
The typical use is for reporting required
modules which are missing from the configuration.
# ensure that mod_include is loaded
&IfModule !include_module&
Error "mod_include is required by mod_foo.
Load it with LoadModule."
&/IfModule&
# ensure that exactly one of SSL,NOSSL is defined
&IfDefine SSL&
&IfDefine NOSSL&
Error "Both SSL and NOSSL are defined.
Define only one of them."
&/IfDefine&
&/IfDefine&
&IfDefine !SSL&
&IfDefine !NOSSL&
Error "Either SSL or NOSSL must be defined."
&/IfDefine&
&/IfDefine&
What the server will return to the client
in case of an error
ErrorDocument error-code document
server config, virtual host, directory, .htaccess
In the event of a problem or error, Apache httpd can be configured
to do one of four things,
output a simple hardcoded error message
output a customized message
internally redirect to a local URL-path to handle the
problem/error
redirect to an external URL to handle the
problem/error
The first option is the default, while options 2-4 are
configured using the ErrorDocument
directive, which is followed by the HTTP response code and a URL
or a message. Apache httpd will sometimes offer additional information
regarding the problem/error.
From 2.4.13,
used inside the directive to produce dynamic strings and URLs.
URLs can begin with a slash (/) for local web-paths (relative
to the ), or be a
full URL which the client can resolve. Alternatively, a message
can be provided to be displayed by the browser. Note that deciding
whether the parameter is an URL, a path or a message is performed
before any expression is parsed. Examples:
ErrorDocument 500 /cgi-bin/server-error.cgi
ErrorDocument 404 /errors/bad_urls.php
ErrorDocument 401 /subscription_info.html
ErrorDocument 403 "Sorry, can't allow you access today"
ErrorDocument 403 Forbidden!
ErrorDocument 403 /errors/forbidden.py?referrer=%{escape:%{HTTP_REFERER}}
Additionally, the special value default can be used
to specify Apache httpd's simple hardcoded message.
While not required
under normal circumstances, default will restore
Apache httpd's simple hardcoded message for configurations that would
otherwise inherit an existing ErrorDocument.
ErrorDocument 404 /cgi-bin/bad_urls.pl
&Directory "/web/docs"&
ErrorDocument 404 default
&/Directory&
Note that when you specify an ErrorDocument
that points to a remote URL (ie. anything with a method such as
http in front of it), Apache HTTP Server will send a redirect to the
client to tell it where to find the document, even if the
document ends up being on the same server. This has several
implications, the most important being that the client will not
receive the original error status code, but instead will
receive a redirect status code. This in turn can confuse web
robots and other clients which try to determine if a URL is
valid using the status code. In addition, if you use a remote
URL in an ErrorDocument 401, the client will not
know to prompt the user for a password since it will not
receive the 401 status code. Therefore, if you use an
ErrorDocument 401 directive, then it must refer to a local
Microsoft Internet Explorer (MSIE) will by default ignore
server-generated error messages when they are "too small" and substitute
its own "friendly" error messages. The size threshold varies depending on
the type of error, but in general, if you make your error document
greater than 512 bytes, then MSIE will show the server-generated
error rather than masking it.
More information is available in
Microsoft Knowledge Base article .
Although most error messages can be overridden, there are certain
circumstances where the internal messages are used regardless of the
setting of .
particular, if a malformed request is detected, normal request processing
will be immediately halted and the internal error message returned.
This is necessary to guard against security problems caused by
bad requests.
If you are using mod_proxy, you may wish to enable
so that you can provide
custom error messages on behalf of your Origin servers. If you don't enable ProxyErrorOverride,
Apache httpd will not generate custom error documents for proxied content.
Location where the server will log errors
ErrorLog file-path|syslog[:[facility][:tag]]
ErrorLog logs/error_log (Unix) ErrorLog logs/error.log (Windows and OS/2)
server config, virtual host
The ErrorLog directive sets the name of
the file to which the server will log any errors it encounters. If
the file-path is not absolute then it is assumed to be
relative to the .
ErrorLog "/var/log/httpd/error_log"
If the file-path
begins with a pipe character "|" then it is assumed to be a
command to spawn to handle the error log.
ErrorLog "|/usr/local/bin/httpd_errors"
See the notes on
more information.
Using syslog instead of a filename enables logging
via syslogd(8) if the system supports it and if
is loaded. The default is to use syslog facility local7,
but you can override this by using the syslog:facility
syntax where facility can be one of the names usually documented in
syslog(1).
The facility is effectively global, and if it is changed
in individual virtual hosts, the final facility specified affects the
entire server. Same rules apply for the syslog tag, which by default
uses the Apache binary name, httpd in most cases. You can
also override this by using the syslog::tag
ErrorLog syslog:user
ErrorLog syslog:user:httpd.srv1
ErrorLog syslog::httpd.srv2
Additional modules can provide their own ErrorLog providers. The syntax
is similar to the syslog example above.
SECURITY: See the
document for details on why your security could be compromised
if the directory where log files are stored is writable by
anyone other than the user that starts the server.
When entering a file path on non-Unix platforms, care should be taken
to make sure that only forward slashes are used even though the platform
may allow the use of back slashes. In general it is a good idea to always
use forward slashes throughout the configuration files.
Format specification for error log entries
ErrorLogFormat [connection|request] format
server config, virtual host
ErrorLogFormat allows to specify what
supplementary information is logged in the error log in addition to the
actual log message.
#Simple example
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"
Specifying connection or request as first
parameter allows to specify additional formats, causing additional
information to be logged when the first message is logged for a specific
connection or request, respectively. This additional information is only
logged once per connection/request. If a connection or request is processed
without causing any log message, the additional information is not logged
It can happen that some format string items do not produce output.
example, the Referer header is only present if the log message is
associated to a request and the log message happens at a time when the
Referer header has already been read from the client.
If no output is
produced, the default behavior is to delete everything from the preceding
space character to the next space character.
This means the log line is
implicitly divided into fields on non-whitespace to whitespace transitions.
If a format string item does not produce output, the whole field is
For example, if the remote address %a in the log
format [%t] [%l] [%a] %M& is not available, the surrounding
brackets are not logged either.
Space characters can be escaped with a
backslash to prevent them from delimiting a field.
The combination '%&'
(percent space) is a zero-width field delimiter that does not produce any
The above behavior can be changed by adding modifiers to the format
string item. A - (minus) modifier causes a minus to be logged if the
respective item does not produce any output. In once-per-connection/request
formats, it is also possible to use the + (plus) modifier. If an
item with the plus modifier does not produce any output, the whole line is
A number as modifier can be used to assign a log severity level to a
format item. The item will only be logged if the severity of the log
message is not higher than the specified log severity level. The number can
range from 1 (alert) over 4 (warn) and 7 (debug) to 15 (trace8).
For example, here's what would happen if you added modifiers to
the %{Referer}i token, which logs the
Referer request header.
%-{Referer}i
Logs a - if Referer is not set.
%+{Referer}i
Omits the entire line if Referer is not set.
%4{Referer}i
Logs the Referer only if the log message severity
is higher than 4.
Some format string items accept additional parameters in braces.
The percent sign
Client IP address and port of the request
Underlying peer IP address and port of the connection (see the
Local IP-address and port
Request environment variable name
APR/OS error status code and string
Source file name and line number of the log call
Request header name
Number of keep-alive requests on this connection
Loglevel of the message
Log ID of the request
Log ID of the connection
Log ID of the connection if used in connection scope, empty otherwise
Name of the module logging the message
The actual log message
Request note name
Process ID of current process
Thread ID of current thread
System unique thread ID of current thread (the same ID as
displayed by e.g. top; currently Linux only)
The current time
The current time including micro-seconds
The current time in compact ISO 8601 format, including
micro-seconds
The canonical
of the current server.
The server name of the server serving the request according to the
\& (backslash space)
Non-field delimiting space
%& (percent space)
Field delimiter (no output)
The log ID format %L produces a unique id for a connection
or request. This can be used to correlate which log lines belong to the
same connection or request, which request happens on which connection.
A %L format string is also available in
to allow to correlate access log entries
with error log lines. If
is loaded, its
unique id will be used as log ID for requests.
#Example (default format for threaded MPMs)
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
This would result in error messages such as:
[Thu May 12 08:28:57.1] [core:error] [pid 8777:tid ] [client ::1:58619] File does not exist: /usr/local/apache2/htdocs/favicon.ico
Notice that, as discussed above, some fields are omitted
entirely because they are not defined.
#Example (similar to the 2.2.x format)
ErrorLogFormat "[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
#Advanced example with request/connection log IDs
ErrorLogFormat "[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M"
ErrorLogFormat request "[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T"
ErrorLogFormat request "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'"
ErrorLogFormat request "[%{uc}t] [R:%L] Referer:'%+{Referer}i'"
ErrorLogFormat connection "[%{uc}t] [C:%{c}L] local\ %a remote\ %A"
Keep track of extended status information for each
ExtendedStatus On|Off
ExtendedStatus Off[*]
server config
This option tracks additional data per worker about the
currently executing request and creates a utilization summary.
You can see these variables during runtime by configuring
Note that other modules may
rely on this scoreboard.
This setting applies to the entire server and cannot be
enabled or disabled on a virtualhost-by-virtualhost basis.
The collection of extended status information can slow down
the server.
Also note that this setting cannot be changed
during a graceful restart.
Note that loading
will change
the default behavior to ExtendedStatus On, while other
third party modules may do the same.
Such modules rely on
collecting detailed information about the state of all workers.
The default is changed by
with version 2.3.6. The previous default was always Off.
File attributes used to create the ETag
HTTP response header for static files
FileETag component ...
FileETag MTime Size
server config, virtual host, directory, .htaccess
The default used to be "INode&MTime&Size" in 2.3.14 and
The FileETag directive configures the file
attributes that are used to create the ETag (entity
tag) response header field when the document is based on a static file.
(The ETag value is used in cache management to save
network bandwidth.) The
FileETag directive allows you to choose
which of these -- if any -- should be used. The recognized keywords are:
The file's i-node number will be included in the calculation
The date and time the file was last modified will be included
The number of bytes in the file will be included
All available fields will be used. This is equivalent to:
FileETag INode MTime Size
If a document is file-based, no ETag field will be
included in the response
The INode, MTime, and Size
keywords may be prefixed with either + or -,
which allow changes to be made to the default setting inherited
from a broader scope. Any keyword appearing without such a prefix
immediately and completely cancels the inherited setting.
If a directory's configuration includes
FileETag&INode&MTime&Size, and a
subdirectory's includes FileETag&-INode,
the setting for that subdirectory (which will be inherited by
any sub-subdirectories that don't override it) will be equivalent to
FileETag&MTime&Size.
Do not change the default for directories or locations that have WebDAV
enabled and use
as a storage provider.
uses MTime&Size
as a fixed format for ETag comparisons on conditional requests.
These conditional requests will break if the ETag format is
changed via FileETag.
Server Side Includes
An ETag is not generated for responses parsed by
since the response entity can change without a change of the INode, MTime, or Size
of the static file with embedded SSI directives.
Contains directives that apply to matched
&Files filename& ... &/Files&
server config, virtual host, directory, .htaccess
The &Files& directive
limits the scope of the enclosed directives by filename. It is comparable
directives. It should be matched with a &/Files&
directive. The directives given within this section will be applied to
any object with a basename (last component of filename) matching the
specified filename. &Files&
sections are processed in the order they appear in the
configuration file, after the
sections and
.htaccess files are read, but before
sections. Note
that &Files& can be nested
sections to restrict the
portion of the filesystem they apply to.
The filename argument should include a filename, or
a wild-card string, where ? matches any single character,
and * matches any sequences of characters.
&Files "cat.html"&
# Insert stuff that applies to cat.html here
&Files "?at.*"&
# This would apply to cat.html, bat.html, hat.php and so on.
can also be used, with the addition of the
~ character. For example:
&Files ~ "\.(gif|jpe?g|png)$"&
would match most common Internet graphics formats.
is preferred,
Note that unlike
sections, &Files& sections can be used inside
.htaccess files. This allows users to control access to
their own files, at a file-by-file level.
for an explanation of how these
different sections are combined when a request is received
Contains directives that apply to regular-expression matched
&FilesMatch regex& ... &/FilesMatch&
server config, virtual host, directory, .htaccess
The &FilesMatch& directive
limits the scope of the enclosed directives by filename, just as the
does. However, it accepts a . For example:
&FilesMatch ".+\.(gif|jpe?g|png)$"&
&/FilesMatch&
would match most common Internet graphics formats.
The .+ at the start of the regex ensures that
files named .png, or .gif, for example,
are not matched.
From 2.4.8 onwards, named groups and backreferences are captured and
written to the environment with the corresponding name prefixed with
"MATCH_" and in upper case. This allows elements of files to be referenced
from within
and modules like
. In order to prevent confusion, numbered
(unnamed) backreferences are ignored. Use named groups instead.
&FilesMatch "^(?&sitename&[^/]+)"&
require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
&/FilesMatch&
for an explanation of how these
different sections are combined when a request is received
Forces all matching files to be served with the specified
media type in the HTTP Content-Type header field
ForceType media-type|None
directory, .htaccess
When placed into an .htaccess file or a
section, this directive forces all matching files to be served
with the content type identification given by
media-type. For example, if you had a directory full of
GIF files, but did not want to label them all with .gif,
you might want to use:
ForceType image/gif
Note that this directive overrides other indirect media type
associations defined in mime.types or via the
You can also override more general
ForceType settings
by using the value of None:
# force all files to be image/gif:
&Location "/images"&
ForceType image/gif
&/Location&
# but normal mime-type associations here:
&Location "/images/mixed"&
ForceType None
&/Location&
This directive primarily overrides the content types generated for
static files served out of the filesystem.
For resources other than
static files, where the generator of the response typically specifies
a Content-Type, this directive has no effect.
If no handler is explicitly set for a request, the specified content
type will also be used as the handler name.
When explicit directives such as
do not apply
to the current request, the internal handler name normally set by those
directives is instead set to the content type specified by this directive.
This is a historical behavior that some third-party modules
(such as mod_php) may look for a "synthetic" content type used only to
signal the module to take responsibility for the matching request.
Configurations that rely on such "synthetic" types should be avoided.
Additionally, configurations that restrict access to
restrict access to this directive as well.
Directory to write gmon.out profiling data to.
GprofDir /tmp/gprof/|/tmp/gprof/%
server config, virtual host
When the server has been compiled with gprof profiling support,
GprofDir causes gmon.out files to
be written to the specified directory when the process exits.
argument ends with a percent symbol ('%'), subdirectories are created
for each process id.
This directive currently only works with the
Enables DNS lookups on client IP addresses
HostnameLookups On|Off|Double
HostnameLookups Off
server config, virtual host, directory
This directive enables DNS lookups so that host names can be
logged (and passed to CGIs/SSIs in REMOTE_HOST).
The value Double refers to doing double-reverse
DNS lookup. That is, after a reverse lookup is performed, a forward
lookup is then performed on that result. At least one of the IP
addresses in the forward lookup must match the original
address. (In "tcpwrappers" terminology this is called
PARANOID.)
Regardless of the setting, when
used for controlling access by hostname, a double reverse lookup
will be performed.
This is necessary for security. Note that the
result of this double-reverse isn't generally available unless you
set HostnameLookups Double. For example, if only
HostnameLookups On and a request is made to an object
that is protected by hostname restrictions, regardless of whether
the double-reverse fails or not, CGIs will still be passed the
single-reverse result in REMOTE_HOST.
The default is Off in order to save the network
traffic for those sites that don't truly need the reverse
lookups done. It is also better for the end users because they
don't have to suffer the extra latency that a lookup entails.
Heavily loaded sites should leave this directive
Off, since DNS lookups can take considerable
amounts of time. The utility , compiled by
default to the bin subdirectory of your installation
directory, can be used to look up host names from logged IP addresses
Finally, if you have , a hostname lookup will be performed regardless of
the setting of HostnameLookups.
Modify restrictions on HTTP Request Messages
HttpProtocolOptions [Strict|Unsafe] [RegisteredMethods|LenientMethods]
[Allow0.9|Require1.0]
HttpProtocolOptions Strict LenientMethods Allow0.9
server config, virtual host
2.2.32 or 2.4.24 and later
This directive changes the rules applied to the HTTP Request Line
() and the HTTP Request Header Fields
(), which are now applied by default or using
the Strict option. Due to legacy modules, applications or
custom user-agents which must be deprecated the Unsafe
option has been added to revert to the legacy behaviors.
These rules are applied prior to request processing,
so must be configured at the global or default (first) matching
virtual host section, by IP/port interface (and not by name)
to be honored.
The directive accepts three parameters from the following list
of choices, applying the default to the ones not specified:
Strict|Unsafe
Prior to the introduction of this directive, the Apache HTTP Server
request message parsers were tolerant of a number of forms of input
which did not conform to the protocol.
call out only two of the potential
risks of accepting non-conformant request messages, while
"Message Parsing Robustness" identify the
risks of accepting obscure whitespace and request message formatting.
As of the introduction of this directive, all grammar rules of the
specification are enforced in the default Strict operating
mode, and the strict whitespace suggested by section 3.5 is enforced
and cannot be relaxed.
Security risks of Unsafe
Users are strongly cautioned against toggling the Unsafe
mode of operation, particularly on outward-facing, publicly accessible
server deployments.
If an interface is required for faulty monitoring
or other custom service consumers running on an intranet, users should
toggle the Unsafe option only on a specific virtual host configured
to service their internal private network.
Example of a request leading to HTTP 400 with Strict mode
# Missing CRLF
GET / HTTP/1.0\n\n
Command line tools and CRLF
Some tools need to be forced to use CRLF, otherwise httpd will return
a HTTP 400 response like described in the above use case. For example,
the OpenSSL s_client needs the -crlf parameter to work
can help while reviewing the HTTP request to identify issues like the
absence of CRLF.
RegisteredMethods|LenientMethods
"Request Methods" "Overview" requires that
origin servers shall respond with a HTTP 501 status code when an
unsupported method is encountered in the request line.
This already happens when the LenientMethods option is used,
but administrators may wish to toggle the RegisteredMethods
option and register any non-standard methods using the
directive, particularly if the Unsafe
option has been toggled.
Forward Proxy compatibility
The RegisteredMethods option should not
be toggled for forward proxy hosts, as the methods supported by the
origin servers are unknown to the proxy server.
Example of a request leading to HTTP 501 with LenientMethods mode
# Unknown HTTP method
WOW / HTTP/1.0\r\n\r\n
# Lowercase HTTP method
get / HTTP/1.0\r\n\r\n
Allow0.9|Require1.0
"Compatibility With Previous Versions" had
encouraged HTTP servers to support legacy HTTP/0.9 requests. RFC 7230
supersedes this with "The expectation to support HTTP/0.9 requests has
been removed" and offers additional comments in
. The Require1.0 option allows
the user to remove support of the default Allow0.9 option's
Example of a request leading to HTTP 400 with Require1.0 mode
# Unsupported HTTP version
GET /\r\n\r\n
Reviewing the messages logged to the
, configured with
debug level,
can help identify such faulty requests along with their origin.
Users should pay particular attention to the 400 responses in the access
log for invalid requests which were unexpectedly rejected.
Contains directives that apply only if a condition is
satisfied by a request at runtime
&If expression& ... &/If&
server config, virtual host, directory, .htaccess
Nested conditions are evaluated in 2.4.26 and later
The &If& directive
evaluates an expression at runtime, and applies the enclosed
directives if and only if the expression evaluates to true.
For example:
&If "-z req('Host')"&
would match HTTP/1.0 requests without a Host: header.
Expressions may contain various shell-like operators for string
comparison (==, !=, &, ...),
integer comparison (-eq, -ne, ...),
and others (-n, -z, -f, ...).
It is also possible to use regular expressions,
&If "%{QUERY_STRING} =~ /(delete|commit)=.*?elem/"&
shell-like pattern matches and many other operations. These operations
can be done on request headers (req), environment variables
(env), and a large number of other properties. The full
documentation is available in .
Only directives that support the
can be used within this configuration section.
Certain variables, such as CONTENT_TYPE and other
response headers, are set after &If& conditions have already
been evaluated, and so will not be available to use in this
directive.
for a complete reference and more examples.
for an explanation of how these
different sections are combined when a request is received.
&ElseIf&, and
&Else& are applied last.
Encloses directives that will be processed only
if a test is true at startup
&IfDefine [!]parameter-name& ...
&/IfDefine&
server config, virtual host, directory, .htaccess
The &IfDefine test&...&/IfDefine&
section is used to mark directives that are conditional. The
directives within an &IfDefine&
section are only processed if the test is true. If
test is false, everything between the start and end markers is
The test in the &IfDefine& section directive can be one of two forms:
parameter-name
!parameter-name
In the former case, the directives between the start and end
markers are only processed if the parameter named
parameter-name is defined. The second format reverses
the test, and only processes the directives if
parameter-name is not defined.
The parameter-name argument is a define as given on the
command line via -Dparameter
at the time the server was started or by the
directive.
&IfDefine& sections are
nest-able, which can be used to implement simple
multiple-parameter tests. Example:
httpd -DReverseProxy -DUseCache -DMemCache ...
&IfDefine ReverseProxy&
LoadModule proxy_module
modules/mod_proxy.so
LoadModule proxy_http_module
modules/mod_proxy_http.so
&IfDefine UseCache&
LoadModule cache_module
modules/mod_cache.so
&IfDefine MemCache&
LoadModule mem_cache_module
modules/mod_mem_cache.so
&/IfDefine&
&IfDefine !MemCache&
LoadModule cache_disk_module
modules/mod_cache_disk.so
&/IfDefine&
&/IfDefine&
&/IfDefine&
Encloses directives that are processed conditional on the
presence or absence of a specific directive
&IfDirective [!]directive-name& ...
&/IfDirective&
server config, virtual host, directory, .htaccess
The &IfDirective test&...&/IfDirective&
section is used to mark directives that are conditional on the presence of
a specific directive. The directives within an &IfDirective& section are only processed if the test
is true. If test is false, everything between the start and
end markers is ignored.
The test in the &IfDirective& section can be one of two forms:
directive-name
!directive-name
In the former case, the directives between the start and end
markers are only processed if a directive of the given name is
available at the time of processing.
The second format reverses the test,
and only processes the directives if directive-name is
not available.
This section should only be used if you need to have one
configuration file that works across multiple versions of
, regardless of whether a particular
directive is available. In normal operation, directives need not
be placed in &IfDirective&
Encloses directives that will be processed only
if file exists at startup
&IfFile [!]parameter-name& ...
server config, virtual host, directory, .htaccess
The &IfFile filename&...&/IfFile&
section is used to mark directives that are conditional on
the existence of a file on disk. The directives within an
&IfFile& section are only
processed if the filename exists. If
doesn't exist, everything between the start and end markers is
ignored. filename can be an absolute path or a path
relative to the server root.
The filename in the &IfFile
& section directive can take the same forms as the
test variable in the &IfDefine
& section, i.e. the test can be negated if the
! character is placed directly before filename.
If a relative filename is supplied, the check is
ServerRoot relative.
case where
this directive occurs before the ServerRoot,
the path will be checked relative to the compiled-in server root or
the server root passed in on the command line via the -d
parameter.
Encloses directives that are processed conditional on the
presence or absence of a specific module
&IfModule [!]module-file|module-identifier& ...
&/IfModule&
server config, virtual host, directory, .htaccess
The &IfModule test&...&/IfModule&
section is used to mark directives that are conditional on the presence of
a specific module. The directives within an &IfModule& section are only processed if the test
is true. If test is false, everything between the start and
end markers is ignored.
The test in the &IfModule& section directive can be one of two forms:
In the former case, the directives between the start and end
markers are only processed if the module named module
is included in Apache httpd -- either compiled in or
dynamically loaded using . The second format reverses the test,
and only processes the directives if module is
not included.
The module argument can be either the module identifier or
the file name of the module, at the time it was compiled.
For example,
rewrite_module is the identifier and
mod_rewrite.c is the file name. If a module consists of
several source files, use the name of the file containing the string
STANDARD20_MODULE_STUFF.
&IfModule& sections are
nest-able, which can be used to implement simple multiple-module
This section should only be used if you need to have one
configuration file that works whether or not a specific module
is available. In normal operation, directives need not be
placed in &IfModule&
Encloses directives that are processed conditional on the
presence or absence of a specific section directive
&IfSection [!]section-name& ...
&/IfSection&
server config, virtual host, directory, .htaccess
The &IfSection
test&...&/IfSection& section is used
to mark directives that are conditional on the presence of a
specific section directive.
A section directive is any directive
such as &VirtualHost& which
encloses other directives, and has a directive name with a leading
The directives within an &IfSection& section are only processed if the test
is true. If test is false, everything between the start and
end markers is ignored.
The section-name must be specified without either
the leading "&" or closing "&".
The test in the
&IfSection& section can be one
of two forms:
section-name
!section-name
In the former case, the directives between the start and end
markers are only processed if a section directive of the given
name is available at the time of processing.
The second format
reverses the test, and only processes the directives if
section-name is not an available
section directive.
For example:
&IfSection VirtualHost&
&/IfSection&
This section should only be used if you need to have one
configuration file that works across multiple versions of ,
regardless of whether a particular section directive is
available. In normal operation, directives need not be placed in
&IfSection& sections.
Includes other configuration files from within
the server configuration files
Include file-path|directory-path|wildcard
server config, virtual host, directory
wildcard matching available in 2.3.6 and later
This directive allows inclusion of other configuration files
from within the server configuration files.
Shell-style (fnmatch()) wildcard characters can be used
in the filename or directory parts of the path to include several files
at once, in alphabetical order. In addition, if
Include points to a directory, rather than a file,
Apache httpd will read all files in that directory and any subdirectory.
However, including entire directories is not recommended, because it is
easy to accidentally leave temporary files in a directory that can cause
to fail. Instead, we encourage you to use the
wildcard syntax shown below, to include files that match a particular
pattern, such as *.conf, for example.
directive will
fail with an error if a wildcard expression does not
match any file. The
directive can be used if non-matching wildcards should be ignored.
The file path specified may be an absolute path, or may be relative
directory.
Include /usr/local/apache2/conf/ssl.conf
Include /usr/local/apache2/conf/vhosts/*.conf
Or, providing paths relative to your
directory:
Include conf/ssl.conf
Include conf/vhosts/*.conf
Wildcards may be included in the directory or file portion of the
path. This example will fail if there is no subdirectory in conf/vhosts
that contains at least one *.conf file:
Include conf/vhosts/*/*.conf
Alternatively, the following command will just be ignored in case of
missing files or directories:
IncludeOptional conf/vhosts/*/*.conf
Includes other configuration files from within
the server configuration files
IncludeOptional file-path|directory-path|wildcard
server config, virtual host, directory
Available in 2.3.6 and later
This directive allows inclusion of other configuration files
from within the server configuration files. It works identically to the
directive, with the
exception that if wildcards do not match any file or directory, the
directive will be
silently ignored instead of causing an error.
Enables HTTP persistent connections
KeepAlive On|Off
KeepAlive On
server config, virtual host
The Keep-Alive extension to HTTP/1.0 and the persistent
connection feature of HTTP/1.1 provide long-lived HTTP sessions
which allow multiple requests to be sent over the same TCP
connection. In some cases this has been shown to result in an
almost 50% speedup in latency times for HTML documents with
many images. To enable Keep-Alive connections, set
KeepAlive On.
For HTTP/1.0 clients, Keep-Alive connections will only be
used if they are specifically requested by a client. In
addition, a Keep-Alive connection with an HTTP/1.0 client can
only be used when the length of the content is known in
advance. This implies that dynamic content such as CGI output,
SSI pages, and server-generated directory listings will
generally not use Keep-Alive connections to HTTP/1.0 clients.
For HTTP/1.1 clients, persistent connections are the default
unless otherwise specified. If the client requests it, chunked
encoding will be used in order to send content of unknown
length over persistent connections.
When a client uses a Keep-Alive connection, it will be counted
as a single "request" for the
directive, regardless
of how many requests are sent using the connection.
Amount of time the server will wait for subsequent
requests on a persistent connection
KeepAliveTimeout time-interval[s]
KeepAliveTimeout 5
server config, virtual host
The number of seconds Apache httpd will wait for a subsequent
request before closing the connection. By adding a postfix of ms the
timeout can be also set in milliseconds. Once a request has been
received, the timeout value specified by the
directive applies.
Setting KeepAliveTimeout to a high value
may cause performance problems in heavily loaded servers. The
higher the timeout, the more server processes will be kept
occupied waiting on connections with idle clients.
If KeepAliveTimeout is not
set for a name-based virtual host, the value of the first defined
virtual host best matching the local IP and port will be used.
Restrict enclosed access controls to only certain HTTP
&Limit method [method] ... & ...
directory, .htaccess
AuthConfig, Limit
Access controls are normally effective for
all access methods, and this is the usual
desired behavior. In the general case, access control
directives should not be placed within a
&Limit& section.
The purpose of the &Limit&
directive is to restrict the effect of the access controls to the
nominated HTTP methods. For all other methods, the access
restrictions that are enclosed in the &Limit& bracket will have no
effect. The following example applies the access control
only to the methods POST, PUT, and
DELETE, leaving all other methods unprotected:
&Limit POST PUT DELETE&
Require valid-user
The method names listed can be one or more of: GET,
POST, PUT, DELETE,
CONNECT, OPTIONS,
PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE,
LOCK, and UNLOCK. The method name is
case-sensitive. If GET is used, it will also
restrict HEAD requests. The TRACE method
cannot be limited (see ).
section should always be
used in preference to a &Limit&
section when restricting access, since a
section provides protection
against arbitrary methods.
The &Limit& and
directives may be nested.
In this case, each successive level of
&Limit& or
directives must
further restrict the set of me