CONTENT

CHANGES

Szukaj

#top Konfiguracja¶

[<<]|[<]|[^]|[v]|[>]|[>>]|[Roll]|[#top]|[X]

#top Listen¶

Listen 80

Listen 443

Listen 10.5.5.5:80

Listen 10.5.5.5:443

#top Timeout¶

Zobacz także Timeout dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: KeepAlive
Składnia: KeepAlive On|Off
Context: server config, virtual host
Opis: The Keep-Alive extension to HTTP/1.0 and the persistent connection feature of HTTP/1.1 provide long-lived HTTP sessions which allow multiple requests to be sent over the same TCP connection. In some cases this has been shown to result in an almost 50% speedup in latency times for HTML documents with many images. To enable Keep-Alive connections, set KeepAlive On.
For HTTP/1.0 clients, Keep-Alive connections will only be used if they are specifically requested by a client. In addition, a Keep-Alive connection with an HTTP/1.0 client can only be used when the length of the content is known in advance. This implies that dynamic content such as CGI output, SSI pages, and server-generated directory listings will generally not use Keep-Alive connections to HTTP/1.0 clients. For HTTP/1.1 clients, persistent connections are the default unless otherwise specified. If the client requests it, chunked encoding will be used in order to send content of unknown length over persistent connections.
When a client uses a Keep-Alive connection, it will be counted as a single "request" for the MaxRequestsPerChild directive, regardless of how many requests are sent using the connection.

Dokumentacja Apache: KeepAliveTimeout
Składnia: KeepAliveTimeout seconds
Context: server config, virtual host
Opis: The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies.
Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
In a name-based virtual host context, the value of the first defined virtual host (the default host) in a set of NameVirtualHost will be used. The other values will be ignored.

Dokumentacja Apache: TimeOut
Składnia: TimeOut seconds
Context: server config, virtual host
Opis: The TimeOut directive defines the length of time Apache will wait for I/O in various circumstances:

When reading data from the client, the length of time to wait for a TCP packet to arrive if the read buffer is empty.
When writing data to the client, the length of time to wait for an acknowledgement of a packet if the send buffer is full.
In mod_cgi, the length of time to wait for output from a CGI script.
In mod_ext_filter, the length of time to wait for output from a filtering process.
In mod_proxy, the default timeout value if ProxyTimeout is not configured.

Dokumentacja Apache: ProxyTimeout
Składnia: ProxyTimeout seconds
Context: server config, virtual host
Opis: This directive allows a user to specify a timeout on proxy requests. This is useful when you have a slow/buggy appserver which hangs, and you would rather just return a timeout and fail gracefully instead of waiting however long it takes the server to return.

Dokumentacja Apache: RequestReadTimeout
Składnia: RequestReadTimeout [header=timeout[[-maxtimeout],MinRate=rate] [body=timeout[[-maxtimeout],MinRate=rate]
Context: server config, virtual host
Opis: This directive can set various timeouts for receiving the request headers and the request body from the client. If the client fails to send headers or body within the configured time, a 408 REQUEST TIME OUT error is sent.

EXAMPLES

# domyślne wartości
KeepAlive On
KeepAliveTimeout 5
TimeOut 300
ProxyTimeout 300 # Value of Timeout
RequestReadTimeout # Default: Unset; no limit

# zalecane wartości
KeepAlive On
KeepAliveTimeout 5
TimeOut 30
ProxyTimeout 30
RequestReadTimeout 30

#top Signature¶

Zobacz także Signature dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: ServerTokens
Składnia: ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
Context: server config
Opis: The ServerTokens directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Dokumentacja Apache: ServerSignature
Składnia: ServerSignature On|Off|EMail
Context: server config, virtual host, directory, .htaccess
Opis: The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, ...). The reason why you would want to enable such a footer line is that in a chain of proxies, the user often has no possibility to tell which of the chained servers actually produced a returned error message.

EXAMPLES

ServerTokens Major
ServerTokens Minor
ServerTokens Min[imal]
ServerTokens Prod[uctOnly]
ServerTokens OS
ServerTokens Full

ServerSignature On
ServerSignature Off
ServerSignature EMail

Zalecana konfiguracja

# zalecana konfiguracja: wyłączenie informacji o wersji serwera w nagłówku HTTP "Server"
ServerTokens ServerTokens
ServerSignature Off

#top vhosts default¶

Zobacz także vhosts default dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: vhosts

Po przeprowadzeniu post instalacyjnej konfiguracji do pliku /etc/httpd/httpd.conf dodana zostanie (o ile wcześniej już nie istniała) dyrektywa
dołączająca (inkludująca) pliki konfiguracyjne związane z konfiguracją vhostsów w serwerze Apache:

# Virtual hosts
Include /etc/httpd/vhosts/*.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
[...]
LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined

EXAMPLES
Dzięki w odpowiedni sposób skonstruowanej nazwie plik /etc/httpd/vhosts/00-default.conf będzie zawsze pierwszym przetwarzanym plikiem konfiguracyjnym vhosta w serwerze Apache:

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command
<VirtualHost *:80>
ServerName  127.0.0.1
ServerAlias localhost
ServerAdmin admin@wbcd.pl
ServerPath   /srv/http/vhosts/default
DocumentRoot /srv/http/vhosts/default/
ErrorLog  /var/log/httpd/default-error.log
CustomLog /var/log/httpd/default-access.log vcombined
</VirtualHost>

#top vhosts SSL¶

##
## SSL Virtual Host Context
##
<VirtualHost *:443>
ServerName  wbcd.pl
ServerAlias 10.5.5.5
ServerAdmin admin@wbcd.pl
ServerPath   /srv/http/vhosts/wccd.pl
DocumentRoot /srv/http/vhosts/wbcd.pl/
ErrorLog  /var/log/httpd/wbcd_pl-ssl-error.log
CustomLog /var/log/httpd/wbcd_pl-ssl-access.log combined

SSLEngine on
SSLProtocol All -SSLv3 -SSLv2
SSLCertificateFile    /etc/pki/tls/certs/wbcd.pl.crt
SSLCertificateKeyFile /etc/pki/tls/certs/wbcd.pl.key
SSLCACertificateFile  /etc/pki/tls/certs/wbcd.pl-CA.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/srv/http/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

#top ErrorLog¶

Zobacz także ErrorLog dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: ErrorLog
Składnia: ErrorLog file-path|syslog[:facility], ErrorLog logs/error_log Default: (Unix), ErrorLog logs/error.log Default: (Windows and OS/2)
Context: server config, virtual host
Opis: Location where the server will log errors

EXAMPLES

# server config
ErrorLog /var/log/httpd/error.log

# default virtual host
ErrorLog /var/log/httpd/default-error.log

# hostname virtual host
ErrorLog /var/log/httpd/hostname-error.log

#top AccessLog¶

# default virtual host
CustomLog /var/log/httpd/default-access.log vcombined

# hostname virtual host
CustomLog /var/log/httpd/hostname-access.log combined

# hostname virtual host
SetEnvIf Request_URI "^/nagios3-nolog" dontlog
CustomLog /var/log/httpd/hostname-access.log combined env=!dontlog

#top LogFormat¶

Zobacz także LogFormat dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: LogFormat (common)
Dokumentacja Apache: LogFormat (combined)
Dokumentacja Apache: Custom Log Formats
Składnia: LogFormat "format string" nickname
Context: server config
Opis: Logging of the requests made to the server

EXAMPLES

# common
LogFormat "%h %l %u %t \"%r\" %>s %b" common

# combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

# vcombined - useful for default virtual hosts to log HTTP Header "Host:"
LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined

# combined and vcombined version for requests behind proxy
SetEnvIf Remote_Addr "^(.*)$" ENVRemote=$1
SetEnvIf X-Forwarded-For "^([0-9][0-9\.]*)" ENVRemote=$1
LogFormat "%{ENVRemote}e %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedpe
LogFormat "%V %{ENVRemote}e %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombinedpe

#top server status¶

Zobacz także server status dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: Enabling Status Support
Składnia: SetHandler server-status
Context: server config, virtual host
Opis: To enable status reports only for browsers from the example.com domain add this code to your httpd.conf configuration file

Dokumentacja Apache: ExtendedStatus Directive
Składnia: ExtendedStatus On|Off
Context: server config
Opis: Keep track of extended status information for each request

Dokumentacja Apache: SeeRequestTail Directive
Składnia: SeeRequestTail On|Off (Available in Apache 2.2.7 and later.)
Context: server config
Opis: Determine if mod_status displays the first 63 characters of a request or the last 63, assuming the request itself is greater than 63 chars.

EXAMPLES
To enable status reports only for browsers from the example.com domain add this code to your httpd.conf configuration file

ExtendedStatus On
SeeRequestTail Off
<Location /server-status>
SetHandler server-status

Order Deny,Allow
Deny from all
Allow from .example.com
</Location>

You can now access server statistics by using a Web browser to access the page http://your.server.name/server-status

Wynik wywołania adresu monitorowania http://cen05dev.xen.wbcd.pl/server-status:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for cen05dev.xen.wbcd.pl</h1>

<dl><dt>Server Version: Apache</dt>
<dt>Server Built: Jan 21 2009 22:01:41
</dt></dl><hr /><dl>
<dt>Current Time: Tuesday, 05-Apr-2016 19:38:20 CEST</dt>
<dt>Restart Time: Tuesday, 05-Apr-2016 14:05:36 CEST</dt>
<dt>Parent Server Generation: 31</dt>
<dt>Server uptime:  5 hours 32 minutes 43 seconds</dt>
<dt>Total accesses: 96 - Total Traffic: 358 kB</dt>
<dt>CPU Usage: u.01 s.04 cu0 cs0 - .00025% CPU load</dt>
<dt>.00481 requests/sec - 18 B/second - 3818 B/request</dt>
<dt>1 requests currently being processed, 7 idle workers</dt>
</dl><pre>W_______........................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<strong><code>_</code></strong>" Waiting for Connection,
"<strong><code>S</code></strong>" Starting up,
"<strong><code>R</code></strong>" Reading Request,<br />
"<strong><code>W</code></strong>" Sending Reply,
"<strong><code>K</code></strong>" Keepalive (read),
"<strong><code>D</code></strong>" DNS Lookup,<br />
"<strong><code>C</code></strong>" Closing connection,
"<strong><code>L</code></strong>" Logging,
"<strong><code>G</code></strong>" Gracefully finishing,<br />
"<strong><code>I</code></strong>" Idle cleanup of worker,
"<strong><code>.</code></strong>" Open slot with no current process</p>
<p />


<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>

<tr><td><strong>0-31</strong></td><td>15580</td><td>0/12/12</td><td><strong>W</strong>
</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.05</td><td>0.05
</td><td>10.0.0.3</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.0</td></tr>

<tr><td><strong>1-31</strong></td><td>15581</td><td>0/12/12</td><td>_
</td><td>0.01</td><td>20</td><td>2</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><strong>2-31</strong></td><td>15582</td><td>0/12/12</td><td>_
</td><td>0.00</td><td>19</td><td>1</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><strong>3-31</strong></td><td>15583</td><td>0/12/12</td><td>_
</td><td>0.01</td><td>10</td><td>4</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><strong>4-31</strong></td><td>15584</td><td>0/12/12</td><td>_
</td><td>0.01</td><td>9</td><td>4</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><strong>5-31</strong></td><td>15585</td><td>0/12/12</td><td>_
</td><td>0.01</td><td>9</td><td>1</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><strong>6-31</strong></td><td>15586</td><td>0/12/12</td><td>_
</td><td>0.00</td><td>8</td><td>1</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><strong>7-31</strong></td><td>15587</td><td>0/12/12</td><td>_
</td><td>0.01</td><td>7</td><td>1</td><td>0.0</td><td>0.04</td><td>0.04
</td><td>xnd.nat.wbcd.pl</td><td nowrap>cen05dev.xen.wbcd.pl</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

</table>
 <hr /> <table>
 <tr><th>Srv</th><td>Child Server number - generation</td></tr>
 <tr><th>PID</th><td>OS process ID</td></tr>
 <tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
 <tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
 <tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
 <tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
 <tr><th>Child</th><td>Megabytes transferred this child</td></tr>
 <tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
 </table>
<hr>
<table cellspacing=0 cellpadding=0>
<tr><td bgcolor="#000000">
</td></tr>olor="#ffffff" face="Arial,Helvetica">SSL/TLS Session Cache Status:</font></b>
<tr><td bgcolor="#ffffff">
cache type: <strong>SHMCB</strong>, shared memory: <strong>512000</strong> bytes, current sessions: <strong>0</strong><br>sub-caches: <strong>32</strong>, indexes per sub-cache: <strong>133</strong><br>index usage: <strong>0%</strong>, cache usage: <strong>0%</strong><br>total sessions stored since starting: <strong>0</strong><br>total sessions expired since starting: <strong>0</strong><br>total (pre-expiry) sessions scrolled out of the cache: <strong>0</strong><br>total retrieves since starting: <strong>0</strong> hit, <strong>0</strong> miss<br>total removes since starting: <strong>0</strong> hit, <strong>0</strong> miss<br></td></tr>
</table>
</body></html>

#top Modules¶

#top mod-logging¶

Zobacz także mod-logging dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: mod_log_config - Logging of the requests made to the server
Dokumentacja Apache: mod_log_forensic - Forensic Logging of the requests made to the server
Dokumentacja Apache: mod_logio - Logging of input and output bytes per request
Dokumentacja Apache: mod_dumpio - Dumps all I/O to error log as desired

#top mod-misc¶

#top mod-auth¶

Zobacz także mod-auth dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: mod_authn_default
Dokumentacja Apache: mod_authn_alias
Dokumentacja Apache: mod_authn_file
Dokumentacja Apache: mod_auth_basic
Dokumentacja Apache: mod_auth_digest
Dokumentacja Apache: mod_authn_dbm
Dokumentacja Apache: mod_authn_dbd
Dokumentacja Apache: mod_authnz_ldap
Dokumentacja Apache: mod_authz_dbm
Dokumentacja Apache: mod_authz_default
Dokumentacja Apache: mod_authz_groupfile
Dokumentacja Apache: mod_authz_host
Dokumentacja Apache: mod_authz_owner
Dokumentacja Apache: mod_authz_user

#top mod-headers¶

Zobacz także mod-headers dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: mod_headers - Customization of HTTP request and response headers
Dokumentacja Apache: mod_expires - Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
Dokumentacja Apache: mod_mime - Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
Dokumentacja Apache: mod_mime_magic - Determines the MIME type of a file by looking at a few bytes of its contents
Dokumentacja Apache: mod_negotiation - Provides for content negotiation

#top mod-proxy¶

Zobacz także mod-proxy dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: mod_proxy - HTTP/1.1 proxy/gateway server
Dokumentacja Apache: mod_proxy_http - HTTP support module for mod_proxy
Dokumentacja Apache: mod_proxy_ftp - FTP support module for mod_proxy
Dokumentacja Apache: mod_proxy_connect - mod_proxy extension for CONNECT request handling
Dokumentacja Apache: mod_proxy_scgi - SCGI gateway module for mod_proxy
Dokumentacja Apache: mod_proxy_ajp - AJP support module for mod_proxy
Dokumentacja Apache: mod_proxy_balancer - mod_proxy extension for load balancing

EXAMPLES
Kopia lustrzana strony przy użyciu proxy: po otwarciu adresu http://example.org/
pojawi się treść znajdująca się pod adresem http://example.com/

<VirtualHost *:80>
ServerName example.org
[...]
# ProxyRequests On
ProxyRequests Off
# ProxyVia On
ProxyVia Off
RewriteEngine on
RewriteRule ^/(.*)$        http://example.com/$1 [P]
</VirtualHost>

Wersja szyfrowana zarówno lokalna jak również zdalna.
Kopia lustrzana strony przy użyciu proxy: po otwarciu adresu https://example.org/
pojawi się treść znajdująca się pod adresem https://example.com/

<VirtualHost *:443>
ServerName example.org
[...]
# ProxyRequests On
ProxyRequests Off
SSLProxyEngine on
# ProxyVia On
ProxyVia Off
RewriteEngine on
RewriteRule ^/(.*)$        https://example.com/$1 [P]
</VirtualHost>

Kopia lustrzana wybranej podstrony przy użyciu mod_rewrite: po otwarciu adresu http://net.wbcd.pl/lg
pojawi się treść znajdująca się pod adresem http://net.cen06x64.xen.wbcd.pl/lg
Pozostała treść znajdująca się pod adresem http://net.wbcd.pl/ jest serwowana
bezpośrednio przez serwer zawierający niniejszą konfigurację.

<VirtualHost *:80>
ServerName net.wbcd.pl
[...]
#ProxyRequests On
ProxyRequests Off
#ProxyVia On
ProxyVia Off
ProxyTimeout 300
RewriteEngine on
RewriteRule ^/(lg.*)$        http://net.cen06x64.xen.wbcd.pl/$1 [P]
RewriteRule ^/(watchhttp.*)$ http://net.cen06x64.xen.wbcd.pl/$1 [P]
</VirtualHost>

Równoważenie obciązenia poprzez kierowanie ruchu do kilku serwerów backend
(sticky session cookie: klient będzie zawsze kierowany do tego samego serwera).

Another example of how to provide load balancing with stickyness using mod_headers,
even if the back-end server does not set a suitable session cookie:

<VirtualHost *:80>
ServerName cen0Xdev
ServerAlias cen05dev.xen.wbcd.pl
ServerAlias cen06dev.xen.wbcd.pl
[...]
Header add Set-Cookie "HOSTID=.%{BALANCER_WORKER_HOST}e; path=/" env=BALANCER_HOST_CHANGED
<Proxy httpbalance://cen0Xdev01>
BalancerMember http://10.41.0.54:80 host=1
BalancerMember http://10.41.0.56:80 host=2
ProxySet stickysession=HOSTID
</Proxy>
ProxyPass / httpbalance://cen0Xdev01
</VirtualHost>

#top Access Restrictions¶

#top AccessAllow¶

Zobacz także AccessAllow dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: Access Control (2.2) | Access Control (2.4)

Dokumentacja Apache: Order
Składnia: Order ordering
Context: directory, .htaccess
Domyślna wartość: AllowOverride All (W konfiguracji serwera może być ustawiona domyślna (zalecana) wartość: AllowOverride None)
Opis:

Dokumentacja Apache: Allow (2.2)
Składnia: Allow from all|host|env=[!]env-variable [host|env=[!]env-variable] ...
Context: directory, .htaccess
Opis:

Dokumentacja Apache: Require (2.4)
Składnia: Require [not] entity-name [entity-name] ...
Context: directory, .htaccess
Opis:

Dokumentacja Apache: AllowOverride
Składnia: AllowOverride All|None|directive-type [directive-type] ...
Context: directory
Opis:

Dokumentacja Apache: Limit
Składnia: <Limit method [method] ... > ... </Limit>
Context: server config, virtual host, directory, .htaccess
Opis:

Dokumentacja Apache: LimitExcept
Składnia: <LimitExcept method [method] ... > ... </LimitExcept>
Context: server config, virtual host, directory, .htaccess
Opis:

Dokumentacja Apache: RemoteIPHeader (2.4)
Składnia: RemoteIPHeader header-field
Context: server config, virtual host
Opis:

EXAMPLES
Access X-Forwarded-For:
httpd 2.2

SetEnvIF X-Forwarded-For "(,| |^)192\.168\.1\.1(,| |$)" PermitIP
SetEnvIF X-Forwarded-For "(,| |^)172\.16\.1\.1(,| |$)" PermitIP
SetEnvIF X-Forwarded-For "(,| |^)10\.1\.1\.1(,| |$)" PermitIP
Order deny,allow
Deny from all
Allow from env=PermitIP

httpd 2.4

RemoteIPHeader X-Forwarded-For
Require ip 192.168.1.1
Require ip 172.16.1.1
Require ip 10.1.1.1

#SetEnvIfExpr "-R '10.0.0.0/8' || -R '172.16.0.0/12' || -R '192.168.0.0/16'" rfc1918
SetEnvIfExpr "-R '192.168.1.1'" PermitIP
SetEnvIfExpr "-R '172.16.1.1'" PermitIP
SetEnvIfExpr "-R '10.1.1.1'" PermitIP

#top AccessDeny¶

#top headers¶

#top HTTP Header Add¶

Header add MyHeader "Hello From Apache"

#top HTTP Header Set¶

Header set MyHeader "Hello From Apache"

#top HTTP Header Remove¶

Header unset MyHeader
Header unset Vary

#top Header Access¶

#top Header MIME¶

#top TLS Engine¶

Dokumentacja Apache: Apache Module mod_ssl

#top TLS Enable¶

Zobacz także TLS Enable dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: SSLEngine Directive
Składnia: SSLEngine on|off|optional
Context: server config, virtual host
Opis: This directive toggles the usage of the SSL/TLS Protocol Engine. This should be used inside a <VirtualHost> section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

EXAMPLES

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
</VirtualHost>

#top TLS Cert/Key File¶

Zobacz także TLS Cert/Key File dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: SSLCertificateFile Directive
Dokumentacja Apache: SSLCertificateKeyFile Directive
Dokumentacja Apache: SSLCertificateChainFile Directive
Dokumentacja Apache: SSLCACertificateFile Directive
Dokumentacja Apache: SSLCARevocationFile Directive
Składnia: SSLCertificateFile file-path
Składnia: SSLCertificateKeyFile file-path
Składnia: SSLCertificateChainFile file-path
Składnia: SSLCACertificateFile file-path
Składnia: SSLCARevocationFile file-path
Context: server config, virtual host
Opis: This directive toggles the usage of the SSL/TLS Protocol Engine. This should be used inside a <VirtualHost> section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

EXAMPLES

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
SSLCertificateFile    /etc/pki/tls/certs/wildcard.wbcd.pl.crt
SSLCertificateKeyFile /etc/pki/tls/certs/wildcard.wbcd.pl.key
SSLCertificateChainFile /etc/pki/tls/certs/RapidSSL_CA.crt
SSLCACertificateFile  /etc/pki/tls/certs/ca-bundle.crt
[...]
</VirtualHost>

#top TLS Protocols¶

Zobacz także TLS Protocols dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: SSLProtocol Directive
Składnia: SSLProtocol [+|-]protocol ...
Context: server config, virtual host
Opis: This directive can be used to control the SSL protocol flavors mod_ssl should use when establishing its server environment. Clients then can only connect with one of the provided protocols.

EXAMPLES
mod_ssl

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Włączenie wszystkich obsługiwanych protokołów oprócz SSLv2 and SSLv3 (Wyłączenie protokołów w wersji SSLv2 i SSLv3)
SSLProtocol All -SSLv2 -SSLv3
[...]
</VirtualHost>

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Wyłączenie wszystkich protokołów oprócz TLSv1.x (dla dystrybucji Linux RHEL 5.* / CentOS 5.*)
SSLProtocol -All +TLSv1
# Wyłączenie wszystkich protokołów oprócz TLSv1.x (dla dystrybucji Linux RHEL 6.* / CentOS 6.* i późniejszych)
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
[...]
</VirtualHost>

mod_nss

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Włączenie tylko protokołów TLSv1.x (dla dystrybucji Linux RHEL 5.* / CentOS 6.*)
NSSProtocol TLSv1.0
# Włączenie tylko protokołów TLSv1.x (dla dystrybucji Linux RHEL 6.* / CentOS 6.* i późniejszych)
NSSProtocol TLSv1.0,TLSv1.1
[...]
</VirtualHost>

#top TLS CipherSuite¶

Zobacz także TLS CipherSuite dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: SSLCipherSuite Directive
Składnia: SSLCipherSuite cipher-spec
Context:server config, virtual host, directory, .htaccess
Opis: This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

Dokumentacja Apache: SSLHonorCipherOrder Directive
Składnia: SSLHonorCipherOrder flag
Context: server config, virtual host
Opis: Option to prefer the server's cipher preference order

EXAMPLES

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Domyślna wartość
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[...]
</VirtualHost>

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Wyłączenie RC4 oraz innych Key-eXchange ze względów bezpieczeństwa (Obsługa RC4 nie jest zalecana ze względów bezpieczeństwa)
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:!RSA:!NULL:!aNULL:!eNULL:!EXP:+HIGH:+TLSv1
# Włączenie preferowania CipherSuite wysyłanego przez serwer (domyślnie używana jest preferencja wysyłana przez klienta)
SSLHonorCipherOrder on
[...]
</VirtualHost>

#top TLS Compression¶

Zobacz także TLS Compression dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: SSLCompression Directive
Składnia: SSLCompression on|off
Context: server config, virtual host
Opis: Available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later; virtual host scope available if using OpenSSL 1.0.0 or later. The default used to be on in versions 2.2.24 to 2.2.25.
Opcja SSLCompression dostępna jest w wersji 2.2.24 i późniejszych. We wcześniejszych wersjach apache dostępnych w dystrybucjach Linux począwszy od dystrybucji RHEL 5.3 / CentOS 5.3, RHEL 6.* / CentOS 6.*, Fedora wersja biblioteki OpenSSL zawiera patch implementujący w bibliotece sprawdzanie obecności zmiennej środowiskowej OPENSSL_NO_DEFAULT_ZLIB, której obecność powoduje wyłączenie obsług kompresji w warstwie SSL.

EXAMPLES

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Wyłączenie kompresji w warstwie SSL (Obsługa kompresji w warstwie SSL nie jest zalecana ze względów bezpieczeństwa)
SSLCompression off
[...]
</VirtualHost>

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Włączenie kompresji w warstwie SSL
SSLCompression on
[...]
</VirtualHost>

Wyłączenie kompresji poprzez zmienną środowiskową OPENSSL_NO_DEFAULT_ZLIB dla wcześniejszych wersji apache dostępnych w dystrybucjach Linux począwszy od dystrybucji RHEL 5.3 / CentOS 5.3 z uaktualnioną wersją biblioteki OpenSSL.
Deklaracja zmiennej środowiskowej w pliku /etc/sysconfig/httpd powodująca wyłączenie kompresji w bibliotece OpenSSL:

# Wyłączenie kompresji w warstwie SSL (Obsługa kompresji w warstwie SSL nie jest zalecana ze względów bezpieczeństwa)
OPENSSL_NO_DEFAULT_ZLIB=1

#top TLS Options¶

Zobacz także TLS Options dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID

Dokumentacja Apache: SSLOptions Directive
Składnia: SSLOptions [+|-]option ...
Context: server config, virtual host, directory, .htaccess
Opis: This directive can be used to control various run-time options on a per-directory basis. Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely; the options are not merged. However if all the options on the SSLOptions directive are preceded by a plus (+) or minus (-) symbol, the options are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.

EXAMPLES

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Włączenie dodatkowych opcji w warstwie SSL
SSLOptions +FakeBasicAuth +StrictRequire +OptRenegotiate
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars +ExportCertData
</Files>
[...]
</VirtualHost>

<VirtualHost _default_:443>
[...]
SSLEngine on
[...]
# Wyłączenie dodatkowych opcji w warstwie SSL
SSLOptions -FakeBasicAuth -StrictRequire -OptRenegotiate
<Files ~ "\.(cgi|shtml)$">
SSLOptions -StdEnvVars -ExportCertData
</Files>
[...]
</VirtualHost>

Zmodyfikowany ostatnio: 2018/01/04 19:49:27 (6 lat temu), textsize: 49,4 kB, htmlsize: 84,7 kB

Zapraszam do komentowania, zgłaszania sugestii, propozycji, własnych przykładów, ...

Dodaj komentarzKomentarze użytkowników