Category: LINUX

2014-09-25 03:26:05

Apache installation and configuration notes

http://blog.chinaunix.net/uid-20784749-id-1844507.html

1. Software download

1) apache or

2. Environment check

# rpm -qa|grep zlib
zlib-devel-1.2.3-3
zlib-1.2.3-3
# rpm -qa|grep ssl
openssl-devel-0.9.8b-10.el5
openssl-0.9.8b-10.el5

If dependency packages are needed, install the corresponding devel packages; only zlib and ssl are used here. Also, if an httpd package is already installed, uninstall it first or stop its service.

3. Compile and install

1) Notes on installation purposes (from the INSTALL file)

If you are a developer, use the --with-included-apr option; it makes linking against Apache code or debugging Apache easier and eliminates mismatches with the APR or APR-util code caused by version or build differences;

If building Apache from a Subversion checkout, run buildconf first (requires Python, GNU autoconf and libtool), then run configure. Release packages do not need this.

To build Apache with a threaded MPM on FreeBSD before 5.4, the --enable-threads and --with-mpm arguments are needed

Building from Subversion on Mac requires GNU Libtool 1.4.2 or later

2) On SSL encryption and regular expressions (from the README file)

    Apache 2.0 and later include the mod_ssl module under modules/ssl/ for configuring and listening for connections on the SSL network interface. (In addition, some apr-util versions provide an SSL network interface under srclib/apr-util/ssl/.) Packages whose name contains the word crypto may contain object code for the OpenSSL cryptographic library. If Apache's cryptographic functionality is not wanted, or must be excluded before redistribution, use a distribution package whose name contains nossl.

    Apache uses the regular expressions provided by the PCRE package.

3) Notes on configure arguments

Configuration help:

-h, --help

Show help information

display this help and exit

--help=short

The short argument shows only the options of the script currently being run; it does not list the options of the external configure scripts that the Apache configure script runs

display options specific to this package

--help=recursive

The recursive argument shows the short help of all included packages

display the short help of all the included packages

-V, --version

Show version

display version information and exit

-q, --quiet, --silent

Do not print "checking..." messages

do not print `checking...' messages

--cache-file=FILE

Store test results in the given file

cache test results in FILE [disabled]

-C, --config-cache

Store test results in the file config.cache

alias for `--cache-file=config.cache'

-n, --no-create

Do not write output files when the configure script finishes; often used as a dry run before the real build.

do not create output files

--srcdir=DIR

Directory containing the sources

find the sources in DIR [configure dir or `..']

 

Installation directories:

--prefix=PREFIX

Top-level installation directory PREFIX for architecture-independent files, i.e. the Apache installation directory

install architecture-independent files in PREFIX [/usr/local/apache2]

--exec-prefix=EPREFIX

Top-level installation directory EPREFIX for architecture-dependent files; installing architecture-dependent files in a separate location makes it convenient to share the architecture-dependent files between different hosts

install architecture-dependent files in EPREFIX [PREFIX]

By default, make install installs all files under /usr/local/apache2/bin, /usr/local/apache2/lib and so on. You can specify an installation prefix other than /usr/local/apache2 with --prefix, for instance --prefix=$HOME
By default, `make install' will install all the files in
`/usr/local/apache2/bin', `/usr/local/apache2/lib' etc.  You can specify
an installation prefix other than `/usr/local/apache2' using `--prefix',
for instance `--prefix=$HOME'.

Detailed installation directory settings:

The default installation directories are given in config.layout; the RHEL layout is as follows:
    prefix:        /usr
    exec_prefix:   ${prefix}
    bindir:        ${prefix}/bin
    sbindir:       ${prefix}/sbin
    libdir:        ${prefix}/lib
    libexecdir:    ${prefix}/lib/apache
    mandir:        ${prefix}/man
    sysconfdir:    /etc/httpd/conf
    datadir:       /var/www
    installbuilddir: ${datadir}/build
    errordir:      ${datadir}/error
    iconsdir:      ${datadir}/icons
    htdocsdir:     ${datadir}/html
    manualdir:     ${datadir}/manual
    cgidir:        ${datadir}/cgi-bin
    includedir:    ${prefix}/include/apache
    localstatedir: /var
    runtimedir:    ${localstatedir}/run
    logfiledir:    ${localstatedir}/log/httpd
    proxycachedir: ${localstatedir}/cache/httpd

Custom installation directories

--bindir=DIR

User executables directory DIR. Holds support programs useful to site administrators, such as htpasswd and dbmmanage

user executables [EPREFIX/bin]

--sbindir=DIR

System administrator executables directory DIR. Holds the server programs required to run the HTTP server, such as httpd, apachectl and suexec

system admin executables [EPREFIX/sbin]

--libexecdir=DIR

Program executables directory DIR, i.e. the directory for dynamically loaded modules

program executables [EPREFIX/libexec]

--sysconfdir=DIR

Read-only single-machine data directory DIR. Holds server configuration files such as httpd.conf and mime.types

read-only single-machine data [PREFIX/etc]

--sharedstatedir=DIR

Modifiable architecture-independent data directory DIR

modifiable architecture-independent data [PREFIX/com]

--localstatedir=DIR

Modifiable single-machine data directory DIR

modifiable single-machine data [PREFIX/var]

--libdir=DIR

Object code libraries directory DIR

object code libraries [EPREFIX/lib]

--includedir=DIR

Apache C header files directory DIR

C header files [PREFIX/include]

--oldincludedir=DIR

C header files directory DIR for non-gcc compilers

C header files for non-gcc [/usr/include]

--datarootdir=DIR

Root directory for the web server's read-only architecture-independent data

read-only arch.-independent data root [PREFIX/share]

--datadir=DIR

Read-only architecture-independent data directory DIR for the web server

read-only architecture-independent data [DATAROOTDIR]

--infodir=DIR

Info documentation directory DIR

info documentation [DATAROOTDIR/info]

--localedir=DIR

Locale-dependent data directory DIR

locale-dependent data [DATAROOTDIR/locale]

--mandir=DIR

Man page directory DIR

man documentation [DATAROOTDIR/man]

--docdir=DIR

Documentation directory

documentation root [DATAROOTDIR/doc/PACKAGE]

--htmldir=DIR

HTML documentation directory

html documentation [DOCDIR]

--dvidir=DIR

DVI documentation directory

dvi documentation [DOCDIR]

--pdfdir=DIR

PDF documentation directory

pdf documentation [DOCDIR]

--psdir=DIR

PS documentation directory

ps documentation [DOCDIR]

Cross-compilation options:

These options are used to cross-compile an Apache HTTP server that will run on a different platform. When the Apache HTTP server is compiled and run on the same platform they are usually not needed; the script detects and sets them automatically.

--build=BUILD

System type BUILD of the system the build tools run on

configure for building on BUILD [guessed]

--host=HOST

Target system type HOST on which the cross-compiled Apache HTTP server will run

cross-compile to build programs to run on HOST [BUILD]

--target=TARGET

Type of the target code produced by the cross-compilation

configure for building compilers for TARGET [HOST]

Feature options:

Notes:

1) Module list:

Base (B) modules are included by default and must be explicitly disabled; extended (E) and experimental (X) modules are not included by default and must be explicitly enabled

Module name / Status / Brief description (for most rows only the status and description survived; the module name is shown where it was preserved)

(B)  Provides for executing CGI scripts based on media type or request method
(B)  Maps different parts of the filesystem into the document tree, and redirects URLs
(B)  Sends files that contain their own HTTP headers
(B)  Basic authentication
(B)  Simply rejects all authentication information when no authentication module is properly configured
(B)  Authentication support using plain text files
(B)  Simply rejects all authorization requests when no authorization support module is properly configured
(B)  Group authorization support using plain text files
(B)  Access control based on host name, IP address or request characteristics
(B)  Per-user authorization support
(B)  Automatically generates listings of directory contents, similar to the "ls" or "dir" command
(B)
(B)
(B)  Specifies directory index files and provides "trailing slash" redirects for directories
(B)  Allows Apache to modify or clear environment variables passed to CGI scripts and SSI pages
(B)  Dynamically configures output filters according to the actual context
mod_imagemap  (B)  Handles server-side image maps
(B)  Implements server-side include (SSI) processing
(B)  Implements ISAPI extensions, Windows only
(B)  Logging of requests and custom log file formats
(B)  Decides the response behaviour (handler/filter) and content (MIME type/language/charset/encoding) from the file extension
(B)
(B)  SSL encryption support, NetWare only
(B)  Sets environment variables based on client request header fields
(B)  Generates a web page describing the server status
(B)  Allows users to serve pages from their own home directories (using "/~username")
(X)  MD5 digest authentication (more secure, but supported only by the newest browsers)
(E)  Creates extended authentication providers based on actual providers and gives them an alias for easy reference
(E)  Anonymous user authentication support
(E)  Authentication support using a SQL database
(E)  Authentication support using a DBM database
(E)  Allows an LDAP directory to be used as the username and password database for basic authentication and authorization
(E)  Group authorization support using DBM database files
(E)  Authorization based on file ownership
(E)  Dynamic content caching (memory or disk) keyed by URI
(E)  Allows Apache to use CERN httpd meta files, so that headers can be modified when a file is sent
(X)  Allows character set conversion of pages
(E)
(E)
(E)
(E)  Manages SQL database connections and supports modules that need database functionality
(E)  Compresses content sent to the client
(E)  Disk-based cache manager
(E)  Dumps all I/O operations to the error log
(X)  A very simple protocol demonstration module
(X)  A very simple Apache module API demonstration module
(E)  Allows the HTTP "Expires:" and "Cache-Control:" headers to be controlled from the configuration file
(E)  Uses an external program as a filter
(X)  Provides file descriptor caching, improving Apache performance
(E)  Allows arbitrary HTTP request and response headers to be controlled from the configuration file
(E)  Implements the ident lookup specified in RFC 1413
(E)  Generates a web page showing the Apache configuration
(E)  Provides LDAP connection pooling and result caching for the other LDAP modules
(E)  Implements "forensic" (comparison) logging, i.e. each request is logged twice, before it is processed and after it completes
(E)  Logs the input/output byte counts and HTTP headers of each request
(E)  Memory-based cache manager
(E)  Guesses a file's MIME type automatically by reading part of its contents
(E)  HTTP/1.1 proxy/gateway support
(E)
(E)
(E)
(E)
(E)
(E)  A rule-based engine for rewriting requested URLs on the fly
(E)  Allows loading DSO modules at runtime
(E)  Automatically corrects spelling errors in URLs
(E)  Strong encryption using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
(E)
(E)  Generates a unique identifier for each request for tracking purposes
(E)  Tracks users with sessions (sends many cookies) to record click streams
(E)  Version-based configuration sections
(E)  Dynamically configured mass virtual hosting

2) The Apache HTTP server is modular: administrators can add or remove functionality by choosing which modules the server includes. Modules can be statically compiled into the httpd binary at build time, or compiled as dynamic shared objects (DSOs) separate from the httpd binary. DSO modules can be compiled together with the server, or compiled separately with the Apache extension tool (apxs).

3) An ISAPI server extension is a DLL that can be loaded and called by an HTTP server. Internet server extensions, also called Internet Server Applications (ISAs), extend the functionality of servers that conform to the Internet Server API (ISAPI). ISAs are invoked through browser applications and provide functionality similar to Common Gateway Interface (CGI) applications.

Optional package options:

--with-PACKAGE[=ARG]

Syntax for including a package

use PACKAGE [ARG=yes]

--without-PACKAGE

Syntax for not using a package

do not use PACKAGE (same as --with-PACKAGE=no)

--with-included-apr

Use the bundled copies of apr/apr-util

Use bundled copies of APR/APR-Util

--with-apr=PATH

Installation directory of apr

prefix for installed APR or the full path to

--with-apr-util=PATH

Installation directory of apu

prefix for installed APU or the full path to apu-config

--with-pcre=PATH

Use an external PCRE regular expression library

Use external PCRE library

--with-port=PORT

Listen port

Port on which to listen (default is 80)

--with-sslport=SSLPORT

SSL listen port

Port on which to securely listen (default is 443)

--with-z=DIR

Location of the zlib library files

use a specific zlib library

--with-sslc=DIR

RSA SSL-C SSL/TLS toolkit directory

RSA SSL-C SSL/TLS toolkit

--with-ssl=DIR

Location of the OpenSSL package.

OpenSSL SSL/TLS toolkit

--with-mpm=MPM

Selects the processing module Apache uses. (Note 1)

Choose the process model for Apache to use. MPM={beos|event|worker|prefork|mpmt_os2}

--with-module=module-type:module-file

Adds a third-party module. (Note 2)

Enable module-file in the modules/<module-type> directory.

--with-program-name

Specifies the name of the executable [default: httpd]; if this option is used, the default configuration file name also becomes "NAME.conf"

alternate executable name

--with-suexec-bin

Directory of the suexec binary [default: --sbindir]

Path to suexec binary

--with-suexec-caller

The user allowed to call suexec; this user must be the same as the user that runs the httpd child processes

User allowed to call SuExec

--with-suexec-userdir

Subdirectory under user home directories in which suexec may execute files; only needed when suexec is used together with user web directories (provided by mod_userdir) [public_html]

User subdirectory

--with-suexec-docroot

Root directory under which suexec may execute files [--datadir/htdocs]

SuExec root directory

--with-suexec-uidmin

Minimum UID allowed to run suexec [100]

Minimal allowed UID

--with-suexec-gidmin

Minimum GID allowed to run suexec [100]

Minimal allowed GID

--with-suexec-logfile

suexec log file name [default: suexec_log, in the --logfiledir directory]

Set the logfile

--with-suexec-safepath

Value of the "safe" PATH environment variable for suexec [/usr/local/bin:/usr/bin:/bin]

Set the safepath

Notes: 1) MPM is the name of the multi-processing module you want to use. If you do not use this option, the default MPM for the platform is used.

2) module-file is the source file name of the module, which must be located in the "modules/module-type" directory of the Apache source tree. If configure does not find module-file there, it treats it as an absolute path and tries to copy it into the "modules/module-type" directory; if that directory does not exist, configure creates a new "modules/module-type" directory and places a standard Makefile.in in it. This method has two obvious drawbacks: the module source must be a single file, and the module can only be linked statically into the core, not built as a DSO. So this method is generally not used; third-party modules are added with apxs (the Apache extension tool) instead.

Compiler options:

CC

The C compiler to use

C compiler command

CFLAGS

C compiler flags

C compiler flags

LDFLAGS

Linker flags, e.g. "-Llibdir" to specify a non-standard library directory libdir

linker flags, e.g. -L<lib dir> if you have libraries in a nonstandard directory

LIBS

Libraries to pass to the linker

libraries to pass to the linker, e.g. -l<library>

CPPFLAGS

C/C++ preprocessor flags, e.g. "-Iincludedir" to specify a non-standard header directory includedir

C/C++/Objective C preprocessor flags, e.g. -I<include dir> if you have headers in a nonstandard directory

CPP

C preprocessor

C preprocessor

4) Compile and install

./configure --prefix=/usr/local/apache --enable-authn-dbm --enable-authz-dbm --enable-ssl --enable-vhost-alias --enable-rewrite --enable-so --enable-charset-lite --enable-deflate --with-z --with-ssl --with-mpm=prefork

make

make install

4. Service configuration

1) Overview of the configuration files

1> Apache's configuration files are plain text files containing directives. The main configuration file is usually called httpd.conf; its location is fixed at compile time but can be changed with the -f command line argument. Each line of an Apache configuration file holds one directive; a backslash "\" at the end of a line continues the directive on the next line, but no other character (including whitespace) may appear between the backslash and the line break. Directives are case-insensitive, but their arguments are usually case-sensitive. Lines beginning with "#" are comments and are ignored; a comment cannot follow a directive on the same line. Blank lines and whitespace before a directive are ignored, so indentation can be used to keep the configuration hierarchy clear. Changes to the main configuration file take effect only after Apache is restarted. apachectl configtest or the -t command line option checks the configuration file for errors without starting the Apache server.

2> The configuration file can pull in many other configuration files with the Include directive and wildcards. Any directive may be used in any configuration file.

3> The server also reads a file of MIME types; its name is set by the TypesConfig directive and defaults to mime.types

4> Apache is a modular server: the core contains only the modules that implement the most basic functionality, and extended functionality can be loaded dynamically as modules. By default only the modules in the base group are compiled into the server. If the server was built with DSO support, each module can be compiled separately and loaded at any time with the LoadModule directive; otherwise, adding or removing a module means recompiling the whole of Apache. Directives specific to a module can be wrapped in an IfModule section so that they take effect conditionally. The -l command line argument lists the modules compiled into the server.

2) Configuration file walkthrough
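As an added example (not code from the original post), here is a small Python parser that applies the lexical rules described above to a constructed httpd.conf fragment: a backslash continues the line only when it is the very last character, only whole lines can be comments, directive names are case-insensitive while arguments keep their case. The function names and sample text are my own, and Include directives are not followed.

```python
import re
from typing import List, Tuple

Directive = Tuple[str, List[str]]  # (lower-cased directive name, its arguments)

# Constructed sample input (not a real server's configuration) exercising the
# rules above.  The ErrorLog line ends in backslash + space, so it is NOT a
# continuation: the backslash becomes an ordinary argument.
SAMPLE_CONF = "\n".join([
    "# Main server configuration (full-line comment, ignored)",
    "ServerRoot \"/usr/local/apache\"",
    "Listen 80",
    "LoadModule rewrite_module \\",      # backslash is the last character: continued below
    "    modules/mod_rewrite.so",
    "    LOGLEVEL warn",                 # leading whitespace and directive case do not matter
    "",
    "DirectoryIndex index.html # not a comment",   # mid-line '#' is just another argument
    "ErrorLog \"logs/error_log\" \\ ",   # backslash followed by a space: no continuation
    "LogLevel warn",
    "<Directory \"/usr/local/apache/htdocs\">",
    "    Options Indexes FollowSymLinks",
    "</Directory>",
])


def _split_args(rest: str) -> List[str]:
    """Split an argument string on whitespace, keeping double-quoted strings intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', rest)]


def parse_httpd_conf(text: str) -> List[Directive]:
    """Turn httpd.conf text into (name, args) pairs in file order.

    Container tags such as <Directory> and </Directory> are returned as
    directives whose name starts with '<' so nesting can be reconstructed.
    """
    directives: List[Directive] = []
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):            # continuation only when '\' is the last character
            pending += raw[:-1]
            continue
        line = (pending + raw).strip()   # leading/trailing whitespace is ignored
        pending = ""
        if not line or line.startswith("#"):   # blank lines and comment lines are ignored
            continue
        name, rest = re.match(r"(\S+)\s*(.*)", line).groups()
        if name.startswith("<"):          # container open/close tag: drop the closing '>'
            name = name.rstrip(">")
            rest = rest.rstrip(">")
        directives.append((name.lower(), _split_args(rest)))
    return directives


def lookup(directives: List[Directive], name: str) -> List[List[str]]:
    """Every argument list given for a directive, matched case-insensitively."""
    return [args for n, args in directives if n == name.lower()]
```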

################### File description ###################
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See < > for detailed information.
# In particular, see
# < >
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
################### Configuration notes ##########################
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo_log".
#
# If an included file name begins with the root directory "/", the explicit path given is used; if it does not begin with "/", the path looked up is ServerRoot + the path as written
################## Server root directory ################
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
# ServerRoot: root directory of the server configuration files, logs, error logs and so on, i.e. the directory the software lives in.
#
# Do not add a trailing / to the directory. If the directory is not on a local disk, first use the LockFile directive to point at a local disk. To share the same root directory between several httpd daemons, at least LockFile and PidFile must be changed, i.e. each Apache instance's process files must stay exclusive to it.
ServerRoot "/usr/local/apache"
################# Listen port and IP ############################
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
# The IP address and port the apache process listens on, i.e. the http access address + port; the default is 80
Listen 80
##################### DSO modules to load ##########################
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# DSO modules to be loaded dynamically are written here, in the format shown in the example, so that they are loaded when the program starts. Statically compiled modules (those listed by httpd -l) do not need to be written here
# Example:
# LoadModule foo_module modules/mod_foo.so
#



#
# NetWare / winnt mode
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#################### Server run user ###################
#
# To run apache as a different user or group, you must start it as root first; it then switches to the configured user. As with most system services, creating a dedicated user and group to run apache is good practice. (Note: this item only needs to be configured on non-NetWare, non-Windows systems; otherwise it is not needed)
User daemon
Group daemon



###################### Apache main configuration section ###############
############### Overview ##########
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# definition.  These values also provide defaults for
# any containers you may define later in the file.
#
# All of these directives may appear inside containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# Configuration options for the main site. These values are the defaults for host configuration: if virtual hosts are defined, the directives inside them override the values set here; otherwise the values configured here are used.
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g.

############## Server contact #############
ServerAdmin

################## Server name ###############
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
# Server domain name. This can usually be detected automatically, or the name and port can be given explicitly (commonly used with virtual hosts); if no DNS name is registered, the IP address can be used.
#ServerName

################ Site root directory #############
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
# Site root directory. Normally requests look for pages here, but symbolic links or aliases may be used to point to other locations.
DocumentRoot "/usr/local/apache/htdocs"

################## Global directory settings ##############
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# Each directory apache can access can be configured as to which features are enabled or disabled; the settings also apply to subdirectories. The default given here is a very restrictive set of features.
# First, we configure the "default" to be a very restrictive set of
# features. 
#
# The Options directive controls which server features are used in a particular directory. Its values are: None All Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Options may be None, in which case no extra features are enabled, or one or more of the following:
# All: all features except MultiViews. This is the default.
# ExecCGI: allow execution of CGI scripts using mod_cgi.
# FollowSymLinks: the server may follow symbolic links in this directory. Note: even when the server follows symbolic links, it does not change the path name used for matching sections.
# Includes: allow server-side includes provided by mod_include.
# IncludesNOEXEC: allow server-side includes, but disable "#exec cmd" and "#exec cgi". "#include virtual" of CGI scripts from ScriptAlias directories is still possible.
# Indexes: if a URL mapping to a directory is requested and the directory has no DirectoryIndex (for example index.html), the server returns a formatted directory listing generated by mod_autoindex.
# MultiViews: allow content-negotiated "MultiViews" provided by mod_negotiation
# SymLinksIfOwnerMatch: the server only follows a symbolic link if the link and its target directory or file are owned by the same uid.
#
# In general, if a directory receives Options several times, the most specific one is taken in full (the others are ignored); the individual options are not merged. However, if every option in all Options directives affecting the directory is prefixed with "+" or "-", the options are merged: every option preceded by "+" is added to the current settings, and every option preceded by "-" is removed from them.
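Added example, not from the original post: a Python model of the Options merging rule just described (a directive replaces the whole set unless every option carries a + or - prefix), with All expanding to everything except MultiViews, plus a check of which content-exposing features end up enabled for a chain of directives. Function names are my own.

```python
from typing import List, Set

# Feature keywords accepted by the Options directive (canonical spelling).
ALL_OPTIONS = ("Indexes", "Includes", "IncludesNOEXEC", "FollowSymLinks",
               "SymLinksIfOwnerMatch", "ExecCGI", "MultiViews")

# "All" is everything except MultiViews, which must be named explicitly.
# IncludesNOEXEC and SymLinksIfOwnerMatch are restricted variants of Includes
# and FollowSymLinks rather than extra features, so they are not listed here.
ALL_EXPANDS_TO = {"Indexes", "Includes", "FollowSymLinks", "ExecCGI"}


def _expand(token: str) -> Set[str]:
    """Map one option keyword (case-insensitive) to the features it names."""
    key = token.lower()
    if key == "all":
        return set(ALL_EXPANDS_TO)
    if key == "none":
        return set()
    for opt in ALL_OPTIONS:
        if opt.lower() == key:
            return {opt}
    raise ValueError(f"unknown Options keyword: {token!r}")


def effective_options(directives: List[str]) -> Set[str]:
    """Features in force after applying Options directives in order.

    `directives` are the argument strings of the Options directives that apply
    to a path, from least to most specific (server config, each enclosing
    directory, then .htaccess).  A directive whose options all carry + or - is
    merged into the current set; any other directive replaces the set.  Apache
    rejects a directive that mixes both forms, which is raised here too.  With
    no directive at all the default is All.
    """
    current = _expand("All")
    for directive in directives:
        tokens = directive.split()
        relative = [tok[0] in "+-" for tok in tokens]
        if all(relative):
            for tok in tokens:
                features = _expand(tok[1:])
                current = current | features if tok[0] == "+" else current - features
        elif any(relative):
            raise ValueError(f"cannot mix +/- and absolute options: {directive!r}")
        else:
            current = set()
            for tok in tokens:
                current |= _expand(tok)
    return current


# Features that expose listings, execution or link-following; worth a second
# look whenever they turn out to be in force for a directory.
RISKY = ("Indexes", "ExecCGI", "Includes", "FollowSymLinks")


def exposed_features(directives: List[str]) -> List[str]:
    """Which of the risk-relevant features are in force for the directive chain."""
    active = effective_options(directives)
    return [feature for feature in RISKY if feature in active]
```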

# The AllowOverride directive controls which types of directive are allowed in .htaccess files. Its values are: Options FileInfo AuthConfig Limit All None
#
# When the server finds a .htaccess file (as named by AccessFileName), it needs to know which directives declared in that file can override configuration directives given earlier. AllowOverride is only valid in configuration sections that do not contain regular expressions; it is invalid in the other kinds of sections. If this directive is set to None, .htaccess files are ignored completely; in fact the server does not read them at all. When it is set to All, every directive with .htaccess context is allowed in .htaccess files.
#
# Options:
# AuthConfig: allow use of the authentication and authorization directives (AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, etc.)
# FileInfo: allow use of directives controlling document types (DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, the Add* and Remove* directives of mod_mime, etc.), document metadata (Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName), the mod_rewrite directives (RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule) and the Action directive of mod_actions.
# Indexes: allow use of directives controlling directory indexing (AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, etc.)
# Limit: allow use of directives controlling host access (Allow, Deny, Order)
# Options[=Option,...]: allow use of directives controlling directory features (Options, XBitHack). A comma-separated (no spaces) list of options may be appended after the equals sign to control which options the Options directive may set.

# Order directive: controls whether anything may be fetched from the server, i.e. the default access state and the order in which the Allow and Deny directives take effect
# Allow directive: controls which hosts may access the server
# Deny directive: controls which hosts are denied access to the server

    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

################ Site DocumentRoot settings ############
# This should be changed to whatever you set DocumentRoot to.
#
# Change this to whatever you set the site root directory to

    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

#################### Site index page ##############
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The file looked up when a directory is requested, i.e. the site's home page.

    DirectoryIndex index.html

################### Whether .ht* files can be viewed ##############
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
# The following configuration protects the files matched by the regular expression from being viewed over the web
# Satisfy directive: the access policy when Allow and Require are used together. The argument can be All or Any. This directive only applies when access to a particular area is restricted by both username/password and client host address. The default behaviour (All) requires the client to pass the address restriction first and then enter a valid username and password. With the option Any, the client gains access either by passing the host restriction or by entering a valid username and password. This way an area can be restricted by password while clients from certain addresses are allowed in without a password.

    Order allow,deny
    Deny from all
    Satisfy All
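Added example (not part of the original post) covering the Order/Allow/Deny directives explained above and the Satisfy directive just described: a Python evaluator for the Apache 2.2 host-based access decision and the Satisfy All/Any combination with a login, checked against the page's own blocks (Order deny,allow with Deny from all at the root, Order allow,deny with Allow from all for the DocumentRoot, and the .ht* block). Only all, IP, CIDR and partial-IP patterns are modelled; hostname patterns need reverse DNS and are left out. Function names are my own.

```python
import ipaddress
from typing import List


def _matches(pattern: str, client_ip: str) -> bool:
    """Does one 'Allow from' / 'Deny from' argument match the client address?

    Supported forms: all, a full IP, a CIDR network, and a partial dotted IP
    such as "192.168" (matches 192.168.*.*).
    """
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():
        if pattern.count(".") == 3:
            return addr == ipaddress.ip_address(pattern)
        return client_ip.startswith(pattern + ".")   # partial IP: leading octets
    return False   # hostname pattern: not modelled


def host_allowed(order: str, allow: List[str], deny: List[str], client_ip: str) -> bool:
    """Apache 2.2 Order/Allow/Deny decision for one client address."""
    allowed = any(_matches(p, client_ip) for p in allow)
    denied = any(_matches(p, client_ip) for p in deny)
    mode = order.replace(" ", "").lower()
    if mode == "allow,deny":
        # Allow is evaluated first, Deny second, and the default state is
        # denied: a host must match an Allow and must not match any Deny.
        return allowed and not denied
    if mode == "deny,allow":
        # Deny first, Allow second, and the default state is allowed: a
        # matching Allow overrides a matching Deny.
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order!r}")


def access_granted(order: str, allow: List[str], deny: List[str], client_ip: str,
                   satisfy: str = "All", requires_user: bool = False,
                   authenticated: bool = False) -> bool:
    """Combine the host decision with a Require-based login according to Satisfy."""
    host_ok = host_allowed(order, allow, deny, client_ip)
    if not requires_user:               # no Require directive: only the host check applies
        return host_ok
    if satisfy.lower() == "any":        # passing either test is enough
        return host_ok or authenticated
    return host_ok and authenticated    # Satisfy All: both must pass
```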

################# Error log location ##############
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
# Error log. If a virtual host does not configure the error log parameter, its messages are all written here; if a virtual host does configure it, the file defined by the virtual host is used.
ErrorLog "logs/error_log"

################## Log level (log content and format) ####################
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
# Controls the level of messages recorded in the log. Possible values: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn


    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
#
# The following directives define some format nicknames for use with the CustomLog directive. The variables usable in an Apache LogFormat format string are:
# %%  percent sign (Apache 2.0.44 or later)
# %a  remote IP address
# %A  local IP address
# %B  bytes sent, excluding HTTP headers
# %b  bytes sent, excluding HTTP headers, in CLF format, i.e. '-' instead of 0 when no bytes are sent
# %{Foobar}C  contents of cookie Foobar in the request sent to the server.
# %D  time taken to serve the request, in microseconds.
# %{FOOBAR}e  contents of environment variable FOOBAR
# %f  filename
# %h  remote host
# %H  request protocol
# %{Foobar}i  contents of the Foobar: header line in the request sent to the server.
# %l  remote logname (from identd, if supplied); returns "-" unless IdentityCheck is set to "On"
# %m  request method
# %{Foobar}n  contents of note Foobar from another module.
# %{Foobar}o  contents of the Foobar: header line in the response.
# %p  canonical port of the server serving the request.
# %P  PID of the child process that served the request
# %{format}P  PID or TID (thread ID) of the child that served the request; format is pid, tid (2.0.46 and later) or hextid (requires APR 1.2.0 or later)
# %q  query string (prefixed with "?" if one exists, otherwise an empty string)
# %r  first line of the request
# %s  status. For internally redirected requests this is the status of the original request; %>s is the status of the last request.
# %t  time, in common log format (standard English format)
# %{format}t  time, in the form given by strftime(3) (localized by default)
# %T  time taken to serve the request, in seconds.
# %u  remote user (from auth; may be bogus if the returned status (%s) is 401)
# %U  URL path requested, not including any query string.
# %v  canonical ServerName of the server serving the request.
# %V  server name according to the UseCanonicalName setting.
# %X  connection status when the response is completed: X = connection aborted before the response completed.
# +=  connection may be kept alive after the response is sent.
# -=  connection closed after the response is sent.

# (In versions after 1.3 this directive was %c, but that conflicted with the historical SSL %{var}c syntax)
 
# %I  bytes received, including request headers; cannot be zero. To use this directive you must enable mod_logio.
# %O  bytes sent, including headers; cannot be zero. To use this directive you must enable mod_logio.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

   
      # You need to enable mod_logio.c to use %I and %O
      #
      # The mod_logio module must be loaded to use this format
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
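Added example (my own code, not from the original post): turning the common and combined LogFormat strings defined above into regular expressions, parsing constructed access_log lines with them, and counting failed requests per client, the kind of first pass a defender runs over these logs. The field group names (h, s, b, i_User_Agent and so on) are my own convention.

```python
import re
from functools import lru_cache
from typing import Dict, Iterable, Optional

# The LogFormat strings as the directives above hand them to mod_log_config,
# i.e. after the configuration parser has removed the \" escapes.
COMMON = '%h %l %u %t "%r" %>s %b'
COMBINED = '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'

# Constructed access_log lines in the combined format (not real traffic).
SAMPLE_LINES = [
    '10.0.0.5 - - [25/Sep/2014:03:26:05 +0800] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    '10.0.0.5 - - [25/Sep/2014:03:26:06 +0800] "GET /.htpasswd HTTP/1.1" 403 214 "-" "curl/7.37.0"',
    '10.0.0.7 - alice [25/Sep/2014:03:26:07 +0800] "POST /cgi-bin/login.cgi HTTP/1.1" 401 - "http://www.example.com/" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Sep/2014:03:26:08 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "-"',
]

# One LogFormat directive: '%', optional '<' or '>', optional {argument}, then the letter.
_TOKEN = re.compile(r"%[<>]?(?:\{([^}]*)\})?([A-Za-z%])")


@lru_cache(maxsize=None)
def compile_log_format(fmt: str) -> "re.Pattern[str]":
    """Translate a LogFormat string into a regex with one named group per directive.

    Group names are the directive letter, plus "_" and the braced argument for
    %{...}i style directives (so %{User-Agent}i becomes i_User_Agent).
    """
    parts = ["^"]
    pos = 0
    for m in _TOKEN.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))   # literal text between directives
        pos = m.end()
        arg, letter = m.groups()
        if letter == "%":                               # %% is a literal percent sign
            parts.append("%")
            continue
        name = letter + ("_" + re.sub(r"\W", "_", arg) if arg else "")
        quoted = m.start() > 0 and fmt[m.start() - 1] == '"' and fmt[m.end():m.end() + 1] == '"'
        if letter == "t" and arg is None:
            body = r"\[[^\]]*\]"      # %t carries its own square brackets and contains a space
        elif quoted:
            body = r'[^"]*'           # a quoted field (request line, headers) may contain spaces
        else:
            body = r"\S+"
        parts.append(f"(?P<{name}>{body})")
    parts.append(re.escape(fmt[pos:]) + "$")
    return re.compile("".join(parts))


def parse_log_line(fmt: str, line: str) -> Optional[Dict[str, str]]:
    """Field dictionary for one log line, or None if the line does not fit the format."""
    m = compile_log_format(fmt).match(line)
    return m.groupdict() if m else None


def failed_requests_by_host(fmt: str, lines: Iterable[str], min_status: int = 400) -> Dict[str, int]:
    """Count responses with status >= min_status per client address (%h)."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_log_line(fmt, line)
        if rec is None:                # a line the format cannot explain deserves its own alert
            continue
        if int(rec["s"]) >= min_status:
            counts[rec["h"]] = counts.get(rec["h"], 0) + 1
    return counts
```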
   

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per- access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    # Location of the access log (common log format). If one is defined inside a virtual host, the virtual host's definition is used; otherwise the definition here is used
    CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    # If you prefer a log file with access, agent and referer information (combined log format), you can use the following directive.
    #CustomLog "logs/access_log" combined

############################# Redirect and alias settings #####################

    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anym�ore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo

    #
    # Redirect: lets you tell clients about documents that used to exist in your server's namespace but no longer do. The client is sent to the new location of the old document.
    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # Maps web paths to filesystem paths; used to access content that does not live under the site root directory
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a section to allow access to
    # the filesystem path.
    #
    # If you include a trailing / on the web path, the server requires it to be present in the URL. You will probably also need to provide a section to allow access to the filesystem path.
    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    # ScriptAlias directive: controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that files in the target directory are treated as applications and run by the server when requested, rather than sent to the client as documents. The same rules about the trailing "/" apply to ScriptAlias directives as to Alias
    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"


############################ CGI daemon settings ####################

    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    # ScriptSock: on threaded servers, the path of the UNIX socket used to communicate with the CGI daemon of mod_cgid.
    #Scriptsock logs/cgisock

#
# "/usr/local/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
# If ScriptAlias is configured, change "/usr/local/apache/cgi-bin" to the directory your ScriptAliased CGI lives in

    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

####################### MIME type settings ######################
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
# Default type: if the server cannot determine a document's type, for example from its extension, the default type defined here is used. If the server holds mostly text or HTML documents, "text/plain" is a good value. If most of your content is binary, such as applications or images, use "application/octet-stream" instead so that browsers treat the files as binary rather than trying to display them as text.
DefaultType text/plain


    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    # TypesConfig: the list file that maps file extensions to MIME types
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    # AddType: lets you add to or override, for specific file types, the MIME type configuration given in TypesConfig
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    # AddEncoding: lets certain browsers uncompress information on the fly. Note: not all browsers support this.
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    # If the AddEncoding directives above are commented out, you should probably define these extensions as media types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    # AddHandler: lets certain file extensions be mapped to "handlers", actions unrelated to the file type. These can be built into the server or added with the Action directive (see below). To use CGI scripts outside ScriptAliased directories (you also need to add "ExecCGI" to the "Options" directive):
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # Filters allow content to be processed before it is sent to the client. To parse .shtml files for server-side includes (SSI), you also need to add "Includes" to the Options directive
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
# The mod_mime_magic module lets the server use various hints from the file's own contents to determine its type. The MIMEMagicFile directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic

######################### Error responses ######################
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Customizable error responses come in three kinds: 1) plain text 2) local redirects 3) external redirects; examples follow
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402

#

######################## MMAP settings ####################
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# EnableMMAP and EnableSendfile: on systems that support them, memory mapping or the sendfile system call is used to deliver files. This usually improves server performance, but must be turned off when serving from network-mounted filesystems or when these functions are otherwise broken on your system.
#EnableMMAP off
#EnableSendfile off
############################ Other included configuration files ################
# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
#
# Reference configuration
#
# The configuration files under conf/extra can add features or modify the server's default configuration, or you can simply copy their contents here and change them as needed.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
#Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
#Include conf/extra/httpd-default.conf
############################# SSL settings ###############################
# Secure (SSL/TLS) connections
# Encrypted connection settings
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
# Note: the following must be present to support starting without SSL on platforms that have no /dev/random equivalent but a statically compiled-in mod_ssl
#
# Seed sources for the pseudo-random number generator (PRNG)

# use the builtin seed source at startup
SSLRandomSeed startup builtin
# use the builtin seed source at connection time
SSLRandomSeed connect builtin

3) Additional configuration files

httpd-autoindex.conf (controls directory listing display)

#
# Directives controlling the display of server-generated directory listings.
#
# These directives control the display of server-generated directory listings; they require the mod_autoindex and mod_alias modules
# Required modules: mod_autoindex, mod_alias
#
# To see the listing of a directory, the Options directive for the
# directory must include "Indexes", and the directory must not contain
# a file matching those listed in the DirectoryIndex directive.
#
# To see a directory listing, the directory's Options directive must include Indexes, and the directory must not contain a file matching those listed in the DirectoryIndex directive.

#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
# IndexOptions: controls the appearance of server-generated directory listings
IndexOptions FancyIndexing HTMLTable VersionSort

# We include the /icons/ alias for FancyIndexed directory listings.  If
# you do not use FancyIndexing, you may comment this out.
#
# The /icons/ alias is included for FancyIndexed directory listings. If you do not use FancyIndexing, comment this out.
Alias /icons/ "/usr/local/apache/icons/"


    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions.  These are only displayed for
# FancyIndexed directories.
# AddIcon* directives tell the server which icon to show for different files or file extensions. These are only displayed for FancyIndexed directories
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon sets the icon shown for files that have no icon explicitly set (unrecognised extensions).
DefaultIcon /icons/unknown.gif

#
# AddDescription allows you to place a short description after a file in
# server-generated indexes.  These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
AddDescription allows you to place a short description after a file in server-generated indexes. These are only displayed for FancyIndexed directories. Format: AddDescription "description" filename
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz

#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
ReadmeName is the name of the README file the server looks for by default and appends to directory listings. HeaderName is the name of a file that is prepended to directory indexes.
ReadmeName README.html
HeaderName HEADER.html

#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing.  Shell-style wildcarding is permitted.
IndexIgnore is a set of filenames that directory indexing should ignore and not include in the listing. Shell-style wildcards are permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

httpd-vhosts.conf (virtual host configuration)

#
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
If you want to maintain multiple domains/hostnames on your server, you can set up VirtualHost containers for them. Most configurations use only name-based virtual hosts, so the server does not need to worry about IP addresses; this is indicated by the asterisks in the directives below.
# Please see the documentation at
# <
>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
You can use the command line option -S to verify your virtual host configuration.

#
# Use name-based virtual hosting.
#
NameVirtualHost *:80

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any block.
#
VirtualHost example: almost any Apache directive may go into a VirtualHost container. The first VirtualHost section is used for all requests that do not match a ServerName or ServerAlias in any block.

    ServerAdmin

    DocumentRoot "/usr/local/apache/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias

    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common


    ServerAdmin

    DocumentRoot "/usr/local/apache/docs/dummy-host2.example.com"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common

httpd-userdir.conf (serving user home directories as websites)

# Settings for user home directories
#
# Required module: mod_userdir

# User home directory settings: UserDir is the directory name appended to a user's home directory when a ~user request is received. Note that you must also set the default access control for these directories, as in the example below.
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.  Note that you must also set
# the default access control for these directories, as in the example below.
#
UserDir public_html

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
Control access to UserDir directories. The following is an example for a site where these directories are restricted to read-only.

    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
   
        Order allow,deny
        Allow from all
   

   
        Order deny,allow
        Deny from all
   


# Reference

httpd-manual.conf (access to the documentation on the server)

# Provide access to the documentation on the server
# Provide access to the documentation on your server as

# The documentation is always available at

#
# Required modules: mod_alias, mod_setenvif, mod_negotiation
#

AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "/usr/local/apache/manual$1"


    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all

   
        SetHandler type-map
   

    # .tr is text/troff in mime.types!
   
        ForceType text/html
   

    SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br|ru|tr)/ prefer-language=$1
    RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br|ru|tr)){2,}(/.*)?$ /manual/$1$2

    LanguagePriority en de es fr ja ko pt-br ru tr
    # Languages available, in decreasing order of priority
    ForceLanguagePriority Prefer Fallback
    # First serve the preferred available language from the list above; if no accepted language matches, fall back to the closest one

httpd-dav.conf (DAV configuration)

#
# Distributed authoring and versioning (WebDAV)
#
# Required modules: mod_dav, mod_dav_fs, mod_setenvif, mod_alias
#                   mod_auth_digest, mod_authn_file
#

# The following example gives DAV write access to a directory called
# "uploads" under the ServerRoot directory.
#
The following example gives DAV write access to a directory called "uploads" under the ServerRoot directory. The User/Group specified in httpd.conf needs write permission on the directory where the DavLockDB is placed and on any directory where "Dav On" is specified.
# The User/Group specified in httpd.conf needs to have write permissions
# on the directory where the DavLockDB is placed and on any directory where
# "Dav On" is specified.

DavLockDB "/usr/local/apache/var/DavLock"

Alias /uploads "/usr/local/apache/uploads"


    Dav On

    Order Allow,Deny
    Allow from all

    AuthType Digest
    AuthName DAV-upload

    # You can use the htdigest program to create the password database:
    #   htdigest -c "/usr/local/apache/user.passwd" DAV-upload admin
    #
You can use the htdigest program to create the password database.
    AuthUserFile "/usr/local/apache/user.passwd"
    AuthDigestProvider file

    # Allow universal read-access, but writes are restricted
    # to the admin user.
    #
Allow universal read access, but restrict writes to the admin user.
   
        require user admin
   

#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
#
The following directives disable redirects on non-GET requests for a directory that does not include the trailing slash. This fixes a problem with several clients that do not handle redirects for folders with DAV methods properly.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
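The htdigest comment in the DAV section above shows how the password database is created (htdigest -c ... DAV-upload admin) but not what the file holds. The following Python code is an added example, not from the original post or from Apache: it reproduces the file format, in which the stored value is HA1 = MD5(user:realm:password) as defined by RFC 2617, shows that the realm must equal the AuthName of the protected location ("DAV-upload"), and shows that HA1 alone is enough for the server to check a Digest response, which is why the AuthUserFile must be protected like a password file. The user name, realm and password below are constructed values.

```python
import hashlib
import hmac


def htdigest_ha1(user, realm, password):
    """HA1 as stored by htdigest: MD5 over "user:realm:password" (RFC 2617)."""
    data = "%s:%s:%s" % (user, realm, password)
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def htdigest_line(user, realm, password):
    """One line of the AuthUserFile in the form htdigest writes it."""
    return "%s:%s:%s" % (user, realm, htdigest_ha1(user, realm, password))


def load_digest_file(text):
    """Parse AuthUserFile contents into {(user, realm): ha1}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        entries[(user, realm)] = ha1
    return entries


def check_password(entries, user, realm, password):
    """True if user/realm/password reproduces the stored HA1.

    The realm is part of the hash, so an entry created for one AuthName
    cannot be reused for another realm.
    """
    stored = entries.get((user, realm))
    if stored is None:
        return False
    return hmac.compare_digest(stored, htdigest_ha1(user, realm, password))


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Response value for qop=auth (RFC 2617), computed by both client and server.

    Only HA1 is needed, which is why the AuthUserFile never stores the
    password itself, and also why a leaked HA1 is password-equivalent for
    that realm.
    """
    ha2 = hashlib.md5(("%s:%s" % (method, uri)).encode("utf-8")).hexdigest()
    data = "%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2)
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# Constructed entry for the realm used in httpd-dav.conf (AuthName DAV-upload).
SAMPLE_FILE = htdigest_line("admin", "DAV-upload", "correct horse battery staple")
ENTRIES = load_digest_file(SAMPLE_FILE)

if __name__ == "__main__":
    print(SAMPLE_FILE)
    print(check_password(ENTRIES, "admin", "DAV-upload", "correct horse battery staple"))
    print(check_password(ENTRIES, "admin", "OtherRealm", "correct horse battery staple"))
```

Because MD5 is unsalted here, the file should be kept outside the DocumentRoot with restrictive permissions, as the config's path "/usr/local/apache/user.passwd" already does.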

httpd-info.conf (server information reports)

#
# Get information about the requests being processed by the server
# and the configuration of the server.
#
Get information about the requests being processed by the server and about the server's configuration.
# Required modules: mod_status (for the server-status handler),
#                   mod_info (for the server-info handler)

# Allow server status reports generated by mod_status, via a URL.
# Allow server status reports generated by mod_status,
# with the URL of

# Change the ".example.com" to match your domain to enable.


    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .example.com

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
ExtendedStatus controls whether Apache generates "full" status information (On) or just basic information (Off) when the server-status handler is called. The default is Off.
#ExtendedStatus On

# Allow remote server configuration reports, via a URL
# Allow remote server configuration reports, with the URL of
# (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#

    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .example.com

httpd-default.conf (HTTP default parameters)

#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
#
This configuration file reflects the default settings of the Apache HTTP Server. You may change them, but chances are you will not need to.

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout: the number of seconds before receives and sends time out.
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive: whether to allow persistent connections (more than one request per connection). Off disables them.
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests: the maximum number of requests allowed during a persistent connection; 0 means unlimited. Leave this number high for maximum performance.
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout: the number of seconds to wait for the next request from the same client on the same connection.
KeepAliveTimeout 5

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
UseCanonicalName determines how Apache constructs self-referencing URLs and the SERVER_NAME and SERVER_PORT variables. When set to Off, Apache uses the hostname and port supplied by the client; when set to On, it uses the value of the ServerName directive.
UseCanonicalName Off

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName: the name of the file to look for in each directory for additional configuration directives. See also the AllowOverride directive.
AccessFileName .htaccess

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens configures what is returned in the Server HTTP response header. The default, Full, sends information about the OS type and the compiled-in modules. Possible values are Full | OS | Minor | Minimal | Major | Prod, where Full conveys the most information and Prod the least.
ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature optionally adds a line containing the server version and virtual host name to server-generated pages (internal error documents, FTP directory listings, mod_status and mod_info output, etc., but not CGI-generated documents or custom error documents). Set it to EMail to also include a mailto: link to the ServerAdmin. Possible values: On | Off | EMail.
ServerSignature On

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g.,
# (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups: log the names of clients (On) or just their IP addresses (Off). The default is Off, because enabling it means every client request results in at least one lookup request to the nameserver.
HostnameLookups Off
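Several of the settings above are information-disclosure controls: ServerTokens and ServerSignature in httpd-default.conf, Options Indexes in httpd-autoindex.conf, and the Allow from rules on the server-status and server-info handlers in httpd-info.conf. The following Python script is an added example, not part of the original post or of the Apache distribution: it reads a constructed configuration fragment with a minimal directive/container reader (an assumption of this example, not httpd's real parser), reports those settings, and shows a hardened variant that produces no findings.

```python
import re

# Constructed fragment in the style of httpd-default.conf, httpd-autoindex.conf
# and httpd-info.conf, carrying the weak settings; not from any real server.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/usr/local/apache/icons">
    Options Indexes MultiViews
    AllowOverride None
</Directory>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from all
</Location>
"""

# The same fragment with the values a production server should use.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory "/usr/local/apache/icons">
    Options -Indexes MultiViews
    AllowOverride None
</Directory>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

_OPEN = re.compile(r"^<(\w+)\s*(.*)>$")   # <Directory "/path">, <Location /x>
_CLOSE = re.compile(r"^</(\w+)>$")        # </Directory>


def parse(text):
    """Yield (containers, directive, args) for each directive line.

    Comment and blank lines are skipped.  Container sections are kept on a
    stack of (tag, argument) pairs so a directive can be judged in context,
    e.g. "Allow from all" inside <Location /server-status>.  This is a
    minimal reader written for the example, not httpd's own parser.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CLOSE.match(line)
        if m:
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip().strip('"')))
            continue
        parts = line.split()
        yield tuple(stack), parts[0].lower(), parts[1:]


def audit(text):
    """Return findings about settings that reveal server details or contents."""
    findings = []
    for containers, name, args in parse(text):
        first = args[0].lower() if args else ""
        if name == "servertokens" and first != "prod":
            shown = args[0] if args else "(default Full)"
            findings.append("ServerTokens %s exposes version/OS/module details "
                            "in the Server header; use Prod" % shown)
        elif name == "serversignature" and first in ("on", "email"):
            findings.append("ServerSignature %s appends the server version to "
                            "generated pages; use Off" % args[0])
        elif name == "options" and any(a.lower() in ("indexes", "+indexes") for a in args):
            where = containers[-1][1] if containers else "server config"
            findings.append("Options Indexes in %s enables directory listings" % where)
        elif name == "allow" and [a.lower() for a in args] == ["from", "all"]:
            for tag, arg in containers:
                if tag.lower() == "location" and arg.startswith(("/server-status", "/server-info")):
                    findings.append("%s is reachable from any address; restrict "
                                    "Allow from to trusted hosts" % arg)
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONF))
```

To run it against a real installation, pass the contents of httpd.conf and each file under conf/extra/ to audit() separately; the reader does not follow Include directives.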

httpd-languages.conf (language settings)

# Settings for hosting different languages
# Settings for hosting different languages.
#
# Required modules: mod_mime, mod_negotiation

# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
DefaultLanguage and AddLanguage allow you to specify the language of a document. You can then use content negotiation to give a browser a file in a language the user can understand.
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
#
Specify a default language. This means that all data going out without a specific language tag (see below) will be marked with this one. You probably do NOT want to set this unless you are sure it is correct for all cases.
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#
It is generally better not to mark a page as being in a certain language than to mark it with the wrong language.
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
Note 1: the suffix does not have to be the same as the language keyword. Those with documents in Polish (whose language code is pl) may wish to use "AddLanguage pl .po" to avoid the ambiguity with the common suffix for Perl scripts.
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
Note 2: the example entries below illustrate that in some cases the two-character language abbreviation is not identical to the two-character country code, e.g. Danmark/dk versus Danish/da.
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
Note 3: in the case of ltz we violate the RFC by using a three-character specifier. There is work in progress to fix this and get the reference data for RFC 1766 cleaned up.
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Turkish (tr) - Simplified Chinese (zh-CN) - Spanish (es)
# Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage tr .tr
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
LanguagePriority allows you to give precedence to some languages in case of a tie during content negotiation. Just list the languages in decreasing order of preference. They are more or less alphabetized here; you will probably want to change this.
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW

#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority lets you serve a result page rather than MULTIPLE CHOICES (Prefer, in case of a tie) or NOT ACCEPTABLE (Fallback, when no accepted language matches the available variants).
ForceLanguagePriority Prefer Fallback

#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See
# for the
# official list of charset names and their respective RFCs.
#
Commonly used filename extensions for character sets. You probably want to avoid clashes with the language extensions, unless you are good at carefully testing your setup after each change. See the URL above for the official list of charset names and their respective RFCs.
AddCharset us-ascii.ascii .us-ascii
AddCharset ISO-8859-1  .iso8859-1  .latin1
AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
AddCharset ISO-8859-3  .iso8859-3  .latin3
AddCharset ISO-8859-4  .iso8859-4  .latin4
AddCharset ISO-8859-5  .iso8859-5  .cyr .iso-ru
AddCharset ISO-8859-6  .iso8859-6  .arb .arabic
AddCharset ISO-8859-7  .iso8859-7  .grk .greek
AddCharset ISO-8859-8  .iso8859-8  .heb .hebrew
AddCharset ISO-8859-9  .iso8859-9  .latin5 .trk
AddCharset ISO-8859-10  .iso8859-10  .latin6
AddCharset ISO-8859-13  .iso8859-13
AddCharset ISO-8859-14  .iso8859-14  .latin8
AddCharset ISO-8859-15  .iso8859-15  .latin9
AddCharset ISO-8859-16  .iso8859-16  .latin10
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5.Big5   .big5 .b5
AddCharset cn-Big5 .cn-big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251   .win-1251
AddCharset CP866   .cp866
AddCharset KOI8  .koi8
AddCharset KOI8-E  .koi8-e
AddCharset KOI8-r  .koi8-r .koi8-ru
AddCharset KOI8-U  .koi8-u
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-7   .utf7
AddCharset UTF-8   .utf8
AddCharset UTF-16  .utf16
AddCharset UTF-16BE .utf16be
AddCharset UTF-16LE .utf16le
AddCharset UTF-32  .utf32
AddCharset UTF-32BE .utf32be
AddCharset UTF-32LE .utf32le
AddCharset euc-cn  .euc-cn
AddCharset euc-gb  .euc-gb
AddCharset euc-jp  .euc-jp
AddCharset euc-kr  .euc-kr
#Not sure how euc-tw got in - IANA doesn't list it???
AddCharset EUC-TW  .euc-tw
AddCharset gb2312  .gb2312 .gb
AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
AddCharset shift_jis   .shift_jis .sjis
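AddLanguage and AddCharset, like AddType, attach meaning to filename extensions, and mod_mime lets several extensions stack on one file (for example index.html.de.utf8). The following Python code is an added example, not part of the original post or of mod_mime: it parses a constructed fragment of such directives (the AddLanguage and AddCharset lines are copied from this file; the AddType lines are assumed for the example) and resolves the Content-Type, language and charset for a filename, including the .po case from Note 1 above.

```python
# Constructed directive fragment: AddLanguage/AddCharset lines copied from
# httpd-languages.conf above, AddType lines assumed for this example.
SAMPLE_CONF = """\
AddType text/html .html .htm
AddType text/plain .txt
AddLanguage de .de
AddLanguage en .en
AddLanguage pl .po
AddLanguage pt-BR .pt-br
AddCharset ISO-8859-1  .iso8859-1  .latin1
AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
AddCharset UTF-8   .utf8
"""


def parse_mime_directives(text):
    """Return {directive: {extension: value}} for AddType/AddLanguage/AddCharset.

    Extensions are stored lower-cased and without the leading dot; comment
    and unrelated lines are ignored.
    """
    tables = {"addtype": {}, "addlanguage": {}, "addcharset": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() not in tables:
            continue
        value = parts[1]
        for ext in parts[2:]:
            tables[parts[0].lower()][ext.lstrip(".").lower()] = value
    return tables


def resolve(filename, tables):
    """Walk the extensions after the basename, left to right, the way mod_mime
    stacks them, and return the type, language and charset found (None if a
    component is not set by any extension)."""
    result = {"type": None, "language": None, "charset": None}
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in tables["addtype"]:
            result["type"] = tables["addtype"][ext]
        elif ext in tables["addlanguage"]:
            result["language"] = tables["addlanguage"][ext]
        elif ext in tables["addcharset"]:
            result["charset"] = tables["addcharset"][ext]
    return result


def content_type_header(resolved):
    """Content-Type header value for a resolved file, or None if no type is known."""
    if resolved["type"] is None:
        return None
    if resolved["charset"]:
        return "%s; charset=%s" % (resolved["type"], resolved["charset"])
    return resolved["type"]


TABLES = parse_mime_directives(SAMPLE_CONF)

if __name__ == "__main__":
    for name in ("index.html.de.utf8", "readme.txt.latin1", "messages.po"):
        r = resolve(name, TABLES)
        print(name, "->", r, content_type_header(r))
```

The charset is worth getting right for a security reason as well as a display one: a text/html response sent without a charset, or with the wrong one, leaves the browser to guess the encoding, which is one of the classic preconditions for encoding-based script injection.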

httpd-multilang-errordoc.conf (multi-language error document settings)

# The configuration below implements multi-language error documents through content negotiation
# The configuration below implements multi-language error documents through
# content-negotiation.
#
# Required modules: mod_alias, mod_include, mod_negotiation
#
# We use Alias to redirect any /error/HTTP_.html.var response to
# our collection of by-error message multi-language collections.  We use
# includes to substitute the appropriate text.
#
We use Alias to redirect any /error/HTTP_.html.var response to our collection of per-error multi-language documents, and we use includes to substitute the appropriate text. You can modify the appearance of the messages without changing any of the default HTTP_.html.var files by adding the line Alias /error/include/ "/your/include/path/".
# You can modify the messages' appearance without changing any of the
# default HTTP_.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
#
This allows you to create your own set of files by starting with the /usr/local/apache/error/include/ files and copying them to /your/include/path/, even on a per-VirtualHost basis. The default include files will display your Apache version number and your ServerAdmin email address regardless of the setting of ServerSignature.
# which allows you to create your own set of files by starting with the
# /usr/local/apache/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis.  The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.

Alias /error/ "/usr/local/apache/error/"


    AllowOverride None
    Options IncludesNoExec
    AddOutputFilter Includes html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
    ForceLanguagePriority Prefer Fallback

ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

httpd-mpm.conf (MPM management)

# Server-pool management
# Server-Pool Management (MPM specific)
#

# PidFile: the file in which the server records its process ID.
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
# Note that this is the default PidFile for most MPMs.
#

    PidFile "logs/httpd.pid"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
The accept serialization lock file; it must be stored on a local disk.


LockFile "logs/accept.lock"

#
# Only one of the below sections will be relevant on your
# installed httpd.  Use "apachectl -l" to find out the
# active mpm.
#
Only one of the sections below is relevant to your installed httpd. Use "apachectl -l" to find out the active MPM.
# Parameter settings for each MPM type.
# prefork MPM
# StartServers: number of server processes to start
Number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
Minimum number of server processes kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
Maximum number of server processes kept spare
# MaxClients: maximum number of server processes allowed to start
Maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
Maximum number of requests a server process serves

    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0

# worker MPM
# StartServers: initial number of server processes to start
Initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
Maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
Minimum number of worker threads kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
Maximum number of worker threads kept spare
# ThreadsPerChild: constant number of worker threads in each server process
Constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
Maximum number of requests a server process serves

    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0

# BeOS MPM
# StartThreads: how many threads do we initially spawn?
Number of threads spawned initially
# MaxClients:   max number of threads we can have (1 thread == 1 client)
Maximum number of threads we can have (1 thread == 1 client)
# MaxRequestsPerThread: maximum number of requests each thread will process
Maximum number of requests each thread will process

    StartThreads            10
    MaxClients              50
    MaxRequestsPerThread 10000

# NetWare MPM
# ThreadStackSize: Stack size allocated for each worker thread
Stack size allocated for each worker thread
# StartThreads: Number of worker threads launched at server startup
Number of worker threads launched at server startup
# MinSpareThreads: Minimum number of idle threads, to handle request spikes
Minimum number of idle threads, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads
Maximum number of idle threads
# MaxThreads: Maximum number of worker threads alive at the same time
Maximum number of worker threads alive at the same time
# MaxRequestsPerChild: Maximum  number of requests a thread serves. It is
#                      recommended that the default value of 0 be set for this
#                      directive on NetWare.  This will allow the thread to
#                      continue to service requests indefinitely.
#
Maximum number of requests a thread serves. The default value of 0 is recommended on NetWare; it allows the thread to continue serving requests indefinitely.

    ThreadStackSize      65536
    StartThreads       250
    MinSpareThreads      25
    MaxSpareThreads      250
    MaxThreads        1000
    MaxRequestsPerChild    0
    MaxMemFree        100

# OS/2 MPM
# StartServers: Number of server processes to maintain
Number of server processes to maintain
# MinSpareThreads: Minimum number of idle threads per process,
#                  to handle request spikes
Minimum number of idle threads per process, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads per process
Maximum number of idle threads per process
# MaxRequestsPerChild: Maximum number of connections per server process
Maximum number of connections per server process

    StartServers        2
    MinSpareThreads      5
    MaxSpareThreads      10
    MaxRequestsPerChild     0

# WinNT MPM
# ThreadsPerChild: constant number of worker threads in the server process
Constant number of worker threads in the server process
# MaxRequestsPerChild: maximum  number of requests a server process serves
Maximum number of requests a server process serves

    ThreadsPerChild      150
    MaxRequestsPerChild    0

httpd-ssl.conf (SSL configuration file)

# SSL configuration file
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <
>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
Pseudo Random Number Generator (PRNG): configure one or more sources to seed the PRNG of the SSL library. The seed data should be of good random quality. Warning: on some platforms /dev/random blocks if not enough entropy is available, so you cannot use that device there, because it would lead to very long connection times (as long as it takes for more entropy to become available). Those platforms usually also provide a /dev/urandom device, which does not block; if available, use that one instead. Read the mod_ssl user manual for more details.
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512


# SSL listen port: when SSL is also provided, the server must listen on the standard HTTP port (see above) and on the HTTPS port. Note that configurations using IPv6 without IPv4-mapped addresses need the two Listen directives shown below.
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
All SSL configuration in this global context applies to both the main server and all SSL-enabled virtual hosts.

#
#   Some MIME-types for downloading Certificates and CRLs
#
MIME types for downloading certificates and CRLs.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
#
Pass phrase dialog: configures the pass-phrase gathering process. The filtering dialog program must provide the pass phrase on stdout; builtin is the internal terminal dialog.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#
Inter-process session cache: first the caching mechanism to use, then the expiry timeout in seconds.
#SSLSessionCache         "dbm:/usr/local/apache/logs/ssl_scache"
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#
Semaphore: the path to the mutual exclusion semaphore the SSL engine uses internally for inter-process synchronization.
SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"

##
## SSL Virtual Host Context
##
SSL virtual host context: configuration for the SSL-enabled virtual host

#   General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName

ServerAdmin

ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"

#   SSL Engine Switch: whether SSL is enabled
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite: lists the ciphers the client is permitted to negotiate.
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
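The cipher string above still permits weak cipher classes, and it is easy to misread which operator does what: ! removes a class permanently, - removes it until a later bare name re-adds it, a bare name adds, and + only moves matching ciphers already in the list to the end without adding anything (so +eNULL does not enable NULL ciphers, while +LOW, +EXP and +SSLv2 do nothing to disable the LOW, export and SSLv2 ciphers that ALL already included). The following Python evaluator is an added example, not from the original post or from OpenSSL: it models these operators at cipher-class level with a hand-written alias table (an approximation of OpenSSL's cipher database, assumed for this example) and reports which weak classes a string leaves enabled, next to a constructed hardened string.

```python
# Weak cipher classes this checker tracks (class level, not individual suites).
WEAK = {"EXPORT40", "EXPORT56", "LOW", "eNULL", "aNULL", "SSLv2", "RC4", "MD5", "DES"}

# Hand-written alias table: which weak classes a cipher-string name covers.
# Names absent from both this table and WEAK (HIGH, MEDIUM, RSA, AES, ...)
# contribute no weak class.  This approximates OpenSSL's cipher database.
ALIASES = {
    "ALL": WEAK - {"eNULL"},          # ALL never includes the eNULL ciphers
    "COMPLEMENTOFALL": {"eNULL"},
    "EXP": {"EXPORT40", "EXPORT56"},
    "EXPORT": {"EXPORT40", "EXPORT56"},
    "ADH": {"aNULL"},
    "NULL": {"eNULL"},
}

# The cipher string from httpd-ssl.conf above, and a constructed hardened one.
PAGE_CIPHERS = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXP:!LOW:!SSLv2:!DES"


def expand(name):
    """Weak classes covered by one cipher-string name."""
    if name in ALIASES:
        return set(ALIASES[name])
    if name in WEAK:
        return {name}
    return set()


def weak_classes_enabled(cipher_string):
    """Apply the cipher-string operators at class level and return the weak
    classes left enabled.

    Operators as in OpenSSL ciphers(1): "!" removes a class permanently,
    "-" removes it but a later bare name may re-add it, a bare name adds,
    and "+" only reorders, adding nothing.  A conjunction such as RC4+RSA
    is approximated by the union of the weak classes of its parts.
    """
    enabled, killed = set(), set()
    for token in cipher_string.replace(",", ":").split(":"):
        token = token.strip()
        if not token or token.startswith("@"):   # @STRENGTH etc. only sort
            continue
        op = token[0] if token[0] in "!-+" else ""
        classes = set()
        for part in token[len(op):].split("+"):
            classes |= expand(part)
        if op == "!":
            killed |= classes
            enabled -= classes
        elif op == "-":
            enabled -= classes
        elif op == "+":
            pass
        else:
            enabled |= classes - killed
    return enabled


if __name__ == "__main__":
    print("page string leaves enabled:", sorted(weak_classes_enabled(PAGE_CIPHERS)))
    print("hardened string leaves enabled:", sorted(weak_classes_enabled(HARDENED_CIPHERS)))
```

For a real server the authoritative check is `openssl ciphers -v '<string>'` against the OpenSSL build mod_ssl is linked with; the class model here is for understanding the operators, not a substitute for that listing.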

#   Server Certificate: point SSLCertificateFile at a PEM encoded certificate. If the certificate is encrypted, you will be prompted for a pass phrase.
Note that a kill -HUP will prompt again. Remember that if you have both an RSA and a DSA certificate, you can configure both in parallel (to also allow the use of DSA ciphers, etc.).
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
SSLCertificateFile "/usr/local/apache/conf/server.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#
Server private key: if the key is not combined with the certificate, use this directive to point at the key file. Remember that if you have both an RSA and a DSA private key, you can configure both in parallel (to also allow the use of DSA ciphers, etc.).
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#
Server certificate chain: point SSLCertificateChainFile at a file containing the concatenation of the PEM encoded CA certificates that form the certificate chain for the server certificate. Alternatively the file can be the same as SSLCertificateFile, when the CA certificates are appended directly to the server certificate for convenience.
#SSLCertificateChainFile "/usr/local/apache/conf/server-ca.crt"

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#
Certificate Authority (CA): set the CA certificate verification path where the CA certificates for client authentication are found, or alternatively one huge file containing all of them (the file must be PEM encoded). Note: inside SSLCACertificatePath you need hash symlinks pointing to the certificate files; use the provided Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/usr/local/apache/conf/ssl.crt"
#SSLCACertificateFile "/usr/local/apache/conf/ssl.crt/ca-bundle.crt"

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#
Certificate Revocation Lists (CRL): set the CA revocation path where the CA CRLs for client authentication are found, or alternatively one huge file containing all of them (the file must be PEM encoded). Note: inside SSLCARevocationPath you need hash symlinks pointing to the CRL files; use the provided Makefile to update the hash symlinks after changes.

#SSLCARevocationPath "/usr/local/apache/conf/ssl.crl"
#SSLCARevocationFile "/usr/local/apache/conf/ssl.crl/ca-bundle.crl"

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#
Client Authentication (Type): client certificate verification type and depth. Types are none, optional, require and optional_no_ca. Depth is a number specifying how deeply to verify the certificate issuer chain before deciding that the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#
Access control: with SSLRequire you can do per-directory access control based on arbitrarily complex boolean expressions containing server variable checks and other lookup directives. The syntax is a mixture of C and Perl. See the mod_ssl documentation for more details.
#
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
SSL engine options:
StdEnvVars
If this option is enabled, the standard set of SSL-related CGI/SSI environment variables is created. For performance reasons the option is off by default, because extracting these values is an expensive operation; it is usually enabled only for CGI/SSI scripts.
CompatEnvVars
If this option is enabled, the additional CGI/SSI environment variables added for compatibility with other SSL solutions are created. See the compatibility section of the documentation for details of which variables are created.
ExportCertData
If this option is enabled, the additional CGI/SSI environment variables SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n (n = 0, 1, 2, ...) are created. They contain the PEM-encoded server and client X.509 certificates of the current HTTPS connection and every certificate in the client certificate chain, and can be used by CGI scripts for deeper certificate checks.
FakeBasicAuth
If this option is enabled, the Subject field of the distinguished name (DN) in the client's X.509 certificate (shown by "openssl x509 -noout -subject -in certificate.crt") is translated into an HTTP Basic Authentication user name. This means the standard Apache authentication methods can be used for access control. Note that no password is obtained from the user, so the password of every user name must be "xxj31ZMTZzkVA", the crypt-encrypted form of the word "password". On systems using MD5-based crypt (BSD systems), use "$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/" as the password instead.
StrictRequire
If this option is enabled, access is denied whenever SSLRequireSSL or SSLRequire forbids it. By default, when "Satisfy any" is set, access is allowed if any access-control check other than SSLRequireSSL or SSLRequire passes, which matches the intent of the Satisfy directive. With "SSLOptions +StrictRequire", however, SSLRequireSSL and SSLRequire force the effect of "Satisfy All" on SSL connections.
OptRenegotiate
By default, a full SSL re-handshake and renegotiation is performed whenever the SSL configuration of a particular directory changes. If this option is enabled, the renegotiation is optimized: unnecessary handshakes are skipped and only fine-grained parameter checks are performed (which remain secure). Since parameter checks alone are not always what users expect, enable this option only for specific directories.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

# The two SSLOptions lines below sit inside container directives that were
# lost when this page was published; they are restored here as in the stock
# httpd-ssl.conf (adjust the cgi-bin path to your installation prefix):
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
#   SSL protocol adjustments (summary of the notes above): the safe default,
#   still SSL/TLS standard-compliant shutdown is for mod_ssl to send the
#   close-notify alert without waiting for the client's. When a different
#   shutdown behaviour is needed, use one of the variables ssl-unclean-shutdown
#   (for browsers that otherwise hang or report I/O errors) or
#   ssl-accurate-shutdown (only for browsers known to handle it correctly).
#   Caveat: ssl-unclean-shutdown suppresses the close-notify alert, which is
#   what lets a client tell an orderly end of data from a connection cut by an
#   attacker (TLS truncation); that matters most for responses delimited by
#   connection close, as HTTP/1.0 responses often are, and this very rule also
#   forces HTTP/1.0. Apply it only to the legacy clients that need it: the
#   pattern ".*MSIE.*" below matches every Internet Explorer version, the
#   httpd 2.4 template narrows it to "MSIE [2-5]", and modern clients need
#   none of these workarounds.
#
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging (the SSL access log):
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
#   Each line records the protocol version and cipher suite negotiated for
#   the request, which makes this log the place to audit for weak protocols
#   or ciphers still in use by clients.
CustomLog "/usr/local/apache/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
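An added example, not part of the original page: a small audit over the ssl_request_log written by the CustomLog line above. It relies only on the page's own log format, "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; the sample log lines are constructed for the example, and the lists of deprecated protocols and weak cipher-suite tokens are this example's policy, not anything configured on the page.

```shell
#!/bin/sh
# Added example: flag ssl_request_log entries that negotiated a deprecated
# protocol or a cipher suite containing a weak primitive.
# In the page's log format %t occupies two whitespace-separated fields
# ("[25/Sep/2014:03:26:05" and "+0800]"), so the client host is field 3,
# the protocol field 4 and the cipher suite field 5.

# weak_ssl_lines: read log lines on stdin; print "HOST PROTO CIPHER REASON"
# for each weak entry. Returns 0 if nothing weak was found, 1 otherwise.
weak_ssl_lines() {
    awk '
    BEGIN {
        # protocols that should no longer be negotiated (example policy)
        bad_proto["SSLv2"] = 1; bad_proto["SSLv3"] = 1
        bad_proto["TLSv1"] = 1; bad_proto["TLSv1.1"] = 1
        # dash-delimited cipher-suite tokens that indicate a weak primitive:
        # no encryption, export grade, RC4, DES/3DES, MD5, anonymous key exchange
        split("NULL EXP EXP1024 RC4 DES MD5 ADH AECDH", t, " ")
        for (i in t) bad_tok[t[i]] = 1
        found = 0
    }
    NF < 5 { next }                       # malformed line, skip it
    {
        host = $3; proto = $4; cipher = $5; reason = ""
        if (proto in bad_proto) reason = "protocol " proto
        # compare whole tokens, not substrings, so AES256 never matches DES
        m = split(cipher, tok, "-")
        for (i = 1; i <= m; i++)
            if (tok[i] in bad_tok)
                reason = reason (reason == "" ? "" : "; ") "cipher token " tok[i]
        if (reason != "") { print host, proto, cipher, reason; found = 1 }
    }
    END { exit found }'
}

# Constructed sample lines in the page's log format (not real traffic).
sample_log() {
    cat <<'EOF'
[25/Sep/2014:03:26:05 +0800] 10.0.0.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /index.html HTTP/1.1" 1234
[25/Sep/2014:03:26:07 +0800] 10.0.0.9 SSLv3 RC4-SHA "GET /login HTTP/1.0" 512
[25/Sep/2014:03:26:09 +0800] 10.0.0.12 TLSv1 DES-CBC3-SHA "POST /api HTTP/1.1" 88
[25/Sep/2014:03:26:11 +0800] 10.0.0.7 TLSv1.2 AES256-SHA "GET / HTTP/1.1" 300
[25/Sep/2014:03:26:13 +0800] 10.0.0.21 TLSv1.2 AECDH-AES128-SHA "GET /img.png HTTP/1.1" 4096
EOF
}

# Usage: sh ssl_audit.sh /usr/local/apache/logs/ssl_request_log
# With a file argument the real log is audited; the sample above is for
# trying the function without one: sample_log | weak_ssl_lines
if [ $# -gt 0 ]; then
    weak_ssl_lines < "$1"
fi
```

On the sample, three of the five lines are reported (SSLv3 with RC4, TLSv1 with 3DES, and an anonymous AECDH suite on TLSv1.2) and the function exits non-zero, which makes it usable as a cron check. Every client host it lists is one that would break if the weak protocols and suites were removed from SSLProtocol and SSLCipherSuite, so the report is also the inventory to work through before tightening those directives.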


5. Service maintenance

Reference:

http://hi.baidu.com/gaoyanhui999/blog/item/5ff87624c58a7b34c89559e4.html
