Category: LINUX
2014-09-25 03:26:05
http://blog.chinaunix.net/uid-20784749-id-1844507.html
I. Software download
1) apache: or
II. Environment check
# rpm -qa|grep zlib
zlib-devel-1.2.3-3
zlib-1.2.3-3
# rpm -qa|grep ssl
openssl-devel-0.9.8b-10.el5
openssl-0.9.8b-10.el5
If dependency packages are needed, install the corresponding devel packages; only zlib and ssl are used here. Also, if an httpd package is already installed, uninstall it or stop its service first.
III. Compile and install
1) Notes on the purpose of the installation (from the INSTALL file)
Developers should use this option: --with-included-apr makes it easier to link against or debug Apache's code, because it eliminates mismatches caused by differing versions or builds of the APR or APR-util code.
When building Apache from a Subversion checkout, run buildconf first (requires Python, GNU autoconf and libtool), then run configure. Release tarballs do not need this.
To build Apache's threaded MPM on FreeBSD releases before 5.4, use the --enable-threads and --with-mpm parameters.
To build a Subversion checkout on Mac, use GNU Libtool 1.4.2 or later.
2) On SSL encryption and regular expressions (from the README file)
Apache 2.0 and later includes the mod_ssl module in modules/ssl/ for configuring and listening for connections on the SSL network interface. (Separately, some apr-util versions provide an SSL network interface in srclib/apr-util/ssl/.) Packages whose name contains the word crypto may contain object code of the OpenSSL cryptographic library. If Apache's cryptographic functionality is not wanted, or has to be excluded for redistribution, use the distribution package whose name contains nossl.
Apache uses the regular expressions included in the PCRE package.
3) Notes on the configure parameters
Configuration help:
-h, --help | show help information | display this help and exit
--help=short | the short parameter shows only the options of the script being run, not those of the external configure scripts that Apache's configure script invokes | display options specific to this package
--help=recursive | the recursive parameter shows the short help of all included packages | display the short help of all the included packages
-V, --version | show version | display version information and exit
-q, --quiet, --silent | do not print "checking..." messages | do not print `checking...' messages
--cache-file=FILE | store test results in the given file | cache test results in FILE [disabled]
-C, --config-cache | store test results in the file config.cache | alias for `--cache-file=config.cache'
-n, --no-create | do not write the output files when configure finishes; commonly used as a dry run before the real build | do not create output files
--srcdir=DIR | directory containing the sources | find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX | top-level installation directory PREFIX for architecture-independent files, i.e. the Apache installation directory | install architecture-independent files in PREFIX [/usr/local/apache2]
--exec-prefix=EPREFIX | top-level installation directory EPREFIX for architecture-dependent files; installing the architecture-dependent files in a separate location makes it easy to share files between different hosts | install architecture-dependent files in EPREFIX [PREFIX]
By default, `make install' will install all the files in `/usr/local/apache2/bin', `/usr/local/apache2/lib' etc. You can specify an installation prefix other than `/usr/local/apache2' using `--prefix', for instance `--prefix=$HOME'.
Detailed installation directory settings:
The default installation directories are listed in config.layout; the RHEL layout is:
prefix: /usr
exec_prefix: ${prefix}
bindir: ${prefix}/bin
sbindir: ${prefix}/sbin
libdir: ${prefix}/lib
libexecdir: ${prefix}/lib/apache
mandir: ${prefix}/man
sysconfdir: /etc/httpd/conf
datadir: /var/www
installbuilddir: ${datadir}/build
errordir: ${datadir}/error
iconsdir: ${datadir}/icons
htdocsdir: ${datadir}/html
manualdir: ${datadir}/manual
cgidir: ${datadir}/cgi-bin
includedir: ${prefix}/include/apache
localstatedir: /var
runtimedir: ${localstatedir}/run
logfiledir: ${localstatedir}/log/httpd
proxycachedir: ${localstatedir}/cache/httpd
Setting the detailed installation directories yourself
--bindir=DIR | user executables directory DIR; holds support programs useful to the site administrator, such as htpasswd and dbmmanage | user executables [EPREFIX/bin]
--sbindir=DIR | system administrator executables directory DIR; holds the server programs needed to run the HTTP server, such as httpd, apachectl and suexec | system admin executables [EPREFIX/sbin]
--libexecdir=DIR | program executables directory DIR, i.e. the directory of dynamically loaded modules | program executables [EPREFIX/libexec]
--sysconfdir=DIR | read-only single-machine data directory DIR; holds server configuration files such as httpd.conf and mime.types | read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR | modifiable architecture-independent data directory DIR | modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR | modifiable single-machine data directory DIR | modifiable single-machine data [PREFIX/var]
--libdir=DIR | object code library directory DIR | object code libraries [EPREFIX/lib]
--includedir=DIR | Apache C header file directory DIR | C header files [PREFIX/include]
--oldincludedir=DIR | C header file directory DIR for non-gcc compilers | C header files for non-gcc [/usr/include]
--datarootdir=DIR | root directory of the web server's read-only architecture-independent data | read-only arch.-independent data root [PREFIX/share]
--datadir=DIR | read-only architecture-independent data directory DIR of the web server | read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR | info documentation directory DIR | info documentation [DATAROOTDIR/info]
--localedir=DIR | locale-dependent data DIR | locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR | man documentation directory DIR | man documentation [DATAROOTDIR/man]
--docdir=DIR | documentation root directory | documentation root [DATAROOTDIR/doc/PACKAGE]
--htmldir=DIR | HTML documentation directory | html documentation [DOCDIR]
--dvidir=DIR | dvi documentation directory | dvi documentation [DOCDIR]
--pdfdir=DIR | pdf documentation directory | pdf documentation [DOCDIR]
--psdir=DIR | ps documentation directory | ps documentation [DOCDIR]
Cross-compilation options:
These options are for cross-compiling an Apache HTTP server that will run on a different platform. When Apache is built and run on the same platform they are normally unnecessary; the script detects and sets them automatically.
--build=BUILD | system type BUILD of the system the build tools run on | configure for building on BUILD [guessed]
--host=HOST | system type HOST of the target system on which the cross-compiled Apache HTTP server will run | cross-compile to build programs to run on HOST [BUILD]
--target=TARGET | type of the target code produced by the cross-compilation | configure for building compilers for TARGET [HOST]
Feature options:
Notes:
1) Module list:
Base (B) modules are included by default and must be explicitly disabled; extension (E) and experimental (X) modules are not included by default and must be explicitly enabled.
Module name | Status | Brief description
| (B) | Provides for executing CGI scripts based on media type or request method
| (B) | Provides mapping from different parts of the filesystem into the document tree, and URL redirection
| (B) | Sends files that contain their own HTTP headers
| (B) | Uses basic authentication
| (B) | Simply rejects all authentication information when no authentication module is properly configured
| (B) | Provides authentication support using plain-text files
| (B) | Simply rejects all authorization requests when no authorization support module is properly configured
| (B) | Provides group authorization support using plain-text files
| (B) | Provides access control based on host name, IP address or request characteristics
| (B) | Provides per-user authorization support
| (B) | Automatically generates a listing of a directory's contents, similar to the "ls" or "dir" command
| (B) |
| (B) |
| (B) | Specifies directory index files and provides "trailing slash" redirects for directories
| (B) | Allows Apache to modify or clear the environment variables passed to CGI scripts and SSI pages
| (B) | Dynamically configures output filters according to the actual context
| (B) | Handles server-side image maps
| (B) | Implements server-side include (SSI) processing
| (B) | Implements ISAPI extensions, on Windows only
| (B) | Allows logging and custom log file formats
| (B) | Decides the response behaviour (handler/filter) and content (MIME type/language/charset/encoding) from the file extension
| (B) |
| (B) | Implements SSL encryption support, on NetWare only
| (B) | Sets environment variables based on client request header fields
| (B) | Generates a web page describing the server status
| (B) | Allows users to serve pages from their own home directories (using "/~username")
| (X) | Uses MD5 digest authentication (more secure, but only the newest browsers support it)
| (E) | Creates an extended authentication provider based on an actual provider and gives it an alias for easy reference
| (E) | Provides anonymous user authentication support
| (E) | Provides authentication support using an SQL database
| (E) | Provides authentication support using a DBM database
| (E) | Allows basic authentication and authorization against a user name and password database stored in an LDAP directory
| (E) | Provides group authorization support using DBM database files
| (E) | Authorizes based on file ownership
| (E) | Dynamic content caching (in memory or on disk) keyed by URI
| (E) | Allows Apache to use CERN httpd metafiles so that headers can be modified when a file is sent
| (X) | Allows character set conversion of pages
| (E) |
| (E) |
| (E) |
| (E) | Manages SQL database connections, supporting modules that need database functionality
| (E) | Compresses content sent to the client
| (E) | Disk-based cache manager
| (E) | Dumps all I/O operations to the error log
| (X) | A very simple protocol demonstration module
| (X) | A very simple Apache module API demonstration module
| (E) | Allows the HTTP "Expires:" and "Cache-Control:" headers to be controlled through the configuration file
| (E) | Uses external programs as filters
| (X) | Provides file descriptor caching support to improve Apache performance
| (E) | Allows arbitrary HTTP request and response headers to be controlled through the configuration file
| (E) | Implements ident lookups as specified in RFC 1413
| (E) | Generates a web page describing the Apache configuration
| (E) | Provides LDAP connection pooling and result caching for the other LDAP modules
| (E) | Implements "forensic logging": each request is logged twice, before it is processed and after it completes
| (E) | Logs the input/output byte counts and HTTP headers of each request
| (E) | Memory-based cache manager
| (E) | Guesses a file's MIME type automatically by reading part of its contents
| (E) | Provides HTTP/1.1 proxy/gateway support
| (E) |
| (E) |
| (E) |
| (E) |
| (E) |
| (E) | A rule-based engine for rewriting requested URLs on the fly
| (E) | Allows DSO modules to be loaded at run time
| (E) | Automatically corrects spelling errors in URLs
| (E) | Implements strongly encrypted transport using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
| (E) |
| (E) | Generates a unique identifier for each request so it can be tracked
| (E) | Tracks users with sessions (sends many cookies) to record user clickstreams
| (E) | Provides version-based configuration section support
| (E) | Provides dynamic configuration support for mass virtual hosting
2) The Apache HTTP server is modular software: the administrator adds or removes functionality by choosing which modules the server includes. A module can be statically compiled into the httpd binary, or compiled as a dynamic shared object (DSO) independent of the httpd binary. DSO modules can be compiled together with the server or separately with the Apache extension tool (apxs).
3) ISAPI server extensions are DLLs that can be loaded and called by an HTTP server. Internet server extensions, also called Internet Server Applications (ISAs), enhance the functionality of servers that conform to the Internet Server API (ISAPI). An ISA is invoked through a browser application and provides functionality similar to a Common Gateway Interface (CGI) application.
Optional package options:
--with-PACKAGE[=ARG] | syntax for including a package | use PACKAGE [ARG=yes]
--without-PACKAGE | syntax for not using a package | do not use PACKAGE (same as --with-PACKAGE=no)
--with-included-apr | use the bundled copies of apr/apr-util | Use bundled copies of APR/APR-Util
--with-apr=PATH | apr installation directory | prefix for installed APR or the full path to
--with-apr-util=PATH | apu installation directory | prefix for installed APU or the full path to apu-config
--with-pcre=PATH | use an external PCRE regular expression library | Use external PCRE library
--with-port=PORT | listening port | Port on which to listen (default is 80)
--with-sslport=SSLPORT | SSL listening port | Port on which to securelisten (default is 443)
--with-z=DIR | location of the zlib library | use a specific zlib library
--with-sslc=DIR | directory of the RSA SSL-C SSL/TLS toolkit | RSA SSL-C SSL/TLS toolkit
--with-ssl=DIR | location of the OpenSSL package | OpenSSL SSL/TLS toolkit
--with-mpm=MPM | choose the processing module Apache uses (note 1) | Choose the process model for Apache to use. MPM={beos|event|worker|prefork|mpmt_os2}
--with-module=module-type:module-file | add a third-party module (note 2) | Enable module-file in the modules/
--with-program-name | name of the executable [default: httpd]; when this option is used the default configuration file name also becomes "NAME.conf" | alternate executable name
--with-suexec-bin | directory of the suexec binary [default: --sbindir] | Path to suexec binary
--with-suexec-caller | user allowed to call suexec; must be the same user the httpd child processes run as | User allowed to call SuExec
--with-suexec-userdir | subdirectory under a user's home directory in which suexec may execute files; only needed when suexec is used together with user web directories (provided by mod_userdir) [public_html] | User subdirectory
--with-suexec-docroot | root directory in which suexec may execute files [--datadir/htdocs] | SuExec root directory
--with-suexec-uidmin | minimum UID allowed to run suexec [100] | Minimal allowed UID
--with-suexec-gidmin | minimum GID allowed to run suexec [100] | Minimal allowed GID
--with-suexec-logfile | suexec log file name [default: suexec_log, in the --logfiledir directory] | Set the logfile
--with-suexec-safepath | value of the PATH environment variable considered "safe" for suexec [/usr/local/bin:/usr/bin:/bin] | Set the safepath
Notes: 1) MPM is the name of the multi-processing module you want to use. If this option is omitted, the default MPM for the platform is used.
2) module-file is the source file name of the module; it must be located in the "modules/module-type" directory of the Apache source tree. If configure does not find module-file there, it treats it as an absolute path and tries to copy it into "modules/module-type"; if that directory does not exist, configure creates it and places a standard Makefile.in in it. This method has two obvious drawbacks: the module's source must be a single file, and the module can only be linked statically into the core, not built as a DSO module. It is therefore rarely used; third-party modules are normally added with apxs (the Apache extension tool).
Compiler options:
CC | the C compiler to use | C compiler command
CFLAGS | flags for the C compiler | C compiler flags
LDFLAGS | linker flags, e.g. "-Llibdir" to specify a non-standard library directory libdir | linker flags, e.g. -L
LIBS | libraries to pass to the linker | libraries to pass to the linker, e.g. -l
CPPFLAGS | C/C++ preprocessor flags, e.g. "-Iincludedir" to specify a non-standard header directory includedir | C/C++/Objective C preprocessor flags, e.g. -I if you have headers in a nonstandard directory
CPP | C preprocessor | C preprocessor
4) Compile and install
./configure --prefix=/usr/local/apache --enable-authn-dbm --enable-authz-dbm --enable-ssl --enable-vhost-alias --enable-rewrite --enable-so --enable-charset-lite --enable-deflate --with-z --with-ssl --with-mpm=prefork
make
make install
IV. Server configuration
1) Configuration file overview
1> Apache's configuration files are plain-text files containing directives. The main configuration file is usually called httpd.conf; its location is fixed at compile time but can be changed with the -f command-line option. Each line of an Apache configuration file contains one directive; a backslash "\" at the end of a line continues the directive on the next line, but no other character (including whitespace) may appear between the backslash and the line break. Directives are case-insensitive, but their arguments are usually case-sensitive. Lines beginning with "#" are comments and are ignored; a comment may not follow a directive on the same line. Blank lines and whitespace before a directive are ignored, so indentation can be used to keep the configuration hierarchy clear. Changes to the main configuration file take effect only after Apache is restarted. Errors in the configuration file can be checked with apachectl configtest or the -t command-line option without starting the server.
2> Other configuration files can be included with the Include directive and wildcards. Any directive may be used in any configuration file.
3> The server also reads a file of MIME types, whose name is set by the TypesConfig directive and defaults to mime.types.
4> Apache is a modular server: the core contains only the modules implementing the most basic functions. Extended functionality can be loaded dynamically as modules. By default only the modules of the base group are compiled into the server. If the server was built with DSO support, modules can be compiled independently and loaded at any time with the LoadModule directive; otherwise adding or removing a module requires recompiling all of Apache. Directives specific to a particular module can be
2) Configuration file walk-through
################### File description ###################
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <> for detailed information.
# In particular, see
# <>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
################### Configuration notes ##########################
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo_log".
# If a configured file name begins with "/", that explicit path is used; otherwise the path looked up is ServerRoot + the given path.
################## Server home directory ################
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
# ServerRoot: root directory of the server's configuration files, logs, error logs and so on, i.e. the directory the software is installed in.
# Do not add a "/" after the directory. If the directory is not on a local disk, first point LockFile at a local disk. To share one root directory between several httpd daemons, at least LockFile and PidFile must be changed, so that each Apache instance keeps exclusive process files.
ServerRoot "/usr/local/apache"
################# Listening port and IP ############################
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
#apache
Listen 80
##################### DSO modules to load ##########################
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
# DSO modules to be loaded dynamically are listed here so that they are loaded at startup, in the format of the example below. Statically compiled modules (those listed by httpd -l) do not need to be listed here.
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#################### User the server runs as ###################
# To run Apache as a different user or group, start it as root and it will switch to the configured user. As with most system services, creating a dedicated user and group to run Apache is good practice. (Note: this only needs to be set on systems other than NetWare and Windows.)
User daemon
Group daemon
###################### Apache main configuration ###############
############### Overview ##########
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
#
# any
#
# All of these directives may appear inside
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g.
############## Server contact #############
ServerAdmin
################## Server name ###############
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# Server name. It can usually be detected automatically, but the name and port may also be given explicitly (mostly used with virtual hosts). If no DNS name is registered, use the IP address.
#ServerName
################ Site root directory #############
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/usr/local/apache/htdocs"
################## Global directory settings ##############
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# features.
#
# The Options directive controls which server features are used in a particular directory. Its values are: None All Indexes Includes FollowSymLinks SymLinksIfOwnerMatch ExecCGI MultiViews
# Options may be None, in which case no extra features are enabled, or one or more of the following:
# All: all features except MultiViews. This is the default.
# ExecCGI: allow CGI scripts to be executed with mod_cgi.
# FollowSymLinks: the server follows symbolic links in this directory. Note: even though the server follows symbolic links, it does not change the path used to match
# Includes: allow the server-side includes provided by mod_include.
# IncludesNOEXEC: allow server-side includes but disable "#exec cmd" and "#exec cgi". "#include virtual" of CGI scripts from ScriptAlias directories is still possible.
# Indexes: if a URL mapping to a directory is requested and the directory has no DirectoryIndex (e.g. index.html), the server returns a formatted directory listing generated by mod_autoindex.
# MultiViews: allow the content-negotiated "MultiViews" provided by mod_negotiation.
# SymLinksIfOwnerMatch: the server follows a symbolic link only if the link and its target file or directory have the same owner uid.
# In general, if Options is set several times for a directory, the most specific one is taken in full (the others are ignored); the option sets are not merged. However, if every option of every Options directive is prefixed with "+" or "-", the options are merged: an option prefixed with "+" is added to the current settings, and one prefixed with "-" is removed from them.
# The AllowOverride directive controls which kinds of directives are allowed in .htaccess files. Its values are: Options FileInfo AuthConfig Limit All None
# When the server finds a .htaccess file (named by AccessFileName), it needs to know which directives declared in that file may override configuration directives given earlier. AllowOverride is valid only in
# Options:
# AuthConfig: allow the authentication and authorization directives (AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, etc.).
# FileInfo: allow the directives controlling document types (DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, the Add* and Remove* directives of mod_mime, etc.), document metadata (Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName), the mod_rewrite directives (RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule) and the Action directive of mod_actions.
# Indexes: allow the directives controlling directory indexing (AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, etc.).
# Limit: allow the directives controlling host access (Allow, Deny, Order).
# Options[=Option,...]: allow the directives controlling the features of a directory (Options and XBitHack). A comma-separated (no spaces) list of options may follow the equals sign to restrict which options the Options directive may use.
# Order directive: controls the default access state and the order in which the Allow and Deny directives take effect.
# Allow directive: controls which hosts may access the server.
# Deny directive: controls which hosts are refused access to the server.
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
################ Site root directory settings ############
# This should be changed to whatever you set DocumentRoot to.
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
#
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
#################### Site index page ##############
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
# The file looked up when a directory is requested, i.e. the site's index page.
DirectoryIndex index.html
################### Whether .ht* files may be viewed ##############
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
# Satisfy directive: the access policy when Allow and Require are used together. Its argument may be All or Any. It only has an effect when access to a particular area is restricted both by user name/password and by client host address. The default (All) requires the client to pass the address restriction and to supply a valid user name and password. With Any, a client is granted access either by passing the host restriction or by supplying a valid user name and password. This allows an area to be password-protected while clients from certain addresses are admitted without a password.
Order allow,deny
Deny from all
Satisfy All
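As an added example (not code from the original post), the following Python evaluates the Order / Allow from / Deny from semantics described in the comments above, together with the Satisfy policy used in the .ht* block, so the two default containers on this page can be checked against a client address. The rule sets, client addresses and the helper names host_allowed and access_granted are this example's own assumptions.

```python
"""Evaluate Apache 2.2-style host access control (Order / Allow from /
Deny from) combined with the Satisfy directive.

Added example, not code from the original post; the evaluation rules are
the ones the configuration comments describe. All rule sets and client
addresses used here are constructed.
"""
import ipaddress


def _matches(rule, client_ip):
    """Does one 'Allow from' / 'Deny from' argument match the client?
    Supports 'all', a full address, a CIDR block, or a partial dotted
    prefix such as '10.1' (Apache treats a partial address as a prefix).
    Host names are not resolved here and therefore never match."""
    rule = rule.strip().lower()
    if rule == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in rule:
        return addr in ipaddress.ip_network(rule, strict=False)
    try:
        return addr == ipaddress.ip_address(rule)
    except ValueError:
        # Partial dotted prefix: compare the leading octets
        return str(addr).startswith(rule.rstrip(".") + ".")


def host_allowed(order, allow, deny, client_ip):
    """Return True if the host restrictions admit client_ip.

    Order deny,allow: Deny is evaluated first, Allow second, default allow.
    Order allow,deny: Allow is evaluated first, Deny second, default deny.
    When both match, the directive evaluated last wins.
    """
    order = order.replace(" ", "").lower()
    allow_hit = any(_matches(r, client_ip) for r in allow)
    deny_hit = any(_matches(r, client_ip) for r in deny)
    if order == "deny,allow":
        allowed = True            # default state
        if deny_hit:
            allowed = False
        if allow_hit:
            allowed = True        # Allow evaluated last, overrides Deny
        return allowed
    if order == "allow,deny":
        allowed = False           # default state
        if allow_hit:
            allowed = True
        if deny_hit:
            allowed = False       # Deny evaluated last, overrides Allow
        return allowed
    raise ValueError("unsupported Order: " + order)


def access_granted(order, allow, deny, client_ip, satisfy="All",
                   requires_auth=False, credentials_valid=False):
    """Combine the host check with user authentication as Satisfy says.

    Satisfy only matters when the area is protected by host rules *and*
    a Require directive; otherwise the host rules alone decide.
    """
    by_host = host_allowed(order, allow, deny, client_ip)
    if not requires_auth:
        return by_host
    if satisfy.lower() == "any":
        return by_host or credentials_valid
    return by_host and credentials_valid   # Satisfy All (the default)


if __name__ == "__main__":
    # The <Directory /> default on this page: everything denied
    print(host_allowed("deny,allow", [], ["all"], "203.0.113.5"))
    # The DocumentRoot container: everything allowed
    print(host_allowed("allow,deny", ["all"], [], "203.0.113.5"))
```

The two containers on this page differ only in their default state and ordering: "Order deny,allow" with "Deny from all" leaves nothing to re-allow, so the root of the filesystem stays closed, while "Order allow,deny" with "Allow from all" opens the DocumentRoot. A later "Deny from" in an allow,deny container always wins because it is evaluated last.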
################# Error log location ##############
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"
################## Log level (log content and format) ####################
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
#
#%% percent sign (Apache 2.0.44 or later)
#%a remote IP address
#%A local IP address
#%B bytes sent, excluding HTTP headers
#%b bytes sent, excluding HTTP headers, in CLF format: '-' rather than 0 when no bytes are sent
#%{Foobar}C contents of cookie Foobar in the request sent to the server
#%D time taken to serve the request, in microseconds
#%{FOOBAR}e contents of environment variable FOOBAR
#%f file name
#%h remote host
#%H request protocol
#%{Foobar}i contents of the Foobar: header line in the request sent to the server
#%l remote log name (from identd, if supported); returns "-" unless IdentityCheck is set to "On"
#%m request method
#%{Foobar}n contents of note Foobar from another module
#%{Foobar}o contents of the Foobar: header line in the reply
#%p canonical port of the server serving the request
#%P process ID of the child that served the request
#%{format}P process ID or thread ID of the child that served the request; valid formats are pid and tid (2.0.46 and later) and hextid (requires APR 1.2.0 or later)
#%q query string (prefixed with a "?" if one exists, otherwise an empty string)
#%r first line of the request
#%s status. For internally redirected requests this is the status of the original request; %>s is the status of the last request.
#%t time, in common log format (standard English format)
#%{format}t time, in the form given by format, which should be in strftime(3) format (localized by default)
#%T time taken to serve the request, in seconds
#%u remote user (from auth; may be bogus if the return status (%s) is 401)
#%U URL path requested, not including any query string
#%v canonical ServerName of the server serving the request
#%V server name according to the UseCanonicalName setting
#%X connection status when the response is completed: X = connection aborted before the response completed,
# += connection may be kept alive after the response is sent,
# -= connection closed after the response is sent.
# (In versions after 1.3 this directive was %c, but that conflicted with the historical SSL %{var}c syntax.)
#%I bytes received, including request headers; cannot be zero. mod_logio must be enabled to use this directive.
#%O bytes sent, including headers; cannot be zero. mod_logio must be enabled to use this directive.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# You need to enable mod_logio.c to use %I and %O
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a
# container, they will be logged here. Contrariwise, if you *do*
# define per-
# logged therein and *not* in this file.
#
CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#CustomLog "logs/access_log" combined
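An added example, not part of the original post: a parser for the "combined" LogFormat defined above, run over a few constructed access_log lines, that counts 401 responses per client host and lists the 403 responses for .ht* files that the protection block above produces. The names COMBINED_RE, parse_line, parse_log, auth_failures_by_host and denied_ht_files, and the sample lines in SAMPLE_LOG, are this example's own.

```python
"""Parse Apache access_log lines written with the 'combined' LogFormat
and summarise authentication failures per client.

Added example, not code from the original post. The regular expression
follows the field order of the page's LogFormat "combined" string; the
log lines below are constructed samples, not real traffic.
"""
import re
from collections import Counter
from datetime import datetime

# %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (documentation addresses, made-up timestamps)
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:03:26:05 +0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:03:26:06 +0800] "GET /.htpasswd HTTP/1.1" 403 - "-" "curl/7.30"
198.51.100.9 - admin [25/Sep/2014:03:27:00 +0800] "GET /private/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - admin [25/Sep/2014:03:27:01 +0800] "GET /private/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - admin [25/Sep/2014:03:27:02 +0800] "GET /private/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Return a dict of the combined-format fields, or None if the line
    does not match (a malformed line must never abort log processing)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b prints '-' instead of 0 when no body bytes were sent (CLF rule)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %t uses the common log time format, e.g. 25/Sep/2014:03:26:05 +0800
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # %r is "METHOD PATH PROTOCOL"; split out method and path
    method, _, rest = rec["request"].partition(" ")
    rec["method"] = method
    rec["path"] = rest.rsplit(" ", 1)[0] if rest else ""
    return rec


def parse_log(text):
    """Parse every line; unparseable lines are counted, not raised."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def auth_failures_by_host(records):
    """Count 401 responses per client host (a simple brute-force signal)."""
    return Counter(r["host"] for r in records if r["status"] == 401)


def denied_ht_files(records):
    """Requests for .ht* files that were refused with 403, as the
    protection block for .htaccess/.htpasswd is meant to produce."""
    return [(r["host"], r["path"]) for r in records
            if r["status"] == 403
            and r["path"].rsplit("/", 1)[-1].startswith(".ht")]


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    print(len(recs), "records parsed,", skipped, "skipped")
    print(auth_failures_by_host(recs))
    print(denied_ht_files(recs))
```

The parser deliberately returns None for a line it cannot match instead of raising: one corrupted or truncated line in a production log must not stop processing of the rest. The same regular expression can be extended with two trailing numeric groups to read the "combinedio" format that adds %I and %O.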
############################# Redirects and aliases #####################
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a
# the filesystem path.
#
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
############################ CGI daemon settings ####################
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#ScriptSock
#Scriptsock logs/cgisock
#
# "/usr/local/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
AllowOverride None
Options None
Order allow,deny
Allow from all
####################### MIME type settings ######################
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
DefaultType text/plain
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#TypesConfig
TypesConfig conf/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
######################### Error responses ######################
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402
#
######################## MMAP settings ####################
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#EnableMMAP off
#EnableSendfile off
############################ Other included configuration files ################
# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
############################# SSL settings ###############################
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
# Seed sources for the pseudo-random number generator (PRNG)
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
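To tie the walk-through above together, here is an added example (not code from the post or from the Apache project) that reads a small constructed httpd.conf, resolves ServerRoot-relative file names the way the "Configuration and logfile names" comment describes, and flags the settings this page treats as sensitive: User/Group, the restrictive default for the root of the filesystem, Options values such as Indexes or ExecCGI, and AllowOverride. The <Directory> containers in the sample are an assumption, since the extracted text of this page no longer shows them; parse_conf, log_paths, lint and SAMPLE_CONF are names chosen for this example.

```python
"""Lint a small httpd.conf for the settings discussed in the walk-through
and resolve ServerRoot-relative log file names.

Added example, not code from the original post or from Apache. The
configuration text below is constructed; the <Directory> containers it
contains are assumed to match the two containers the page describes.
"""
import posixpath
import re
import shlex

# Constructed sample: the page's defaults plus a deliberately loose
# DocumentRoot container so the linter has something to report.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
Listen 80
User daemon
Group daemon
DocumentRoot "/usr/local/apache/htdocs"
ErrorLog "logs/error_log"
CustomLog "logs/access_log" common
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
"""


def parse_conf(text):
    """Minimal parser: top-level directives plus <Directory> sections.
    Returns (globals, sections); directive names are lowercased keys and
    the raw argument string is the value. Comments and blank lines are
    skipped, as the configuration overview says."""
    globals_, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Directory\s+(.+?)>$", line, re.I)
        if m:
            current = sections.setdefault(shlex.split(m.group(1))[0], {})
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        parts = line.split(None, 1)
        name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        (globals_ if current is None else current)[name.lower()] = arg
    return globals_, sections


def first_arg(value):
    """First (possibly quoted) argument of a directive."""
    return shlex.split(value)[0] if value else ""


def resolve_path(server_root, value):
    """Names not starting with '/' are taken relative to ServerRoot."""
    return value if value.startswith("/") else posixpath.join(server_root, value)


def log_paths(text):
    """Absolute paths of ErrorLog and CustomLog after ServerRoot resolution."""
    g, _ = parse_conf(text)
    root = first_arg(g.get("serverroot", ""))
    return {name: resolve_path(root, first_arg(g[name]))
            for name in ("errorlog", "customlog") if name in g}


def lint(text):
    """Return a list of (severity, message) findings."""
    g, sections = parse_conf(text)
    findings = []
    for who in ("user", "group"):
        if g.get(who, "root") == "root":
            findings.append(("high", f"{who.capitalize()} missing or set to root"))
    root = sections.get("/", {})
    if (root.get("order", "").replace(" ", "").lower() != "deny,allow"
            or root.get("deny", "").lower() != "from all"):
        findings.append(("high", "<Directory /> lacks the restrictive default "
                                 "'Order deny,allow' + 'Deny from all'"))
    for path, d in sections.items():
        opts = {o.lstrip("+-").lower() for o in d.get("options", "").split()}
        for risky in sorted(opts & {"indexes", "execcgi", "includes", "all"}):
            findings.append(("medium", f"{path}: Options enables {risky}"))
        ov = d.get("allowoverride", "")
        if ov.lower() != "none":
            findings.append(("medium", f"{path}: AllowOverride is "
                                       f"'{ov or 'unset'}', so .htaccess files can change these settings"))
    return findings


if __name__ == "__main__":
    print(log_paths(SAMPLE_CONF))
    for severity, message in lint(SAMPLE_CONF):
        print(severity, message)
```

Running it on the sample reports the three loose settings of the DocumentRoot container (Indexes, ExecCGI and AllowOverride All) and nothing for the root container, whose "Order deny,allow" plus "Deny from all" is exactly the closed default the page recommends; a configuration with "User root" or without that root container is reported as high severity.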
3) Supplementary configuration files
httpd-autoindex.conf (controls the display of directory listings)
#
# Directives controlling the display of server-generated directory listings.
# Required modules: mod_autoindex, mod_alias
#
# To see the listing of a directory, the Options directive for the
# directory must include "Indexes", and the directory must not contain
# a file matching those listed in the DirectoryIndex directive.
#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
IndexOptions FancyIndexing HTMLTable VersionSort
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
Alias /icons/ "/usr/local/apache/icons/"
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#设置默认的(即不识别的扩展名)图标。
DefaultIcon /icons/unknown.gif
#
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#AddDescription允许您为服务器上在文件中生成的索引创建一个简短的说明。这只是显示为FancyIndexed指令。格式:AddDescription“说明”文件类型
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
#ReadmeName是README文件的名称,服务器默认情况下将寻找并追加到目录列表。HeaderName是应追加到目录列表的文件名
ReadmeName README.html
HeaderName HEADER.html
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
# IndexIgnore: files the directory index should ignore. Shell-style wildcards are allowed.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
httpd-vhosts.conf (virtual host configuration)
#
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
# If you want to host multiple domains/hostnames on your server, you can set up VirtualHost containers for them. Most configurations use name-based virtual hosts, so there is no need to worry about IP addresses; the asterisks in the directives below indicate this.
# Please see the documentation at
# <>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
# You can use the -S command line option to verify your virtual host configuration.
#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/apache/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "/usr/local/apache/docs/dummy-host2.example.com"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>
httpd-userdir.conf (user home directories served as websites)
# Settings for user home directories
#
# Required module: mod_userdir
# User home directory settings: this directory name is appended to the user's home directory when a ~user request arrives. Note that you must also set the default access control for these directories.
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received. Note that you must also set
# the default access control for these directories, as in the example below.
#
UserDir public_html
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
# Access control for UserDir directories. The example below restricts them to read-only.
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
# Reference
httpd-manual.conf (access to the server documentation)
# Provides access to the documentation on the server
# Provide access to the documentation on your server as
#
# The documentation is always available at
#
#
# Required modules: mod_alias, mod_setenvif, mod_negotiation
#
AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "/usr/local/apache/manual$1"

<Directory "/usr/local/apache/manual">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all

    <Files *.html>
        SetHandler type-map
    </Files>

    # .tr is text/troff in mime.types!
    <Files *.html.tr.utf8>
        ForceType text/html
    </Files>

    SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br|ru|tr)/ prefer-language=$1
    RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br|ru|tr)){2,}(/.*)?$ /manual/$1$2
    # Available languages
    LanguagePriority en de es fr ja ko pt-br ru tr
    # Take the first available language from the list above; if none matches, the server falls back to the closest one
    ForceLanguagePriority Prefer Fallback
</Directory>
httpd-dav.conf (DAV configuration)
#
# Distributed authoring and versioning (WebDAV)
#
# Required modules: mod_dav, mod_dav_fs, mod_setenvif, mod_alias,
#                   mod_auth_digest, mod_authn_file
#
# The following example gives DAV write access to a directory called
# "uploads" under the ServerRoot directory.
# The example below grants DAV write access to an "uploads" directory under the ServerRoot. The User/Group set in httpd.conf need write permission on the directory holding the DavLockDB and on every directory where "Dav On" is specified.
# The User/Group specified in httpd.conf needs to have write permissions
# on the directory where the DavLockDB is placed and on any directory where
# "Dav On" is specified.
DavLockDB "/usr/local/apache/var/DavLock"

Alias /uploads "/usr/local/apache/uploads"

<Directory "/usr/local/apache/uploads">
    Dav On

    Order Allow,Deny
    Allow from all

    AuthType Digest
    AuthName DAV-upload

    # You can use the htdigest program to create the password database:
    #   htdigest -c "/usr/local/apache/user.passwd" DAV-upload admin
    # You can use the htdigest program to create a password database.
    AuthUserFile "/usr/local/apache/user.passwd"
    AuthDigestProvider file

    # Allow universal read-access, but writes are restricted
    # to the admin user.
    # Everyone may read, but writes are limited to the admin user.
    <LimitExcept GET OPTIONS>
        require user admin
    </LimitExcept>
</Directory>
#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
# The directives below disable redirects on non-GET requests for directories without a trailing slash. This fixes a problem with several clients that do not properly handle redirects for folders with DAV methods.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
httpd-info.conf (server information reports)
#
# Get information about the requests being processed by the server
# and the configuration of the server.
# Gets information about the requests the server is currently processing and about the server configuration
# Required modules: mod_status (for the server-status handler),
#                   mod_info (for the server-info handler)
# Allow server status reports generated by mod_status via a URL.
# Allow server status reports generated by mod_status,
# with the URL of
# Change the ".example.com" to match your domain to enable.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
# ExtendedStatus controls whether Apache generates the full status information: On gives everything, Off only basic information; the default is Off.
#ExtendedStatus On
# Allow remote server configuration reports to be displayed via a URL
# Allow remote server configuration reports, with the URL of
# (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
httpd-default.conf (HTTP default parameters)
#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
# This configuration file reflects Apache's default settings; you may change them, but you probably won't need to.
#
# Timeout: The number of seconds before receives and sends time out.
# Number of seconds before a receive or send times out
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
# Whether to allow persistent connections; Off disables them.
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
# Maximum number of requests allowed on one persistent connection; 0 means unlimited. Leave it high for best performance.
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
# Seconds to wait for the next request from the same client on the same connection
KeepAliveTimeout 5
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
# The UseCanonicalName directive determines how Apache builds self-referencing URLs and the SERVER_NAME and SERVER_PORT variables. When Off, Apache uses the hostname and port supplied by the client; when On, it uses the value of the ServerName directive.
UseCanonicalName Off
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
# Name of the file looked for in each directory for additional configuration directives.
AccessFileName .htaccess
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
# This directive configures what is returned in the Server HTTP response header. The default, Full, sends information about the OS type and the compiled-in modules. Possible values are Full | OS | Minor | Minimal | Major | Prod, where Full conveys the most information and Prod the least.
ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
# Optionally adds a line with the server version and virtual host name to server-generated pages (internal error documents, FTP directory listings, mod_status and mod_info output, etc., but not CGI-generated or custom error documents). The EMail setting also includes a mailto: link to the ServerAdmin.
ServerSignature On
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
# Log client host names (On) or just their IP addresses (Off). The default is Off because logging names requires a DNS lookup for each request.
HostnameLookups Off
httpd-languages.conf (language settings)
# Settings for hosting different languages.
#
# Required modules: mod_mime, mod_negotiation
# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
# DefaultLanguage and AddLanguage let you specify a document's language. Content negotiation can then serve the browser a file in a language the user understands.
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
# Specify a default language: all data sent without a specific language tag will be marked with it. You probably do NOT want to set this unless you are sure it is correct in every case.
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
# Not marking a page with a language at all is much better than marking it with the wrong one.
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
# Where the suffix differs from the language code, use AddLanguage to avoid a clash with the usual Perl script suffix.
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
# The examples below show cases where the two-letter language abbreviation does not match the two-letter country code.
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
# In some cases we violate the RFC by using a three-character code; there is work in progress to fix this and clean up the rfc1766 reference data.
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Turkish (tr) - Simplified Chinese (zh-CN) - Spanish (es)
# Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage tr .tr
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
# LanguagePriority lets you give some languages precedence when content negotiation ends in a tie. Languages are listed in decreasing order of preference; the default is roughly alphabetical, and you may want to change it.
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW
#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
# Take the first usable language; if none is found, the server tries the closest match.
ForceLanguagePriority Prefer Fallback
#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See for the
# official list of charset names and their respective RFCs.
# Common filename extensions are mapped to character sets. You probably want to avoid clashes with the language extensions, unless you carefully test your setup after each change. See the referenced page for the official list of charset names and their RFCs.
AddCharset us-ascii.ascii .us-ascii
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .arb .arabic
AddCharset ISO-8859-7 .iso8859-7 .grk .greek
AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew
AddCharset ISO-8859-9 .iso8859-9 .latin5 .trk
AddCharset ISO-8859-10 .iso8859-10 .latin6
AddCharset ISO-8859-13 .iso8859-13
AddCharset ISO-8859-14 .iso8859-14 .latin8
AddCharset ISO-8859-15 .iso8859-15 .latin9
AddCharset ISO-8859-16 .iso8859-16 .latin10
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5.Big5 .big5 .b5
AddCharset cn-Big5 .cn-big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8 .koi8
AddCharset KOI8-E .koi8-e
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-U .koi8-u
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-7 .utf7
AddCharset UTF-8 .utf8
AddCharset UTF-16 .utf16
AddCharset UTF-16BE .utf16be
AddCharset UTF-16LE .utf16le
AddCharset UTF-32 .utf32
AddCharset UTF-32BE .utf32be
AddCharset UTF-32LE .utf32le
AddCharset euc-cn .euc-cn
AddCharset euc-gb .euc-gb
AddCharset euc-jp .euc-jp
AddCharset euc-kr .euc-kr
#Not sure how euc-tw got in - IANA doesn't list it???
AddCharset EUC-TW .euc-tw
AddCharset gb2312 .gb2312 .gb
AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
AddCharset shift_jis .shift_jis .sjis
httpd-multilang-errordoc.conf (multi-language error document settings)
# The configuration below implements multi-language error documents through content negotiation
# The configuration below implements multi-language error documents through
# content-negotiation.
#
# Required modules: mod_alias, mod_include, mod_negotiation
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/local/apache/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis. The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
Alias /error/ "/usr/local/apache/error/"

<Directory "/usr/local/apache/error">
    AllowOverride None
    Options IncludesNoExec
    AddOutputFilter Includes html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
    ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
httpd-mpm.conf (MPM management)
# Server pool management
# Server-Pool Management (MPM specific)
#
# The file in which the server process records its PID.
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
# Note that this is the default PidFile for most MPMs.
#
PidFile "logs/httpd.pid"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
# Lock file used to serialize accept(); it must be stored on a local disk.
LockFile "logs/accept.lock"
#
# Only one of the below sections will be relevant on your
# installed httpd. Use "apachectl -l" to find out the
# active mpm.
# Only one of the sections below applies to your installed httpd. Use "apachectl -l" to find the active MPM.
# Parameter settings for each MPM type.
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

# BeOS MPM
# StartThreads: how many threads do we initially spawn?
# MaxClients: max number of threads we can have (1 thread == 1 client)
# MaxRequestsPerThread: maximum number of requests each thread will process
<IfModule mpm_beos_module>
    StartThreads            10
    MaxClients              50
    MaxRequestsPerThread 10000
</IfModule>

# NetWare MPM
# ThreadStackSize: Stack size allocated for each worker thread
# StartThreads: Number of worker threads launched at server startup
# MinSpareThreads: Minimum number of idle threads, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads
# MaxThreads: Maximum number of worker threads alive at the same time
# MaxRequestsPerChild: Maximum number of requests a thread serves. It is
#                      recommended that the default value of 0 be set for this
#                      directive on NetWare. This will allow the thread to
#                      continue to service requests indefinitely.
# Maximum number of requests a thread serves; on NetWare leave it at 0 so threads keep serving requests indefinitely.
<IfModule mpm_netware_module>
    ThreadStackSize      65536
    StartThreads           250
    MinSpareThreads         25
    MaxSpareThreads        250
    MaxThreads            1000
    MaxRequestsPerChild      0
    MaxMemFree             100
</IfModule>

# OS/2 MPM
# StartServers: Number of server processes to maintain
# MinSpareThreads: Minimum number of idle threads per process,
#                  to handle request spikes
# MaxSpareThreads: Maximum number of idle threads per process
# MaxRequestsPerChild: Maximum number of connections per server process
<IfModule mpm_mpmt_os2_module>
    StartServers           2
    MinSpareThreads        5
    MaxSpareThreads       10
    MaxRequestsPerChild    0
</IfModule>

# WinNT MPM
# ThreadsPerChild: constant number of worker threads in the server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_winnt_module>
    ThreadsPerChild      150
    MaxRequestsPerChild    0
</IfModule>
httpd-ssl.conf (SSL configuration file)
# SSL configuration file
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
# Pseudo Random Number Generator (PRNG): configure one or more sources to seed the SSL library's PRNG; the seed data should be of good random quality. Warning: on some platforms /dev/random blocks when not enough entropy is available, so it cannot be used there because it would cause very long connection times (as long as it takes for more entropy to become available). Those platforms usually also provide a non-blocking /dev/urandom device; if available, use that instead. See the mod_ssl user manual for details.
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# SSL listen port. Note that listening on IPv6 requires the two Listen directives described below.
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
## The configuration below applies to both the main server and all SSL virtual hosts.
#
# Some MIME-types for downloading Certificates and CRLs
# MIME types for certificates and CRLs.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
# Pass phrase dialog: configures the program that gathers the pass phrase. The filtering dialog program must provide the pass phrase on stdout; builtin is the internal terminal dialog.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# Inter-process session cache: first the cache mechanism, then the expiry timeout.
#SSLSessionCache "dbm:/usr/local/apache/logs/ssl_scache"
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# Path of the mutual-exclusion semaphore the SSL engine uses internally for inter-process synchronisation
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
##
## SSL Virtual Host Context
## SSL virtual host configuration
##

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
# SSL Engine Switch: whether SSL is enabled
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite: lists the ciphers the client is permitted to negotiate.
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate: point SSLCertificateFile at a PEM-encoded certificate. If the certificate is encrypted you will be prompted for the pass phrase; note that a kill -HUP prompts again. If you have both an RSA and a DSA certificate you can configure both in parallel (to also allow DSA ciphers, etc.)
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile "/usr/local/apache/conf/server.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# Server private key: if the key is not combined with the certificate, use this directive to point at the key file. If you have both an RSA and a DSA private key you can configure both in parallel (to also allow DSA ciphers, etc.)
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
# Server certificate chain: a file containing the concatenated PEM-encoded CA certificates that form the chain for the server certificate. Alternatively it may be the same file as SSLCertificateFile when the CA certificates are appended directly to the server certificate.
#SSLCertificateChainFile "/usr/local/apache/conf/server-ca.crt"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
# Certificate Authority (CA): set the path where CA certificates for client authentication are found, or alternatively one big file containing all of them (PEM encoded). Note: inside SSLCACertificatePath you need hash symlinks pointing to the certificate files; use the provided Makefile to update them after changes.
#SSLCACertificatePath "/usr/local/apache/conf/ssl.crt"
#SSLCACertificateFile "/usr/local/apache/conf/ssl.crt/ca-bundle.crt"
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
# Certificate Revocation Lists (CRL): set the CA revocation path where CRLs for client authentication are found, or alternatively one big file containing all of them (PEM encoded). Note: inside SSLCARevocationPath you need hash symlinks pointing to the CRL files; use the provided Makefile to update them after changes.
#SSLCARevocationPath "/usr/local/apache/conf/ssl.crl"
#SSLCARevocationFile "/usr/local/apache/conf/ssl.crl/ca-bundle.crl"
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
# Client authentication (type): client certificate verification type and depth. Types are none, optional, require and optional_no_ca. Depth is a number specifying how deeply the issuer chain is verified before the certificate is declared invalid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
# Access control: with SSLRequire you can do per-directory access control based on arbitrarily complex boolean expressions containing server variable checks and other lookup directives. The syntax is a mixture of C and Perl. See the mod_ssl documentation for details.
#
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
#   Translate the client X.509 into a Basic Authorisation. This means that
#   the standard Auth/DBMAuth methods can be used for access control. The
#   user name is the `one line' version of the client's X.509 certificate.
#   Note that no password is obtained from the user. Every entry in the user
#   file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
#   This exports two additional environment variables: SSL_CLIENT_CERT and
#   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#   server (always existing) and the client (only existing when client
#   authentication is used). This can be used to import the certificates
#   into CGI scripts.
# o StdEnvVars:
#   This exports the standard SSL/TLS related `SSL_*' environment variables.
#   Per default this exportation is switched off for performance reasons,
#   because the extraction step is an expensive operation and is usually
#   useless for serving static content. So one usually enables the
#   exportation for CGI and SSI requests only.
# o StrictRequire:
#   This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#   under a "Satisfy any" situation, i.e. when it applies access is denied
#   and no other module can change it.
# o OptRenegotiate:
#   This enables optimized SSL connection renegotiation handling when SSL
#   directives are used in per-directory context.
# SSL engine options
# StdEnvVars
#   When enabled, the SSL-related standard CGI/SSI environment variables are created. This is off by default for performance reasons, because extracting these values is expensive. It is usually enabled only for CGI/SSI scripts.
# CompatEnvVars
#   When enabled, the additional CGI/SSI environment variables added for compatibility with other SSL solutions are created. See the compatibility section for details of exactly which variables are created.
# ExportCertData
#   When enabled, the additional CGI/SSI variables SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n (n=0,1,2,...) are created. They hold the PEM-encoded server and client X.509 certificates of the current HTTPS connection, plus every certificate in the client's chain, so CGI scripts can perform deeper certificate checks.
# FakeBasicAuth
#   When enabled, the "Subject" distinguished name (DN) of the client X.509 certificate (shown by "openssl x509 -noout -subject -in certificate.crt") is turned into the HTTP Basic authentication user name. This means the standard Apache authentication methods can be used for access control. Note that no password is obtained from the user, so the password for every user name is "xxj31ZMTZzkVA", which is "password" under DES crypt. On systems using MD5-based crypt (the BSDs) use "$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/" as the password instead.
# StrictRequire
#   When enabled, access is forcibly denied whenever SSLRequireSSL or SSLRequire denies it. By default, with "Satisfy any", access is allowed if some access-control check other than SSLRequireSSL/SSLRequire passes, which is what Satisfy intends. With "SSLOptions +StrictRequire" you can use SSLRequireSSL and/or SSLRequire to enforce "Satisfy All" behaviour on SSL connections.
# OptRenegotiate
#   By default a full SSL re-handshake and renegotiation is performed whenever the SSL configuration of a particular directory changes. When enabled, renegotiation is optimised: unnecessary handshakes are skipped and only fine-grained parameter checks are done (still secure). Since parameter checks alone are not always what the user expects, enable this only for specific directories.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
#   This forces an unclean shutdown when the connection is closed, i.e. no
#   SSL close notify alert is sent or allowed to be received. This violates
#   the SSL/TLS standard but is needed for some brain-dead browsers. Use
#   this when you receive I/O errors because of the standard approach where
#   mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
#   This forces an accurate shutdown when the connection is closed, i.e. a
#   SSL close notify alert is sent and mod_ssl waits for the close notify
#   alert of the client. This is 100% SSL/TLS standard compliant, but in
#   practice often causes hanging connections with brain-dead browsers. Use
#   this only for browsers where you know that their SSL implementation
#   works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# SSL protocol adjustments: the safe default, still SSL/TLS standard compliant, shutdown approach is that mod_ssl sends the close-notify alert but does not wait for the client's. When you need a different shutdown approach use one of: ssl-unclean-shutdown (for browsers that would otherwise hang) or ssl-accurate-shutdown (only when you are sure the browser will not hang).
#
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
# Per-Server Logging: SSL access log.
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/usr/local/apache/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
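The SSLRequire example in the access-control section above is a boolean policy over mod_ssl variables. The following added example (not code from the blog post or from mod_ssl) re-expresses it in Python so both branches can be exercised; the scenario dictionaries are constructed, and the variable names are the ones mod_ssl exports.

```python
"""Evaluate the page's SSLRequire example against constructed mod_ssl
environments to show which requests it admits.

Added example for this page; not the blog's or mod_ssl's own code."""
import re

WEAK_CIPHER = re.compile(r"^(EXP|NULL)")                 # %{SSL_CIPHER} !~ m/^(EXP|NULL)/
INTERNAL_NET = re.compile(r"^192\.76\.162\.[0-9]+$")     # same pattern as the page


def ssl_require_policy(env):
    """Return True when the page's SSLRequire expression would grant access.

    env holds the variables mod_ssl exposes: SSL_CIPHER, SSL_CLIENT_S_DN_O,
    SSL_CLIENT_S_DN_OU, TIME_WDAY (0 = Sunday), TIME_HOUR and REMOTE_ADDR.
    Missing variables behave like empty strings, as they do in SSLRequire."""
    get = env.get
    cipher_ok = WEAK_CIPHER.match(get("SSL_CIPHER", "")) is None
    org_ok = get("SSL_CLIENT_S_DN_O") == "Snake Oil, Ltd."          # eq
    ou_ok = get("SSL_CLIENT_S_DN_OU") in {"Staff", "CA", "Dev"}    # in {...}
    weekday = 1 <= int(get("TIME_WDAY", -1)) <= 5
    office_hours = 8 <= int(get("TIME_HOUR", -1)) <= 20
    certificate_branch = cipher_ok and org_ok and ou_ok and weekday and office_hours
    # The 'or' branch never looks at the certificate, cipher or time: any
    # client from this address range is admitted outright.
    network_branch = INTERNAL_NET.match(get("REMOTE_ADDR", "")) is not None
    return certificate_branch or network_branch


# Constructed scenario base (not captured from a real server): a staff
# certificate on a strong cipher from an external address.
STAFF_CERT = {
    "SSL_CIPHER": "AES256-SHA",
    "SSL_CLIENT_S_DN_O": "Snake Oil, Ltd.",
    "SSL_CLIENT_S_DN_OU": "Staff",
    "REMOTE_ADDR": "203.0.113.7",
}


def run_scenarios():
    """Map scenario name -> access decision for a handful of edge cases."""
    return {
        "staff, Tuesday 10:00":
            ssl_require_policy({**STAFF_CERT, "TIME_WDAY": 2, "TIME_HOUR": 10}),
        "staff, Saturday 10:00":
            ssl_require_policy({**STAFF_CERT, "TIME_WDAY": 6, "TIME_HOUR": 10}),
        "staff, Tuesday 23:00":
            ssl_require_policy({**STAFF_CERT, "TIME_WDAY": 2, "TIME_HOUR": 23}),
        "staff but export cipher":
            ssl_require_policy({**STAFF_CERT, "SSL_CIPHER": "EXP-RC4-MD5",
                                "TIME_WDAY": 2, "TIME_HOUR": 10}),
        "contractor OU":
            ssl_require_policy({**STAFF_CERT, "SSL_CLIENT_S_DN_OU": "Contractor",
                                "TIME_WDAY": 2, "TIME_HOUR": 10}),
        "no cert, internal net, Sunday 03:00":
            ssl_require_policy({"REMOTE_ADDR": "192.76.162.42",
                                "TIME_WDAY": 0, "TIME_HOUR": 3}),
        "no cert, look-alike address":
            ssl_require_policy({"REMOTE_ADDR": "192.76.16.2",
                                "TIME_WDAY": 0, "TIME_HOUR": 3}),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:40s} -> {'allow' if allowed else 'deny'}")
```

The scenario table makes the design point visible: the `or` branch admits the 192.76.162.x range without any certificate, cipher or time check, so that network segment itself becomes the trust anchor.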
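The httpd-default.conf section above ships with ServerTokens Full and ServerSignature On, and the httpd-ssl.conf section with an SSLCipherSuite that never excludes the LOW, EXP, SSLv2 or eNULL families. The following added example (not code from the blog post or from Apache) audits a configuration fragment for exactly those settings; the two sample configurations are constructed to mirror the page's defaults and a hardened counterpart, and the list of weak cipher families is this example's own choice.

```python
"""Audit an httpd configuration fragment for the information-disclosure and
weak-TLS settings discussed on this page.

Added example for this page; not the blog's or Apache's own code."""

# Constructed sample: the values the page shows as shipped defaults.
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
HostnameLookups Off
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLVerifyClient require
</VirtualHost>
"""

# Constructed hardened counterpart: minimal Server header, no signature,
# and a cipher string that removes the weak families with '!'.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
HostnameLookups Off
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4
</VirtualHost>
"""

# OpenSSL cipher-string families a defender does not want left enabled
# (this example's own list, not an Apache or OpenSSL constant).
WEAK_FAMILIES = {"LOW", "EXP", "SSLv2", "eNULL", "aNULL", "ADH", "RC4"}


def parse_directives(text):
    """Return {directive_lower: argument_string} for active directives.

    Blank lines, '#' comments (so a commented-out '#SSLVerifyClient' is not
    active) and container tags such as <VirtualHost> are skipped; a later
    occurrence of a directive overrides an earlier one."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, arg = line.partition(" ")
        seen[name.lower()] = arg.strip()
    return seen


def weak_cipher_families(cipher_string):
    """List the weak families a cipher string leaves enabled, sorted.

    A '!' prefix removes a family permanently, so '!ADH' is not a finding.
    '+' only moves matching ciphers to the end of the list and '-' removes
    them in a way a later element can re-add, so neither counts as disabled."""
    enabled = set()
    for elem in cipher_string.split(":"):
        if elem.startswith("!"):
            continue
        # 'RC4+RSA' means ciphers that are both RC4 and RSA; check each part.
        for family in elem.lstrip("+-").split("+"):
            if family in WEAK_FAMILIES:
                enabled.add(family)
    return sorted(enabled)


def audit(conf_text):
    """Return a list of human-readable findings; an empty list means clean."""
    d = parse_directives(conf_text)
    findings = []
    tokens = d.get("servertokens", "Full")  # Apache's own default is Full
    if tokens.lower() != "prod":
        findings.append(f"ServerTokens {tokens}: Server header reveals "
                        "version/OS/modules; use Prod")
    if d.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature On: version string appended to "
                        "error pages and listings; use Off")
    if d.get("hostnamelookups", "Off").lower() != "off":
        findings.append("HostnameLookups On: at least one DNS lookup per request")
    if d.get("sslengine", "off").lower() == "on":
        weak = weak_cipher_families(d.get("sslciphersuite", "DEFAULT"))
        if weak:
            findings.append("SSLCipherSuite leaves weak families enabled: "
                            + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, conf in (("shipped defaults", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```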
5. Service maintenance
Reference:
http://hi.baidu.com/gaoyanhui999/blog/item/5ff87624c58a7b34c89559e4.html