<-
Apache > HTTP Server > Documentation > Version 2.4 > Modules

Apache Core Features

Available Languages:  de  |  en  |  es  |  fr  |  ja  |  tr 

Description:Core Apache HTTP Server features that are always available
Status:Core

Directives

top

AcceptFilter Directive

Description:Configures optimizations for a Protocol's Listener Sockets
Syntax:AcceptFilter protocol accept_filter
Context:server config
Status:Core
Module:core

This directive enables operating system specific optimizations for a listening socket by the Protocol type. The basic premise is for the kernel to not send a socket to the server process until either data is received or an entire HTTP Request is buffered. Only FreeBSD's Accept Filters, Linux's more primitive TCP_DEFER_ACCEPT, and Windows' optimized AcceptEx() are currently supported.

Using none for an argument will disable any accept filters for that protocol. This is useful for protocols that require a server send data first, such as ftp: or nntp:

AcceptFilter nntp none

The default protocol names are https for port 443 and http for all other ports. To specify another protocol is being used with a listening port, add the protocol argument to the Listen directive.

The default values on FreeBSD are:

AcceptFilter http httpready
AcceptFilter https dataready

The httpready accept filter buffers entire HTTP requests at the kernel level. Once an entire request is received, the kernel then sends it to the server. See the accf_http(9) man page for more details. Since HTTPS requests are encrypted only the accf_data(9) filter is used.

The default values on Linux are:

AcceptFilter http data
AcceptFilter https data

Linux's TCP_DEFER_ACCEPT does not support buffering http requests. Any value besides none will enable TCP_DEFER_ACCEPT on that listener. For more details see the Linux tcp(7) man page.

The default values on Windows are:

AcceptFilter http data
AcceptFilter https data

Window's mpm_winnt interprets the AcceptFilter to toggle the AcceptEx() API, and does not support http protocol buffering. There are two values which utilize the Windows AcceptEx() API and will recycle network sockets between connections. data waits until data has been transmitted as documented above, and the initial data buffer and network endpoint addresses are all retrieved from the single AcceptEx() invocation. connect will use the AcceptEx() API, also retrieve the network endpoint addresses, but like none the connect option does not wait for the initial data transmission.

On Windows, none uses accept() rather than AcceptEx() and will not recycle sockets between connections. This is useful for network adapters with broken driver support, as well as some virtual network providers such as vpn drivers, or spam, virus or spyware filters.

See also

top

AcceptPathInfo Directive

Description:Resources accept trailing pathname information
Syntax:AcceptPathInfo On|Off|Default
Default:AcceptPathInfo Default
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

This directive controls whether requests that contain trailing pathname information that follows an actual filename (or non-existent file in an existing directory) will be accepted or rejected. The trailing pathname information can be made available to scripts in the PATH_INFO environment variable.

For example, assume the location /test/ points to a directory that contains only the single file here.html. Then requests for /test/here.html/more and /test/nothere.html/more both collect /more as PATH_INFO.

The three possible arguments for the AcceptPathInfo directive are:

Off
A request will only be accepted if it maps to a literal path that exists. Therefore a request with trailing pathname information after the true filename such as /test/here.html/more in the above example will return a 404 NOT FOUND error.
On
A request will be accepted if a leading path component maps to a file that exists. The above example /test/here.html/more will be accepted if /test/here.html maps to a valid file.
Default
The treatment of requests with trailing pathname information is determined by the handler responsible for the request. The core handler for normal files defaults to rejecting PATH_INFO requests. Handlers that serve scripts, such as cgi-script and isapi-handler, generally accept PATH_INFO by default.

The primary purpose of the AcceptPathInfo directive is to allow you to override the handler's choice of accepting or rejecting PATH_INFO. This override is required, for example, when you use a filter, such as INCLUDES, to generate content based on PATH_INFO. The core handler would usually reject the request, so you can use the following configuration to enable such a script:

<Files "mypaths.shtml">
  Options +Includes
  SetOutputFilter INCLUDES
  AcceptPathInfo On
</Files>
top

AccessFileName Directive

Description:Name of the distributed configuration file
Syntax:AccessFileName filename [filename] ...
Default:AccessFileName .htaccess
Context:server config, virtual host
Status:Core
Module:core

While processing a request the server looks for the first existing configuration file from this list of names in every directory of the path to the document, if distributed configuration files are enabled for that directory. For example:

AccessFileName .acl

before returning the document /usr/local/web/index.html, the server will read /.acl, /usr/.acl, /usr/local/.acl and /usr/local/web/.acl for directives, unless they have been disabled with

<Directory />
    AllowOverride None
</Directory>

See also

top

AddDefaultCharset Directive

Description:Default charset parameter to be added when a response content-type is text/plain or text/html
Syntax:AddDefaultCharset On|Off|charset
Default:AddDefaultCharset Off
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

This directive specifies a default value for the media type charset parameter (the name of a character encoding) to be added to a response if and only if the response's content-type is either text/plain or text/html. This should override any charset specified in the body of the response via a META element, though the exact behavior is often dependent on the user's client configuration. A setting of AddDefaultCharset Off disables this functionality. AddDefaultCharset On enables a default charset of iso-8859-1. Any other value is assumed to be the charset to be used, which should be one of the IANA registered charset values for use in Internet media types (MIME types). For example:

AddDefaultCharset utf-8

AddDefaultCharset should only be used when all of the text resources to which it applies are known to be in that character encoding and it is too inconvenient to label their charset individually. One such example is to add the charset parameter to resources containing generated content, such as legacy CGI scripts, that might be vulnerable to cross-site scripting attacks due to user-provided data being included in the output. Note, however, that a better solution is to just fix (or delete) those scripts, since setting a default charset does not protect users that have enabled the "auto-detect character encoding" feature on their browser.

See also

top

AllowEncodedSlashes Directive

Description:Determines whether encoded path separators in URLs are allowed to be passed through
Syntax:AllowEncodedSlashes On|Off|NoDecode
Default:AllowEncodedSlashes Off
Context:server config, virtual host
Status:Core
Module:core
Compatibility: NoDecode option available in 2.3.12 and later.

The AllowEncodedSlashes directive allows URLs which contain encoded path separators (%2F for / and additionally %5C for \ on according systems) to be used in the path info.

With the default value, Off, such URLs are refused with a 404 (Not found) error.

With the value On, such URLs are accepted, and encoded slashes are decoded like all other encoded characters.

With the value NoDecode, such URLs are accepted, but encoded slashes are not decoded but left in their encoded state.

Turning AllowEncodedSlashes On is mostly useful when used in conjunction with PATH_INFO.

Note

If encoded slashes are needed in path info, use of NoDecode is strongly recommended as a security measure. Allowing slashes to be decoded could potentially allow unsafe paths.

See also

top

AllowOverride Directive

Description:Types of directives that are allowed in .htaccess files
Syntax:AllowOverride All|None|directive-type [directive-type] ...
Default:AllowOverride None (2.3.9 and later), AllowOverride All (2.3.8 and earlier)
Context:directory
Status:Core
Module:core

When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier configuration directives.

Only available in <Directory> sections

AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.

When this directive is set to None and AllowOverrideList is set to None .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.

The directive-type can be one of the following groupings of directives.

AuthConfig
Allow use of the authorization directives (AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, etc.).
FileInfo
Allow use of the directives controlling document types (ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, and mod_mime Add* and Remove* directives), document meta data (Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName), mod_rewrite directives (RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule), mod_alias directives (Redirect, RedirectTemp, RedirectPermanent, RedirectMatch), and Action from mod_actions.
Indexes
Allow use of the directives controlling directory indexing (AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, etc.).
Limit
Allow use of the directives controlling host access (Allow, Deny and Order).
Nonfatal=[Override|Unknown|All]
Allow use of AllowOverride option to treat syntax errors in .htaccess as non-fatal: instead of causing an Internal Server Error, disallowed or unrecognised directives will be ignored and a warning logged:
  • Nonfatal=Override treats directives forbidden by AllowOverride as non-fatal.
  • Nonfatal=Unknown treats unknown directives as non-fatal. This covers typos and directives implemented by a module that's not present.
  • Nonfatal=All treats both the above as non-fatal.

Note that a syntax error in a valid directive will still cause an internal server error.

Security

Nonfatal errors may have security implications for .htaccess users. For example, if AllowOverride disallows AuthConfig, users' configuration designed to restrict access to a site will be disabled.
Options[=Option,...]
Allow use of the directives controlling specific directory features (Options and XBitHack). An equal sign may be given followed by a comma (but no spaces) separated lists of options that may be set using the Options command.

Implicit disabling of Options

Even though the list of options that may be used in .htaccess files can be limited with this directive, as long as any Options directive is allowed any other inherited option can be disabled by using the non-relative syntax. In other words, this mechanism cannot force a specific option to remain set while allowing any others to be set.

AllowOverride Options=Indexes,MultiViews

Example:

AllowOverride AuthConfig Indexes

In the example above all directives that are neither in the group AuthConfig nor Indexes cause an internal server error.

For security and performance reasons, do not set AllowOverride to anything other than None in your <Directory /> block. Instead, find (or create) the <Directory> block that refers to the directory where you're actually planning to place a .htaccess file.

See also

top

AllowOverrideList Directive

Description:Individual directives that are allowed in .htaccess files
Syntax:AllowOverrideList None|directive [directive-type] ...
Default:AllowOverrideList None
Context:directory
Status:Core
Module:core

When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier configuration directives.

Only available in <Directory> sections

AllowOverrideList is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.

When this directive is set to None and AllowOverride is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

Example:

AllowOverride None
AllowOverrideList Redirect RedirectMatch

In the example above only the Redirect and RedirectMatch directives are allowed. All others will cause an internal server error.

Example:

AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName

In the example above AllowOverride grants permission to the AuthConfig directive grouping and AllowOverrideList grants permission to only two directives from the FileInfo directive grouping. All others will cause an internal server error.

See also

top

CGIMapExtension Directive

Description:Technique for locating the interpreter for CGI scripts
Syntax:CGIMapExtension cgi-path .extension
Context:directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:NetWare only

This directive is used to control how Apache httpd finds the interpreter used to run CGI scripts. For example, setting CGIMapExtension sys:\foo.nlm .foo will cause all CGI script files with a .foo extension to be passed to the FOO interpreter.

top

ContentDigest Directive

Description:Enables the generation of Content-MD5 HTTP Response headers
Syntax:ContentDigest On|Off
Default:ContentDigest Off
Context:server config, virtual host, directory, .htaccess
Override:Options
Status:Core
Module:core

This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2616.

MD5 is an algorithm for computing a "message digest" (sometimes called "fingerprint") of arbitrary-length data, with a high degree of confidence that any alterations in the data will be reflected in alterations in the message digest.

The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit. Example header:

Content-MD5: AuLb7Dp1rqtRtxz2m9kRpA==

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached).

Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.

top

DefaultRuntimeDir Directive

Description:Base directory for the server run-time files
Syntax:DefaultRuntimeDir directory-path
Default:DefaultRuntimeDir DEFAULT_REL_RUNTIMEDIR (logs/)
Context:server config
Status:Core
Module:core
Compatibility:Available in Apache 2.4.2 and later

The DefaultRuntimeDir directive sets the directory in which the server will create various run-time files (shared memory, locks, etc.). If set as a relative path, the full path will be relative to ServerRoot.

Example

DefaultRuntimeDir scratch/

The default location of DefaultRuntimeDir may be modified by changing the DEFAULT_REL_RUNTIMEDIR #define at build time.

Note: ServerRoot should be specified before this directive is used, otherwise the default value of ServerRoot would be used to set the base directory.

See also

top

DefaultType Directive

Description:This directive has no effect other than to emit warnings if the value is not none. In prior versions, DefaultType would specify a default media type to assign to response content for which no other media type configuration could be found.
Syntax:DefaultType media-type|none
Default:DefaultType none
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:The argument none is available in Apache httpd 2.2.7 and later. All other choices are DISABLED for 2.3.x and later.

This directive has been disabled. For backwards compatibility of configuration files, it may be specified with the value none, meaning no default media type. For example:

DefaultType None

DefaultType None is only available in httpd-2.2.7 and later.

Use the mime.types configuration file and the AddType to configure media type assignments via file extensions, or the ForceType directive to configure the media type for specific resources. Otherwise, the server will send the response without a Content-Type header field and the recipient may attempt to guess the media type.

top

Define Directive

Description:Define a variable
Syntax:Define parameter-name [parameter-value]
Context:server config, virtual host, directory
Status:Core
Module:core

In its one parameter form, Define is equivalent to passing the -D argument to httpd. It can be used to toggle the use of <IfDefine> sections without needing to alter -D arguments in any startup scripts.

In addition to that, if the second parameter is given, a config variable is set to this value. The variable can be used in the configuration using the ${VAR} syntax. The variable is always globally defined and not limited to the scope of the surrounding config section.

<IfDefine TEST>
  Define servername test.example.com
</IfDefine>
<IfDefine !TEST>
  Define servername www.example.com
  Define SSL
</IfDefine>

DocumentRoot /var/www/${servername}/htdocs

Variable names may not contain colon ":" characters, to avoid clashes with RewriteMap's syntax.

top

<Directory> Directive

Description:Enclose a group of directives that apply only to the named file-system directory, sub-directories, and their contents.
Syntax:<Directory directory-path> ... </Directory>
Context:server config, virtual host
Status:Core
Module:core

<Directory> and </Directory> are used to enclose a group of directives that will apply only to the named directory, sub-directories of that directory, and the files within the respective directories. Any directive that is allowed in a directory context may be used. Directory-path is either the full path to a directory, or a wild-card string using Unix shell-style matching. In a wild-card string, ? matches any single character, and * matches any sequences of characters. You may also use [] character ranges. None of the wildcards match a `/' character, so <Directory /*/public_html> will not match /home/user/public_html, but <Directory /home/*/public_html> will match. Example:

<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks
</Directory>

Be careful with the directory-path arguments: They have to literally match the filesystem path which Apache httpd uses to access the files. Directives applied to a particular <Directory> will not apply to files accessed from that same directory via a different path, such as via different symbolic links.

Regular expressions can also be used, with the addition of the ~ character. For example:

<Directory ~ "^/www/[0-9]{3}">

</Directory>

would match directories in /www/ that consisted of three numbers.

If multiple (non-regular expression) <Directory> sections match the directory (or one of its parents) containing a document, then the directives are applied in the order of shortest match first, interspersed with the directives from the .htaccess files. For example, with

<Directory />
  AllowOverride None
</Directory>

<Directory "/home">
  AllowOverride FileInfo
</Directory>

for access to the document /home/web/dir/doc.html the steps are:

Regular expressions are not considered until after all of the normal sections have been applied. Then all of the regular expressions are tested in the order they appeared in the configuration file. For example, with

<Directory ~ "abc$">
  # ... directives here ...
</Directory>

the regular expression section won't be considered until after all normal <Directory>s and .htaccess files have been applied. Then the regular expression will match on /home/abc/public_html/abc and the corresponding <Directory> will be applied.

Note that the default access for <Directory /> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is recommended that you change this with a block such as

<Directory />
  Require all denied
</Directory>

and then override this for directories you want accessible. See the Security Tips page for more details.

The directory sections occur in the apache2.conf file. <Directory> directives cannot nest, and cannot appear in a <Limit> or <LimitExcept> section.

See also

top

<DirectoryMatch> Directive

Description:Enclose directives that apply to the contents of file-system directories matching a regular expression.
Syntax:<DirectoryMatch regex> ... </DirectoryMatch>
Context:server config, virtual host
Status:Core
Module:core

<DirectoryMatch> and </DirectoryMatch> are used to enclose a group of directives which will apply only to the named directory (and the files within), the same as <Directory>. However, it takes as an argument a regular expression. For example:

<DirectoryMatch "^/www/(.+/)?[0-9]{3}">
    # ...
</DirectoryMatch>

would match directories in /www/ that consisted of three numbers.

Compatability

Prior to 2.3.9, this directive implicitly applied to sub-directories (like <Directory>) and could not match the end of line symbol ($). In 2.3.9 and later, only directories that match the expression are affected by the enclosed directives.

Trailing Slash

This directive applies to requests for directories that may or may not end in a trailing slash, so expressions that are anchored to the end of line ($) must be written with care.

From 2.4.8 onwards, named groups and backreferences are captured and written to the environment with the corresponding name prefixed with "MATCH_" and in upper case. This allows elements of paths to be referenced from within expressions and modules like mod_rewrite. In order to prevent confusion, numbered (unnamed) backreferences are ignored. Use named groups instead.

<DirectoryMatch ^/var/www/combined/(?<sitename>[^/]+)>
    require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
</DirectoryMatch>

See also

top

DocumentRoot Directive

Description:Directory that forms the main document tree visible from the web
Syntax:DocumentRoot directory-path
Default:DocumentRoot /usr/local/apache/htdocs
Context:server config, virtual host
Status:Core
Module:core

This directive sets the directory from which httpd will serve files. Unless matched by a directive like Alias, the server appends the path from the requested URL to the document root to make the path to the document. Example:

DocumentRoot "/usr/web"

then an access to http://my.example.com/index.html refers to /usr/web/index.html. If the directory-path is not absolute then it is assumed to be relative to the ServerRoot.

The DocumentRoot should be specified without a trailing slash.

See also

top

<Else> Directive

Description:Contains directives that apply only if the condition of a previous <If> or <ElseIf> section is not satisfied by a request at runtime
Syntax:<Else> ... </Else>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <Else> applies the enclosed directives if and only if the most recent <If> or <ElseIf> section in the same scope has not been applied. For example: In

<If "-z req('Host')">
  # ...
</If>
<Else>
  # ...
</Else>

The <If> would match HTTP/1.0 requests without a Host: header and the <Else> would match requests with a Host: header.

See also

top

<ElseIf> Directive

Description:Contains directives that apply only if a condition is satisfied by a request at runtime while the condition of a previous <If> or <ElseIf> section is not satisfied
Syntax:<ElseIf expression> ... </ElseIf>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <ElseIf> applies the enclosed directives if and only if both the given condition evaluates to true and the most recent <If> or <ElseIf> section in the same scope has not been applied. For example: In

<If "-R '10.1.0.0/16'">
  #...
</If>
<ElseIf "-R '10.0.0.0/8'">
  #...
</ElseIf>
<Else>
  #...
</Else>

The <ElseIf> would match if the remote address of a request belongs to the subnet 10.0.0.0/8 but not to the subnet 10.1.0.0/16.

See also

top

EnableMMAP Directive

Description:Use memory-mapping to read files during delivery
Syntax:EnableMMAP On|Off
Default:EnableMMAP On
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

This directive controls whether the httpd may use memory-mapping if it needs to read the contents of a file during delivery. By default, when the handling of a request requires access to the data within a file -- for example, when delivering a server-parsed file using mod_include -- Apache httpd memory-maps the file if the OS supports it.

This memory-mapping sometimes yields a performance improvement. But in some environments, it is better to disable the memory-mapping to prevent operational problems:

For server configurations that are vulnerable to these problems, you should disable memory-mapping of delivered files by specifying:

EnableMMAP Off

For NFS mounted files, this feature may be disabled explicitly for the offending files by specifying:

<Directory "/path-to-nfs-files">
  EnableMMAP Off
</Directory>
top

EnableSendfile Directive

Description:Use the kernel sendfile support to deliver files to the client
Syntax:EnableSendfile On|Off
Default:EnableSendfile Off
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:Default changed to Off in version 2.3.9.

This directive controls whether httpd may use the sendfile support from the kernel to transmit file contents to the client. By default, when the handling of a request requires no access to the data within a file -- for example, when delivering a static file -- Apache httpd uses sendfile to deliver the file contents without ever reading the file if the OS supports it.

This sendfile mechanism avoids separate read and send operations, and buffer allocations. But on some platforms or within some filesystems, it is better to disable this feature to avoid operational problems:

For server configurations that are not vulnerable to these problems, you may enable this feature by specifying:

EnableSendfile On

For network mounted files, this feature may be disabled explicitly for the offending files by specifying:

<Directory "/path-to-nfs-files">
  EnableSendfile Off
</Directory>

Please note that the per-directory and .htaccess configuration of EnableSendfile is not supported by mod_cache_disk. Only global definition of EnableSendfile is taken into account by the module.

top

Error Directive

Description:Abort configuration parsing with a custom error message
Syntax:Error message
Context:server config, virtual host, directory, .htaccess
Status:Core
Module:core
Compatibility:2.3.9 and later

If an error can be detected within the configuration, this directive can be used to generate a custom error message, and halt configuration parsing. The typical use is for reporting required modules which are missing from the configuration.

# Example
# ensure that mod_include is loaded
<IfModule !include_module>
  Error "mod_include is required by mod_foo.  Load it with LoadModule."
</IfModule>

# ensure that exactly one of SSL,NOSSL is defined
<IfDefine SSL>
<IfDefine NOSSL>
  Error "Both SSL and NOSSL are defined.  Define only one of them."
</IfDefine>
</IfDefine>
<IfDefine !SSL>
<IfDefine !NOSSL>
  Error "Either SSL or NOSSL must be defined."
</IfDefine>
</IfDefine>
top

ErrorDocument Directive

Description:What the server will return to the client in case of an error
Syntax:ErrorDocument error-code document
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core

In the event of a problem or error, Apache httpd can be configured to do one of four things,

  1. output a simple hardcoded error message
  2. output a customized message
  3. internally redirect to a local URL-path to handle the problem/error
  4. redirect to an external URL to handle the problem/error

The first option is the default, while options 2-4 are configured using the ErrorDocument directive, which is followed by the HTTP response code and a URL or a message. Apache httpd will sometimes offer additional information regarding the problem/error.

URLs can begin with a slash (/) for local web-paths (relative to the DocumentRoot), or be a full URL which the client can resolve. Alternatively, a message can be provided to be displayed by the browser. Examples:

ErrorDocument 500 http://foo.example.com/cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 /subscription_info.html
ErrorDocument 403 "Sorry can't allow you access today"
ErrorDocument 403 Forbidden!

Additionally, the special value default can be used to specify Apache httpd's simple hardcoded message. While not required under normal circumstances, default will restore Apache httpd's simple hardcoded message for configurations that would otherwise inherit an existing ErrorDocument.

ErrorDocument 404 /cgi-bin/bad_urls.pl

<Directory /web/docs>
  ErrorDocument 404 default
</Directory>

Note that when you specify an ErrorDocument that points to a remote URL (ie. anything with a method such as http in front of it), Apache HTTP Server will send a redirect to the client to tell it where to find the document, even if the document ends up being on the same server. This has several implications, the most important being that the client will not receive the original error status code, but instead will receive a redirect status code. This in turn can confuse web robots and other clients which try to determine if a URL is valid using the status code. In addition, if you use a remote URL in an ErrorDocument 401, the client will not know to prompt the user for a password since it will not receive the 401 status code. Therefore, if you use an ErrorDocument 401 directive then it must refer to a local document.

Microsoft Internet Explorer (MSIE) will by default ignore server-generated error messages when they are "too small" and substitute its own "friendly" error messages. The size threshold varies depending on the type of error, but in general, if you make your error document greater than 512 bytes, then MSIE will show the server-generated error rather than masking it. More information is available in Microsoft Knowledge Base article Q294807.

Although most error messages can be overridden, there are certain circumstances where the internal messages are used regardless of the setting of ErrorDocument. In particular, if a malformed request is detected, normal request processing will be immediately halted and the internal error message returned. This is necessary to guard against security problems caused by bad requests.

If you are using mod_proxy, you may wish to enable ProxyErrorOverride so that you can provide custom error messages on behalf of your Origin servers. If you don't enable ProxyErrorOverride, Apache httpd will not generate custom error documents for proxied content.

See also

top

ErrorLog Directive

Description:Location where the server will log errors
Syntax: ErrorLog file-path|syslog[:facility]
Default:ErrorLog logs/error_log (Unix) ErrorLog logs/error.log (Windows and OS/2)
Context:server config, virtual host
Status:Core
Module:core

The ErrorLog directive sets the name of the file to which the server will log any errors it encounters. If the file-path is not absolute then it is assumed to be relative to the ServerRoot.

ErrorLog "/var/log/httpd/error_log"

If the file-path begins with a pipe character "|" then it is assumed to be a command to spawn to handle the error log.

ErrorLog "|/usr/local/bin/httpd_errors"

See the notes on piped logs for more information.

Using syslog instead of a filename enables logging via syslogd(8) if the system supports it. The default is to use syslog facility local7, but you can override this by using the syslog:facility syntax where facility can be one of the names usually documented in syslog(1). The facility is effectively global, and if it is changed in individual virtual hosts, the final facility specified affects the entire server.

ErrorLog syslog:user

SECURITY: See the security tips document for details on why your security could be compromised if the directory where log files are stored is writable by anyone other than the user that starts the server.

Note

When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashes are used even though the platform may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.

See also

top

ErrorLogFormat Directive

Description:Format specification for error log entries
Syntax: ErrorLogFormat [connection|request] format
Context:server config, virtual host
Status:Core
Module:core

ErrorLogFormat allows to specify what supplementary information is logged in the error log in addition to the actual log message.

#Simple example
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"

Specifying connection or request as first parameter allows to specify additional formats, causing additional information to be logged when the first message is logged for a specific connection or request, respectively. This additional information is only logged once per connection/request. If a connection or request is processed without causing any log message, the additional information is not logged either.

It can happen that some format string items do not produce output. For example, the Referer header is only present if the log message is associated to a request and the log message happens at a time when the Referer header has already been read from the client. If no output is produced, the default behavior is to delete everything from the preceding space character to the next space character. This means the log line is implicitly divided into fields on non-whitespace to whitespace transitions. If a format string item does not produce output, the whole field is omitted. For example, if the remote address %a in the log format [%t] [%l] [%a] %M  is not available, the surrounding brackets are not logged either. Space characters can be escaped with a backslash to prevent them from delimiting a field. The combination '% ' (percent space) is a zero-width field delimiter that does not produce any output.

The above behavior can be changed by adding modifiers to the format string item. A - (minus) modifier causes a minus to be logged if the respective item does not produce any output. In once-per-connection/request formats, it is also possible to use the + (plus) modifier. If an item with the plus modifier does not produce any output, the whole line is omitted.

A number as modifier can be used to assign a log severity level to a format item. The item will only be logged if the severity of the log message is not higher than the specified log severity level. The number can range from 1 (alert) over 4 (warn) and 7 (debug) to 15 (trace8).

For example, here's what would happen if you added modifiers to the %{Referer}i token, which logs the Referer request header.

Modified TokenMeaning
%-{Referer}i Logs a - if Referer is not set.
%+{Referer}i Omits the entire line if Referer is not set.
%4{Referer}i Logs the Referer only if the log message severity is higher than 4.

Some format string items accept additional parameters in braces.

Format String Description
%% The percent sign
%a Client IP address and port of the request
%{c}a Underlying peer IP address and port of the connection (see the mod_remoteip module)
%A Local IP-address and port
%{name}e Request environment variable name
%E APR/OS error status code and string
%F Source file name and line number of the log call
%{name}i Request header name
%k Number of keep-alive requests on this connection
%l Loglevel of the message
%L Log ID of the request
%{c}L Log ID of the connection
%{C}L Log ID of the connection if used in connection scope, empty otherwise
%m Name of the module logging the message
%M The actual log message
%{name}n Request note name
%P Process ID of current process
%T Thread ID of current thread
%{g}T System unique thread ID of current thread (the same ID as displayed by e.g. top; currently Linux only)
%t The current time
%{u}t The current time including micro-seconds
%{cu}t The current time in compact ISO 8601 format, including micro-seconds
%v The canonical ServerName of the current server.
%V The server name of the server serving the request according to the UseCanonicalName setting.
(backslash space) Non-field delimiting space
(percent space) Field delimiter (no output)

The log ID format %L produces a unique id for a connection or request. This can be used to correlate which log lines belong to the same connection or request, which request happens on which connection. A %L format string is also available in mod_log_config, to allow to correlate access log entries with error log lines. If mod_unique_id is loaded, its unique id will be used as log ID for requests.

#Example (default format for threaded MPMs)
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

This would result in error messages such as:

[Thu May 12 08:28:57.652118 2011] [core:error] [pid 8777:tid 4326490112] [client ::1:58619] File does not exist: /usr/local/apache2/htdocs/favicon.ico

Notice that, as discussed above, some fields are omitted entirely because they are not defined.

#Example (similar to the 2.2.x format)
ErrorLogFormat "[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
#Advanced example with request/connection log IDs
ErrorLogFormat "[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M"
ErrorLogFormat request "[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T"
ErrorLogFormat request "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'"
ErrorLogFormat request "[%{uc}t] [R:%L] Referer:'%+{Referer}i'"
ErrorLogFormat connection "[%{uc}t] [C:%{c}L] local\ %a remote\ %A"

See also

top

ExtendedStatus Directive

Description:Keep track of extended status information for each request
Syntax:ExtendedStatus On|Off
Default:ExtendedStatus Off[*]
Context:server config
Status:Core
Module:core

This option tracks additional data per worker about the currently executing request, and a utilization summary; you can see these variables during runtime by configuring mod_status. Note that other modules may rely on this scoreboard.

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis. The collection of extended status information can slow down the server. Also note that this setting cannot be changed during a graceful restart.

Note that loading mod_status will change the default behavior to ExtendedStatus On, while other third party modules may do the same. Such modules rely on collecting detailed information about the state of all workers. The default is changed by mod_status beginning with version 2.3.6; the previous default was always Off.

top

FileETag Directive

Description:File attributes used to create the ETag HTTP response header for static files
Syntax:FileETag component ...
Default:FileETag MTime Size
Context:server config, virtual host, directory, .htaccess
Override:FileInfo
Status:Core
Module:core
Compatibility:The default used to be "INode MTime Size" in 2.3.14 and earlier.

The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file. (The ETag value is used in cache management to save network bandwidth.) The FileETag directive allows you to choose which of these -- if any -- should be used. The recognized keywords are:

INode
The file's i-node number will be included in the calculation
MTime
The date and time the file was last modified will be included
Size
The number of bytes in the file will be included
All
All available fields will be used. This is equivalent to:
FileETag INode MTime Size
None
If a document is file-based, no ETag field will be included in the response

The INode, MTime, and Size keywords may be prefixed with either + or -, which allow changes to be made to the default setting inherited from a broader scope. Any keyword appearing without such a prefix immediately and completely cancels the inherited setting.

If a directory's configuration includes FileETag INode MTime Size, and a subdirectory's includes FileETag -INode, the setting for that subdirectory (which will be inherited by any sub-subdirectories that don't override it) will be equivalent to FileETag MTime Size.

Warning

Do not change the default for directories or locations that have WebDAV enabled and use mod_dav_fs as a storage provider. mod_dav_fs uses MTime Size as a fixed format for ETag comparisons on conditional requests. These conditional requests will break if the ETag format is changed via FileETag.

Server Side Includes

An ETag is not generated for responses parsed by mod_include, since the response entity can change without a change of the INode, MTime, or Size of the static file with embedded SSI directives.
top

<Files> Directive

Description:Contains directives that apply to matched filenames
Syntax:<Files filename> ... </Files>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <Files> directive limits the scope of the enclosed directives by filename. It is comparable to the <Directory> and <Location> directives. It should be matched with a </Files> directive. The directives given within this section will be applied to any object with a basename (last component of filename) matching the specified filename. <Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections. Note that <Files> can be nested inside <Directory> sections to restrict the portion of the filesystem they apply to.

The filename argument should include a filename, or a wild-card string, where ? matches any single character, and * matches any sequences of characters.

<Files "cat.html">
    # Insert stuff that applies to cat.html here
</Files>

<Files "?at.*">
    # This would apply to cat.html, bat.html, hat.php and so on.
</Files>

Regular expressions can also be used, with the addition of the ~ character. For example:

<Files ~ "\.(gif|jpe?g|png)$">
    #...
</Files>

would match most common Internet graphics formats. <FilesMatch> is preferred, however.

Note that unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level.

See also

top

<FilesMatch> Directive

Description:Contains directives that apply to regular-expression matched filenames
Syntax:<FilesMatch regex> ... </FilesMatch>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <FilesMatch> directive limits the scope of the enclosed directives by filename, just as the <Files> directive does. However, it accepts a regular expression. For example:

<FilesMatch "\.(gif|jpe?g|png)$">
    # ...
</FilesMatch>

would match most common Internet graphics formats.

From 2.4.8 onwards, named groups and backreferences are captured and written to the environment with the corresponding name prefixed with "MATCH_" and in upper case. This allows elements of files to be referenced from within expressions and modules like mod_rewrite. In order to prevent confusion, numbered (unnamed) backreferences are ignored. Use named groups instead.

<FilesMatch ^(?<sitename>[^/]+)>
    require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
</FilesMatch>

See also

top

ForceType Directive

Description:Forces all matching files to be served with the specified media type in the HTTP Content-Type header field
Syntax:ForceType media-type|None
Context:directory, .htaccess
Override:FileInfo
Status:Core
Module:core

When placed into an .htaccess file or a <Directory>, or <Location> or <Files> section, this directive forces all matching files to be served with the content type identification given by media-type. For example, if you had a directory full of GIF files, but did not want to label them all with .gif, you might want to use:

ForceType image/gif

Note that this directive overrides other indirect media type associations defined in mime.types or via the AddType.

You can also override more general ForceType settings by using the value of None:

# force all files to be image/gif:
<Location /images>
  ForceType image/gif
</Location>

# but normal mime-type associations here:
<Location /images/mixed>
  ForceType None
</Location>

This directive primarily overrides the content types generated for static files served out of the filesystem. For resources other than static files, where the generator of the response typically specifies a Content-Type, this directive has no effect.

top

GprofDir Directive

Description:Directory to write gmon.out profiling data to.
Syntax:GprofDir /tmp/gprof/|/tmp/gprof/%
Context:server config, virtual host
Status:Core
Module:core

When the server has been compiled with gprof profiling support, GprofDir causes gmon.out files to be written to the specified directory when the process exits. If the argument ends with a percent symbol ('%'), subdirectories are created for each process id.

This directive currently only works with the prefork MPM.

top

HostnameLookups Directive

Description:Enables DNS lookups on client IP addresses
Syntax:HostnameLookups On|Off|Double
Default:HostnameLookups Off
Context:server config, virtual host, directory
Status:Core
Module:core

This directive enables DNS lookups so that host names can be logged (and passed to CGIs/SSIs in REMOTE_HOST). The value Double refers to doing double-reverse DNS lookup. That is, after a reverse lookup is performed, a forward lookup is then performed on that result. At least one of the IP addresses in the forward lookup must match the original address. (In "tcpwrappers" terminology this is called PARANOID.)

Regardless of the setting, when mod_authz_host is used for controlling access by hostname, a double reverse lookup will be performed. This is necessary for security. Note that the result of this double-reverse isn't generally available unless you set HostnameLookups Double. For example, if only HostnameLookups On and a request is made to an object that is protected by hostname restrictions, regardless of whether the double-reverse fails or not, CGIs will still be passed the single-reverse result in REMOTE_HOST.

The default is Off in order to save the network traffic for those sites that don't truly need the reverse lookups done. It is also better for the end users because they don't have to suffer the extra latency that a lookup entails. Heavily loaded sites should leave this directive Off, since DNS lookups can take considerable amounts of time. The utility logresolve, compiled by default to the bin subdirectory of your installation directory, can be used to look up host names from logged IP addresses offline.

Finally, if you have hostname-based Require directives, a hostname lookup will be performed regardless of the setting of HostnameLookups.

top

<If> Directive

Description:Contains directives that apply only if a condition is satisfied by a request at runtime
Syntax:<If expression> ... </If>
Context:server config, virtual host, directory, .htaccess
Override:All
Status:Core
Module:core

The <If> directive evaluates an expression at runtime, and applies the enclosed directives if and only if the expression evaluates to true. For example:

<If "-z req('Host')">

would match HTTP/1.0 requests without a Host: header. Expressions