Apache Core Features 5
Syntax:
Group unix-group
Default:
Group #-1
Context:
server config, virtual host
Status:
core
The Group directive sets the group under which the server will answer requests. In order to
use this directive, the stand-alone server must be run initially as root. Unix-group
is one of:
- A group name
- Refers to the given group by name.
- # followed by a group number.
- Refers to a group by its number.
It is recommended that you set up a new group specifically for running the server. Some
admins use user nobody, but this is not always possible or desirable.
Example:
Group www-group
Note: if you start the server as a non-root user, it will fail to change to the specified
group, and will instead continue to run as the group of the original user.
Special note: Use of this directive in <VirtualHost> requires a properly configured
suEXEC wrapper. When used inside a <VirtualHost>
in this manner, only the group that CGIs are run as is affected. Non-CGI requests are still
processed as the group specified in the main Group directive.
SECURITY: See User for a discussion of the security considerations.
Syntax:
HostnameLookups on|off|double
Default:
HostnameLookups off
Context:
server config, virtual host, directory
Status:
core
Compatibility:
double available only in Apache 1.3 and above.
Compatibility:
Default was on prior to Apache 1.3.
This directive enables DNS lookups so that host names can be logged (and passed to CGIs/SSIs
in REMOTE_HOST). The value double refers to doing double-reverse
DNS. That is, after a reverse lookup is performed, a forward lookup is then performed on that
result. At least one of the ip addresses in the forward lookup must match the original
address. (In "tcpwrappers" terminology this is called PARANOID.)
Regardless of the setting, when
mod_access
is used for controlling access by hostname, a double reverse lookup will be performed. This is
necessary for security. Note that the result of this double-reverse isn't generally available
unless you set HostnameLookups double. For example, if only HostnameLookups
on and a request is made to an object that is protected by hostname restrictions,
regardless of whether the double-reverse fails or not, CGIs will still be passed the
single-reverse result in REMOTE_HOST.
The default for this directive was previously on in versions of Apache prior
to 1.3. It was changed to off in order to save the network traffic for those
sites that don't truly need the reverse lookups done. It is also better for the end users
because they don't have to suffer the extra latency that a lookup entails. Heavily loaded
sites should leave this directive off, since DNS lookups can take considerable
amounts of time. The utility
logresolve,
provided in the /support directory, can be used to look up host names from logged IP
addresses offline.
Syntax:
IdentityCheck on|off
Default:
IdentityCheck off
Context:
server config, virtual host, directory
Status:
core
This directive enables RFC1413-compliant logging of the remote user name for each
connection, where the client machine runs identd or something similar. This information is
logged in the access log.
The information should not be trusted in any way except for rudimentary usage tracking.
Note that this can cause serious latency problems accessing your server since every request
requires one of these lookups to be performed. When firewalls are involved each lookup might
possibly fail and add 30 seconds of latency to each hit. So in general this is not very useful
on public servers accessible from the Internet.
Syntax:
<IfDefine [!]parameter-name> ... </IfDefine>
Default:
None
Context:
all
Status:
Core
Compatibility:
<IfDefine> is only available in 1.3.1 and later.
The <IfDefine test>...</IfDefine> section is used to mark directives
that are conditional. The directives within an IfDefine section are only processed if the test
is true. If test is false, everything between the start and end markers is ignored.
The test in the <IfDefine> section directive can be one of two forms:
- parameter-name
!parameter-name
In the former case, the directives between the start and end markers are only processed if
the parameter named parameter-name is defined. The second format reverses the test,
and only processes the directives if parameter-name is not defined.
The parameter-name argument is a define as given on the httpd command
line via -Dparameter-, at the time the server was started.
<IfDefine> sections are nest-able, which can be used to implement simple
multiple-parameter tests. Example:
$ httpd -DReverseProxy ...
# httpd.conf
<IfDefine ReverseProxy>
LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule proxy_module libexec/libproxy.so
</IfDefine>
Syntax:
<IfModule [!]module-name> ... </IfModule>
Default:
None
Context:
all
Status:
Core
Compatibility:
IfModule is only available in 1.2 and later.
The <IfModule test>...</IfModule> section is used to mark directives
that are conditional. The directives within an IfModule section are only processed if the test
is true. If test is false, everything between the start and end markers is ignored.
The test in the <IfModule> section directive can be one of two forms:
In the former case, the directives between the start and end markers are only processed if
the module named module name is included in Apache -- either compiled in or
dynamically loaded using
LoadModule.
The second format reverses the test, and only processes the directives if module name
is not included.
The module name argument is the file name of the module, at the time it was
compiled. For example, mod_rewrite.c.
<IfModule> sections are nest-able, which can be used to implement simple
multiple-module tests.
Syntax: Include file-path|directory-path|wildcard-path
Context:
server config
Status:
Core
Compatibility:
Include is only available in Apache 1.3 and later.
This directive allows inclusion of other configuration files from within the server
configuration files.
The file path specified may be a fully qualified path (i.e. starting with a slash), or may
be relative to the ServerRoot directory.
New in Apache 1.3.13 is the feature that if Include points to a directory,
rather than a file, Apache will read all files in that directory, and any subdirectory, and
parse those as configuration files.
By using a wildcard this can be further limited to, say, just the '*.conf' files.
Examples:
Include /usr/local/apache/conf/ssl.conf
Include /usr/local/apache/conf/vhosts/
Or, providing paths relative to your ServerRoot directory:
Include conf/ssl.conf
Include conf/vhosts/
Make sure that an included directory does not contain any stray files, such as editor
temporary files, for example, as Apache will attempt to read them in and use the contents as
configuration directives, which may cause the server to fail on start up. Running apachectl
configtest will give you a list of the files that are being processed during the
configuration check:
root@host# apachectl configtest
Processing config directory: /usr/local/apache/conf/vhosts
Processing config file: /usr/local/apache/conf/vhosts/vhost1
Processing config file: /usr/local/apache/conf/vhosts/vhost2
Syntax OK
This will help in verifying that you are getting only the files that you intended as part
of your configuration.
See also:
apachectl
|
