Major changes ignored:
* increasing server counts for mpm_prefork
* mods/available/dav_svn revert
21 files changed:
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
-# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
-# with ServerRoot set to "" will be interpreted by the
-# server as "//var/log/apache2/foo.log".
+# with "/", the value of ServerRoot is prepended -- so "foo.log"
+# with ServerRoot set to "/etc/apache2" will be interpreted by the
+# server as "/etc/apache2/foo.log".
#
### Section 1: Global Environment
#
### Section 1: Global Environment
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
-# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
+# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
-ServerRoot "/etc/apache2"
+#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
-#<IfModule !mpm_winnt.c>
-#<IfModule !mpm_netware.c>
-LockFile /var/lock/apache2/accept.lock
-#</IfModule>
-#</IfModule>
+LockFile ${APACHE_LOCK_DIR}/accept.lock
#
# PidFile: The file in which the server should record its process
#
# PidFile: The file in which the server should record its process
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
##
## Server-Pool Size Regulation (MPM specific)
##
## Server-Pool Size Regulation (MPM specific)
# worker MPM
# StartServers: initial number of server processes to start
# worker MPM
# StartServers: initial number of server processes to start
-# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
+# graceful restart. ThreadLimit can only be changed by stopping
+# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# ThreadsPerChild: constant number of worker threads in each server process
+# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
# event MPM
# StartServers: initial number of server processes to start
# event MPM
# StartServers: initial number of server processes to start
-# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
+# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
StartServers 2
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
MaxRequestsPerChild 0
</IfModule>
<Files ~ "^\.ht">
Order allow,deny
Deny from all
<Files ~ "^\.ht">
Order allow,deny
Deny from all
# keep browsers from trying to display binary files as though they are
# text.
#
# keep browsers from trying to display binary files as though they are
# text.
#
+# It is also possible to omit any default MIME type and let the
+# client's browser guess an appropriate action instead. Typically the
+# browser will decide based on the file's extension then. In cases
+# where no good assumption can be made, letting the default MIME type
+# unset is suggested instead of forcing the browser to accept
+# incorrect metadata.
+#
+DefaultType None
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
-ErrorLog /var/log/apache2/error.log
+ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the number of messages logged to the error_log.
#
# LogLevel: Control the number of messages logged to the error_log.
LogLevel warn
# Include module configuration:
LogLevel warn
# Include module configuration:
-Include /etc/apache2/mods-enabled/*.load
-Include /etc/apache2/mods-enabled/*.conf
+Include mods-enabled/*.load
+Include mods-enabled/*.conf
# Include all the user configurations:
# Include all the user configurations:
-Include /etc/apache2/httpd.conf
-Include /etc/apache2/ports.conf
#
# The following directives define some format nicknames for use with
#
# The following directives define some format nicknames for use with
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
-#
-# Define an access log for VirtualHosts that don't define their own logfile
-CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
-
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
-Include /etc/apache2/conf.d/
# Include the virtual host configurations:
# Include the virtual host configurations:
-Include /etc/apache2/sites-enabled/
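Review bot: The removed `Include /etc/apache2/httpd.conf`, `Include /etc/apache2/ports.conf`, `Include /etc/apache2/conf.d/` and `Include /etc/apache2/sites-enabled/` lines have no visible replacement in this section, whereas the `mods-enabled` includes were re-added in relative form. If relative equivalents are not present elsewhere in the new file, no `Listen` directive, conf.d snippet or virtual host is loaded. That would presumably include the access-log definition this commit moves into a file of its own. Separately, with `ServerRoot` commented out, the relative includes depend on the compiled-in server root, and the `${APACHE_LOCK_DIR}` and `${APACHE_LOG_DIR}` references depend on those variables being exported before start. A comment beside `#ServerRoot` would make that explicit, e.g. `# Relative paths and ${APACHE_*} variables below rely on the compiled-in ServerRoot and the exported environment`.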
--- /dev/null
+# Define an access log for VirtualHosts that don't define their own logfile
+CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
-# Debian packages. It will be made the default for the release after lenny.
#
#<Directory />
# AllowOverride None
#
#<Directory />
# AllowOverride None
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
- Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
AllowOverride None
Order allow,deny
Allow from all
--- /dev/null
+# Depends: dav_svn
+LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
# Socket for cgid communication
# Socket for cgid communication
-ScriptSock /var/run/apache2/cgisock
+ScriptSock ${APACHE_RUN_DIR}/cgisock
-DAVLockDB /var/lock/apache2/DAVLock
+DAVLockDB ${APACHE_LOCK_DIR}/DAVLock
#AuthName "Subversion Repository"
#AuthUserFile /etc/apache2/dav_svn.passwd
#AuthName "Subversion Repository"
#AuthUserFile /etc/apache2/dav_svn.passwd
- # To enable authorization via mod_authz_svn
+ # To enable authorization via mod_authz_svn (enable that module separately):
+ #<IfModule mod_authz_svn.c>
#AuthzSVNAccessFile /etc/apache2/dav_svn.authz
#AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# The following three lines allow anonymous read, but make
# committers authenticate themselves. It requires the 'authz_user'
# The following three lines allow anonymous read, but make
# committers authenticate themselves. It requires the 'authz_user'
# Depends: dav
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
# Depends: dav
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
-LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
-# Uncomment and change the ".example.com" to allow
-# access from other hosts.
+# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
#
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
#
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
- Allow from localhost ip6-localhost
-# Allow from .example.com
+ Allow from 127.0.0.1 ::1
+# Allow from 192.0.2.0/24
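Review bot: The `/server-info` block, like the `/server-status` block later in this commit, shows no `Satisfy all`, while the new `/ldap-status` and commented `/balancer-manager` blocks both carry it. The closing `</Location>` is outside the visible lines, so it may already be there. If it is not, a `Satisfy any` inherited from an enclosing scope would let an authenticated remote user past the host restriction, so I would add `Satisfy all` after the `Allow` line in both blocks. It is also worth a comment that the loopback allowance matches requests relayed by a reverse proxy on the same host, e.g. `# NB: 127.0.0.1/::1 also matches requests forwarded by a local proxy`.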
--- /dev/null
+<Location /ldap-status>
+ SetHandler ldap-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1 ::1
+# Allow from 192.0.2.0/24
+ Satisfy all
+</Location>
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
+AddLanguage am .amh
+AddLanguage ar .ara
+AddLanguage be .be
+AddLanguage bg .bg
+AddLanguage bn .bn
+AddLanguage br .br
+AddLanguage bs .bs
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
RemoveType es
AddLanguage es .es
AddLanguage et .et
RemoveType es
AddLanguage es .es
AddLanguage et .et
+AddLanguage eu .eu
+AddLanguage fa .fa
+AddLanguage fi .fi
+AddLanguage ga .ga
+AddLanguage gl .glg
+AddLanguage gu .gu
+AddLanguage hu .hu
+AddLanguage hy .hy
+AddLanguage id .id
+AddLanguage is .is
AddLanguage it .it
AddLanguage ja .ja
AddLanguage it .it
AddLanguage ja .ja
+AddLanguage ka .ka
+AddLanguage kk .kk
+AddLanguage km .km
+AddLanguage kn .kn
+AddLanguage ku .ku
+AddLanguage lo .lo
+AddLanguage lt .lt
+AddLanguage lv .lv
+AddLanguage mg .mg
+AddLanguage mk .mk
+AddLanguage ml .ml
+AddLanguage mr .mr
+AddLanguage ms .msa
+AddLanguage nb .nob
+AddLanguage ne .ne
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
+AddLanguage pt .pt
+AddLanguage ro .ro
+AddLanguage sa .sa
+AddLanguage se .se
+AddLanguage si .si
+AddLanguage sk .sk
+AddLanguage sl .sl
+AddLanguage sq .sq
+AddLanguage sr .sr
-# tr is troff in /etc/mime.types
+AddLanguage ta .ta
+AddLanguage te .te
+AddLanguage th .th
+AddLanguage tl .tl
+# tr is troff in /etc/mime.types
+AddLanguage uk .uk
+AddLanguage ur .ur
+AddLanguage vi .vi
+AddLanguage wo .wo
+AddLanguage xh .xh
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
- #turning ProxyRequests on and allowing proxying from all may allow
- #spammers to use your proxy to send email.
+# If you want to use apache2 as a forward proxy, uncomment the
+# 'ProxyRequests On' line and the <Proxy *> block below.
+# WARNING: Be careful to restrict access inside the <Proxy *> block.
+# Open proxy servers are dangerous both to your network and to the
+# Internet at large.
+#
+# If you only want to use apache2 as a reverse proxy/gateway in
+# front of some web application server, you DON'T need
+# 'ProxyRequests On'.
- <Proxy *>
- AddDefaultCharset off
- Order deny,allow
- Deny from all
- #Allow from .example.com
- </Proxy>
+#ProxyRequests On
+#<Proxy *>
+# AddDefaultCharset off
+# Order deny,allow
+# Deny from all
+# #Allow from .example.com
+#</Proxy>
- # Enable/disable the handling of HTTP/1.1 "Via:" headers.
- # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
- # Set to one of: Off | On | Full | Block
+# Enable/disable the handling of HTTP/1.1 "Via:" headers.
+# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+# Set to one of: Off | On | Full | Block
+#ProxyVia Off
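Review bot: Commenting out the whole `<Proxy *>` block removes the default `Deny from all` that was previously active, so the file no longer fails closed. An administrator who sets `ProxyRequests On` in a virtual host without also uncommenting and editing this block gets a forward proxy with no access control. The new warning says to restrict access but does not say the restriction is now absent by default; I would add `# NOTE: no <Proxy *> access control is active unless you uncomment the block below`. For consistency with the other files in this commit, the nested example would also be better as an address range, `# #Allow from 192.0.2.0/24`, since a hostname-based `Allow` depends on reverse DNS.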
--- /dev/null
+<IfModule mod_proxy_balancer.c>
+
+# Balancer manager enables dynamic update of balancer members
+# (needs mod_status). Uncomment to enable.
+#
+#<IfModule mod_status.c>
+#<Location /balancer-manager>
+# SetHandler balancer-manager
+# Order deny,allow
+# Deny from all
+# Allow from 127.0.0.1 ::1
+# Satisfy all
+#</Location>
+#</IfModule>
+
+</IfModule>
--- /dev/null
+<IfModule mod_proxy_ftp.c>
+
+# Define the character set for proxied FTP listings. Default is ISO-8859-1
+ProxyFtpDirCharset UTF-8
+
+</IfModule>
<IfModule reqtimeout_module>
<IfModule reqtimeout_module>
-# Wait max 10 seconds for the first byte of the request line+headers
+# mod_reqtimeout limits the time waiting on the client to prevent an
+# attacker from causing a denial of service by opening many connections
+# but not sending requests. This file tries to give a sensible default
+# configuration, but it may be necessary to tune the timeout values to
+# the actual situation. Note that it is also possible to configure
+# mod_reqtimeout per virtual host.
+
+
+# Wait max 20 seconds for the first byte of the request line+headers
# From then, require a minimum data rate of 500 bytes/s, but don't
# From then, require a minimum data rate of 500 bytes/s, but don't
-# wait longer than 20 seconds in total.
-RequestReadTimeout header=10-20,minrate=500
+# wait longer than 40 seconds in total.
+# Note: Lower timeouts may make sense on non-ssl virtual hosts but can
+# cause problem with ssl enabled virtual hosts: This timeout includes
+# the time a browser may need to fetch the CRL for the certificate. If
+# the CRL server is not reachable, it may take more than 10 seconds
+# until the browser gives up.
+RequestReadTimeout header=20-40,minrate=500
# Wait max 10 seconds for the first byte of the request body (if any)
# Wait max 10 seconds for the first byte of the request body (if any)
-# From then, require a minimum data rate of 500 byte/s.
+# From then, require a minimum data rate of 500 bytes/s
RequestReadTimeout body=10,minrate=500
</IfModule>
RequestReadTimeout body=10,minrate=500
</IfModule>
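Review bot: Raising the header window to `header=20-40` server-wide doubles how long each idle or slow connection may hold a worker, which weakens the slow-request protection the new comment describes. The added text itself says lower timeouts make sense on non-SSL virtual hosts, but the file gives no example of that. I would add a commented hint such as `# In a non-SSL <VirtualHost>: RequestReadTimeout header=10-20,minrate=500` so the tighter value is easy to restore where the CRL-fetch delay does not apply.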
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog builtin
+SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
-#SSLSessionCache dbm:/var/run/apache2/ssl_scache
-SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
+# (The mechanism dbm has known memory leaks and should not be used).
+#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
-SSLMutex file:/var/run/apache2/ssl_mutex
+SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH
+SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol. Default: Off
+#SSLInsecureRenegotiation on
+
+# Whether to forbid non-SNI clients to access name based virtual hosts.
+# Default: Off
+#SSLStrictSNIVHostCheck On
+
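Review bot: The comment says "enable only secure ciphers", but `HIGH:MEDIUM:!ADH:!MD5` still leaves weak suites available. `!ADH` excludes only anonymous Diffie-Hellman, whereas `!aNULL` excludes every unauthenticated suite, and `MEDIUM` typically admits older 128-bit suites such as RC4. Subject to the client compatibility this host needs, I would tighten it to `SSLCipherSuite HIGH:!aNULL:!MD5`. The unchanged `SSLProtocol all -SSLv2` line in the same section still permits SSLv3 and could become `SSLProtocol all -SSLv2 -SSLv3`. The switch to `SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase` also deserves a one-line comment that the helper must be root-owned and not writable by other users, since its output is the private-key passphrase.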
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
-# Uncomment and change the ".example.com" to allow
-# access from other hosts.
+# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
- Allow from localhost ip6-localhost
-# Allow from .example.com
+ Allow from 127.0.0.1 ::1
+# Allow from 192.0.2.0/24
+# Keep track of extended status information for each request
+ExtendedStatus On
+
+# Determine if mod_status displays the first 63 characters of a request or
+# the last 63, assuming the request itself is greater than 63 chars.
+# Default: Off
+#SeeRequestTail On
+
+
+<IfModule mod_proxy.c>
+ # Show Proxy LoadBalancer status in mod_status
+ ProxyStatus On
+</IfModule>
+
+
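Review bot: `ExtendedStatus On` is enabled unconditionally and server-wide, so `/server-status` will list each client address, virtual host and request line. Request lines can include query strings that carry session identifiers or tokens, which makes the `Allow from 127.0.0.1 ::1` restriction above the only thing protecting that data. I would note this next to the directive, e.g. `# Exposes client IPs and request URLs on /server-status; keep the Allow list above tight`. The same caution applies to `ProxyStatus On`, which adds backend member details to that page.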
--- /dev/null
+../mods-available/authz_svn.load
\ No newline at end of file
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
- BrowserMatch ".*MSIE.*" \
+ BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
</VirtualHost>
</IfModule>
</VirtualHost>
</IfModule>
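Review bot: The pattern `"MSIE [17-9]"` reads like a mistyped range, and the comment above it does not explain it. It is a character class of `1`, `7`, `8` and `9`, so it covers MSIE 7 to 9 and any version whose first digit is 1 (10 and later, but also 1.x). I would extend the comment to `# MSIE 7 and newer should be able to use keepalive; [17-9] = first digit 1 (10+), 7, 8 or 9`, so a later editor does not "fix" it to `[7-9]` and drop the newer versions. The enclosing `<VirtualHost>` starts outside the visible lines.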
Allow from all
</Directory>
Allow from all
</Directory>
-ErrorLog /var/log/apache2/error.olinda.log
+ErrorLog ${APACHE_LOG_DIR}/error.olinda.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
-CustomLog /var/log/apache2/access.olinda.log combined
+CustomLog ${APACHE_LOG_DIR}/access.olinda.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
</Directory>
Include sites-common/awstats
</Directory>
Include sites-common/awstats