# Based upon the NCSA server configuration files originally by Rob McCool. # Changed extensively for the Debian package by Daniel Stone # and also by Thom May . # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. # # NOTE! If you intend to place this on an NFS (or otherwise network) # mounted filesystem then please read the LockFile documentation # (available at ); # you will save yourself a lot of trouble. ServerRoot "/etc/apache2" # The LockFile directive sets the path to the lockfile used when Apache # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at # its default value. The main reason for changing it is if the logs # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL # DISK. The PID of the main server process is automatically appended to # the filename. LockFile /var/lock/apache2/accept.lock # PidFile: The file in which the server should record its process # identification number when it starts. PidFile /var/run/apache2.pid # Timeout: The number of seconds before receives and sends time out. Timeout 60 # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. KeepAlive On # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We recommend you leave this number high, for maximum performance. MaxKeepAliveRequests 0 # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. KeepAliveTimeout 120 ## ## Server-Pool Size Regulation (MPM specific) ## # prefork MPM # StartServers ......... number of server processes to start # MinSpareServers ...... minimum number of server processes which are kept spare # MaxSpareServers ...... maximum number of server processes which are kept spare # MaxClients ........... maximum number of server processes allowed to start # MaxRequestsPerChild .. maximum number of requests a server process serves ServerLimit 5000 StartServers 2 MinSpareServers 2 MaxSpareServers 5 MaxClients 3000 MaxRequestsPerChild 0 # pthread MPM # StartServers ......... initial number of server processes to start # MaxClients ........... maximum number of server processes allowed to start # MinSpareThreads ...... minimum number of worker threads which are kept spare # MaxSpareThreads ...... maximum number of worker threads which are kept spare # ThreadsPerChild ...... constant number of worker threads in each server process # MaxRequestsPerChild .. maximum number of requests a server process serves StartServers 2 MaxClients 150 MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 MaxRequestsPerChild 0 # perchild MPM # NumServers ........... constant number of server processes # StartThreads ......... initial number of worker threads in each server process # MinSpareThreads ...... minimum number of worker threads which are kept spare # MaxSpareThreads ...... maximum number of worker threads which are kept spare # MaxThreadsPerChild ... maximum number of worker threads in each server process # MaxRequestsPerChild .. maximum number of connections per server process (then it dies) NumServers 5 StartThreads 5 MinSpareThreads 5 MaxSpareThreads 10 MaxThreadsPerChild 20 MaxRequestsPerChild 0 AcceptMutex fcntl User www-data Group www-data # The following directives define some format nicknames for use with # a CustomLog directive (see below). LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent # Global error log. ErrorLog /var/log/apache2/error.log # Include module configuration: Include /etc/apache2/mods-enabled/*.load Include /etc/apache2/mods-enabled/*.conf # Include all the user configurations: Include /etc/apache2/httpd.conf # Include ports listing Include /etc/apache2/ports.conf # Include generic snippets of statements Include /etc/apache2/conf.d/[^.#]* # Set up the default error docs. # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html # # # Putting this all together, we can Internationalize error responses. # # We use Alias to redirect any /error/HTTP_.html.var response to # our collection of by-error message multi-language collections. We use # includes to substitute the appropriate text. # # You can modify the messages' appearance without changing any of the # default HTTP_.html.var files by adding the line; # # Alias /error/include/ "/your/include/path/" # # which allows you to create your own set of files by starting with the # /usr/local/apache2/error/include/ files and # copying them to /your/include/path/, even on a per-VirtualHost basis. # Alias /error/ "/usr/share/apache2/error/" AllowOverride None Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var Order allow,deny Allow from all LanguagePriority en es de fr ForceLanguagePriority Prefer Fallback ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var ErrorDocument 410 /error/HTTP_GONE.html.var ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var # # AddHandler application/x-httpd-php .php # SecAuditEngine On # SecAuditLog /var/log/apache2/audit.log # SecFilterScanPOST On # SecFilterEngine On # SecFilterDefaultAction "deny,log,status:500" # SecFilter "<(.|\n)+>" # SecFilter "'" # SecFilter "\"" # # # Only inspect dynamic requests # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED) # SecFilterEngine DynamicOnly # SecFilterEngine On # Reject requests with status 500 # SecFilterDefaultAction "deny,log,status:403" # Some sane defaults # SecFilterScanPOST On # SecFilterCheckURLEncoding On # SecFilterCheckCookieFormat On # SecFilterCheckUnicodeEncoding Off # SecServerResponseToken Off #If you want to scan the output, uncomment these #SecFilterScanOutput On #SecFilterOutputMimeTypes "(null) text/html text/plain" # Accept almost all byte values # SecFilterForceByteRange 1 255 # Server masking is optional #fake server banner - NOYB used - no one needs to know what we are using # SecServerSignature "NOYB" #SecUploadDir /tmp #SecUploadKeepFiles Off # Only record the interesting stuff # SecAuditEngine RelevantOnly # SecAuditLog /var/log/apache2/audit.log # You normally won't need debug logging # SecFilterDebugLevel 0 # SecFilterDebugLog /var/log/apache2/modsec_debug_log #And now, the rules #Remove any of these Include lines you do not use or have rules for. #Application protection rules # Include /etc/apache2/modsecurity/rules.conf #Comment spam rules # Include /etc/apache2/modsecurity/blacklist.conf # #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml DirectoryIndex index.php index.html # UserDir is now a module #UserDir public_html #UserDir disabled root # # AllowOverride FileInfo AuthConfig Limit # Options Indexes SymLinksIfOwnerMatch IncludesNoExec # AccessFileName .htaccess Order allow,deny Deny from all UseCanonicalName Off ServerSignature Off HostnameLookups Off ServerTokens Prod ScoreBoardFile /var/log/apache2/scoreboard.log TypesConfig /etc/mime.types DefaultType text/plain IndexOptions FancyIndexing VersionSort AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* # This really should be .jpg. AddIcon /icons/binary.gif .bin .exe AddIcon /icons/binhex.gif .hqx AddIcon /icons/tar.gif .tar AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip AddIcon /icons/a.gif .ps .ai .eps AddIcon /icons/layout.gif .html .shtml .htm .pdf AddIcon /icons/text.gif .txt AddIcon /icons/c.gif .c AddIcon /icons/p.gif .pl .py AddIcon /icons/f.gif .for AddIcon /icons/dvi.gif .dvi AddIcon /icons/uuencoded.gif .uu AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl AddIcon /icons/tex.gif .tex AddIcon /icons/bomb.gif core AddIcon /icons/back.gif .. AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ # This is from Matty J's patch. Anyone want to make the icons? #AddIcon /icons/dirsymlink.jpg ^^SYMDIR^^ #AddIcon /icons/symlink.jpg ^^SYMLINK^^ DefaultIcon /icons/unknown.gif ReadmeName README.html HeaderName HEADER.html IndexIgnore .??* *~ *# HEADER* RCS CVS *,t AddEncoding x-compress Z AddEncoding x-gzip gz tgz AddLanguage da .dk AddLanguage nl .nl AddLanguage en .en AddLanguage et .et AddLanguage fr .fr AddLanguage de .de AddLanguage el .el AddLanguage it .it AddLanguage ja .ja AddLanguage pl .po AddLanguage ko .ko AddLanguage pt .pt AddLanguage no .no AddLanguage pt-br .pt-br AddLanguage ltz .ltz AddLanguage ca .ca AddLanguage es .es AddLanguage sv .se AddLanguage cz .cz AddLanguage ru .ru AddLanguage tw .tw AddLanguage zh-tw .tw LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw AddDefaultCharset iso-8859-1 AddCharset ISO-8859-1 .iso8859-1 .latin1 AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen AddCharset ISO-8859-3 .iso8859-3 .latin3 AddCharset ISO-8859-4 .iso8859-4 .latin4 AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk AddCharset ISO-2022-JP .iso2022-jp .jis AddCharset ISO-2022-KR .iso2022-kr .kis AddCharset ISO-2022-CN .iso2022-cn .cis AddCharset Big5 .Big5 .big5 # For russian, more than one charset is used (depends on client, mostly): AddCharset WINDOWS-1251 .cp-1251 .win-1251 AddCharset CP866 .cp866 AddCharset KOI8-r .koi8-r .koi8-ru AddCharset KOI8-ru .koi8-uk .ua AddCharset ISO-10646-UCS-2 .ucs2 AddCharset ISO-10646-UCS-4 .ucs4 AddCharset UTF-8 .utf8 AddCharset GB2312 .gb2312 .gb AddCharset utf-7 .utf7 AddCharset utf-8 .utf8 AddCharset big5 .big5 .b5 AddCharset EUC-TW .euc-tw AddCharset EUC-JP .euc-jp AddCharset EUC-KR .euc-kr AddCharset shift_jis .sjis #AddType application/x-httpd-php .php #AddType application/x-httpd-php-source .phps AddType application/x-tar .tgz # To use CGI scripts outside /cgi-bin/: # #AddHandler cgi-script .cgi # To use server-parsed HTML files # SetOutputFilter INCLUDES # If you wish to use server-parsed imagemap files, use # #AddHandler imap-file map BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 # # The following directive disables redirects on non-GET requests for # a directory that does not include the trailing slash. This fixes a # problem with Microsoft WebFolders which does not appropriately handle # redirects for folders with DAV methods. # BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^gnome-vfs" redirect-carefully BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully # Allow server status reports, with the URL of http://servername/server-status # Change the ".your_domain.com" to match your domain to enable. # # # SetHandler server-status # Order deny,allow # Deny from all # Allow from 10.15.20.30 # # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # Change the ".your_domain.com" to match your domain to enable. # # # SetHandler server-info # Order deny,allow # Deny from all # Allow from .your_domain.com # # Include the virtual host configurations: Include /etc/apache2/sites-enabled/[^.#]*