Apache Module mod_alias

Apache Module mod_alias

Summary

The directives contained in this module allow for manipulation
and control of URLs as requests arrive at the server. The
Alias and ScriptAlias directives are used to
map between URLs and filesystem paths. This allows for content
which is not directly under the DocumentRoot served as part of the web
document tree. The ScriptAlias directive has the
additional effect of marking the target directory as containing
only CGI scripts.

The Redirect
directives are used to instruct clients to make a new request with
a different URL. They are often used when a resource has moved to
a new location.

When the Alias,
ScriptAlias and
Redirect directives are used
within a <Location>
or <LocationMatch>
section, expression syntax can be used
to manipulate the destination path or URL.

Order of Processing

Aliases and Redirects occurring in different contexts are processed
like other directives according to standard merging rules. But when multiple
Aliases or Redirects occur in the same context (for example, in the
same <VirtualHost>
section) they are processed in a particular order.

First, all Redirects are processed before Aliases are processed,
and therefore a request that matches a Redirect or RedirectMatch will never have Aliases
applied. Second, the Aliases and Redirects are processed in the order
they appear in the configuration files, with the first match taking
precedence.

Alias "/foo/bar" "/baz"
Alias "/foo" "/gaq"

But if the above two directives were reversed in order, the
/foo Alias
would always match before the /foo/bar Alias, so the latter directive would be
ignored.

When the Alias,
ScriptAlias and
Redirect directives are used
within a <Location>
or <LocationMatch>
section, these directives will take precedence over any globally
defined Alias,
ScriptAlias and
Redirect directives.

Alias Directive

The Alias directive allows documents to
be stored in the local filesystem other than under the
DocumentRoot. URLs with a
(%-decoded) path beginning with URL-path will be mapped
to local files beginning with directory-path. The
URL-path is case-sensitive, even on case-insensitive
file systems.

Alias "/image" "/ftp/pub/image"

Note that if you include a trailing / on the
URL-path then the server will require a trailing / in
order to expand the alias. That is, if you use

Alias "/icons/" "/usr/local/apache/icons/"

then the URL /icons will not be aliased, as it lacks
that trailing /. Likewise, if you omit the slash on the
URL-path then you must also omit it from the
file-path.

Note that you may need to specify additional <Directory> sections which
cover the destination of aliases. Aliasing occurs before
<Directory> sections
are checked, so only the destination of aliases are affected.
(Note however <Location>
sections are run through once before aliases are performed, so
they will apply.)

In particular, if you are creating an Alias to a
directory outside of your DocumentRoot, you may need to explicitly
permit access to the target directory.

Alias "/image" "/ftp/pub/image"
<Directory "/ftp/pub/image">
    Require all granted
</Directory>

Any number slashes in the URL-path parameter
matches any number of slashes in the requested URL-path.

If the Alias directive is used within a
<Location>
or <LocationMatch>
section the URL-path is omitted, and the file-path is interpreted
using expression syntax.
This syntax is available in Apache 2.4.19 and later.

<Location "/image">
    Alias "/ftp/pub/image"
</Location>
<LocationMatch "/error/(?<NUMBER>[0-9]+)">
    Alias "/usr/local/apache/errors/%{env:MATCH_NUMBER}.html"
</LocationMatch>

AliasMatch Directive

This directive is equivalent to Alias, but makes use of
regular expressions,
instead of simple prefix matching. The
supplied regular expression is matched against the URL-path, and
if it matches, the server will substitute any parenthesized
matches into the given string and use it as a filename. For
example, to activate the /icons directory, one might
use:

AliasMatch "^/icons(/|$)(.*)" "/usr/local/apache/icons$1$2"

The full range of regular expression
power is available. For example,
it is possible to construct an alias with case-insensitive
matching of the URL-path:

AliasMatch "(?i)^/image(.*)" "/ftp/pub/image$1"

One subtle difference
between Alias
and AliasMatch is
that Alias will
automatically copy any additional part of the URI, past the part
that matched, onto the end of the file path on the right side,
while AliasMatch will
not. This means that in almost all cases, you will want the
regular expression to match the entire request URI from beginning
to end, and to use substitution on the right side.

In other words, just changing
Alias to
AliasMatch will not
have the same effect. At a minimum, you need to
add ^ to the beginning of the regular expression
and add (.*)$ to the end, and add $1 to
the end of the replacement.

For example, suppose you want to replace this with AliasMatch:

Alias "/image/" "/ftp/pub/image/"

This is NOT equivalent — don’t do this! This will send all
requests that have /image/ anywhere in them to /ftp/pub/image/:

AliasMatch "/image/" "/ftp/pub/image/"

This is what you need to get the same effect:

AliasMatch "^/image/(.*)$" "/ftp/pub/image/$1"

Of course, there’s no point in
using AliasMatch
where Alias would
work. AliasMatch lets
you do more complicated things. For example, you could
serve different kinds of files from different directories:

AliasMatch "^/image/(.*)\.jpg$" "/files/jpg.images/$1.jpg"
AliasMatch "^/image/(.*)\.gif$" "/files/gif.images/$1.gif"

Multiple leading slashes in the requested URL are discarded
by the server before directives from this module compares
against the requested URL-path.

Redirect Directive

The Redirect directive maps an old URL into a new one by asking
the client to refetch the resource at the new location.

The old URL-path is a case-sensitive (%-decoded) path
beginning with a slash. A relative path is not allowed.

The new URL may be either an absolute URL beginning
with a scheme and hostname, or a URL-path beginning with a slash.
In this latter case the scheme and hostname of the current server will
be added.

Then any request beginning with URL-path will return a
redirect request to the client at the location of the target
URL. Additional path information beyond the matched
URL-path will be appended to the target URL.

# Redirect to a URL on a different host
Redirect "/service" "http://foo2.example.com/service"

# Redirect to a URL on the same host
Redirect "/one" "/two"

Note

Redirect directives take precedence over Alias and ScriptAlias
directives, irrespective of their ordering in the configuration
file. Redirect directives inside a Location take
precedence over Redirect and Alias directives with an URL-path.

If no status argument is given, the redirect will
be «temporary» (HTTP status 302). This indicates to the client
that the resource has moved temporarily. The status
argument can be used to return other HTTP status codes:

permanent

Returns a permanent redirect status (301) indicating that
the resource has moved permanently.

temp

Returns a temporary redirect status (302). This is the
default.

seeother

Returns a «See Other» status (303) indicating that the
resource has been replaced.

gone

Returns a «Gone» status (410) indicating that the
resource has been permanently removed. When this status is
used the URL argument should be omitted.

Other status codes can be returned by giving the numeric
status code as the value of status. If the status is
between 300 and 399, the URL argument must be present.
If the status is not between 300 and 399, the
URL argument must be omitted. The status must be a valid
HTTP status code, known to the Apache HTTP Server (see the function
send_error_response in http_protocol.c).

Redirect permanent "/one" "http://example.com/two"
Redirect 303 "/three" "http://example.com/other"

If the Redirect directive is used within a
<Location>
or <LocationMatch>
section with the URL-path omitted, then the URL parameter
will be interpreted using expression syntax.
This syntax is available in Apache 2.4.19 and later.

<Location "/one">
    Redirect permanent "http://example.com/two"
</Location>
<Location "/three">
    Redirect 303 "http://example.com/other"
</Location>
<LocationMatch "/error/(?<NUMBER>[0-9]+)">
    Redirect permanent "http://example.com/errors/%{env:MATCH_NUMBER}.html"
</LocationMatch>

RedirectMatch Directive

This directive is equivalent to Redirect, but makes use of
regular expressions,
instead of simple prefix matching. The
supplied regular expression is matched against the URL-path, and
if it matches, the server will substitute any parenthesized
matches into the given string and use it as a filename. For
example, to redirect all GIF files to like-named JPEG files on
another server, one might use:

RedirectMatch "(.*)\.gif$" "http://other.example.com$1.jpg"

The considerations related to the difference between
Alias and
AliasMatch
also apply to the difference between
Redirect and
RedirectMatch.
See AliasMatch for
details.

RedirectPermanent Directive

This directive makes the client know that the Redirect is
permanent (status 301). Exactly equivalent to Redirect
permanent.

RedirectTemp Directive

This directive makes the client know that the Redirect is
only temporary (status 302). Exactly equivalent to
Redirect temp.

ScriptAlias Directive

The ScriptAlias directive has the same
behavior as the Alias
directive, except that in addition it marks the target directory
as containing CGI scripts that will be processed by mod_cgi‘s cgi-script handler. URLs with a case-sensitive
(%-decoded) path beginning with URL-path will be mapped
to scripts beginning with the second argument, which is a full
pathname in the local filesystem.

ScriptAlias "/cgi-bin/" "/web/cgi-bin/"

A request for http://example.com/cgi-bin/foo would cause the
server to run the script /web/cgi-bin/foo. This configuration
is essentially equivalent to:

Alias "/cgi-bin/" "/web/cgi-bin/"
<Location "/cgi-bin">
    SetHandler cgi-script
    Options +ExecCGI
</Location>

ScriptAlias can also be used in conjunction with
a script or handler you have. For example:

ScriptAlias "/cgi-bin/" "/web/cgi-handler.pl"

In this scenario all files requested in /cgi-bin/ will be
handled by the file you have configured, this allows you to use your own custom
handler. You may want to use this as a wrapper for CGI so that you can add
content, or some other bespoke action.

It is safer to avoid placing CGI scripts under the
DocumentRoot in order to
avoid accidentally revealing their source code if the
configuration is ever changed. The
ScriptAlias makes this easy by mapping a
URL and designating CGI scripts at the same time. If you do
choose to place your CGI scripts in a directory already
accessible from the web, do not use
ScriptAlias. Instead, use <Directory>, SetHandler, and Options as in:

<Directory "/usr/local/apache2/htdocs/cgi-bin">
    SetHandler cgi-script
    Options ExecCGI
</Directory>

This is necessary since multiple URL-paths can map
to the same filesystem location, potentially bypassing the
ScriptAlias and revealing the source code
of the CGI scripts if they are not restricted by a
Directory section.

If the ScriptAlias directive is used within
a <Location>
or <LocationMatch>
section with the URL-path omitted, then the URL parameter will be
interpreted using expression syntax.
This syntax is available in Apache 2.4.19 and later.

<Location "/cgi-bin">
    ScriptAlias "/web/cgi-bin/"
</Location>
<LocationMatch "/cgi-bin/errors/(?<NUMBER>[0-9]+)">
    ScriptAlias "/web/cgi-bin/errors/%{env:MATCH_NUMBER}.cgi"
</LocationMatch>

See also

ScriptAliasMatch Directive

This directive is equivalent to ScriptAlias, but makes use of
regular expressions,
instead of simple prefix matching. The
supplied regular expression is matched against the URL-path,
and if it matches, the server will substitute any parenthesized
matches into the given string and use it as a filename. For
example, to activate the standard /cgi-bin, one
might use:

ScriptAliasMatch "^/cgi-bin(.*)" "/usr/local/apache/cgi-bin$1"

As for AliasMatch, the full range of regular
expression power is available.
For example, it is possible to construct an alias with case-insensitive
matching of the URL-path:

ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/usr/local/apache/cgi-bin$1"

The considerations related to the difference between
Alias and
AliasMatch
also apply to the difference between
ScriptAlias and
ScriptAliasMatch.
See AliasMatch for
details.

Apache Core Features

AcceptFilter Directive

This directive enables operating system specific optimizations for a
listening socket by the Protocol type.
The basic premise is for the kernel to not send a socket to the server
process until either data is received or an entire HTTP Request is buffered.
Only
FreeBSD’s Accept Filters, Linux’s more primitive
TCP_DEFER_ACCEPT, and Windows’ optimized AcceptEx()
are currently supported.

Using none for an argument will disable any accept filters
for that protocol. This is useful for protocols that require a server
send data first, such as ftp: or nntp:

AcceptFilter nntp none

The default protocol names are https for port 443
and http for all other ports. To specify that another
protocol is being used with a listening port, add the protocol
argument to the Listen
directive.

The default values on FreeBSD are:

AcceptFilter http httpready
AcceptFilter https dataready

The default values on Linux are:

AcceptFilter http data
AcceptFilter https data

The default values on Windows are:

AcceptFilter http connect
AcceptFilter https connect

Window’s mpm_winnt interprets the AcceptFilter to toggle the AcceptEx()
API, and does not support http protocol buffering. connect
will use the AcceptEx() API, also retrieve the network endpoint
addresses, but like none the connect option
does not wait for the initial data transmission.

The data AcceptFilter (Windows)

For versions 2.4.23 and prior, the Windows data accept
filter waited until data had been transmitted and the initial data
buffer and network endpoint addresses had been retrieved from the
single AcceptEx() invocation. This implementation was subject to a
denial of service attack and has been disabled.

See also

AcceptPathInfo Directive

For example, assume the location /test/ points to
a directory that contains only the single file
here.html. Then requests for
/test/here.html/more and
/test/nothere.html/more both collect
/more as PATH_INFO.

The three possible arguments for the
AcceptPathInfo directive are:

Off

A request will only be accepted if it
maps to a literal path that exists. Therefore a request with
trailing pathname information after the true filename such as
/test/here.html/more in the above example will return
a 404 NOT FOUND error.

On

A request will be accepted if a
leading path component maps to a file that exists. The above
example /test/here.html/more will be accepted if
/test/here.html maps to a valid file.

Default

The treatment of requests with
trailing pathname information is determined by the handler responsible for the request.
The core handler for normal files defaults to rejecting
PATH_INFO requests. Handlers that serve scripts, such as cgi-script and isapi-handler, generally accept
PATH_INFO by default.

<Files "mypaths.shtml">
  Options +Includes
  SetOutputFilter INCLUDES
  AcceptPathInfo On
</Files>

AccessFileName Directive

While processing a request, the server looks for
the first existing configuration file from this list of names in
every directory of the path to the document, if distributed
configuration files are enabled for that
directory. For example:

AccessFileName .acl

Before returning the document
/usr/local/web/index.html, the server will read
/.acl, /usr/.acl,
/usr/local/.acl and /usr/local/web/.acl
for directives unless they have been disabled with:

<Directory "/">
    AllowOverride None
</Directory>

See also

AddDefaultCharset Directive

AddDefaultCharset utf-8

See also

AllowEncodedSlashes Directive

The AllowEncodedSlashes directive allows URLs
which contain encoded path separators (%2F for /
and additionally %5C for \ on accordant systems)
to be used in the path info.

With the default value, Off, such URLs are refused
with a 404 (Not found) error.

With the value On, such URLs are accepted, and encoded
slashes are decoded like all other encoded characters.

With the value NoDecode, such URLs are accepted, but
encoded slashes are not decoded but left in their encoded state.

Turning AllowEncodedSlashes On is
mostly useful when used in conjunction with PATH_INFO.

Note

If encoded slashes are needed in path info, use of NoDecode is
strongly recommended as a security measure. Allowing slashes
to be decoded could potentially allow unsafe paths.

See also

AllowOverride Directive

When the server finds an .htaccess file (as
specified by AccessFileName),
it needs to know which directives declared in that file can override
earlier configuration directives.

Only available in <Directory> sections

AllowOverride is valid only in
<Directory>
sections specified without regular expressions, not in <Location>, <DirectoryMatch> or
<Files> sections.

When this directive is set to None and AllowOverrideList is set to
None, .htaccess files are
completely ignored. In this case, the server will not even attempt
to read .htaccess files in the filesystem.

When this directive is set to All, then any
directive which has the .htaccess Context is allowed in
.htaccess files.

AuthConfig

Allow use of the authorization directives (AuthDBMGroupFile,
AuthDBMUserFile,
AuthGroupFile,
AuthName,
AuthType, AuthUserFile, Require, etc.).

FileInfo

Allow use of the directives controlling document types
(ErrorDocument,
ForceType,
LanguagePriority,
SetHandler,
SetInputFilter,
SetOutputFilter, and
mod_mime Add* and Remove* directives),
document meta data (Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName),
mod_rewrite directives (RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule),
mod_alias directives (Redirect, RedirectTemp, RedirectPermanent, RedirectMatch), and
Action from
mod_actions.

Indexes

Allow use of the directives controlling directory indexing
(AddDescription,
AddIcon, AddIconByEncoding,
AddIconByType,
DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName,
etc.).

Limit

Allow use of the directives controlling host access (Allow, Deny and Order).

Nonfatal=[Override|Unknown|All]

Allow use of AllowOverride option to treat syntax errors in
.htaccess as nonfatal. Instead of causing an Internal Server
Error, disallowed or unrecognised directives will be ignored
and a warning logged:

• Nonfatal=Override treats directives
  forbidden by AllowOverride as nonfatal.
• Nonfatal=Unknown treats unknown directives
  as nonfatal. This covers typos and directives implemented
  by a module that’s not present.
• Nonfatal=All treats both the above as nonfatal.

Note that a syntax error in a valid directive will still cause
an internal server error.

Security

Options[=Option,…]

Allow use of the directives controlling specific directory
features (Options and
XBitHack).
An equal sign may be given followed by a comma-separated list, without
spaces, of options that may be set using the Options command.

Implicit disabling of Options

Even though the list of options that may be used in .htaccess files
can be limited with this directive, as long as any Options directive is allowed any
other inherited option can be disabled by using the non-relative
syntax. In other words, this mechanism cannot force a specific option
to remain set while allowing any others to be set.

AllowOverride AuthConfig Indexes

In the example above, all directives that are neither in the group
AuthConfig nor Indexes cause an internal
server error.

See also

AllowOverrideList Directive

When the server finds an .htaccess file (as
specified by AccessFileName),
it needs to know which directives declared in that file can override
earlier configuration directives.

Only available in <Directory> sections

AllowOverrideList is valid only in
<Directory>
sections specified without regular expressions, not in <Location>, <DirectoryMatch> or
<Files> sections.

When this directive is set to None and AllowOverride is set to None,
then .htaccess files are completely
ignored. In this case, the server will not even attempt to read
.htaccess files in the filesystem.

AllowOverride None
AllowOverrideList Redirect RedirectMatch

In the example above, only the Redirect and
RedirectMatch directives are allowed. All others will
cause an internal server error.

AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName

In the example above, AllowOverride
grants permission to the AuthConfig
directive grouping and AllowOverrideList grants
permission to only two directives from the FileInfo directive
grouping. All others will cause an internal server error.

See also

CGIMapExtension Directive

This directive is used to control how Apache httpd finds the
interpreter used to run CGI scripts. For example, setting
CGIMapExtension sys:\foo.nlm .foo will
cause all CGI script files with a .foo extension to
be passed to the FOO interpreter.

CGIPassAuth Directive

This directive can be used instead of the compile-time setting
SECURITY_HOLE_PASS_AUTHORIZATION which has been available
in previous versions of Apache HTTP Server.

The setting is respected by any modules which use
ap_add_common_vars(), such as mod_cgi,
mod_cgid, mod_proxy_fcgi,
mod_proxy_scgi, and so on. Notably, it affects
modules which don’t handle the request in the usual sense but
still use this API; examples of this are mod_include
and mod_ext_filter. Third-party modules that don’t
use ap_add_common_vars() may choose to respect the setting
as well.

CGIVar Directive

This directive controls how some CGI variables are set.

original-uri (default)

The value is taken from the original request line, and will not
reflect internal redirects or subrequests which change the requested
resource.

current-uri

The value reflects the resource currently being processed,
which may be different than the original request from the client
due to internal redirects or subrequests.

ContentDigest Directive

This directive enables the generation of
Content-MD5 headers as defined in RFC1864
respectively RFC2616.

MD5 is an algorithm for computing a «message digest»
(sometimes called «fingerprint») of arbitrary-length data, with
a high degree of confidence that any alterations in the data
will be reflected in alterations in the message digest.

The Content-MD5 header provides an end-to-end
message integrity check (MIC) of the entity-body. A proxy or
client may check this header for detecting accidental
modification of the entity-body in transit. Example header:

Note that this can cause performance problems on your server
since the message digest is computed on every request (the
values are not cached).

Content-MD5 is only sent for documents served
by the core, and not by any module. For example,
SSI documents, output from CGI scripts, and byte range responses
do not have this header.

DefaultRuntimeDir Directive

DefaultRuntimeDir scratch/

The default location of DefaultRuntimeDir may be
modified by changing the DEFAULT_REL_RUNTIMEDIR #define
at build time.

Note: ServerRoot should be specified before this
directive is used. Otherwise, the default value of ServerRoot
would be used to set the base directory.

See also

• the
  security tips for information on how to properly set
  permissions on the ServerRoot

DefaultType Directive

This directive has been disabled. For backwards compatibility
of configuration files, it may be specified with the value
none, meaning no default media type. For example:

DefaultType None

DefaultType None is only available in
httpd-2.2.7 and later.

Use the mime.types configuration file and the
AddType to configure media
type assignments via file extensions, or the
ForceType directive to configure
the media type for specific resources. Otherwise, the server will
send the response without a Content-Type header field and the
recipient may attempt to guess the media type.

Define Directive

In its one parameter form, Define is
equivalent to passing the -D argument to
httpd. It can be used to toggle the use of
<IfDefine>
sections without needing to alter -D arguments in any
startup scripts.

<IfDefine TEST>
  Define servername test.example.com
</IfDefine>
<IfDefine !TEST>
  Define servername www.example.com
  Define SSL
</IfDefine>

DocumentRoot "/var/www/${servername}/htdocs"

Variable names may not contain colon «:» characters, to avoid clashes
with RewriteMap‘s syntax.

Virtual Host scope and pitfalls

While this directive is supported in virtual host context,
the changes it makes are visible to any later configuration
directives, beyond any enclosing virtual host.

See also

Directive

<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks
</Directory>

Directory paths may be quoted, if you like, however, it
must be quoted if the path contains spaces. This is because a
space would otherwise indicate the end of an argument.

Be careful with the directory-path arguments:
They have to literally match the filesystem path which Apache httpd uses
to access the files. Directives applied to a particular
<Directory> will not apply to files accessed from
that same directory via a different path, such as via different symbolic
links.

Regular
expressions can also be used, with the addition of the
~ character. For example:

<Directory ~ "^/www/[0-9]{3}">

</Directory>

would match directories in /www/ that consisted of
three numbers.

If multiple (non-regular expression) <Directory> sections
match the directory (or one of its parents) containing a document,
then the directives are applied in the order of shortest match
first, interspersed with the directives from the .htaccess files. For example,
with

<Directory "/">
  AllowOverride None
</Directory>

<Directory "/home">
  AllowOverride FileInfo
</Directory>

for access to the document /home/web/dir/doc.html
the steps are:

• Apply directive AllowOverride None
  (disabling .htaccess files).
• Apply directive AllowOverride FileInfo (for
  directory /home).
• Apply any FileInfo directives in
  /home/.htaccess, /home/web/.htaccess and
  /home/web/dir/.htaccess in that order.

Regular expressions are not considered until after all of the
normal sections have been applied. Then all of the regular
expressions are tested in the order they appeared in the
configuration file. For example, with

<Directory ~ "abc$">
  # ... directives here ...
</Directory>

the regular expression section won’t be considered until after
all normal <Directory>s and
.htaccess files have been applied. Then the regular
expression will match on /home/abc/public_html/abc and
the corresponding <Directory> will
be applied.

<Directory "/">
  Require all denied
</Directory>

The directory sections occur in the httpd.conf file.
<Directory> directives
cannot nest, and cannot appear in a <Limit> or <LimitExcept> section.

See also

Directive

<DirectoryMatch> and
</DirectoryMatch> are used to enclose a group
of directives which will apply only to the named directory (and the files within),
the same as <Directory>.
However, it takes as an argument a
regular expression. For example:

<DirectoryMatch "^/www/(.+/)?[0-9]{3}/">
    # ...
</DirectoryMatch>

matches directories in /www/ (or any subdirectory thereof)
that consist of three numbers.

Compatibility

Prior to 2.3.9, this directive implicitly applied to sub-directories
(like <Directory>) and
could not match the end of line symbol ($). In 2.3.9 and later,
only directories that match the expression are affected by the enclosed
directives.

Trailing Slash

This directive applies to requests for directories that may or may
not end in a trailing slash, so expressions that are anchored to the
end of line ($) must be written with care.

From 2.4.8 onwards, named groups and backreferences are captured and
written to the environment with the corresponding name prefixed with
«MATCH_» and in upper case. This allows elements of paths to be referenced
from within expressions and modules like
mod_rewrite. In order to prevent confusion, numbered
(unnamed) backreferences are ignored. Use named groups instead.

<DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)">
    Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
</DirectoryMatch>

See also

• <Directory> for
  a description of how regular expressions are mixed in with normal
  <Directory>s
• How <Directory>, <Location> and
  <Files> sections work for an explanation of how these different
  sections are combined when a request is received

DocumentRoot Directive

This directive sets the directory from which httpd
will serve files. Unless matched by a directive like Alias, the server appends the
path from the requested URL to the document root to make the
path to the document. Example:

DocumentRoot "/usr/web"

then an access to
http://my.example.com/index.html refers to
/usr/web/index.html. If the directory-path is
not absolute then it is assumed to be relative to the ServerRoot.

The DocumentRoot should be specified without
a trailing slash.

See also

Directive

The <Else> applies the enclosed
directives if and only if the most recent
<If> or
<ElseIf> section
in the same scope has not been applied.
For example: In

<If "-z req('Host')">
  # ...
</If>
<Else>
  # ...
</Else>

The <If> would match HTTP/1.0
requests without a Host: header and the
<Else> would match requests
with a Host: header.

See also

• <If>
• <ElseIf>
• How <Directory>, <Location>,
  <Files> sections work for an explanation of how these
  different sections are combined when a request is received.
  <If>,
  <ElseIf>, and
  <Else> are applied last.

Directive

The <ElseIf> applies the enclosed
directives if and only if both the given condition evaluates to true and
the most recent <If> or
<ElseIf> section in the same scope has
not been applied. For example: In

<If "-R '10.1.0.0/16'">
  #...
</If>
<ElseIf "-R '10.0.0.0/8'">
  #...
</ElseIf>
<Else>
  #...
</Else>

The <ElseIf> would match if
the remote address of a request belongs to the subnet 10.0.0.0/8 but
not to the subnet 10.1.0.0/16.

See also

• Expressions in Apache HTTP Server,
  for a complete reference and more examples.
• <If>
• <Else>
• How <Directory>, <Location>,
  <Files> sections work for an explanation of how these
  different sections are combined when a request is received.
  <If>,
  <ElseIf>, and
  <Else> are applied last.

EnableMMAP Directive

This directive controls whether the httpd may use
memory-mapping if it needs to read the contents of a file during
delivery. By default, when the handling of a request requires
access to the data within a file — for example, when delivering a
server-parsed file using mod_include — Apache httpd
memory-maps the file if the OS supports it.

This memory-mapping sometimes yields a performance improvement.
But in some environments, it is better to disable the memory-mapping
to prevent operational problems:

• On some multiprocessor systems, memory-mapping can reduce the
  performance of the httpd.
• Deleting or truncating a file while httpd
  has it memory-mapped can cause httpd to
  crash with a segmentation fault.

For server configurations that are vulnerable to these problems,
you should disable memory-mapping of delivered files by specifying:

EnableMMAP Off

For NFS mounted files, this feature may be disabled explicitly for
the offending files by specifying:

<Directory "/path-to-nfs-files">
  EnableMMAP Off
</Directory>

EnableSendfile Directive

This directive controls whether httpd may use the
sendfile support from the kernel to transmit file contents to the client.
By default, when the handling of a request requires no access
to the data within a file — for example, when delivering a
static file — Apache httpd uses sendfile to deliver the file contents
without ever reading the file if the OS supports it.

This sendfile mechanism avoids separate read and send operations,
and buffer allocations. But on some platforms or within some
filesystems, it is better to disable this feature to avoid
operational problems:

• Some platforms may have broken sendfile support that the build
  system did not detect, especially if the binaries were built on
  another box and moved to such a machine with broken sendfile
  support.
• On Linux the use of sendfile triggers TCP-checksum
  offloading bugs on certain networking cards when using IPv6.
• On Linux on Itanium, sendfile may be unable to handle
  files over 2GB in size.
• With a network-mounted DocumentRoot (e.g., NFS, SMB, CIFS, FUSE),
  the kernel may be unable to serve the network file through
  its own cache.

For server configurations that are not vulnerable to these problems,
you may enable this feature by specifying:

EnableSendfile On

For network mounted files, this feature may be disabled explicitly
for the offending files by specifying:

<Directory "/path-to-nfs-files">
  EnableSendfile Off
</Directory>

Please note that the per-directory and .htaccess configuration
of EnableSendfile is not supported by
mod_cache_disk.
Only global definition of EnableSendfile
is taken into account by the module.

Error Directive

If an error can be detected within the configuration, this
directive can be used to generate a custom error message, and halt
configuration parsing. The typical use is for reporting required
modules which are missing from the configuration.

# Example
# ensure that mod_include is loaded
<IfModule !include_module>
  Error "mod_include is required by mod_foo.  Load it with LoadModule."
</IfModule>

# ensure that exactly one of SSL,NOSSL is defined
<IfDefine SSL>
<IfDefine NOSSL>
  Error "Both SSL and NOSSL are defined.  Define only one of them."
</IfDefine>
</IfDefine>
<IfDefine !SSL>
<IfDefine !NOSSL>
  Error "Either SSL or NOSSL must be defined."
</IfDefine>
</IfDefine>

Note

This directive is evaluated and configuration processing time,
not at runtime. As a result, this directive cannot be conditonally
evaluated by enclosing it in an <If> section.

ErrorDocument Directive

In the event of a problem or error, Apache httpd can be configured
to do one of four things,

1. output a simple hardcoded error message
2. output a customized message
3. internally redirect to a local URL-path to handle the
   problem/error
4. redirect to an external URL to handle the
   problem/error

From 2.4.13, expression syntax can be
used inside the directive to produce dynamic strings and URLs.

URLs can begin with a slash (/) for local web-paths (relative
to the DocumentRoot), or be a
full URL which the client can resolve. Alternatively, a message
can be provided to be displayed by the browser. Note that deciding
whether the parameter is an URL, a path or a message is performed
before any expression is parsed. Examples:

ErrorDocument 500 http://example.com/cgi-bin/server-error.cgi
ErrorDocument 404 /errors/bad_urls.php
ErrorDocument 401 /subscription_info.html
ErrorDocument 403 "Sorry, can't allow you access today"
ErrorDocument 403 Forbidden!
ErrorDocument 403 /errors/forbidden.py?referrer=%{escape:%{HTTP_REFERER}}

Additionally, the special value default can be used
to specify Apache httpd’s simple hardcoded message. While not required
under normal circumstances, default will restore
Apache httpd’s simple hardcoded message for configurations that would
otherwise inherit an existing ErrorDocument.

ErrorDocument 404 /cgi-bin/bad_urls.pl

<Directory "/web/docs">
  ErrorDocument 404 default
</Directory>

Microsoft Internet Explorer (MSIE) will by default ignore
server-generated error messages when they are «too small» and substitute
its own «friendly» error messages. The size threshold varies depending on
the type of error, but in general, if you make your error document
greater than 512 bytes, then MSIE will show the server-generated
error rather than masking it. More information is available in
Microsoft Knowledge Base article Q294807.

Although most error messages can be overridden, there are certain
circumstances where the internal messages are used regardless of the
setting of ErrorDocument. In
particular, if a malformed request is detected, normal request processing
will be immediately halted and the internal error message returned.
This is necessary to guard against security problems caused by
bad requests.

If you are using mod_proxy, you may wish to enable
ProxyErrorOverride so that you can provide
custom error messages on behalf of your Origin servers. If you don’t enable ProxyErrorOverride,
Apache httpd will not generate custom error documents for proxied content.

See also

ErrorLog Directive

The ErrorLog directive sets the name of
the file to which the server will log any errors it encounters. If
the file-path is not absolute then it is assumed to be
relative to the ServerRoot.

ErrorLog "/var/log/httpd/error_log"

ErrorLog "|/usr/local/bin/httpd_errors"

See the notes on piped logs for
more information.

Using syslog instead of a filename enables logging
via syslogd(8) if the system supports it. The default is to use
syslog facility local7, but you can override this by
using the syslog:facility syntax where
facility can be one of the names usually documented in
syslog(1). The facility is effectively global, and if it is changed
in individual virtual hosts, the final facility specified affects the
entire server. Same rules apply for the syslog tag, which by default
uses the Apache binary name, httpd in most cases. You can
also override this by using the syslog::tag
syntax.

ErrorLog syslog:user
ErrorLog syslog:user:httpd.srv1
ErrorLog syslog::httpd.srv2

Note

When entering a file path on non-Unix platforms, care should be taken
to make sure that only forward slashes are used even though the platform
may allow the use of back slashes. In general it is a good idea to always
use forward slashes throughout the configuration files.

See also

ErrorLogFormat Directive

ErrorLogFormat allows to specify what
supplementary information is logged in the error log in addition to the
actual log message.

#Simple example
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"

Specifying connection or request as first
parameter allows to specify additional formats, causing additional
information to be logged when the first message is logged for a specific
connection or request, respectively. This additional information is only
logged once per connection/request. If a connection or request is processed
without causing any log message, the additional information is not logged
either.

The above behavior can be changed by adding modifiers to the format
string item. A - (minus) modifier causes a minus to be logged if the
respective item does not produce any output. In once-per-connection/request
formats, it is also possible to use the + (plus) modifier. If an
item with the plus modifier does not produce any output, the whole line is
omitted.

A number as modifier can be used to assign a log severity level to a
format item. The item will only be logged if the severity of the log
message is not higher than the specified log severity level. The number can
range from 1 (alert) over 4 (warn) and 7 (debug) to 15 (trace8).

Some format string items accept additional parameters in braces.

The log ID format %L produces a unique id for a connection
or request. This can be used to correlate which log lines belong to the
same connection or request, which request happens on which connection.
A %L format string is also available in
mod_log_config to allow to correlate access log entries
with error log lines. If mod_unique_id is loaded, its
unique id will be used as log ID for requests.

#Example (default format for threaded MPMs)
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

This would result in error messages such as:

Notice that, as discussed above, some fields are omitted
entirely because they are not defined.

#Example (similar to the 2.2.x format)
ErrorLogFormat "[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

#Advanced example with request/connection log IDs
ErrorLogFormat "[%{uc}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M"
ErrorLogFormat request "[%{uc}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T"
ErrorLogFormat request "[%{uc}t] [R:%L] UA:'%+{User-Agent}i'"
ErrorLogFormat request "[%{uc}t] [R:%L] Referer:'%+{Referer}i'"
ErrorLogFormat connection "[%{uc}t] [C:%{c}L] remote\ %a local\ %A"

See also

ExtendedStatus Directive

This option tracks additional data per worker about the
currently executing request and creates a utilization summary.
You can see these variables during runtime by configuring
mod_status. Note that other modules may
rely on this scoreboard.

This setting applies to the entire server and cannot be
enabled or disabled on a virtualhost-by-virtualhost basis.
The collection of extended status information can slow down
the server. Also note that this setting cannot be changed
during a graceful restart.

Note that loading mod_status will change
the default behavior to ExtendedStatus On, while other
third party modules may do the same. Such modules rely on
collecting detailed information about the state of all workers.
The default is changed by mod_status beginning
with version 2.3.6. The previous default was always Off.

FileETag Directive

The FileETag directive configures the file
attributes that are used to create the ETag (entity
tag) response header field when the document is based on a static file.
(The ETag value is used in cache management to save
network bandwidth.) The
FileETag directive allows you to choose
which of these — if any — should be used. The recognized keywords are:

INode

The file’s i-node number will be included in the calculation

MTime

The date and time the file was last modified will be included

Size

The number of bytes in the file will be included

All

All available fields will be used. This is equivalent to:

FileETag INode MTime Size

Digest

If a document is file-based, the ETag field will be
calculated by taking the digest over the file.

None

If a document is file-based, no ETag field will be
included in the response

The INode, MTime, Size and
Digest keywords may be prefixed with either +
or -, which allow changes to be made to the default setting
inherited from a broader scope. Any keyword appearing without such a prefix
immediately and completely cancels the inherited setting.

If a directory’s configuration includes
FileETag INode MTime Size, and a
subdirectory’s includes FileETag -INode,
the setting for that subdirectory (which will be inherited by
any sub-subdirectories that don’t override it) will be equivalent to
FileETag MTime Size.

Server Side Includes

An ETag is not generated for responses parsed by mod_include
since the response entity can change without a change of the INode, MTime,
Size or Digest of the static file with embedded SSI directives.

Directive

The <Files> directive
limits the scope of the enclosed directives by filename. It is comparable
to the <Directory>
and <Location>
directives. It should be matched with a </Files>
directive. The directives given within this section will be applied to
any object with a basename (last component of filename) matching the
specified filename. <Files>
sections are processed in the order they appear in the
configuration file, after the <Directory> sections and
.htaccess files are read, but before <Location> sections. Note
that <Files> can be nested
inside <Directory> sections to restrict the
portion of the filesystem they apply to.

The filename argument should include a filename, or
a wild-card string, where ? matches any single character,
and * matches any sequences of characters.

<Files "cat.html">
    # Insert stuff that applies to cat.html here
</Files>

<Files "?at.*">
    # This would apply to cat.html, bat.html, hat.php and so on.
</Files>

Regular expressions
can also be used, with the addition of the
~ character. For example:

<Files ~ "\.(gif|jpe?g|png)$">
    #...
</Files>

would match most common Internet graphics formats. <FilesMatch> is preferred,
however.

See also