Apache Server Frequently Asked Questions

$Revision: $ ($Date: 1997/08/03 08:47:57 $)

The latest version of this FAQ is always available from the main Apache web site, at <http://www.apache.org/docs/misc/FAQ>.

If you are reading a text-only version of this FAQ, you may find numbers enclosed in brackets (such as "[12]"). These refer to the list of reference URLs to be found at the end of the document. These references do not appear, and are not needed, for the hypertext version.

The Questions

The Answers


  1. What is Apache?

    Apache was originally based on code and ideas found in the most popular HTTP server of the time.. NCSA httpd 1.3 (early 1995). It has since evolved into a far superior system which can rival (and probably surpass) almost any other UNIX based HTTP server in terms of functionality, efficiency and speed.

    Since it began, it has been completely rewritten, and includes many new features. Apache is, as of January 1997, the most popular WWW server on the Internet, according to the Netcraft Survey.

  2. Why was Apache created?

    To address the concerns of a group of WWW providers and part-time httpd programmers that httpd didn't behave as they wanted it to behave. Apache is an entirely volunteer effort, completely funded by its members, not by commercial sales.

  3. How does The Apache Group's work relate to other server efforts, such as NCSA's?

    We, of course, owe a great debt to NCSA and their programmers for making the server Apache was based on. We now, however, have our own server, and our project is mostly our own. The Apache Project is an entirely independent venture.

  4. Why the name "Apache"?

    A cute name which stuck. Apache is "A PAtCHy server". It was based on some existing code and a series of "patch files".

  5. OK, so how does Apache compare to other servers?

    For an independent assessment, see Web Compare's comparison chart.

    Apache has been shown to be substantially faster than many other free servers. Although certain commercial servers have claimed to surpass Apache's speed (it has not been demonstrated that any of these "benchmarks" are a good way of measuring WWW server speed at any rate), we feel that it is better to have a mostly-fast free server than an extremely-fast server that costs thousands of dollars. Apache is run on sites that get millions of hits per day, and they have experienced no performance difficulties.

  6. How thoroughly tested is Apache?

    Apache is run on over 500,000 Internet servers (as of July 1997). It has been tested thoroughly by both developers and users. The Apache Group maintains rigorous standards before releasing new versions of their server, and our server runs without a hitch on over one third of all WWW servers available on the Internet. When bugs do show up, we release patches and new versions as soon as they are available.

    The Apache project's web site includes a page with a partial list of sites running Apache.

  7. What are the future plans for Apache?

  8. Whom do I contact for support?

    There is no official support for Apache. None of the developers want to be swamped by a flood of trivial questions that can be resolved elsewhere. Bug reports and suggestions should be sent via the bug report page. Other questions should be directed to the comp.infosystems.www.servers.unix newsgroup, where some of the Apache team lurk, in the company of many other httpd gurus who should be able to help.

    Commercial support for Apache is, however, available from a number of third parties.

  9. Is there any more information available on Apache?

    Indeed there is. See the main Apache web site. There is also a regular electronic publication called Apache Week available. Links to relevant Apache Week articles are included below where appropriate.

  10. Where can I get Apache?

    You can find out how to download the source for Apache at the project's main web page.

Technical Questions

  1. "Why can't I ...? Why won't ... work?" What to do in case of problems

    If you are having trouble with your Apache server software, you should take the following steps:

    1. Check the errorlog!

      Apache tries to be helpful when it encounters a problem. In many cases, it will provide some details by writing one or messages to the server error log. Sometimes this is enough for you to diagnose & fix the problem yourself (such as file permissions or the like). The default location of the error log is /usr/local/etc/httpd/logs/error_log, but see the ErrorLog directive in your config files for the location on your server.

    2. Check the FAQ!

      The latest version of the Apache Frequently-Asked Questions list can always be found at the main Apache web site.

    3. Check the Apache bug database

      Most problems that get reported to The Apache Group are recorded in the bug database. Please check the existing reports, open and closed, before adding one. If you find that your issue has already been reported, please don't add a "me, too" report. If the original report isn't closed yet, we suggest that you check it periodically. You might also consider contacting the original submitter, because there may be an email exchange going on about the issue that isn't getting recorded in the database.

    4. Ask in the comp.infosystems.www.servers.unix USENET newsgroup

      A lot of common problems never make it to the bug database because there's already high Q&A traffic about them in the comp.infosystems.www.servers.unix newsgroup. Many Apache users, and some of the developers, can be found roaming its virtual halls, so it is suggested that you seek wisdom there. The chances are good that you'll get a faster answer there than from the bug database, even if you don't see your question already posted.

    5. If all else fails, report the problem in the bug database

      If you've gone through those steps above that are appropriate and have obtained no relief, then please do let The Apache Group know about the problem by logging a bug report.

      If your problem involves the server crashing and generating a core dump, please include a backtrace (if possible). As an example,

      # cd ServerRoot
      # dbx httpd core
      (dbx) where

      (Substitute the appropriate locations for your ServerRoot and your httpd and core files. You may have to use gdb instead of dbx.)

  2. How compatible is Apache with my existing NCSA 1.3 setup?

    Apache attempts to offer all the features and configuration options of NCSA httpd 1.3, as well as many of the additional features found in NCSA httpd 1.4 and NCSA httpd 1.5.

    NCSA httpd appears to be moving toward adding experimental features which are not generally required at the moment. Some of the experiments will succeed while others will inevitably be dropped. The Apache philosophy is to add what's needed as and when it is needed.

    Friendly interaction between Apache and NCSA developers should ensure that fundamental feature enhancements stay consistent between the two servers for the foreseeable future.

  3. How do I enable CGI execution in directories other than the ScriptAlias?

    Apache recognizes all files in a directory named as a ScriptAlias as being eligible for execution rather than processing as normal documents. This applies regardless of the file name, so scripts in a ScriptAlias directory don't need to be named "*.cgi" or "*.pl" or whatever. In other words, all files in a ScriptAlias directory are scripts, as far as Apache is concerned.

    To persuade Apache to execute scripts in other locations, such as in directories where normal documents may also live, you must tell it how to recognize them - and also that it's okay to execute them. For this, you need to use something like the AddHandler directive.

    1. In an appropriate section of your server configuration files, add a line such as

      AddHandler cgi-script .cgi

      The server will then recognize that all files in that location (and its logical descendants) that end in ".cgi" are script files, not documents.

    2. Make sure that the directory location is covered by an Options declaration that includes the ExecCGI option.

    In some situations it can be not conform to your local policy to actually allow all files named "*.cgi" to be executable. Perhaps all you want is to enable a particular file in a normal directory to be executable. This can be alternatively accomplished via mod_rewrite and the following steps:

    1. Locally add to the corresponding .htaccess file a ruleset similar to this one:

      RewriteEngine on
      RewriteBase /~foo/bar/
      RewriteRule ^quux\.cgi$ - [T=application/x-httpd-cgi]

    2. Make sure that the directory location is covered by an Options declaration that includes the ExecCGI and FollowSymLinks option.

  4. What does it mean when my CGIs fail with "Premature end of script headers"?

    It means just what it says: the server was expecting a complete set of HTTP headers (one or more followed by a blank line), and didn't get them.

    The most common cause of this problem is the script dying before sending the complete set of headers, or possibly any at all, to the server. To see if this is the case, try running the script standalone from an interactive session, rather than as a script under the server. If you get error messages, this is almost certainly the cause of the "premature end of script headers" message.

    The second most common cause of this (aside from people not outputting the required headers at all) is a result of an interaction with Perl's output buffering. To make Perl flush its buffers after each output statement, insert the following statements around the print or write statements that send your HTTP headers:

     local ($oldbar) = $|;
     $cfh = select (STDOUT);
     $| = 1;
     # print your HTTP headers here
     $| = $oldbar;
     select ($cfh);

    This is generally only necessary when you are calling external programs from your script that send output to stdout, or if there will be a long delay between the time the headers are sent and the actual content starts being emitted. To maximize performance, you should turn buffer-flushing back off (with $| = 0 or the equivalent) after the statements that send the headers, as displayed above.

    If your script isn't written in Perl, do the equivalent thing for whatever language you are using (e.g., for C, call fflush() after writing the headers).

  5. How do I enable SSI (parsed HTML)?

    SSI (an acronym for Server-Side Include) directives allow static HTML documents to be enhanced at run-time (e.g., when delivered to a client by Apache). The format of SSI directives is covered in the mod_include manual; suffice it to say that Apache supports not only SSI but xSSI (eXtended SSI) directives.

    Processing a document at run-time is called parsing it; hence the term "parsed HTML" sometimes used for documents that contain SSI instructions. Parsing tends to be extremely resource-consumptive, and is not enabled by default. It can also interfere with the cachability of your documents, which can put a further load on your server. (see the next question for more information about this.)

    To enable SSI processing, you need to

    For additional information, see the Apache Week article on Using Server Side Includes.

  6. Why don't my parsed files get cached?

    Since the server is performing run-time processing of your SSI directives, which may change the content shipped to the client, it can't know at the time it starts parsing what the final size of the result will be, or whether the parsed result will always be the same. This means that it can't generate Content-Length or Last-Modified headers. Caches commonly work by comparing the Last-Modified of what's in the cache with that being delivered by the server. Since the server isn't sending that header for a parsed document, whatever's doing the caching can't tell whether the document has changed or not - and so fetches it again to be on the safe side.

    You can work around this in some cases by causing an Expires header to be generated. (See the mod_expires documentation for more details.) Another possibility is to use the XBitHack Full mechanism, which tells Apache to send (under certain circumstances detailed in the XBitHack directive description) a Last-Modified header based upon the last modification time of the file being parsed. Note that this may actually be lying to the client if the parsed file doesn't change but the SSI-inserted content does; if the included content changes often, this can result in stale copies being cached.

  7. How can I have my script output parsed?

    So you want to include SSI directives in the output from your CGI script, but can't figure out how to do it? The short answer is "you can't." This is potentially a security liability and, more importantly, it can not be cleanly implemented under the current server API. The best workaround is for your script itself to do what the SSIs would be doing. After all, it's generating the rest of the content.

    This is a feature The Apache Group hopes to add in the next major release after 1.2.

  8. Does or will Apache act as a Proxy server?

    Apache version 1.1 and above comes with a proxy module. If compiled in, this will make Apache act as a caching-proxy server.

  9. What are "multiviews"?

    "Multiviews" is the general name given to the Apache server's ability to provide language-specific document variants in response to a request. This is documented quite thoroughly in the content negotiation description page. In addition, Apache Week carried an article on this subject entitled "Content Negotiation Explained".

  10. Why can't I run more than <n> virtual hosts?

    You are probably running into resource limitations in your operating system. The most common limitation is the per-process limit on file descriptors, which is almost always the cause of problems seen when adding virtual hosts. Apache often does not give an intuitive error message because it is normally some library routine (such as gethostbyname()) which needs file descriptors and doesn't complain intelligibly when it can't get them.

    Each log file requires a file descriptor, which means that if you are using separate access and error logs for each virtual host, each virtual host needs two file descriptors. Each Listen directive also needs a file descriptor.

    Typical values for <n> that we've seen are in the neighborhood of 128 or 250. When the server bumps into the file descriptor limit, it may dump core with a SIGSEGV, it might just hang, or it may limp along and you'll see (possibly meaningful) errors in the error log. One common problem that occurs when you run into a file descriptor limit is that CGI scripts stop being executed properly.

    As to what you can do about this:

    1. Reduce the number of Listen directives. If there are no other servers running on the machine on the same port then you normally don't need any Listen directives at all. By default Apache listens to all addresses on port 80.
    2. Reduce the number of log files. You can use mod_log_config to log all requests to a single log file while including the name of the virtual host in the log file. You can then write a script to split the logfile into separate files later if necessary.
    3. Increase the number of file descriptors available to the server (see your system's documentation on the limit or ulimit commands). For some systems, information on how to do this is available in the performance hints page. There is a specific note for FreeBSD below.
    4. "Don't do that" - try to run with fewer virtual hosts
    5. Spread your operation across multiple server processes (using Listen for example, but see the first point) and/or ports.

    Since this is an operating-system limitation, there's not much else available in the way of solutions.

    As of 1.2.1 we have made attempts to work around various limitations involving running with many descriptors. More information is available.

  11. Can I increase FD_SETSIZE on FreeBSD?

    On versions of FreeBSD before 3.0, the FD_SETSIZE define defaults to 256. This means that you will have trouble usefully using more than 256 file descriptors in Apache. This can be increased, but doing so can be tricky. If you are using a version prior to 2.2, you need to recompile your kernel with a larger FD_SETSIZE. This can be done by adding a line such as:

    options FD_SETSIZE nnn

    To your kernel config file. Starting at version 2.2, this is no longer necessary.

    If you are using a version of 2.1-stable from after 1997/03/10 or 2.2 or 3.0-current from before 1997/06/28, there is a limit in the resolver library that prevents it from using more file descriptors than what FD_SETSIZE is set to when libc is compiled. To increase this, you have to recompile libc with a higher FD_SETSIZE.

    In FreeBSD 3.0, the default FD_SETSIZE has been increased to 1024 and the above limitation in the resolver library has been removed.

    After you deal with the appropriate changes above, you can increase the setting of FD_SETSIZE at Apache compilation time by adding "-DFD_SETSIZE=nnn" to the EXTRA_CFLAGS line in your Configuration file.

  12. Why do I keep getting "access denied" for form POST requests?

    The most common cause of this is a <Limit> section that only names the GET method. Look in your configuration files for something that resembles the following and would affect the location where the POST-handling script resides:

    <Limit GET>

    Change that to <Limit GET POST> and the problem will probably go away.

  13. Can I use my /etc/passwd file for Web page authentication?

    Yes, you can - but it's a very bad idea. Here are some of the reasons:

    If you still want to do this in light of the above disadvantages, the method is left as an exercise for the reader. It'll void your Apache warranty, though, and you'll lose all accumulated UNIX guru points.

  14. Why doesn't my ErrorDocument 401 work?

    You need to use it with a URL in the form "/foo/bar" and not one with a method and hostname such as "http://host/foo/bar". See the ErrorDocument documentation for details. This was incorrectly documented in the past.

  15. Why do I get "setgid: Invalid argument" at startup?

    Your Group directive (probably in conf/httpd.conf) needs to name a group that actually exists in the /etc/group file (or your system's equivalent).

  16. Why does Apache send a cookie on every response?

    Apache does not send automatically send a cookie on every response, unless you have re-compiled it with the mod_cookies module. This module was distributed with Apache prior to 1.2. This module may help track users, and uses cookies to do this. If you are not using the data generated by mod_cookies, do not compile it into Apache. Note that in 1.2 this module was renamed to the more correct name mod_usertrack, and cookies have to be specifically enabled with the CookieTracking directive.

  17. Why don't my cookies work, I even compiled in mod_cookies?

    Firstly, you do not need to compile in mod_cookies in order for your scripts to work (see the previous question for more about mod_cookies). Apache passes on your Set-Cookie header fine, with or without this module. If cookies do not work it will be because your script does not work properly or your browser does not use cookies or is not set-up to accept them.

  18. Why do my Java app[let]s give me plain text when I request an URL from an Apache server?

    As of version 1.2, Apache is an HTTP/1.1 (HyperText Transfer Protocol version 1.1) server. This fact is reflected in the protocol version that's included in the response headers sent to a client when processing a request. Unfortunately, low-level Web access classes included in the Java Development Kit (JDK) version 1.0.2 expect to see the version string "HTTP/1.0" and do not correctly interpret the "HTTP/1.1" value Apache is sending (this part of the response is a declaration of what the server can do rather than a declaration of the dialect of the response). The result is that the JDK methods do not correctly parse the headers, and include them with the document content by mistake.

    This is definitely a bug in the JDK 1.0.2 foundation classes from Sun, and it has been fixed in version 1.1. However, the classes in question are part of the virtual machine environment, which means they're part of the Web browser (if Java-enabled) or the Java environment on the client system - so even if you develop your classes with a recent JDK, the eventual users might encounter the problem. The classes involved are replaceable by vendors implementing the Java virtual machine environment, and so even those that are based upon the 1.0.2 version may not have this problem.

    In the meantime, a workaround is to tell Apache to "fake" an HTTP/1.0 response to requests that come from the JDK methods; this can be done by including a line such as the following in your server configuration files:

    BrowserMatch Java1.0 force-response-1.0
    BrowserMatch JDK/1.0 force-response-1.0

    More information about this issue can be found in the Java and HTTP/1.1 page at the Apache web site.

  19. Why can't I publish to my Apache server using PUT on Netscape Gold and other programs?

    Because you need to install and configure a script to handle the uploaded files. This script is often called a "PUT" handler. There are several available, but they may have security problems. Using FTP uploads may be easier and more secure, at least for now. For more information, see the Apache Week article Publishing Pages with PUT.

  20. Why isn't FastCGI included with Apache any more?

    The simple answer is that it was becoming too difficult to keep the version being included with Apache synchronized with the master copy at the FastCGI web site. When a new version of Apache was released, the version of the FastCGI module included with it would soon be out of date.

    You can still obtain the FastCGI module for Apache from the master FastCGI web site.

  21. Why am I getting "httpd: could not set socket option TCP_NODELAY" in my error log?

    This message almost always indicates that the client disconnected before Apache reached the point of calling setsockopt() for the connection. It shouldn't occur for more than about 1% of the requests your server handles, and it's advisory only in any case.

  22. Why am I getting "connection reset by peer" in my error log?

    This is a normal message and nothing about which to be alarmed. It simply means that the client canceled the connection before it had been completely set up - such as by the end-user pressing the "Stop" button. People's patience being what it is, sites with response-time problems or slow network links may experiences this more than high-capacity ones or those with large pipes to the network.

  23. How can I get my script's output without Apache buffering it?

    In order to improve network performance, Apache buffers script output into relatively large chunks. If you have a script that sends information in bursts (such as partial-done messages in a multi-commit database transaction, perhaps), the client will not necessarily get the output as the script is generating it.

    To avoid this, Apache recognizes scripts whose names begin with "nph-" as non-parsed-header scripts. That is, Apache won't buffer their output, but connect it directly to the socket going back to the client.

    While this will probably do what you want, there are some disadvantages to it:

    As an example how you might handle the former (in a Perl script):

    if ($0 =~ m:^(.*/)*nph-[^/]*$:) {
         $HTTP_headers =  "HTTP/1.1 200 OK\015\012";
         $HTTP_headers .=  "Connection: close\015\012";
         print $HTTP_headers;

    and then follow with your normal non-nph headers.

  24. Why do I get complaints about redefinition of "struct iovec" when compiling under Linux?

    This is a conflict between your C library includes and your kernel includes. You need to make sure that the versions of both are matched properly. There are two workarounds, either one will solve the problem:

  25. The errorlog says Apache dumped core, but where's the dump file?

    In Apache version 1.2, the error log message about dumped core includes the directory where the dump file should be located. However, many Unixes do not allow a process that has called setuid() to dump core for security reasons; the typical Apache setup has the server started as root to bind to port 80, after which it changes UIDs to a non-privileged user to serve requests.

    Dealing with this is extremely operating system-specific, and may require rebuilding your system kernel. Consult your operating system documentation or vendor for more information about whether your system does this and how to bypass it. If there is a documented way of bypassing it, it is recommended that you bypass it only for the httpd server process if possible.

    The canonical location for Apache's core-dump files is the ServerRoot directory.

  26. Why isn't restricting access by host or domain name working correctly?

    Two of the most common causes of this are:

    1. An error, inconsistency, or unexpected mapping in the DNS registration
      This happens frequently: your configuration restricts access to Host.FooBar.Com, but you can't get in from that host. The usual reason for this is that Host.FooBar.Com is actually an alias for another name, and when Apache performs the address-to-name lookup it's getting the real name, not Host.FooBar.Com. You can verify this by checking the reverse lookup yourself. The easiest way to work around it is to specify the correct host name in your configuration.
    2. Inadequate checking and verification in your configuration of Apache
      If you intend to perform access checking and restriction based upon the client's host or domain name, you really need to configure Apache to double-check the origin information it's supplied. You do this by adding the -DMAXIMUM_DNS clause to the EXTRA_CFLAGS definition in your Configuration file. For example:


      This will cause Apache to be very paranoid about making sure a particular host address is really assigned to the name it claims to be. Note that this can incur a significant performance penalty, however, because of all the name resolution requests being sent to a nameserver.

  27. Why doesn't Apache include SSL?

    SSL (Secure Socket Layer) data transport requires encryption, and many governments have restrictions upon the import, export, and use of encryption technology. If Apache included SSL in the base package, its distribution would involve all sorts of legal and bureaucratic issues, and it would no longer be freely available. Also, some of the technology required to talk to current clients using SSL is patented by RSA Data Security, who restricts its use without a license.

    Some SSL implementations of Apache are available, however; see the "related projects" page at the main Apache web site.

    You can find out more about this topic in the Apache Week article about Apache and Secure Transactions.

  28. Why do I get core dumps under HPUX using HP's ANSI C compiler?

    We have had numerous reports of Apache dumping core when compiled with HP's ANSI C compiler using optimization. Disabling the compiler optimization has fixed these problems.

  29. How do I get Apache to send a MIDI file so the browser can play it?

    Even though the registered MIME type for MIDI files is audio/midi, some browsers are not set up to recognize it as such; instead, they look for audio/x-midi. There are two things you can do to address this:

    1. Configure your browser to treat documents of type audio/midi correctly. This is the type that Apache sends by default. This may not be workable, however, if you have many client installations to change, or if some or many of the clients are not under your control.
    2. Instruct Apache to send a different Content-type header for these files by adding the following line to your server's configuration files:

      AddType audio/x-midi .mid .midi .kar

      Note that this may break browsers that do recognize the audio/midi MIME type unless they're prepared to also handle audio/x-midi the same way.

  30. Why won't Apache compile with my system's cc?

    If the server won't compile on your system, it is probably due to one of the following causes:

    The Apache Group tests the ability to build the server on many different platforms. Unfortunately, we can't test all of the OS platforms there are. If you have verified that none of the above issues is the cause of your problem, and it hasn't been reported before, please submit a problem report. Be sure to include complete details, such as the compiler & OS versions and exact error messages.

  31. How do I add browsers and referrers to my logs?

    Apache provides a couple of different ways of doing this. The recommended method is to compile the mod_log_config module into your configuration and use the CustomLog directive.

    You can either log the additional information in files other than your normal transfer log, or you can add them to the records already being written. For example:

    CustomLog logs/access_log "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""

    This will add the values of the User-agent: and Referer: headers, which indicate the client and the referring page, respectively, to the end of each line in the access log.

    You may want to check out the Apache Week article entitled: "Gathering Visitor Information: Customising Your Logfiles".

  32. Why do I get an error about an undefined reference to "__inet_ntoa" or other __inet_* symbols?

    If you have installed BIND-8 then this is normally due to a conflict between your include files and your libraries. BIND-8 installs its include files and libraries /usr/local/include/ and /usr/local/lib/, while the resolver that comes with your system is probably installed in /usr/include/ and /usr/lib/. If your system uses the header files in /usr/local/include/ before those in /usr/include/ but you do not use the new resolver library, then the two versions will conflict.

    To resolve this, you can either make sure you use the include files and libraries that came with your system or make sure to use the new include files and libraries. Adding -lbind to the EXTRA_LDFLAGS line in your Configuration file, then re-running Configure, should resolve the problem. (Apache versions 1.2.* and earlier use EXTRA_LFLAGS instead.)

    Note:As of BIND 8.1.1, the bind libraries and files are installed under /usr/local/bind by default, so you should not run into this problem. Should you want to use the bind resolvers you'll have to add the following to the respective lines:


  33. Why does accessing directories only work when I include the trailing "/" (e.g.http://foo.domain.com/~user/) but not when I omit it (e.g.http://foo.domain.com/~user)?

    When you access a directory without a trailing "/", Apache needs to send what is called a redirect to the client to tell it to add the trailing slash. If it did not do so, relative URLs would not work properly. When it sends the redirect, it needs to know the name of the server so that it can include it in the redirect. There are two ways for Apache to find this out; either it can guess, or you can tell it. If your DNS is configured correctly, it can normally guess without any problems. If it is not, however, then you need to tell it.

    Add a ServerName directive to the config file to tell it what the domain name of the server is.

  34. How do I set up Apache to require a username and password to access certain documents?

    There are several ways to do this; some of the more popular ones are to use the mod_auth, mod_auth_db, or mod_auth_dbm modules.

    For an explanation on how to implement these restrictions, see Apache Week's articles on Using User Authentication or DBM User Authentication.

  35. Why is the environment variable REMOTE_USER not set?

    This variable is set and thus available in SSI or CGI scripts if and only if the requested document was protected by access authentication. For an explanation on how to implement these restrictions, see Apache Week's articles on Using User Authentication or DBM User Authentication.

    Hint: When using a CGI script to receive the data of a HTML FORM notice that protecting the document containing the FORM is not sufficient to provide REMOTE_USER to the CGI script. You have to protect the CGI script, too. Or alternatively only the CGI script (then authentication happens only after filling out the form).

  36. How do I set up Apache to allow access to certain documents only if a site is either a local site or the user supplies a password and username?

    Use the Satisfy directive, in particular the Satisfy Any directive, to require that only one of the access restrictions be met. For example, adding the following configuration to a .htaccess or server configuration file would restrict access to people who either are accessing the site from a host under domain.com or who can supply a valid username and password:

    deny from all
    allow from .domain.com
    AuthType Basic
    AuthUserFile /usr/local/etc/httpd/conf/htpasswd.users
    AuthName special directory
    require valid-user
    satisfy any

    See the user authentication question and the mod_access module for details on how the above directives work.

  37. Why doesn't mod_info list any directives?

    The mod_info module allows you to use a Web browser to see how your server is configured. Among the information it displays is the list modules and their configuration directives. The "current" values for the directives are not necessarily those of the running server; they are extracted from the configuration files themselves at the time of the request. If the files have been changed since the server was last reloaded, the display will will not match the values actively in use. If the files and the path to the files are not readable by the user as which the server is running (see the User directive), then mod_info cannot read them in order to list their values. An entry will be made in the error log in this event, however.

  38. When I run it under Linux I get "shmget: function not found", what should I do?

    Your kernel has been built without SysV IPC support. You will have to rebuild the kernel with that support enabled (it's under the "General Setup" submenu). Documentation for kernel building is beyond the scope of this FAQ; you should consult the Kernel HOWTO, or the documentation provided with your distribution, or a Linux newsgroup/mailing list. As a last-resort workaround, you can comment out the #define HAVE_SHMGET definition in the LINUX section of src/conf.h and rebuild the server. This will produce a server which is slower and less reliable.

  39. Why does my authentication give me a server error?

    Under normal circumstances, the Apache access control modules will pass unrecognized user IDs on to the next access control module in line. Only if the user ID is recognized and the password is validated (or not) will it give the usual success or "authentication failed" messages.

    However, if the last access module in line 'declines' the validation request (because it has never heard of the user ID or because it is not configured), the http_request handler will give one of the following, confusing, errors:

    This does not mean that you have to add an 'AuthUserFile /dev/null' line as some magazines suggest!

    The solution is to ensure that at least the last module is authoritative and CONFIGURED. By default, mod_auth is authoritative and will give an OK/Denied, but only if it is configured with the proper AuthUserFile. Likewise, if a valid group is required. (Remember that the modules are processed in the reverse order from that in which they appear in your compile-time Configuration file.)

    A typical situation for this error is when you are using the mod_auth_dbm, mod_auth_msql, mod_auth_mysql, mod_auth_anon or mod_auth_cookie modules on their own. These are by default not authoritative, and this will pass the buck on to the (non-existent) next authentication module when the user ID is not in their respective database. Just add the appropriate 'XXXAuthoritative yes' line to the configuration.

    In general it is a good idea (though not terribly efficient) to have the file-based mod_auth a module of last resort. This allows you to access the web server with a few special passwords even if the databases are down or corrupted. This does cost a file open/seek/close for each request in a protected area.

  40. Do I have to keep the (mSQL) authentication information on the same machine?

    Some organizations feel very strongly about keeping the authentication information on a different machine than the webserver. With the mod_auth_msql, mod_auth_mysql, and other SQL modules connecting to (R)DBMses this is quite possible. Just configure an explicit host to contact.

    Be aware that with mSQL and Oracle, opening and closing these database connections is very expensive and time consuming. You might want to look at the code in the auth_* modules and play with the compile time flags to alleviate this somewhat, if your RDBMS licences allow for it.

  41. Why is my mSQL authentication terribly slow?

    You have probably configured the Host by specifying a FQHN, and thus the libmsql will use a full blown tcp/ip socket to talk to the database, rather than a fast internal device. The libmsql, the mSQL FAQ, and the mod_auth_msql documentation warn you about this. If you have to use different hosts, check out the mod_auth_msql code for some compile time flags which might - or might not - suit you.

  42. Where can I find mod_rewrite rulesets which already solve particular URL-related problems?

    There is a collection of Practical Solutions for URL-Manipulation where you can find all typical solutions the author of mod_rewrite currently knows of. If you have more interesting rulesets which solve particular problems not currently covered in this document, send it to Ralf S. Engelschall for inclusion. The other webmasters will thank you for avoiding the reinvention of the wheel.

  43. Where can I find any published information about URL-manipulations and mod_rewrite?

    There is an article from Ralf S. Engelschall about URL-manipulations based on mod_rewrite in the "iX Multiuser Multitasking Magazin" issue #12/96. The german (original) version can be read online at http://www.heise.de/ix/artikel/9612149/, the English (translated) version can be found at http://www.heise.de/ix/artikel/E/9612149/.

  44. Why is mod_rewrite so difficult to learn and seems so complicated?

    Hmmm... there are a lot of reasons. First, mod_rewrite itself is a powerful module which can help you in really all aspects of URL rewriting, so it can be no trivial module per definition. To accomplish its hard job it uses software leverage and makes use of a powerful regular expression library by Henry Spencer which is an integral part of Apache since its version 1.2. And regular expressions itself can be difficult to newbies, while providing the most flexible power to the advanced hacker.

    On the other hand mod_rewrite has to work inside the Apache API environment and needs to do some tricks to fit there. For instance the Apache API as of 1.x really was not designed for URL rewriting at the .htaccess level of processing. Or the problem of multiple rewrites in sequence, which is also not handled by the API per design. To provide this features mod_rewrite has to do some special (but API compliant!) handling which leads to difficult processing inside the Apache kernel. While the user usually doesn't see anything of this processing, it can be difficult to find problems when some of your RewriteRules seem not to work.

  45. What can I do if my RewriteRules don't work as expected?

    Use "RewriteLog somefile" and "RewriteLogLevel 9" and have a precise look at the steps the rewriting engine performs. This is really the only one and best way to debug your rewriting configuration.

  46. Why don't some of my URLs get prefixed with DocumentRoot when using mod_rewrite?

    If the rule starts with /somedir/... make sure that really no /somedir exists on the filesystem if you don't want to lead the URL to match this directory, i.e. there must be no root directory named somedir on the filesystem. Because if there is such a directory, the URL will not get prefixed with DocumentRoot. This behaviour looks ugly, but is really important for some other aspects of URL rewriting.

  47. How can I make all my URLs case-insensitive with mod_rewrite?

    You can't! The reason is: First, case translations for arbitrary length URLs cannot be done via regex patterns and corresponding substitutions. One need a per-character pattern like sed/Perl tr|..|..| feature. Second, just making URLs always upper or lower case will not resolve the complete problem of case-INSENSITIVE URLs, because actually the URLs had to be rewritten to the correct case-variant residing on the filesystem because in later processing Apache needs to access the file. And Unix filesystem is always case-SENSITIVE.

    But there is a module named mod_speling.c (yes, it is named this way!) out there on the net. Try this one.

  48. Why are RewriteRules in my VirtualHost parts ignored?

    Because you have to enable the engine for every virtual host explicitly due to security concerns. Just add a "RewriteEngine on" to your virtual host configuration parts.

  49. How can I use strings with whitespaces in RewriteRule's ENV flag?

    There is only one ugly solution: You have to surround the complete flag argument by quotation marks ("[E=...]"). Notice: The argument to quote here is not the argument to the E-flag, it is the argument of the Apache config file parser, i.e. the third argument of the RewriteRule here. So you have to write "[E=any text with whitespaces]".

  50. Where can I find the "CGI specification"?

    The Common Gateway Interface (CGI) specification currently lives in at least two versions:

    1. At the original NCSA site <http://hoohoo.ncsa.uiuc.edu/cgi/interface.html>. This version hasn't been updated since 1995, and there have been some efforts to update it and replace it with
    2. The most current version, which is struggling to become an Internet RFC, found at <http://www.ast.cam.ac.uk/~drtr/cgi-spec.html>.

Index Home