6.2.7 Directives starting with S

Organization of this subsection
(1) Satisfy {any | all}
(2) Script Method CGI-script-name
(3) ScriptAlias URL directory-name
(4) ScriptAliasMatch regular-expression new-path
(5) ScriptInterpreterSource { registry | script }
(6) ScriptLog file-name
(7) ScriptLogBuffer number-of-buffers
(8) ScriptLogLength file-size
(9) ServerAdmin E-Mail-address
(10) ServerAlias host-name [host-name ...]
(11) ServerName server-name[:port-number]
(12) ServerPath path-name
(13) ServerRoot directory-name
(14) ServerSignature {On | Off | Email}
(15) ServerTokens {Minimal | OS | Full | ProductOnly}
(16) SetEnv environment-variable-value
(17) SetEnvIf request-value regular-expression environment-variable[=value] [environment-variable[=value] ...]
(18) SetEnvIfNoCase request-value regular-expression environment-variable[=value] [environment-variable[=value] ...]
(19) SetHandler handler-name
(20) SSLBanCipher encryption-type [encryption-type ...]
(21) SSLCACertificateFile file-name
(22) SSLCACertificatePath directory
(23) SSLCacheServerPath path-name
(24) SSLCacheServerPort {port-number | path-name}
(25) SSLCacheServerRunDir path-name
(26) SSLCertificateFile file-name
(27) SSLCertificateKeyFile file-name
(28) SSLCertificateKeyPassword path-name
(29) SSLCRLAuthoritative {On | Off}
(30) SSLCRLDERPath path-name
(31) SSLCRLPEMPath path-name
(32) SSLDenySSL
(33) SSLDisable
(34) SSLEnable
(35) SSLExportCertChainDepth value
(36) SSLExportClientCertificates
(37) SSLFakeBasicAuth
(38) SSLProtocol protocol-name [protocol-name ...]
(39) SSLRequireCipher encryption-type [encryption-type ...]
(40) SSLRequiredCiphers encryption-type [:encryption-type ...]
(41) SSLRequireSSL
(42) SSLSessionCacheTimeout value
(43) SSLSessionCacheSize {size | max}
(44) SSLSessionCacheSizePerChild {size | max}
(45) SSLVerifyClient {0 | 1 | 2}
(46) SSLVerifyDepth number-of-levels
(47) StartServers number-of-processes

(1) Satisfy {any | all}

(a) Contents

When access to the contents is controlled by both user authentication (specified with the AuthUserFile and Require directives) and the host name or IP address (specified with the Allow from and Deny from directives), this directive sets the relationship between the two.

any: If any one of the conditions is satisfied, permits access to the contents.

all: If none of the conditions are satisfied, prohibits the access to the contents.

(b) Location where you can code

<Directory>, .htaccess

(2) Script Method CGI-script-name

(a) Contents

When a request is made with the specified method, this directive executes the script specified in CGI-script-name.

Methods that you can specify: GET, POST, PUT, DELETE
The method name is case sensitive.
However, in the case of the GET method, the script is called only when there is a query string (for example, /foo.html?bar).

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>

(c) Specification example

Script POST /cgi-bin/search

(3) ScriptAlias URL directory-name

(a) Contents

This directive specifies the directory that contains the CGI programs to be executed when the Web browser requests execution of a CGI program with the specified URL.

You cannot specify a URL that is a duplicate of any of the following directive specification values:

For example, the following URLs cannot be specified:

 ScriptAlias /aaa/bbb/ C:/alias/

ProxyPass /aaa/ http://aaa.example.com/

Specify the directory name with an absolute path.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

ScriptAlias /cgi-bin/ "<Cosminexus-installation-directory>/httpsd/cgi-bin/"

(4) ScriptAliasMatch regular-expression new-path

(a) Contents

When the URL requesting the execution of the specified CGI program from the Web browser satisfies the conditions described by the regular expressions, this directive executes the CGI program with the specified new path. When the regular expressions are grouped using brackets ( ), you can refer to the character string that matches with the expression of group i using $i in new path. Specify numeric characters from 1 to 9 for i.

Specify the new path with an absolute path. When '$' or '&' are included as characters of new path, add '\' before the characters. Note that when you specify $i, you need not add '\' before '$'.

You cannot specify a regular expression that is a duplicate of any of the following directive specification values:

For example, the following regular expressions cannot be specified:

 ScriptAliasMatch ^/aaa/bbb/(.*) C:/alias/$1
 ProxyPass /aaa/ http://aaa.example.com/

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

ScriptAliasMatch ^/cgi-bin/(.*) "<Cosminexus-installation-directory>/httpsd/cgi-bin/$1"

(5) ScriptInterpreterSource { registry | script }

(a) Contents

This directive defines the interpreter used to execute the CGI script.

registry: The registry is searched and the program related to the extension is used as the interpreter.

script: The interpreter specified in the #! line of the script is used.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(6) ScriptLog file-name

(a) Contents

The ScriptLog directive specifies the file to which the CGI script error log is output. For the file name, you can specify either an absolute path, or the relative path from the value specified in the ServerRoot directive.

In UNIX, the specified file must be writable with the user authentication specified in the User directive.

(b) Location where you can code

httpsd.conf

(7) ScriptLogBuffer number-of-buffers

~((0 - 2147483647))<<1024>> (Unit: Bytes)

(a) Contents

This directive specifies, in bytes, the maximum amount of the request body that is logged for the PUT and POST methods. This specification is valid only when you specify the error log output destination file with the ScriptLog directive.

The area of the value specified in this directive is stored in the request process. As a result, when you specify large values, memory storage failure may occur and the Web server may stop. Hitachi recommends that you specify the default value or the minimum required value.

(b) Location where you can code

httpsd.conf

(8) ScriptLogLength file-size

~((0 - 2147483647))<<10385760>> (Unit: Bytes)

(a) Contents

This directive specifies the maximum size of error log file of CGI script in bytes. The specification of this directive is valid only when you specify the error log output destination file with the ScriptLog directive.

(b) Location where you can code

httpsd.conf

(9) ServerAdmin E-Mail-address

(a) Contents

This directive specifies the E-Mail address of the server administrator. Always specify this directive when you specify the E-Mail address with the ServerSignature directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

ServerAdmin www-admin@server.example.com

(10) ServerAlias host-name [host-name ...]

(a) Contents

This directive specifies an optional name for the host name (ServerName) that is used in the virtual host based on server name. You can specify the host name corresponding to an IPv6 address.

(b) Location where you can code

<VirtualHost>

(11) ServerName server-name[:port-number]

(a) Contents

The ServerName directive specifies the server name and the port number of Cosminexus HTTP Server. When you omit the port number, the value specified in the Port directive is set.

Server name is specified in FQDN (fully qualified domain name) or IP address. You can also specify an IPv6 address or the FQDN corresponding to an IPv6 address for server-name. When specifying both an IPv6 address and a port number, enclose the IPv6 address in square brackets ([ ]).

Based on the specified value of the UseCanonicalName directive, any requests that use an image map or any specifications of a directory that does not end with a / (slash) are set in the Location header as redirect destination (when redirect is indicated in the Web server) and returned to the client. Therefore, you must specify the server name that a client can access. Specification of this directive is mandatory.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

ServerName www.example.com
ServerName 2001::123:4567:89ab:cdef
ServerName [2001::123:4567:89ab:cdef]
ServerName [2001::123:4567:89ab:cdef]:8080

(12) ServerPath path-name

(a) Contents

Specify this directive when you use the path name instead of Host header to connect to each host, in the virtual host based on the server name.

(b) Location where you can code

<VirtualHost>

(13) ServerRoot directory-name

~<</opt/hitachi/httpsd>>(UNIX version)

~<<<Cosminexus-installation-directory>\httpsd>> (Windows version)

(a) Contents

This directive specifies the root directory of server with the absolute path.

(b) Location where you can code

httpsd.conf

(c) Specification example

ServerRoot "C:/Program Files/Hitachi/Cosminexus/httpsd"

(14) ServerSignature {On | Off | Email}

(a) Contents

This directive specifies whether a content footer of error messages that the Web server creates is to be signed.

On: Displays the character string according to ServerTokens directive (such as Cosminexus HTTP Server and version number), and the server name and the port name according to the specified value of UseCanonicalName directive.

Cosminexus HTTP Server 09-00 at www.example.com Port 80

Off: Does not display signature in the contents footer.

Email: In addition to the display when On is specified, this option adds the specification value of the ServerAdmin directive in a mailto tag.

Note that when On is specified, the IPv6 address specified in the ServerName directive or the host name corresponding to an IPv6 address can be displayed.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Specification example

ServerSignature On

(15) ServerTokens {Minimal | OS | Full | ProductOnly}

(a) Contents

This directive sets the server header format of the HTTP response header. The Server header values based on respective setting are described below. Unix, Win32, or Win64 is set as the OS type. The value of Server header is used as per the client specifications.

Minimal: Cosminexus HTTP Server Version number

OS: Cosminexus HTTP Server Version number (OS type)

Full: Cosminexus HTTP Server Version number (OS type) Information set by an additional PP

ProductOnly: Cosminexus HTTP Server

(b) Location where you can code

httpsd.conf

(c) Specification example

ServerTokens Full

(16) SetEnv environment-variable-value

(a) Contents

This directive specifies the environment variable value that is set when you pass the optional environment variable to the CGI script. If you specify this directive multiple times, you cannot specify different values for the same environment variable.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(d) Specification example

SetEnv MY_ENV myenv

(17) SetEnvIf request-value regular-expression environment-variable[=value] [environment-variable[=value] ...]

(a) Contents

This directive defines the environment variable on the basis of the client request. Set the specified environment variable when the request value from client satisfies the conditions in the regular expressions. By default, the value is set to 1. When ! is added before the environment variable, the setting of that environment variable is cancelled. You can specify the value shown in the HTTP request header or the values shown in the following table as the request value. You can search an environment variable by specifying the environment value specified earlier as the request value. However, such environment variable must not conform to the HTTP request header and to the values described in the following table:

Request value    | Meaning
Remote_Addr      | IP address of the client
Remote_Host      | Host name of the client (only when set in the request)
Request_Protocol | Protocol of the request (such as HTTP/1.1)
Request_Method   | Method name of the request (such as GET, POST, and HEAD)
Request_URI      | URI of the request
Server_Addr      | IP address of the server that receives the request

When performing multiple specifications of this directive, you cannot specify the same request value multiple times.

Note that when specifying Remote_Host for request-value, you can also specify the host name corresponding to an IPv6 address for regular-expression. In addition, the Remote_Addr and Server_Addr request values cannot be used for connections that use IPv6. To use Remote_Addr and Server_Addr, perform settings by using the HWSSetEnvIfIPv6 directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(d) Specification example
(Example 1)

SetEnvIf User-Agent "Mozilla.*" SETENVIF_USER_AGENT=Mozilla

(Example 2)

SetEnvIf Request_URI "\.(gif)|(jpg)$" request_is_image

(Example 3)
For connections that use IPv4, set the environment variable for a specific client as follows:

Listen 123.123.123.123:80
Listen [2001::123:4567:89ab:cdef]:80
<VirtualHost 123.123.123.123:80>
       SetEnvIf Remote_Addr ^234\.234\.234\.234$ IPV4_CLIENT
</VirtualHost>

(18) SetEnvIfNoCase request-value regular-expression environment-variable[=value] [environment-variable[=value] ...]

(a) Contents

This directive defines the environment variables based on the client request. Set the specified environment variables when the request value from the client satisfies the conditions described in the regular expression. By default, the value is set to 1. When ! is attached before environment variable, it cancels the settings of that environment variable.

For details on the values that can be specified for request-value, see the SetEnvIf directive.

However, regular-expression is not case-sensitive in this directive. When specifying this directive multiple times, you cannot specify the same request value in the directives.

Note that when specifying Remote_Host for request-value, you can specify the host name corresponding to request-value. In addition, the Remote_Addr and Server_Addr request values cannot be used for connections that use IPv6. To use Remote_Addr and Server_Addr, perform settings by using the HWSSetEnvIfIPv6 directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(19) SetHandler handler-name

(a) Contents

Specify this directive to associate all requests for the specified <Directory>, or all requests in the scope of the access control file, with the handler specified by handler-name. If you specify none as the handler name, the SetHandler settings specified up to that point are disabled.

(b) Location where you can code

<Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(20) SSLBanCipher encryption-type [encryption-type ...]

(a) Contents

This directive denies access that uses any of the specified encryption types and returns the status code 403 Forbidden to the client. The following are the encryption types:

Encryption type | Key exchange method | Authentication method | Symmetric key cryptography | Encryption key size (bit) | Message authentication algorithm
RC4-MD5         | RSA | RSA | RC4 | 128 | MD5
RC4-SHA         | RSA | RSA | RC4 | 128 | SHA
AES128-SHA      | RSA | RSA | AES | 128 | SHA
AES128-SHA256   | RSA | RSA | AES | 128 | SHA256
DES-CBC3-SHA    | RSA | RSA | DES | 168 | SHA
AES256-SHA      | RSA | RSA | AES | 256 | SHA
AES256-SHA256   | RSA | RSA | AES | 256 | SHA256

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(21) SSLCACertificateFile file-name

(a) Contents

When you perform the server and client authentication by SSL, this directive specifies the file name of the public key (PEM format) of the CA (Certification Authority). By combining multiple certificate files, you can mix multiple certificates into one file.

Specify the file name with an absolute path.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCACertificateFile "<Cosminexus-installation-directory>/httpsd/conf/ssl/cacert/anycert.pem"

(22) SSLCACertificatePath directory

(a) Contents

When performing the server and client authentication by SSL, this directive specifies the directory that stores the hash link of the CA certificate (PEM format). For details on how to create and operate a hash link, see 5.2.6 Creating a hash link (in UNIX) (certutil cert command).

You need the hash link when verifying the client certificate. For the acquired CA certificate, create a hash link in a specific directory and specify this directory in the SSLCACertificatePath directive.

Specify directory name with an absolute path.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCACertificatePath /opt/hitachi/httpsd/conf/ssl/cacerts

(23) SSLCacheServerPath path-name

(a) Contents

This directive specifies the path name for the SSL session management cache server gcache. Specify the path name with an absolute path, or the relative path from the ServerRoot directive.

(b) Location where you can code

httpsd.conf

(c) Specification example

SSLCacheServerPath /opt/hitachi/httpsd/sbin/gcache

(24) SSLCacheServerPort {port-number | path-name}

~((Use 1 - 65535 when specifying the port number))

(a) Contents

This directive specifies the port number or the path name to exchange data between Web server and SSL session management cache server gcache. You can specify the path name with an absolute path, or the relative path from the ServerRoot directive.

(b) Location where you can code

httpsd.conf

(c) Specification example

SSLCacheServerPort logs/gcache_port

(25) SSLCacheServerRunDir path-name

~<<Specification value of the ServerRoot directive>>

(a) Contents

This directive specifies the path name of the directory in which the SSL session management cache server gcache runs. Use it to specify the directory to which gcache outputs the core dump. You can specify the path name with an absolute path, or the relative path from the ServerRoot directive. Grant read, write, and execute permissions on the specified directory to the user specified in the User directive.

(b) Location where you can code

httpsd.conf

(c) Specification example

SSLCacheServerRunDir /opt/hitachi/httpsd/logs

(26) SSLCertificateFile file-name

(a) Contents

This directive specifies the file name of the Web server certificate (PEM format) when you perform the authentication by SSL.

Specify file name with an absolute path.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCertificateFile "<Cosminexus-installation-directory>/httpsd/conf/ssl/server/httpsd.pem"

(27) SSLCertificateKeyFile file-name

~<<Specification value of the SSLCertificateFile directive>>

(a) Contents

This directive specifies the private key file name of the Web server when you perform the authentication by SSL.

Specify the file name with an absolute path.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCertificateKeyFile "<Cosminexus-installation-directory>/httpsd/conf/ssl/server/httpsdkey.pem"

(28) SSLCertificateKeyPassword path-name

(a) Contents

This directive specifies the path name of the file that stores the password of the server private key, when the private key is password-protected. The file that stores the password is created by the sslpasswd command. Specify the path name with an absolute path, or the relative path from the ServerRoot directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(29) SSLCRLAuthoritative {On | Off}

(a) Contents

Specify this directive to handle the next issue date of the CRL that is used during the SSL client authentication.

On:
During the SSL client authentication, when the next issue date of the CRL corresponding to the client certificate has passed, the Web server denies the connection to the client due to a failure in client authentication. Correct operation of the CRL is required.
Off:
Ignores the next issue date of the CRL. Even if the next issue date has passed, as long as the CRL is otherwise valid, a client that is not registered in the CRL can connect. The security level is lowered; however, even if the CRL is not operated properly, you can continue the service while maintaining a minimum level of security.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCRLAuthoritative On

When the next issue date of the CRL elapses, deny the access to the clients holding a certificate issued by the CA that also issues the CRL.

(30) SSLCRLDERPath path-name

(a) Contents

This directive specifies the directory that stores the CRL of the DER format with an absolute path. If you store the required CRL in the specified directory and start or restart the Web server, you can apply the CRL during the client authentication with SSL. When the CRL issued from the same CA (including the CRL in the directory specified with the SSLCRLPEMPath directive) is stored multiple times, the CRL with latest date is applicable. The Web server does not start when directory contains a file other than the CRL of the DER format.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCRLDERPath "<Cosminexus-installation-directory>/httpsd/conf/ssl/crl/DER"

Specify the directory in which the CRL file of the DER format is stored.

(31) SSLCRLPEMPath path-name

(a) Contents

This directive specifies the directory that stores the CRL of the PEM format with an absolute path. If you store the required CRL in the specified directory and start or restart the Web server, you can apply the CRL during the client authentication with SSL. When the CRL issued from the same CA (including the CRL in the directory specified with the SSLCRLDERPath directive) is stored multiple times, the CRL with latest date is applicable. The Web server does not start when directory contains a file other than the CRL of the PEM format.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLCRLPEMPath "<Cosminexus-installation-directory>/httpsd/conf/ssl/crl/PEM"

Specify the directory in which CRL file of the PEM format is stored.

(32) SSLDenySSL

(a) Contents

Specify this directive to prohibit the SSL access. When you specify this directive, and even if the SSL is enabled with the SSLEnable directive, access from https is denied with the status code 403 Forbidden. The operations contrary to the SSLRequireSSL directive take place.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(33) SSLDisable

(a) Contents

This directive disables the SSL. The default value is the SSLEnable directive (SSL is enabled). Specify this directive to disable the SSL for a specific host with the virtual host.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(34) SSLEnable

(a) Contents

This directive enables the SSL. By default, the SSL is enabled unless the SSLDisable directive is specified.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(35) SSLExportCertChainDepth value

~((0 - 9))<<0>>

(a) Contents

In the case of performing the SSL client authentication, specify this directive when setting the certificate from the CA that issued the client certificates in the environment variable SSL_CLIENT_CERT_CHAIN_n, up to the root CA. The maximum specification value is n. This directive is enabled only when the SSLExportClientCertificates directive is specified. As the specified number of CA certificates are cached in the gcache server, you can use the cache effectively by specifying only the required number of CGI programs or Servlets in this directive. However, when some of the cached certificates are deleted due to memory restrictions and cannot be acquired, only those certificates that could be acquired are set in the environment variable.

0:
The environment variable is not set.
1~9:
Numbers are allocated in sequence starting from the CA closest to the client, and the environment variables are set. Each environment variable is set to the Base64-encoded value of the certificate in DER format. A certificate encoded in Base64 is around 1 KB in size.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

This example describes a certificate chain called the 'Root CA-Lower CA-Client certificate'. In this case, the relationship between the environment variables and the certificates is as follows:

Environment variable    | Certificate
SSL_CLIENT_CERT         | Client certificate
SSL_CLIENT_CERT_CHAIN_1 | Lower CA certificate
SSL_CLIENT_CERT_CHAIN_2 | Root CA certificate

Specify the directive in the following format to acquire all environment variables and certificate chains:

SSLExportClientCertificates
# Specify a value of 2 or more
SSLExportCertChainDepth 2

(36) SSLExportClientCertificates

(a) Contents

When performing the SSL client authentication, specify this directive to set the client certificate in the environment variable SSL_CLIENT_CERT. The environment variable SSL_CLIENT_CERT is set to the Base64-encoded value of the certificate in DER format.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(37) SSLFakeBasicAuth

(a) Contents

Along with the SSL client authentication functionality, specify the settings such that the Basic authentication is possible only by presenting the client certificate without entering user ID and password in the Web browser. Code the Subject and the password of X509 client certificate in the file specified with the AuthUserFile directive. The password is always fixed to the following values ("password" is encrypted in both):

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example
The following shows the value of the Subject field in the certificate that is displayed by the certutil command.

Subject: EMAIL=username@userhost,CN=username,OU=Software,O=HITACHI,L=Yokohama-shi,ST=Kanagawa,C=JP

In this case, the file specified with the AuthUserFile directive is specified as follows:

In UNIX Version

/C=JP/ST=Kanagawa/L=Yokohama-shi/O=HITACHI/OU=Software/CN=username/EMAIL=username@userhost:xxj31ZMTZzkVA

In Windows Version

/C=JP/ST=Kanagawa/L=Yokohama-shi/O=HITACHI/OU=Software/CN=username/EMAIL=username@userhost:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

Subject is logged in the u specification of the LogFormat directive.

If the authentication fails, the Web server responds with the status code 401 Authorization Required.
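
The Subject-to-AuthUserFile conversion shown in the specification example above, as an added Python example (not part of the product or its manual). It assumes the comma-separated Subject form printed on this page and refuses values that would make the user:password line ambiguous; the function names are this example's own.

```python
import base64
import hashlib

# Fixed password field for the UNIX version, copied from this page (not computed here).
UNIX_FIXED_HASH = "xxj31ZMTZzkVA"


def sha_password_field(password="password"):
    """Return the {SHA} field: Base64 of the SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("ascii")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def subject_to_user(subject):
    """Convert 'EMAIL=..,CN=..,..,C=JP' into '/C=JP/../CN=../EMAIL=..'."""
    rdns = [part.strip() for part in subject.split(",")]
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        # A comma inside a value (for example "O=Example, Inc.") leaves a
        # fragment without '=', which is rejected here rather than guessed at.
        if not (key and sep and value):
            raise ValueError("not a KEY=value component: %r" % rdn)
        # ':' separates user from password in the file and '/' separates
        # components, so either one inside a value makes the entry ambiguous.
        if any(ch in rdn for ch in ":/\r\n"):
            raise ValueError("character not representable in an entry: %r" % rdn)
    # The file lists components in the reverse of the displayed order.
    return "/" + "/".join(reversed(rdns))


def authuserfile_entry(subject, platform):
    """Build one AuthUserFile line for platform 'unix' or 'windows'."""
    if platform == "unix":
        field = UNIX_FIXED_HASH
    elif platform == "windows":
        field = sha_password_field()
    else:
        raise ValueError("platform must be 'unix' or 'windows'")
    return subject_to_user(subject) + ":" + field


# Subject line from the specification example above.
PAGE_SUBJECT = ("EMAIL=username@userhost,CN=username,OU=Software,"
                "O=HITACHI,L=Yokohama-shi,ST=Kanagawa,C=JP")

if __name__ == "__main__":
    for platform in ("unix", "windows"):
        print(authuserfile_entry(PAGE_SUBJECT, platform))
```

Because the password field is a fixed, published value, the file works as an allow-list of certificate subjects; the secret is the client's private key, not anything stored in this file.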

(38) SSLProtocol protocol-name [protocol-name ...]

~<<All>>

(a) Contents

This directive specifies the version of SSL protocol that is used.

You can specify the following values as protocol name:
SSLv3: Use the SSL protocol version 3.
TLSv1: Use the TLS protocol version 1.0.
TLSv11: Use the TLS protocol version 1.1.
TLSv12: Use the TLS protocol version 1.2.
All: Use all the above-mentioned protocols.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(39) SSLRequireCipher encryption-type [encryption-type ...]

(a) Contents

This directive denies the access to encryption types other than the specified ones, and returns the status code 403 Forbidden to the client. For the encryption code that you can specify, see SSLBanCipher directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(40) SSLRequiredCiphers encryption-type [:encryption-type ...]

(a) Contents

This directive specifies the encryption types that you can use in the SSL communication. If the encryption types specified in this directive and the encryption types that the client can use match, the Web server establishes the SSL communication and receives the HTTP requests. If encryption types do not match, the Web server does not establish the SSL communication or receive the HTTP request. For details on the encryption types that you can specify, see SSLBanCipher directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLRequiredCiphers RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA
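
An added example, not part of the product or its manual: a small Python check that reads httpsd.conf text and reports values of directives from this subsection (SSLProtocol, SSLRequiredCiphers, SSLCRLAuthoritative, SSLVerifyClient, ServerTokens, ServerSignature) that a hardening review would question. The review policy and both sample configurations are constructed for the example; the cipher table is the one listed under SSLBanCipher.

```python
import shlex

# Cipher table from the SSLBanCipher entry: name -> (symmetric cipher, key bits, MAC)
CIPHERS = {
    "RC4-MD5": ("RC4", 128, "MD5"),
    "RC4-SHA": ("RC4", 128, "SHA"),
    "AES128-SHA": ("AES", 128, "SHA"),
    "AES128-SHA256": ("AES", 128, "SHA256"),
    "DES-CBC3-SHA": ("DES", 168, "SHA"),
    "AES256-SHA": ("AES", 256, "SHA"),
    "AES256-SHA256": ("AES", 256, "SHA256"),
}
# SSLv3 is deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv11")
ALL_PROTOCOLS = LEGACY_PROTOCOLS + ("TLSv12",)


def parse_directives(conf_text):
    """Return [(line_no, directive, args)], skipping comments and <Section> lines."""
    out = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        tokens = shlex.split(line)  # keeps quoted paths as one argument
        out.append((line_no, tokens[0], tokens[1:]))
    return out


def audit(conf_text):
    """Return [(line_no, directive, message)] for values this example's policy rejects."""
    findings, seen = [], set()
    for line_no, name, args in parse_directives(conf_text):
        key = name.lower()
        seen.add(key)
        first = args[0].lower() if args else ""
        if key == "sslprotocol":
            wanted = {a.lower() for a in args}
            enabled = [p for p in ALL_PROTOCOLS if "all" in wanted or p.lower() in wanted]
            legacy = [p for p in enabled if p in LEGACY_PROTOCOLS]
            if legacy:
                findings.append((line_no, name, "enables " + ", ".join(legacy)))
        elif key == "sslrequiredciphers":
            for cipher in ":".join(args).split(":"):
                sym, _bits, mac = CIPHERS.get(cipher, ("?", 0, "?"))
                if sym == "?":
                    findings.append((line_no, name, cipher + ": not in the cipher table"))
                elif sym in ("RC4", "DES") or mac == "MD5":
                    # RC4 is prohibited in TLS by RFC 7465; DES-CBC3 uses a 64-bit block.
                    findings.append((line_no, name, f"{cipher}: {sym} cipher, {mac} MAC"))
        elif key == "servertokens" and first != "productonly":
            findings.append((line_no, name, "Server header discloses more than the product name"))
        elif key == "serversignature" and first in ("on", "email"):
            findings.append((line_no, name, "error pages carry the ServerTokens string"))
        elif key == "sslcrlauthoritative" and first == "off":
            findings.append((line_no, name, "CRLs past their next issue date are still accepted"))
        elif key == "sslverifyclient" and first == "1":
            findings.append((line_no, name, "client certificate is optional (test setting)"))
    if "sslprotocol" not in seen:
        # Line 0 marks a finding about a directive that is absent.
        findings.append((0, "SSLProtocol",
                         "not set; the default All enables " + ", ".join(LEGACY_PROTOCOLS)))
    return findings


# Constructed sample: the SSLRequiredCiphers line is this page's specification example.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
SSLRequiredCiphers RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA
SSLCRLAuthoritative Off
SSLVerifyClient 1
"""

# Constructed sample of the same settings after review.
HARDENED_CONF = """\
ServerTokens ProductOnly
ServerSignature Off
<VirtualHost 172.17.40.10:443>
    SSLProtocol TLSv12
    SSLRequiredCiphers AES128-SHA256:AES256-SHA256
    SSLCertificateFile "/opt/hitachi/httpsd/conf/ssl/server/httpsd.pem"
    SSLCRLAuthoritative On
    SSLVerifyClient 2
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, directive, message in audit(WEAK_CONF):
        print(f"line {line_no}: {directive}: {message}")
```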

(41) SSLRequireSSL

(a) Contents

Specify this directive when allowing the access only through SSL. When this directive is specified, even if the SSL is disabled with the SSLDisable directive, access from http is denied with the status code 403 Forbidden. This directive prevents the exposure of the contents due to carelessly disabled SSL in the coding locations of different directives.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(d) Specification example

<VirtualHost 172.17.40.10:443>
SSLDisable
...
 <Directory /secure/dir>
   SSLRequireSSL    
   ...
 </Directory>
</VirtualHost>

This example allows the http access to the port 443 of 172.17.40.10 host but denies the access to directory /secure/dir. The Web server responds with the status code 403 Forbidden for the http access to /secure/dir directory.

(42) SSLSessionCacheTimeout value

~((1 - 2147483647))<<3600>> (Unit: Second)

(a) Contents

This directive sets the validity period (in seconds) for the data such as the session ID that is maintained by the Web server, or in SSL session control cache server gcache.

(b) Note

Set the validity period in such a way that it does not exceed January 19, 2038, 03:14:07 of the Greenwich Mean Time (GMT).

(c) Location where you can code

httpsd.conf, <VirtualHost>

(d) Specification example

SSLSessionCacheTimeout 3600

(43) SSLSessionCacheSize {size | max}

~((0 - 2147483647))<<16777216>> (Unit: Bytes)

(a) Contents

In UNIX version, this directive sets the upper limit for the memory size in bytes, for the data such as session IDs cached in the memory of the cache server gcache that manages the SSL session. When you set this directive to 0, gcache server does not start and hence the session cache does not operate.

In Windows version, this directive specifies the upper limit of session cache size in bytes. When 0 is specified, session cache is not implemented.

When max is specified, the upper limit of session cache size is not set. For each SSL session, approximately 200 bytes are used when performing only the server authentication, and approximately one kilobyte is used when performing the client authentication also.

(b) Location where you can code

httpsd.conf

(c) Specification example

SSLSessionCacheSize 1024

(44) SSLSessionCacheSizePerChild {size | max}

~((0 - 2147483647))<<20480>> (Unit: Bytes)

(a) Contents

This directive specifies the upper limit of the memory size for the data such as the session IDs that are cached in the server process memory. When you specify max, the upper limit is not set.

(b) Location where you can code

httpsd.conf

(c) Specification example

SSLSessionCacheSizePerChild 1024

(45) SSLVerifyClient {0 | 1 | 2}

~<<0>>

(a) Contents

This directive specifies the settings for certificate used during the client authentication.

0: Certificate is not requested.

1: Client can present the certificate. This setting is used to test the operations.

2: Client must present the certificate.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLVerifyClient 2

(46) SSLVerifyDepth number-of-levels

~((0 - 10))<<0>>

(a) Contents

This directive specifies the number of levels up to which the certificate chain is traced.

Specify the number of levels for authentication check related to CA certificate chain used in client authentication. This directive is used to limit the extent up to which the CA chain is used. Specify minimum two levels since the certificates with self-signatures are not authenticated. For example:

(Example)
Conditions
  • CA1 has signed the root CA.
  • Certificate 1 signs in root CA.
  • Certificate 2 signs in CA1.

Specifying SSLVerifyDepth
In the above example, specify a minimum of three levels in the SSLVerifyDepth directive to execute the authentication check for both certificates 1 and 2. Specify 2 in the SSLVerifyDepth directive to enable the authentication check for certificate 1 but not for certificate 2.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

SSLVerifyDepth 10

(47) StartServers number-of-processes

~((0 - 1024))<<5>>

(a) Contents

This directive specifies the number of server processes when you start the Web server. For details on the other directives related to the number of processes, see 4.1 Relationship between processes and directives of Cosminexus HTTP Server.

(b) Location where you can code

httpsd.conf

(c) Specification example

StartServers 5