6.2.5 Directives starting with K and L

Organization of this subsection
(1) KeepAlive {On | Off}
(2) KeepAliveTimeout time
(3) LanguagePriority language-code [language-code ...]
(4) LDAPBaseDN DN-value [DN-value...]
(5) LDAPNoEntryStatus {Authorization | Forbidden}
(6) LDAPRequire [% DN-attribute %] [LDAP-search-filter]
(7) LDAPServerName {host-name | IP-address} [{host-name | IP-address}...]
(8) LDAPServerPort port-number [port-number...]
(9) LDAPSetEnv environment-variable attribute
(10) LDAPTimeout value
(11) LDAPUnsetEnv environment-variable
(12) LimitRequestBody request-body-size
(13) LimitRequestFields number-of-headers
(14) LimitRequestFieldsize header-size
(15) LimitRequestLine request-line-length
(16) Listen [IP-address:] port-number
(17) ListenBacklog number-of-backlogs
(18) LoadFile file-name [file-name ...]
(19) LoadModule module-structure-name library-file-name
(20) LogFormat "format" [label-name]
(21) LogLevel {debug | info | notice | warn | error | crit | alert | emerg}

(1) KeepAlive {On | Off}

(a) Contents

The KeepAlive directive specifies whether to enable KeepAlive (persistent) connections. KeepAlive is actually used only when the client also supports it. Because KeepAlive keeps a persistent connection between a server process and the client, responses to consecutive requests are fast. On the other hand, because a server process is reserved exclusively for a specific client, the service efficiency of the Web server as a whole may decline. Make adjustments by using the KeepAliveTimeout and MaxKeepAliveRequests directives.

On: Enables the persistent connection (KeepAlive).

Off: Disables the persistent connection (KeepAlive).

(b) Location where you can code

httpsd.conf

(c) Specification example

KeepAlive On

(2) KeepAliveTimeout time

~((0 - 65535))<<15>> (Unit: Seconds)

(a) Contents

This directive specifies, in seconds, how long to wait for the next request on a KeepAlive connection. If the waiting time elapses without the next request arriving from the client, the connection is closed. On a KeepAlive connection, a specific client occupies the server process. Set the timeout so that, when the typical time needed to move from one Web page to the next is exceeded, the connection is closed and the server process becomes available for processing other requests. If the time is set to 0, the KeepAlive connection is disabled.

(b) Location where you can code

httpsd.conf

(c) Specification example

KeepAliveTimeout 15

The request waiting time is 15 seconds in the case of KeepAlive connection.

(3) LanguagePriority language-code [language-code ...]

(a) Contents

The LanguagePriority directive specifies the languages to use, in descending order of priority. During content negotiation, if the request from the Web browser does not include a language priority order (Accept-Language header), the priority order specified here is used. For the language codes that you can specify, see the AddLanguage directive.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(c) Overwrite permission

FileInfo level

(d) Specification example

LanguagePriority ja en fr de

The priority order is Japanese, English, French, and German.

(4) LDAPBaseDN DN-value [DN-value...]

(a) Contents

For authentication with the LDAP server, the LDAPBaseDN directive specifies the uppermost DN from which the search starts. On the LDAP server, access from the Web server to this DN must be permitted.

All the user entries and group entries to be searched must be present under this DN. The Web server requires access rights to all these entries and attributes. When multiple LDAP servers are specified with the LDAPServerName directive, specify a DN for each LDAP server. When you specify multiple DNs, enclose each DN in " (double quotation marks). If only one DN is specified, you need not enclose it in quotation marks. If a DN includes quotation marks, add a \ (backslash) before each quotation mark.

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>

(5) LDAPNoEntryStatus {Authorization | Forbidden}

(a) Contents

This directive specifies the status code that the Web server returns to the Web browser when the access is denied by the access control of the LDAPRequire directive, even if the user authentication with the LDAP server is successful.

Authorization: Returns the status code 401.

Forbidden: Returns the status code 403.

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>

(6) LDAPRequire [% DN-attribute %] [LDAP-search-filter]

(a) Contents

Specify the LDAPRequire directive with the AuthName directive, AuthType directive, and the Require valid-user directive and specify the range of users for whom access is to be controlled.

If the specification begins with a character string enclosed in %, that character string is used as the DN attribute that identifies the user name entered by the client. If no character string enclosed in % is specified, the Web Server assumes cn (mandatory attribute that identifies a person defined on the basis of entry) as the DN attribute.

The user's registered DN is looked up under the value of the LDAPBaseDN directive, using the combination of the DN attribute and the user name entered by the client. This DN and the password entered by the client are then used to perform authentication with the LDAP server.

When the specified user is authenticated by the LDAP server and matches the LDAP search filter, the user can access the contents. When no filter is specified, (objectClass=*) is used as the search filter.

When this directive is simultaneously used with SSL client authentication, the access to the LDAP server becomes the anonymous access without any password and with the CN value of the Subject field in the client certificate as the user name. As a result of the LDAP server search, if the user name is registered in the LDAP server and is applicable to the LDAP search filter, the user can access the contents. If the filter is not specified, (objectClass=*) is set as a search filter.

When you specify this directive, the specification value of the Require directive specified in the directive will be disabled. However, the specification of the Require directive is mandatory.

Specify the search filter in the following format:

(Attribute Operator Value)

The following table describes the operators that you can use:

Table 6-7 Operators that you can use in search filter

Search type               Symbol                                  Description
Equality                  =                                       Returns the entry containing the attribute entry set in the specification value. Example: cn=hitachi taro
Substring                 =<Character string>*<Character string>  Returns the entry containing the attribute that includes the specified sub-character string. Example: cn=hita*, cn=*hanako, cn=*hi*, and cn=h*hanako
Greater than or equal to  >=                                      Returns the entry that includes the attributes greater than or equal to the specified value. Example: employeenumber>=100
Less than or equal to     <=                                      Returns the entry that includes the attributes less than or equal to the specified value. Example: employeenumber<=100
Presence                  =*                                      Returns the entry that includes the specified attribute. Example: cn=*, telephonenumber=*, and manager=*

Moreover, you can create a filter by combining two or more of these search filters.

(Operator (Search filter)(Search filter) ...)

In this case, you can use the operators described in the following table.

If the authenticated user has multiple attribute entries for one attribute, access is granted if one attribute entry matches with the operation.

Table 6-8 Operators that you can use in multiple search filters

Operator  Symbol  Description
And       &       Returns the entry for which all the filters are true. Example: (&(filter)(filter)(filter) ...)
Or        |       Returns the entry for which at least one of the specified filters is true. Example: (|(filter)(filter)(filter) ...)
Not       !       Returns the entry for which the specified filter is not true. Example: (!(filter))

# You cannot specify multiple filters with the Not operator.


The Web server responds with the status code 401 Authorization Required, if the authentication fails. When the entry does not match with the filter condition, the Web server responds with the status code (by default 401 Authorization Required) as per the LDAPNoEntryStatus directive. When the filter format syntax is wrong, the status code 500 Internal Server Error is returned.

If there are multiple specifications of the same user, the access is possible if access permission is granted to one of the specified users.
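Because a filter with wrong syntax only shows up as a 500 response at request time, it is worth checking the LDAPRequire argument before deployment. The following Python sketch is an added example, not part of the product: it accepts only the grammar shown in Tables 6-7 and 6-8 plus the optional leading %DN-attribute%, applies the documented defaults (cn and (objectClass=*)), and may be stricter or looser than the server's own parser. The function names and the sample attribute values are assumptions.

```python
import re

# Grammar from the page: (Attribute Operator Value) and (Operator (filter)(filter) ...).
SIMPLE = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|=)([^()]+)")
LEADING_ATTR = re.compile(r"%\s*([^%\s]+)\s*%\s*(.*)", re.S)
COMBINE = {"&": "and", "|": "or", "!": "not"}


class FilterError(ValueError):
    """The filter does not follow the format described on the page."""


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in COMBINE:
        symbol, children = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{symbol}' needs at least one filter")
        if symbol == "!" and len(children) > 1:
            raise FilterError("Not (!) takes a single filter")
        node = (COMBINE[symbol], children)
    else:
        end = s.find(")", i)
        m = SIMPLE.fullmatch(s[i:end]) if end != -1 else None
        if m is None:
            raise FilterError(f"bad (Attribute Operator Value) at offset {i}")
        attr, op, value = m.groups()
        if op == "=":
            kind = "presence" if value == "*" else "substring" if "*" in value else "equality"
        else:
            kind = "greater-or-equal" if op == ">=" else "less-or-equal"
        node, i = (kind, attr, value), end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_ldaprequire(argument):
    """Split an LDAPRequire argument into (DN attribute, parsed filter)."""
    dn_attr, rest = "cn", argument.strip()          # cn is the documented default
    m = LEADING_ATTR.fullmatch(rest)
    if m:
        dn_attr, rest = m.group(1), m.group(2).strip()
    rest = rest or "(objectClass=*)"                # documented default filter
    node, end = _parse(rest, 0)
    if end != len(rest):
        raise FilterError(f"unexpected text after filter at offset {end}")
    return dn_attr, node


def lint(argument):
    """Return None if the argument parses, otherwise the error text."""
    try:
        parse_ldaprequire(argument)
        return None
    except FilterError as exc:
        return str(exc)
```
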

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

<Directory>, .htaccess

(d) Overwrite permission

AuthConfig level

(e) Specification example

(7) LDAPServerName {host-name | IP-address} [{host-name | IP-address}...]

~<<127.0.0.1>>

(a) Contents

The LDAPServerName directive specifies the host name or the IP address of the LDAP server. When you specify multiple LDAP servers, specify the respective port numbers for each LDAP server (LDAPServerPort directive) and the upper-most DN (LDAPBaseDN directive) that starts the search. If the LDAP servers, the port numbers, and the number of DNs do not match, the authentication is not executed on the LDAP server. The Web Server outputs error log and returns the status code 500 to the Web browser.

However, when you use the same port number for all the LDAP servers specified in this directive, you can simplify the port number specification.

When you specify multiple LDAP servers, specify them in descending order of priority. For each request, user authentication always starts with the LDAP server that was specified first.

Local host (127.0.0.1) is set by default.

Note that a host name corresponding to an IPv6 address cannot be specified for host-name. An IPv6 address also cannot be specified for IP-address.

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>

(d) Specification example

LDAPServerName server01 server02 server03
LDAPServerPort 389
LDAPBaseDN "ou=employee, o=hitachi, c=jp" "ou=employee, o=example.com" "o=hitachi, c=jp"

If you specify as mentioned above, the combination of the LDAP server, port number, and the DN is as follows:

Order of the LDAP server to be used  Host name  Port number  DN that starts search
1                                    server01   389          ou=employee, o=hitachi, c=jp
2                                    server02   389          ou=employee, o=example.com
3                                    server03   389          o=hitachi, c=jp
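A mismatch between the number of servers, ports, and DNs is only reported as an error log entry and a 500 response, so the pairing can be checked offline first. The following Python sketch is an added example, not part of the product: it assumes the three directives are read from a single configuration scope, reproduces the pairing shown in the table above, and applies the documented defaults (127.0.0.1 and 389). The function names and the sample text are constructed for illustration.

```python
import shlex

# Constructed sample: the three directives from the specification example above.
SAMPLE_CONF = '''\
LDAPServerName server01 server02 server03
LDAPServerPort 389
LDAPBaseDN "ou=employee, o=hitachi, c=jp" "ou=employee, o=example.com" "o=hitachi, c=jp"
'''


def last_value(conf_text, name):
    """Raw argument string of the last uncommented `name` directive, or None."""
    value = None
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0].lower() == name.lower():
            value = parts[1] if len(parts) > 1 else ""
    return value


def split_base_dns(raw):
    """One unquoted DN may contain spaces; several DNs must each be quoted."""
    raw = (raw or "").strip()
    if not raw:
        return []
    # shlex honours "..." and the \" escape described for LDAPBaseDN.
    return shlex.split(raw) if '"' in raw else [raw]


def ldap_targets(conf_text):
    """Return (targets, problems) for one configuration scope."""
    servers = (last_value(conf_text, "LDAPServerName") or "127.0.0.1").split()
    ports = (last_value(conf_text, "LDAPServerPort") or "389").split()
    base_dns = split_base_dns(last_value(conf_text, "LDAPBaseDN"))
    problems = []
    if len(ports) == 1:                      # one port applies to every server
        ports = ports * len(servers)
    for port in ports:
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"LDAPServerPort {port!r} is outside 1-65535")
    if len(ports) != len(servers):
        problems.append(f"{len(servers)} servers but {len(ports)} ports")
    if len(base_dns) != len(servers):
        problems.append(f"{len(servers)} servers but {len(base_dns)} base DNs")
    if problems:
        return [], problems
    targets = [(order, host, int(port), dn) for order, (host, port, dn)
               in enumerate(zip(servers, ports, base_dns), start=1)]
    return targets, []


if __name__ == "__main__":
    for row in ldap_targets(SAMPLE_CONF)[0]:
        print(row)
```
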

(8) LDAPServerPort port-number [port-number...]

~((1 - 65535))<<389>>

(a) Contents

The LDAPServerPort directive specifies the LDAP server port number. When multiple LDAP servers are specified in the LDAPServerName directive, specify the port number for each LDAP server. However, when you use the same port number for all the LDAP servers specified in the LDAPServerName directive, you need not specify the number multiple times. Specify only one port number that applies to all the LDAP servers. For the example of multiple LDAP server specifications, see LDAPServerName directive. If the number of LDAP servers and the port numbers do not match, an error occurs.

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>

(9) LDAPSetEnv environment-variable attribute

(a) Contents

When you authenticate with the LDAP server, this directive sets an environment variable to the value of an attribute in the entry identified by the DN of the authenticated user. The attribute value is set in the character code acquired from the LDAP server. For details on the returned character codes, see the LDAP server manual. When there are multiple values for one attribute, the environment variable is not set. You cannot specify an attribute with the binary option (;binary). For the attributes containing other options, the attribute value is not set properly unless the value is not a character string. When the same environment variable is defined for another attribute, an error does not occur, but the value of the environment variable becomes undefined.

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(d) Overwrite permission

FileInfo level

(10) LDAPTimeout value

~((1 - 86400))<<30>> (Unit: Seconds)

(a) Contents

After the user authentication, the LDAPTimeout directive specifies the maximum waiting time in seconds for the search process of the filter specified in one LDAPRequire directive. The status code 500 Internal Server is returned in any of the following cases:

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>

(11) LDAPUnsetEnv environment-variable

(a) Contents

This directive disables the environment variables specified in the LDAPSetEnv directive.

(b) Note

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.

(c) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(d) Overwrite permission

FileInfo level

(12) LimitRequestBody request-body-size

~((0 - 2147483647))<<0>> (Unit: bytes)

(a) Contents

This directive specifies the upper limit for the object body (data) size when the server receives a request from the Web browser using the HTTP communication. The object body is used when the request is sent by <FORM METHOD=POST ACTION=...> from the Web server. When the upper limit is not specified, it is set to 0.

(b) Location where you can code

httpsd.conf, <VirtualHost>, <Directory>, .htaccess

(13) LimitRequestFields number-of-headers

~((0 - 32767))<<100>>

(a) Contents

This directive specifies the upper limit for the number of HTTP headers when the server receives a request from the Web browser using the HTTP communication. The number of HTTP headers of the request changes as per the specification of the proxy that links the Web browser and requests. When the upper limit is not specified, it is set to 0.

(b) Location where you can code

httpsd.conf

(14) LimitRequestFieldsize header-size

~((0 - 8190))<<8190>> (Unit: bytes)

(a) Contents

This directive specifies the upper limit for the size of one HTTP header when the server receives the request from the Web browser using the HTTP communication. The size of request header changes as per the specification of the proxy that links the Web browser and requests.

(b) Location where you can code

httpsd.conf

(15) LimitRequestLine request-line-length

~((0 - 8190))<<8190>> (Unit: bytes)

(a) Contents

This directive specifies the upper limit for the length of the request string (including the URI, HTTP version, the method and the inquiry character string) when the server receives the request from the Web browser using the HTTP communication. When the request is sent from the Web browser by <FORM METHOD=GET ACTION...>, the request string is used as a query string. Note that the number of bytes sent from the Web browser as the request line changes as per the specification of the proxy that links the Web browser and requests.

(b) Location where you can code

httpsd.conf

(16) Listen [IP-address:] port-number

(a) Contents

The 'Listen' directive specifies the IP address and the port number that receives the request. Unlike 'Port' directive, you can perform multiple specifications. Specify this directive when defining the virtual host. When you specify the Listen directive, the specifications of Port directive and BindAddress directive are ignored.

You can specify an IPv6 address for IP-address. Specify an IPv6 address by enclosing it in square brackets ([ ]). However, if you omit IP-address and specify only the port number, only requests using IPv4 addresses are accepted. Therefore, when using an IPv6 address, be sure to specify the IPv6 address in the Listen directive.

To restart the server after changing the IP address specified in the Listen directive, stop the server, and then start it. If you use other means to restart the server, such as a command, startup might fail.

(b) Location where you can code

httpsd.conf

(c) Specification example

Listen 80
Listen [2001::123:4567:89ab:cdef]:8080

Listen [::]:80

(17) ListenBacklog number-of-backlogs

~((1 - 2147483647))<<511>>

(a) Contents

The ListenBacklog directive specifies the maximum queue size for the connection requests from the client. The specified value is set as the number of backlogs of system call listen( ). However, as the limit for the specification value and the actual maximum value for queue size differ according to the OS, see the OS manual for listen( ) and documents that explain TCP/IP implementation for each OS.

(b) Location where you can code

httpsd.conf

(18) LoadFile file-name [file-name ...]

(a) Contents

The LoadFile directive specifies the object file or the library containing the codes that are referred by the module incorporated by the DSO. In the file name, you can specify the absolute path, or the relative path from the specified value of the ServerRoot directive.

When you specify the modules that refer to this file in the LoadModule directive, you need to specify this directive before these modules are used in httpsd.conf.

(b) Location where you can code

httpsd.conf

(19) LoadModule module-structure-name library-file-name

(a) Contents

This directive specifies a module to be dynamically embedded in the Web server. You can specify absolute path, or the relative path from the specified value of the ServerRoot directive in the library file name.

(b) Location where you can code

httpsd.conf

(c) Specification example

LoadModule hws01_module libexec/mod_hws01.so
LoadModule hws02_module libexec/mod_hws02.so

Embed the module hws01_module and the module hws02_module.

(20) LogFormat "format" [label-name]

~<<"%h %l %u %t \"%r\" %>s %b">>

(a) Contents

The LogFormat directive defines the label name in log format. You can specify the label name defined here in the CustomLog directive. For the format that you can specify, see CustomLog directive. If label name is not attached, you cannot specify this directive multiple times. If %A or %a is specified in the format, IPv6 addresses can also be output. If %h or %V is specified in the format, host names corresponding to IPv6 addresses or the IPv6 addresses can also be output.

(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

(21) LogLevel {debug | info | notice | warn | error | crit | alert | emerg}

(a) Contents

This directive specifies the level of the errors that are output to the error log. The Web Server outputs error log messages at the specified level or higher. Note that notice level logs are output regardless of this specification. Messages that are output before the analysis of the level specification finishes (for example, during Cosminexus HTTP Server startup) may be output regardless of this specification.

The following table describes the error levels in the ascending order:

Level   Meaning
emerg   Emergency message
alert   Message that requests instant processing
crit    Critical state message
error   General error message
warn    Warning level message
notice  Standard but important message
info    Information messages, and module trace information# collected when external modules and CGI programs are executed
debug   Debug level messages, trace information for internal modules, and info-level module trace information#

#: You can specify that module trace information is to be output not to the error log but to the request log. For details, see 4.2.2 (5) Locations to which trace information is output and 4.2.6 Collecting the module trace.


(b) Location where you can code

httpsd.conf, <VirtualHost>

(c) Specification example

LogLevel info