When access to the contents is controlled by both user authentication (the AuthUserFile and Require directives) and the host name or IP address (the Allow from and Deny from directives), this directive sets the relationship between the two.
any: If any of the conditions is satisfied, access to the contents is permitted.
all: If none of the conditions are satisfied, access to the contents is prohibited.
<Directory>, .htaccess
When a request based on the specified method is received, this directive executes the script specified by CGI script name.
httpsd.conf, <VirtualHost>, <Directory>
Script POST /cgi-bin/search
This directive specifies the name of the directory that contains the CGI programs to be executed when a Web browser requests the execution of a CGI program under the specified URL.
You cannot specify a URL that is a duplicate of any of the following directive specification values:
For example, the following URLs cannot be specified:
ScriptAlias /aaa/bbb/ C:/alias/
ProxyPass /aaa/ http://aaa.example.com/
Specify the directory name with an absolute path.
httpsd.conf, <VirtualHost>
ScriptAlias /cgi-bin/ "<Cosminexus-installation-directory>/httpsd/cgi-bin/"
When the URL requesting the execution of the specified CGI program from the Web browser satisfies the conditions described by the regular expressions, this directive executes the CGI program with the specified new path. When the regular expressions are grouped using brackets ( ), you can refer to the character string that matches with the expression of group i using $i in new path. Specify numeric characters from 1 to 9 for i.
Specify the new path with an absolute path. When '$' or '&' is included as a character of new path, add '\' before the character. Note that when you specify $i, you need not add '\' before '$'.
You cannot specify a regular expression that is a duplicate of any of the following directive specification values:
For example, the following regular expressions cannot be specified:
ScriptAliasMatch ^/aaa/bbb/(.*) C:/alias/$1
ProxyPass /aaa/ http://aaa.example.com/
httpsd.conf, <VirtualHost>
ScriptAliasMatch ^/cgi-bin/(.*) "<Cosminexus-installation-directory>/httpsd/cgi-bin/$1"
This directive defines the interpreter used to execute the CGI script.
registry: The registry is searched and the program related to the extension is used as the interpreter.
script: The interpreter specified in the #! line in the script is used.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
The ScriptLog directive specifies the file to which the CGI script error log is output. For the file name, you can specify either an absolute path, or the relative path from the value specified in the ServerRoot directive.
In UNIX, the specified file must be writable by the user specified in the User directive.
httpsd.conf
~((0 - 2147483647))<<1024>> (Unit: Bytes)
This directive specifies the maximum size, in bytes, of the request body that is logged for the PUT and POST methods. This specification is valid only when you specify the error log output destination file with the ScriptLog directive.
A memory area of the size specified in this directive is secured in the process that handles the request. As a result, when you specify a large value, memory allocation might fail and the Web server might stop. Hitachi recommends that you specify the default value or the minimum required value.
httpsd.conf
~((0 - 2147483647))<<10385760>> (Unit: Bytes)
This directive specifies the maximum size of error log file of CGI script in bytes. The specification of this directive is valid only when you specify the error log output destination file with the ScriptLog directive.
httpsd.conf
This directive specifies the E-Mail address of the server administrator. Always specify this directive when you specify the E-Mail address with the ServerSignature directive.
httpsd.conf, <VirtualHost>
ServerAdmin www-admin@server.example.com
This directive specifies an optional name for the host name (ServerName) that is used in the virtual host based on server name. You can specify the host name corresponding to an IPv6 address.
<VirtualHost>
The ServerName directive specifies the server name and the port number of Cosminexus HTTP Server. When you omit the port number, the value specified in the Port directive is set.
Specify the server name as an FQDN (fully qualified domain name) or an IP address. You can also specify an IPv6 address or the FQDN corresponding to an IPv6 address for server-name. When specifying both an IPv6 address and a port number, enclose the IPv6 address in square brackets ([ ]).
When the Web server issues a redirect (for a request that uses an image map, or for a request that specifies a directory without a trailing / (slash)), the server name is set in the Location header as the redirect destination, depending on the value of the UseCanonicalName directive, and returned to the client. Therefore, you must specify a server name that a client can access. Specification of this directive is mandatory.
httpsd.conf, <VirtualHost>
ServerName www.example.com
ServerName 2001::123:4567:89ab:cdef
ServerName [2001::123:4567:89ab:cdef]
ServerName [2001::123:4567:89ab:cdef]:8080
Specify this directive when you use the path name instead of Host header to connect to each host, in the virtual host based on the server name.
<VirtualHost>
~<</opt/hitachi/httpsd>>(UNIX version)
~<<<Cosminexus-installation-directory>\httpsd>> (Windows version)
This directive specifies the root directory of server with the absolute path.
httpsd.conf
ServerRoot "C:/Program Files/Hitachi/Cosminexus/httpsd"
This directive specifies whether a content footer of error messages that the Web server creates is to be signed.
On: Displays the character string according to ServerTokens directive (such as Cosminexus HTTP Server and version number), and the server name and the port name according to the specified value of UseCanonicalName directive.
Cosminexus HTTP Server 09-00 at www.example.com Port 80
Off: Does not display signature in the contents footer.
Email: In addition to the display when On is specified, this option adds the specification value of the ServerAdmin directive in a mailto tag.
Note that when On is specified, the IPv6 address specified in the ServerName directive or the host name corresponding to an IPv6 address can be displayed.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
ServerSignature On
This directive sets the format of the Server header in the HTTP response. The Server header value for each setting is described below. Unix, Win32, or Win64 is set as the OS type. How the value of the Server header is used depends on the client specifications.
Minimal: Cosminexus HTTP Server Version number
OS: Cosminexus HTTP Server Version number (OS type)
Full: Cosminexus HTTP Server Version number (OS type) Information set by an additional PP
ProductOnly: Cosminexus HTTP Server
httpsd.conf
ServerTokens Full
This directive specifies the environment variable value that is set when you pass the optional environment variable to the CGI script. If you specify this directive multiple times, you cannot specify different values for the same environment variable.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
SetEnv MY_ENV myenv
This directive defines an environment variable on the basis of the client request. The specified environment variable is set when the request value from the client satisfies the condition in the regular expression. By default, the value is set to 1. When ! is added before the environment variable, the setting of that environment variable is cancelled. As the request value, you can specify a value shown in the HTTP request header or one of the values shown in the following table. You can also test an environment variable that was set earlier by specifying it as the request value. However, the name of such an environment variable must not match an HTTP request header or any of the values described in the following table:
Request value | Meaning |
---|---|
Remote_Addr | IP address of the client |
Remote_Host | Host name of the client (only when set in the request) |
Request_Protocol | Protocol of the request (such as HTTP/1.1) |
Request_Method | Method name of the request (such as GET, POST, and HEAD) |
Request_URI | URI of the request |
Server_Addr | IP address of the server that receives the request |
When performing multiple specifications of this directive, you cannot specify the same request value multiple times.
Note that when specifying Remote_Host for request-value, you can also specify the host name corresponding to an IPv6 address for regular-expression. In addition, the Remote_Addr and Server_Addr request values cannot be used for connections that use IPv6. To use Remote_Addr and Server_Addr, perform settings by using the HWSSetEnvIfIPv6 directive.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
SetEnvIf User-Agent "Mozilla.*" SETENVIF_USER_AGENT=Mozilla
SetEnvIf Request_URI "\.(gif|jpg)$" request_is_image
Listen 123.123.123.123:80
Listen [2001::123:4567:89ab:cdef]:80
<VirtualHost 123.123.123.123:80>
SetEnvIf Remote_Addr ^234\.234\.234\.234$ IPV4_CLIENT
</VirtualHost>
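How much an unescaped dot, a missing end anchor, or an alternation outside a group widens a SetEnvIf pattern, shown as an added example that is not part of the original reference. The addresses and URIs are constructed sample values, and Python's re module stands in for the server's regular-expression engine (an assumption that holds for these simple patterns).

```python
import re

def matches(pattern, values):
    """Values the pattern matches anywhere in the string (search semantics)."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]

def unintended(loose, strict, values):
    """Values the loose pattern accepts but the strict pattern rejects."""
    strict_hits = set(matches(strict, values))
    return [v for v in matches(loose, values) if v not in strict_hits]

# Constructed client addresses (documentation ranges) as seen in Remote_Addr.
CLIENT_ADDRS = ["192.0.2.1", "192.0.2.10", "192.0.221.5", "198.51.100.7"]

# Constructed request paths as seen in Request_URI.
REQUEST_URIS = [
    "/img/logo.gif",
    "/img/photo.jpg",
    "/admin/gifts/list",
    "/img/logo.gif.bak",
    "/export-jpg",
    "/cgi-bin/search",
]

# Loose: '.' means "any character" and nothing anchors the end of the address.
ADDR_LOOSE = r"^192.0.2.1"
# Strict: every dot escaped, both ends anchored.
ADDR_STRICT = r"^192\.0\.2\.1$"

# Loose: '|' splits the whole pattern, so '$' applies only to the jpg branch,
# and the leading '.' matches any character.
URI_LOOSE = r".(gif)|(jpg)$"
# Strict: literal dot, alternation inside one group, '$' applies to both.
URI_STRICT = r"\.(gif|jpg)$"

if __name__ == "__main__":
    print("address, unintended:", unintended(ADDR_LOOSE, ADDR_STRICT, CLIENT_ADDRS))
    print("URI, unintended:    ", unintended(URI_LOOSE, URI_STRICT, REQUEST_URIS))
```

Any value in the unintended lists would receive the environment variable, so a log filter or access rule keyed on that variable would apply to requests it was never meant to cover.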
This directive defines the environment variables based on the client request. Set the specified environment variables when the request value from the client satisfies the conditions described in the regular expression. By default, the value is set to 1. When ! is attached before environment variable, it cancels the settings of that environment variable.
For details on the values that can be specified for request-value, see the SetEnvIf directive.
However, regular-expression is not case-sensitive in this directive. When specifying this directive multiple times, you cannot specify the same request value in the directives.
Note that when specifying Remote_Host for request-value, you can specify the host name corresponding to request-value. In addition, the Remote_Addr and Server_Addr request values cannot be used for connections that use IPv6. To use Remote_Addr and Server_Addr, perform settings by using the HWSSetEnvIfIPv6 directive.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
Specify this directive to associate all requests for the specified <Directory>, or all requests within the scope of the access control file, with the handler specified by the handler name. If you specify none as the handler name, the settings specified for the SetHandler directive until then are disabled.
<Directory>, .htaccess
FileInfo level
This directive denies an access to specified encryption types and returns the status code 403 Forbidden to the client. The following are the encryption types.
Encryption type | Key exchange method | Authentication method | Symmetric key cryptography | Encryption key size (bit) | Message authentication algorithm |
---|---|---|---|---|---|
RC4-MD5 | RSA | RSA | RC4 | 128 | MD5 |
RC4-SHA | RSA | RSA | RC4 | 128 | SHA |
AES128-SHA | RSA | RSA | AES | 128 | SHA |
AES128-SHA256 | RSA | RSA | AES | 128 | SHA256 |
DES-CBC3-SHA | RSA | RSA | DES | 168 | SHA |
AES256-SHA | RSA | RSA | AES | 256 | SHA |
AES256-SHA256 | RSA | RSA | AES | 256 | SHA256 |
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
When you perform the server and client authentication by SSL, this directive specifies the file name of the public key (PEM format) of the CA (Certification Authority). By combining multiple certificate files, you can mix multiple certificates into one file.
Specify the file name with an absolute path.
httpsd.conf, <VirtualHost>
SSLCACertificateFile "<Cosminexus-installation-directory>/httpsd/conf/ssl/cacert/anycert.pem"
When performing the server and client authentication by SSL, this directive specifies the directory that stores the hash link of the CA certificate (PEM format). For details on how to create and operate a hash link, see 5.2.6 Creating a hash link (in UNIX) (certutil cert command).
You need the hash link when verifying the client certificate. For the acquired CA certificate, create a hash link in a specific directory and specify this directory in the SSLCACertificatePath directive.
Specify directory name with an absolute path.
httpsd.conf, <VirtualHost>
SSLCACertificatePath /opt/hitachi/httpsd/conf/ssl/cacerts
This directive specifies the path name for the SSL session management cache server gcache. Specify the path name with an absolute path, or the relative path from the ServerRoot directive.
httpsd.conf
SSLCacheServerPath /opt/hitachi/httpsd/sbin/gcache
~((Use 1 - 65535 when specifying the port number))
This directive specifies the port number or the path name to exchange data between Web server and SSL session management cache server gcache. You can specify the path name with an absolute path, or the relative path from the ServerRoot directive.
httpsd.conf
SSLCacheServerPort logs/gcache_port
~<<Specification value of the ServerRoot directive>>
This directive specifies the path name of the directory in which the SSL session management cache server gcache runs. This is the directory to which gcache outputs the core dump. You can specify the path name with an absolute path, or the relative path from the ServerRoot directive. The user specified in the User directive needs read, write, and execute permissions for the directory specified in the path name.
httpsd.conf
SSLCacheServerRunDir /opt/hitachi/httpsd/logs
This directive specifies the file name of the Web server certificate (PEM format) when you perform the authentication by SSL.
Specify file name with an absolute path.
httpsd.conf, <VirtualHost>
SSLCertificateFile "<Cosminexus-installation-directory>/httpsd/conf/ssl/server/httpsd.pem"
~<<Specification value of the SSLCertificateFile directive>>
This directive specifies the private key file name of the Web server when you perform the authentication by SSL.
Specify the file name with an absolute path.
httpsd.conf, <VirtualHost>
SSLCertificateKeyFile "<Cosminexus-installation-directory>/httpsd/conf/ssl/server/httpsdkey.pem"
This directive specifies the path name of the file that stores the password of the server private key when the private key is protected by a password. The file that stores the password is created by the sslpasswd command. Specify the path name with an absolute path, or the relative path from the ServerRoot directive.
httpsd.conf, <VirtualHost>
Specify this directive to handle the next issue date of the CRL that is used during the SSL client authentication.
httpsd.conf, <VirtualHost>
SSLCRLAuthoritative On
When the next issue date of the CRL elapses, deny the access to the clients holding a certificate issued by the CA that also issues the CRL.
This directive specifies the directory that stores the CRL of the DER format with an absolute path. If you store the required CRL in the specified directory and start or restart the Web server, you can apply the CRL during the client authentication with SSL. When multiple CRLs issued from the same CA are stored (including the CRLs in the directory specified with the SSLCRLPEMPath directive), the CRL with the latest date is applied. The Web server does not start when the directory contains a file other than a CRL of the DER format.
httpsd.conf, <VirtualHost>
SSLCRLDERPath "<Cosminexus-installation-directory>/httpsd/conf/ssl/crl/DER"
Specify the directory in which the CRL file of the DER format is stored.
This directive specifies the directory that stores the CRL of the PEM format with an absolute path. If you store the required CRL in the specified directory and start or restart the Web server, you can apply the CRL during the client authentication with SSL. When multiple CRLs issued from the same CA are stored (including the CRLs in the directory specified with the SSLCRLDERPath directive), the CRL with the latest date is applied. The Web server does not start when the directory contains a file other than a CRL of the PEM format.
httpsd.conf, <VirtualHost>
SSLCRLPEMPath "<Cosminexus-installation-directory>/httpsd/conf/ssl/crl/PEM"
Specify the directory in which CRL file of the PEM format is stored.
Specify this directive to prohibit SSL access. When you specify this directive, access from https is denied with the status code 403 Forbidden even if SSL is enabled with the SSLEnable directive. This is the opposite of the operation of the SSLRequireSSL directive.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
This directive disables the SSL. The default value is the SSLEnable directive (SSL is enabled). Specify this directive to disable the SSL for a specific host with the virtual host.
httpsd.conf, <VirtualHost>
This directive enables the SSL. By default, the SSL is enabled unless the SSLDisable directive is specified.
httpsd.conf, <VirtualHost>
~((0 - 9))<<0>>
When performing SSL client authentication, specify this directive to set the certificates, from the CA that issued the client certificate up to the root CA, in the environment variables SSL_CLIENT_CERT_CHAIN_n. The specified value is the maximum value of n. This directive is enabled only when the SSLExportClientCertificates directive is specified. Because the specified number of CA certificates is cached in the gcache server, you can use the cache efficiently by specifying only the number that the CGI programs or servlets require. However, when some of the cached certificates are deleted due to memory restrictions and cannot be acquired, only those certificates that could be acquired are set in the environment variables.
httpsd.conf, <VirtualHost>
This example describes a certificate chain called the 'Root CA-Lower CA-Client certificate'. In this case, the relationship between the environment variables and the certificates is as follows:
Environment variable | Certificate |
---|---|
SSL_CLIENT_CERT | Client certificate |
SSL_CLIENT_CERT_CHAIN_1 | Lower CA certificate |
SSL_CLIENT_CERT_CHAIN_2 | Root CA certificate |
Specify the directive in the following format to acquire all environment variables and certificate chains:
SSLExportClientCertificates
SSLExportCertChainDepth 2
For SSLExportCertChainDepth, specify a value of 2 or more.
When performing SSL client authentication, specify this directive to set the client certificate in the environment variable SSL_CLIENT_CERT. The Base64-encoded value of the certificate in DER format is set in the environment variable SSL_CLIENT_CERT.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
Used together with the SSL client authentication functionality, this directive makes Basic authentication possible just by presenting the client certificate, without entering a user ID and password in the Web browser. Code the Subject of the X509 client certificate and the password in the file specified with the AuthUserFile directive. The password is always fixed to the following values ("password" is encrypted in both):
httpsd.conf, <VirtualHost>
Subject: EMAIL=username@userhost,CN=username,OU=Software,O=HITACHI,L=Yokohama-shi,ST=Kanagawa,C=JP
In this case, the file specified with the AuthUserFile directive is specified as follows:
/C=JP/ST=Kanagawa/L=Yokohama-shi/O=HITACHI/OU=Software/CN=username/EMAIL=username@userhost:xxj31ZMTZzkVA
/C=JP/ST=Kanagawa/L=Yokohama-shi/O=HITACHI/OU=Software/CN=username/EMAIL=username@userhost:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
Subject is logged in the u specification of the LogFormat directive.
If the authentication fails, the Web server responds with the status code 401 Authorization Required.
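Building and checking the AuthUserFile lines described above, as an added example that is not part of the original reference. It assumes Subject values contain no commas, slashes or colons, and that the {SHA} field is the Base64 SHA-1 digest of the fixed password, which reproduces the value shown above; the function names are illustrative.

```python
import base64
import hashlib

# crypt-style value of the fixed password, copied from the sample line above.
FIXED_CRYPT = "xxj31ZMTZzkVA"

def sha_field(password="password"):
    """{SHA} field: Base64 of the SHA-1 digest of the fixed password."""
    digest = hashlib.sha1(password.encode("ascii")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def subject_to_user(subject):
    """Turn 'EMAIL=..,CN=..,..,C=JP' into '/C=JP/../CN=../EMAIL=..'."""
    parts = [p.strip() for p in subject.split(",")]
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError("not a KEY=value component: %r" % part)
        if ":" in part or "/" in part:
            # ':' separates the two file fields, '/' separates components.
            raise ValueError("component cannot be represented: %r" % part)
    return "/" + "/".join(reversed(parts))

def auth_user_line(subject):
    """One AuthUserFile line for a client certificate Subject."""
    return subject_to_user(subject) + ":" + sha_field()

def check_auth_user_file(lines):
    """Return (line number, problem) for entries that cannot authenticate."""
    allowed = {FIXED_CRYPT, sha_field()}
    problems = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, password = line.rpartition(":")
        if not sep:
            problems.append((number, "no ':' between Subject and password"))
            continue
        components = user[1:].split("/")
        if not user.startswith("/") or any("=" not in c for c in components):
            problems.append((number, "Subject is not in /KEY=value/... form"))
        if password not in allowed:
            problems.append((number, "password is not one of the fixed values"))
    return problems

if __name__ == "__main__":
    subject = ("EMAIL=username@userhost,CN=username,OU=Software,"
               "O=HITACHI,L=Yokohama-shi,ST=Kanagawa,C=JP")
    print(auth_user_line(subject))
```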
~<<All>>
This directive specifies the version of SSL protocol that is used.
httpsd.conf, <VirtualHost>
This directive denies access for encryption types other than the specified ones, and returns the status code 403 Forbidden to the client. For the encryption types that you can specify, see the SSLBanCipher directive.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
This directive specifies the encryption types that you can use in the SSL communication. If the encryption types specified in this directive and the encryption types that the client can use match, the Web server establishes the SSL communication and receives the HTTP requests. If encryption types do not match, the Web server does not establish the SSL communication or receive the HTTP request. For details on the encryption types that you can specify, see SSLBanCipher directive.
httpsd.conf, <VirtualHost>
SSLRequiredCiphers RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA
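A review of an SSLRequiredCiphers line against the encryption-type table given for SSLBanCipher, as an added example that is not part of the original reference. The table is copied from this page; the policy of dropping RC4, triple DES and MD5 suites is this example's assumption, not the vendor's recommendation.

```python
# name: (symmetric cipher, key size in bits, message authentication),
# copied from the encryption-type table above. Every suite in that table
# uses RSA key exchange, so filtering cannot add forward secrecy.
SUITES = {
    "RC4-MD5": ("RC4", 128, "MD5"),
    "RC4-SHA": ("RC4", 128, "SHA"),
    "AES128-SHA": ("AES", 128, "SHA"),
    "AES128-SHA256": ("AES", 128, "SHA256"),
    "DES-CBC3-SHA": ("DES", 168, "SHA"),
    "AES256-SHA": ("AES", 256, "SHA"),
    "AES256-SHA256": ("AES", 256, "SHA256"),
}

# Assumed review policy (not from the page).
WEAK_CIPHER = {
    "RC4": "RC4 stream cipher (RFC 7465 prohibits RC4 in TLS)",
    "DES": "triple DES, 64-bit block size",
}
WEAK_MAC = {"MD5": "MD5 message authentication"}

def review(line):
    """Split an SSLRequiredCiphers line into (keep, drop, unknown)."""
    fields = line.split()
    if len(fields) != 2 or fields[0] != "SSLRequiredCiphers":
        raise ValueError("expected: SSLRequiredCiphers name[:name...]")
    keep, drop, unknown = [], {}, []
    for name in fields[1].split(":"):
        if name not in SUITES:
            unknown.append(name)  # typo or a suite the table does not list
            continue
        cipher, _bits, mac = SUITES[name]
        reasons = []
        if cipher in WEAK_CIPHER:
            reasons.append(WEAK_CIPHER[cipher])
        if mac in WEAK_MAC:
            reasons.append(WEAK_MAC[mac])
        if reasons:
            drop[name] = reasons
        else:
            keep.append(name)
    return keep, drop, unknown

def hardened_line(line):
    """Same directive with only the suites that pass the policy."""
    keep, _drop, _unknown = review(line)
    if not keep:
        raise ValueError("no listed suite passes the policy")
    return "SSLRequiredCiphers " + ":".join(keep)

if __name__ == "__main__":
    sample = "SSLRequiredCiphers RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA"
    keep, drop, unknown = review(sample)
    for name, reasons in drop.items():
        print("drop", name, "-", "; ".join(reasons))
    print(hardened_line(sample))
```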
Specify this directive to allow access only through SSL. When this directive is specified, access from http is denied with the status code 403 Forbidden even if SSL is disabled with the SSLDisable directive. This directive prevents the contents from being exposed when SSL is carelessly disabled by a directive coded in a different location.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
<VirtualHost 172.17.40.10:443>
SSLDisable
...
<Directory /secure/dir>
SSLRequireSSL
...
</Directory>
</VirtualHost>
This example allows the http access to the port 443 of 172.17.40.10 host but denies the access to directory /secure/dir. The Web server responds with the status code 403 Forbidden for the http access to /secure/dir directory.
~((1 - 2147483647))<<3600>> (Unit: Second)
This directive sets the validity period (in seconds) for the data such as the session ID that is maintained by the Web server, or in SSL session control cache server gcache.
Set the validity period in such a way that it does not exceed January 19, 2038, 03:14:07 of the Greenwich Mean Time (GMT).
httpsd.conf, <VirtualHost>
SSLSessionCacheTimeout 3600
~((0 - 2147483647))<<16777216>> (Unit: Bytes)
In UNIX version, this directive sets the upper limit for the memory size in bytes, for the data such as session IDs cached in the memory of the cache server gcache that manages the SSL session. When you set this directive to 0, gcache server does not start and hence the session cache does not operate.
In the Windows version, this directive specifies the upper limit of the session cache size in bytes. When 0 is specified, the session cache is not implemented.
When max is specified, the upper limit of session cache size is not set. For each SSL session, approximately 200 bytes are used when performing only the server authentication, and approximately one kilobyte is used when performing the client authentication also.
httpsd.conf
SSLSessionCacheSize 1024
~((0 - 2147483647))<<20480>> (Unit: Bytes)
This directive specifies the upper limit of the memory size for the data such as the session IDs that are cached in the server process memory. When you specify max, the upper limit is not set.
httpsd.conf
SSLSessionCacheSizePerChild 1024
~<<0>>
This directive specifies the settings for certificate used during the client authentication.
0: Certificate is not requested.
1: The client can present the certificate. This setting is used to test the operations.
2: The client must present the certificate.
httpsd.conf, <VirtualHost>
SSLVerifyClient 2
~((0 - 10))<<0>>
This directive specifies the number of levels up to which the certificate chain is traced.
Specify the number of levels for the authentication check of the CA certificate chain used in client authentication. This directive is used to limit the extent to which the CA chain is used. Specify a minimum of two levels since certificates with self-signatures are not authenticated. For example:
httpsd.conf, <VirtualHost>
SSLVerifyDepth 10
~((0 - 1024))<<5>>
This directive specifies the number of server processes when you start the Web server. For details on the other directives related to the number of processes, see 4.1 Relationship between processes and directives of Cosminexus HTTP Server.
httpsd.conf
StartServers 5