The KeepAlive directive specifies whether to enable KeepAlive connections. KeepAlive is actually used only when the client also supports it. Because KeepAlive maintains a persistent connection between a server process and the client, the response to consecutive requests is good. On the other hand, because a server process is reserved exclusively for a specific client, the service efficiency of the Web server as a whole may decline. Make adjustments by using the KeepAliveTimeout and MaxKeepAliveRequests directives.
On: Enables the persistent connection (KeepAlive).
Off: Disables the persistent connection (KeepAlive).
httpsd.conf
KeepAlive On
~((0 - 65535))<<15>> (Unit: Seconds)
This directive specifies, in seconds, how long the server waits for the next request on a KeepAlive connection. If this time elapses and no further request arrives from the client, the connection is closed. On a KeepAlive connection, a persistent client occupies a server process. Choose a value such that, once the typical time needed to move from one Web page to the next is exceeded, the timeout closes the connection and the server process can be used to process other requests. If the time is set to 0, the KeepAlive connection is disabled.
httpsd.conf
KeepAliveTimeout 15
The request waiting time is 15 seconds in the case of KeepAlive connection.
The LanguagePriority directive specifies the languages to use, in descending order of priority. In content negotiation, if the request from the Web browser does not include a priority order for language codes (Accept-Language header), the priority order specified here is used. For the language codes that you can specify here, see the AddLanguage directive.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
LanguagePriority ja en fr de
The priority order is Japanese, English, French, and German.
When you authenticate with the LDAP server, the LDAPBaseDN directive specifies the uppermost DN from which the search starts. The Web server must be permitted to access this DN.
All the user entries and group entries to be searched must be present under this DN. The Web server requires access rights to all these entries and attributes. When multiple LDAP servers are specified with the LDAPServerName directive, specify a DN for each LDAP server. When you specify multiple DNs, enclose each DN in " (double quotation marks). If only one DN is specified, you need not enclose the DN in quotation marks. If DN includes quotation marks, add a before the quotation mark.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>, <Directory>
This directive specifies the status code that the Web server returns to the Web browser when the access is denied by the access control of the LDAPRequire directive, even if the user authentication with the LDAP server is successful.
Authorization: Returns the status code 401.
Forbidden: Returns the status code 403.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>
Specify the LDAPRequire directive with the AuthName directive, AuthType directive, and the Require valid-user directive and specify the range of users for whom access is to be controlled.
If there is a character string enclosed by % in the beginning, this character string is used as the DN attribute that identifies the user name entered by the client. If the character string does not contain %, the Web Server assumes cn (mandatory attribute that identifies a person defined on the basis of entry) as the DN attribute.
The DN registered for the user is determined from the value of the LDAPBaseDN directive by combining the user name entered by the client with the value set as the DN attribute. This DN and the password entered by the client are used to perform the authentication in the LDAP server.
When the specified user is authenticated in LDAP server and is applicable to the LDAP search field, the user can access contents. When filter is not specified, (objectClass=*) is specified as search filter.
When this directive is simultaneously used with SSL client authentication, the access to the LDAP server becomes the anonymous access without any password and with the CN value of the Subject field in the client certificate as the user name. As a result of the LDAP server search, if the user name is registered in the LDAP server and is applicable to the LDAP search filter, the user can access the contents. If the filter is not specified, (objectClass=*) is set as a search filter.
When you specify this directive, the specification value of the Require directive specified in the directive will be disabled. However, the specification of the Require directive is mandatory.
Specify the search filter in the following format:
(Attribute Operator Value)
The following table describes the operators that you can use:
Table 6-7 Operators that you can use in search filter
Search type | Symbol | Description |
---|---|---|
Equality | = | Returns the entry containing the attribute entry set in the specification value. Example: cn=hitachi taro |
Substring | =<Character string>*<Character string> | Returns the entry containing the attribute that includes the specified sub-character string. Example: cn=hita*, cn=*hanako, cn=*hi*, and cn=h*hanako |
Greater than or equal to | >= | Returns the entry that includes the attributes greater than or equal to the specified value. Example: employeenumber>=100 |
Less than or equal to | <= | Returns the entry that includes the attributes less than or equal to the specified value. Example: employeenumber<=100 |
Presence | =* | Returns the entry that includes the specified attribute. Example: cn=*, telephonenumber=*, and manager=* |
Moreover, you can create a filter by combining two or more of these search filters.
(Operator (Search filter)(Search filter) ...)
In this case, you can use the operators described in the following table.
If the authenticated user has multiple attribute entries for one attribute, access is granted if one attribute entry matches with the operation.
Table 6-8 Operators that you can use in multiple search filters
Operators | Symbol | Description |
---|---|---|
And | & | All the filters return true entry. Example: (&(filter)(filter)(filter) ...) |
Or | \| | At least one specified filter returns true entry. Example: (\|(filter)(filter)(filter) ...) |
Not | ! | Specified filter returns the entry that is not true. Example: (!(filter)) |
# You cannot specify multiple filters in the case of Not operator.
The Web server responds with the status code 401 Authorization Required, if the authentication fails. When the entry does not match with the filter condition, the Web server responds with the status code (by default 401 Authorization Required) as per the LDAPNoEntryStatus directive. When the filter format syntax is wrong, the status code 500 Internal Server Error is returned.
If there are multiple specifications of the same user, the access is possible if access permission is granted to one of the specified users.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
<Directory>, .htaccess
AuthConfig level
LDAPRequire (|(cn=hitachi taro)(cn=hitachi hanako))
LDAPRequire %uid% (|(&(uid>=99001)(uid<=99029))(&(uid>=99051)(uid<=99059)))
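The filter grammar from Tables 6-7 and 6-8, as a small parser and evaluator you can use to test an LDAPRequire filter against sample entries before deploying it. This is an added example, not Cosminexus code: the function names, the comparison rules (digit strings as integers, case-insensitive text) and the sample entry are assumptions, and the %attribute% prefix is not handled.

```python
import re

def parse(text):
    """Parse '(attr op value)' or '(&|! (filter)...)' into nested tuples."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _parse(s, i):
    if not s.startswith("(", i):
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s.startswith("(", i):
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of filters for '{op}'")
        node = (op, kids)
    else:
        end = s.find(")", i)
        m = re.fullmatch(r"([A-Za-z][\w-]*)(>=|<=|=)([^()]*)", s[i:max(end, i)])
        if not m:
            raise ValueError(f"bad simple filter at offset {i}")
        node, i = m.groups(), end
    if not s.startswith(")", i):
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _ordered(op, have, want):
    # Assumption: digit strings compare as integers, other values as lower-cased text.
    numeric = have.isdigit() and want.isdigit()
    have, want = (int(have), int(want)) if numeric else (have.lower(), want.lower())
    return have >= want if op == ">=" else have <= want

def matches(node, entry):
    """entry: lower-case attribute name -> list of values for one user entry."""
    if len(node) == 2:  # (operator, [sub-filters])
        hits = [matches(kid, entry) for kid in node[1]]
        return {"&": all(hits), "|": any(hits), "!": not hits[0]}[node[0]]
    attr, op, want = node
    values = entry.get(attr.lower(), [])
    if op != "=":
        return any(_ordered(op, v, want) for v in values)
    if want == "*":  # presence
        return bool(values)
    pattern = ".*".join(re.escape(part) for part in want.split("*"))
    return any(re.fullmatch(pattern, v, re.I | re.S) for v in values)

# Constructed entry: two uid values, neither inside a range the page's filter permits.
SPLIT = {"cn": ["guest"], "uid": ["98000", "99100"]}
RANGE = parse("(|(&(uid>=99001)(uid<=99029))(&(uid>=99051)(uid<=99059)))")
SPLIT_ALLOWED = matches(RANGE, SPLIT)  # True
```

Because each comparison is satisfied by any one value of a multi-valued attribute, the constructed entry passes the range filter although neither of its uid values lies in a permitted range; take this into account when a range filter is used on an attribute that can hold several values.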
~<<127.0.0.1>>
The LDAPServerName directive specifies the host name or the IP address of the LDAP server. When you specify multiple LDAP servers, specify the port number for each LDAP server (LDAPServerPort directive) and the uppermost DN (LDAPBaseDN directive) from which the search starts. If the numbers of LDAP servers, port numbers, and DNs do not match, the authentication is not executed on the LDAP server. The Web server outputs an error log entry and returns the status code 500 to the Web browser.
However, when you use the same port number for all the LDAP servers specified in this directive, you can simplify the port number specification.
When you specify multiple LDAP servers, specify them in descending order of priority. For each request, user authentication is always performed starting from the LDAP server that was specified first.
Local host (127.0.0.1) is set by default.
Note that a host name corresponding to an IPv6 address cannot be specified for host-name. An IPv6 address also cannot be specified for IP-address.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>, <Directory>
LDAPServerName server01 server02 server03
LDAPServerPort 389
LDAPBaseDN "ou=employee, o=hitachi, c=jp" "ou=employee, o=example.com" "o=hitachi, c=jp"
If you specify as mentioned above, the combination of the LDAP server, port number, and the DN is as follows:
Order of the LDAP server to be used | Host name | Port number | DN that starts search |
---|---|---|---|
1 | server01 | 389 | ou=employee, o=hitachi, c=jp |
2 | server02 | 389 | ou=employee, o=example.com |
3 | server03 | 389 | o=hitachi, c=jp |
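A pre-deployment check for the pairing rule above, which otherwise only surfaces at request time as status code 500. This is an added example, not part of the product: `ldap_targets` is a hypothetical helper that reads the three directives from flat configuration text (no `<VirtualHost>` or `<Directory>` scoping) and treats a missing LDAPBaseDN as a mismatch.

```python
import shlex

def ldap_targets(conf_text):
    """Return [(host, port, base_dn), ...] in search order, or raise ValueError."""
    # Defaults for server name and port are the ones stated on this page.
    args = {"LDAPServerName": "127.0.0.1", "LDAPServerPort": "389", "LDAPBaseDN": ""}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in args:
            args[parts[0]] = parts[1].strip()
    hosts = args["LDAPServerName"].split()
    ports = [int(p) for p in args["LDAPServerPort"].split()]
    raw = args["LDAPBaseDN"]
    # Quoted values are one DN each; an unquoted value is a single DN.
    dns = shlex.split(raw) if raw.startswith('"') else [raw] if raw else []
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("LDAPServerPort outside 1-65535")
    if len(ports) == 1:  # one port number applies to every listed server
        ports *= len(hosts)
    if not (len(hosts) == len(ports) == len(dns)):
        raise ValueError(f"count mismatch: {len(hosts)} servers, "
                         f"{len(ports)} ports, {len(dns)} base DNs")
    return list(zip(hosts, ports, dns))

# The three-server specification shown above.
PAGE_EXAMPLE = """\
LDAPServerName server01 server02 server03
LDAPServerPort 389
LDAPBaseDN "ou=employee, o=hitachi, c=jp" "ou=employee, o=example.com" "o=hitachi, c=jp"
"""
TARGETS = ldap_targets(PAGE_EXAMPLE)
```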
~((1 - 65535))<<389>>
The LDAPServerPort directive specifies the LDAP server port number. When multiple LDAP servers are specified in the LDAPServerName directive, specify the port number for each LDAP server. However, when you use the same port number for all the LDAP servers specified in the LDAPServerName directive, you need not specify the number multiple times. Specify only one port number that applies to all the LDAP servers. For the example of multiple LDAP server specifications, see LDAPServerName directive. If the number of LDAP servers and the port numbers do not match, an error occurs.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>, <Directory>
When you authenticate with the LDAP server, this directive sets the value of an attribute of the entry identified by the DN of the authenticated user as the value of an environment variable. The attribute value is set in the character code acquired from the LDAP server. For details on the returned character codes, see the LDAP server manual. When there are multiple values for one attribute, the environment variable is not set. You cannot specify the attribute with a binary option (;binary). For the attributes containing other options, the attribute value is not set properly unless the value is not a character string. When the same environment variable is defined in another attribute, no error occurs but the value of the environment variable becomes undefined.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
~((1 - 86400))<<30>> (Unit: Seconds)
After the user authentication, the LDAPTimeout directive specifies the maximum waiting time in seconds for the search process of the filter specified in one LDAPRequire directive. The status code 500 Internal Server is returned in any of the following cases:
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>, <Directory>
This directive disables the environment variables specified in the LDAPSetEnv directive.
The mod_hws_ldap module must be embedded for user authentication via the LDAP server. For details on user authentication via the LDAP server, see 4.5.4 User authentication and access control using the directory service.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
FileInfo level
~((0 - 2147483647))<<0>> (Unit: bytes)
This directive specifies the upper limit for the object body (data) size when the server receives a request from the Web browser using the HTTP communication. The object body is used when the request is sent by <FORM METHOD=POST ACTION=...> from the Web server. When the upper limit is not specified, it is set to 0.
httpsd.conf, <VirtualHost>, <Directory>, .htaccess
~((0 - 32767))<<100>>
This directive specifies the upper limit for the number of HTTP headers when the server receives a request from the Web browser using the HTTP communication. The number of HTTP headers of the request changes as per the specification of the proxy that links the Web browser and requests. When the upper limit is not specified, it is set to 0.
httpsd.conf
~((0 - 8190))<<8190>> (Unit: bytes)
This directive specifies the upper limit for the size of one HTTP header when the server receives the request from the Web browser using the HTTP communication. The size of request header changes as per the specification of the proxy that links the Web browser and requests.
httpsd.conf
~((0 - 8190))<<8190>> (Unit: bytes)
This directive specifies the upper limit for the length of the request string (including the URI, HTTP version, the method and the inquiry character string) when the server receives the request from the Web browser using the HTTP communication. When the request is sent from the Web browser by <FORM METHOD=GET ACTION...>, the request string is used as a query string. Note that the number of bytes sent from the Web browser as the request line changes as per the specification of the proxy that links the Web browser and requests.
httpsd.conf
The 'Listen' directive specifies the IP address and the port number on which requests are received. Unlike the 'Port' directive, you can specify this directive multiple times. Specify this directive when defining a virtual host. When you specify the Listen directive, the specifications of the Port directive and the BindAddress directive are ignored.
You can specify an IPv6 address for IP-address. Specify an IPv6 address by enclosing it in square brackets ([ ]). However, if you omit IP-address and specify only the port number, only requests using IPv4 addresses are accepted. Therefore, when using an IPv6 address, be sure to specify the IPv6 address in the Listen directive.
To restart the server after changing the IP address specified in the Listen directive, stop the server, and then start it. If you use other means to restart the server, such as a command, startup might fail.
httpsd.conf
Listen 80
Listen [2001::123:4567:89ab:cdef]:8080
Listen [::]:80
~((1 - 2147483647))<<511>>
The ListenBacklog directive specifies the maximum queue size for the connection requests from the client. The specified value is set as the number of backlogs of system call listen( ). However, as the limit for the specification value and the actual maximum value for queue size differ according to the OS, see the OS manual for listen( ) and documents that explain TCP/IP implementation for each OS.
httpsd.conf
The LoadFile directive specifies the object file or the library containing code that is referenced by a module incorporated by DSO. For the file name, you can specify an absolute path, or a path relative to the value of the ServerRoot directive.
When the modules that refer to this file are specified in the LoadModule directive, you need to specify this directive in httpsd.conf before those modules are used.
httpsd.conf
This directive specifies a module to be dynamically embedded in the Web server. For the library file name, you can specify an absolute path, or a path relative to the value of the ServerRoot directive.
httpsd.conf
LoadModule hws01_module libexec/mod_hws01.so
LoadModule hws02_module libexec/mod_hws02.so
Embed the module hws01_module and the module hws02_module.
~<<"%h %l %u %t \"%r\" %>s %b">>
The LogFormat directive defines the label name in log format. You can specify the label name defined here in the CustomLog directive. For the format that you can specify, see CustomLog directive. If label name is not attached, you cannot specify this directive multiple times. If %A or %a is specified in the format, IPv6 addresses can also be output. If %h or %V is specified in the format, host names corresponding to IPv6 addresses or the IPv6 addresses can also be output.
httpsd.conf, <VirtualHost>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
This directive specifies the level of the errors that are output to the error log. The Web server outputs error log messages of a higher level than the specified level. Note that notice level logs are output regardless of this specification. Messages that are output before the analysis of the level specification finishes (for example, during Cosminexus HTTP Server startup) may be output regardless of this specification.
The following table describes the error levels in the ascending order:
Level | Meaning |
---|---|
emerg | Emergency message |
alert | Message that requests instant processing |
crit | Critical state message |
error | General error message |
warn | Warning level message |
notice | Standard but important message |
info | Information messages, and module trace information# collected when external modules and CGI programs are executed |
debug | Debug level messages, trace information for internal modules, and info-level module trace information# |
#: You can specify that module trace information is to be output not to the error log but to the request log. For details, see 4.2.2 (5) Locations to which trace information is output and 4.2.6 Collecting the module trace.
httpsd.conf, <VirtualHost>
LogLevel info