Apache Installation and Configuration Guide, Part 2

2. Configuration file walkthrough

###################File description###################
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
###################Configuration notes##########################
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo_log".
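# If a configured filename begins with the root directory "/", the explicit path given is used; if it does not, the lookup path is the ServerRoot directory plus the path as written.
##################Software root directory################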
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
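# ServerRoot: the root directory for the server's configuration files, logs, error logs and so on, i.e. the directory where the software is installed.
# Do not add a trailing / to the directory. If the directory is not on a local disk, point the LockFile directive at a local disk. To share one ServerRoot among several httpd daemons, you must change at least LockFile and PidFile, so that each Apache instance has exclusive use of its own process files.
ServerRoot "/usr/local/apache"
#################Listening port and IP############################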
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
# The IP address and port Apache listens on, i.e. the address and port used for HTTP access; the default is 80.
Listen 80
#####################DSO modules to load##########################
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
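# DSO modules that must be loaded dynamically are listed here so that they are loaded when the server starts, in the format shown in the example. Statically compiled modules (those listed by httpd -l) do not need to be listed here.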
# Example:
# LoadModule foo_module modules/mod_foo.so
#
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
# When not running the NetWare or WinNT MPM
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
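####################Run-as user settings###################
# To run Apache as a different user or group, you must start it as root; it then switches to the configured user. As with most system services, creating a dedicated user and group for Apache is good practice. (Note: this only needs to be configured on non-NetWare, non-Windows systems.)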
User daemon
Group daemon
</IfModule>
</IfModule>
######################Apache main configuration###############
###############Overview##########
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
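# Configuration of the main server. These values are the defaults for the host; if virtual hosts are defined, the directives inside them override the values here, otherwise the values here are used.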
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. [email protected]
##############Server contact#############
ServerAdmin [email protected]
##################Server name (site domain)###############
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
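# Server domain name. It can usually be detected automatically, but you can also give the name and port explicitly (virtual hosts mostly use this option). If no DNS name is registered, use the IP address.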
#ServerName www.example.com:80
################Site root directory#############
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
# Site root directory. Requests are normally served from here, but symbolic links and aliases may be used to point to other locations.
DocumentRoot "/usr/local/apache/htdocs"
##################Global directory settings##############
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
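# Every directory Apache can access can be configured with the features to enable or disable, and the settings apply to its subdirectories. The default given first is a very restrictive set of features.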
# First, we configure the "default" to be a very restrictive set of
# features. 
#
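# The Options directive controls which server features are available in a particular directory. Its values are: None All Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Options can be set to None, in which case no extra features are enabled, or to one or more of the following:
# All: all features except MultiViews. This is the default.
# ExecCGI: allows execution of CGI scripts using mod_cgi.
# FollowSymLinks: the server follows symbolic links in this directory. Note: even though the server follows the symbolic link, it does not change the pathname used to match <Directory> sections.
# Includes: allows server-side includes provided by mod_include.
# IncludesNOEXEC: allows server-side includes but disables "#exec cmd" and "#exec cgi". It is still possible to "#include virtual" CGI scripts from ScriptAlias directories.
# Indexes: if a URL that maps to a directory is requested and the directory contains no DirectoryIndex file (for example index.html), the server returns a formatted directory listing generated by mod_autoindex.
# MultiViews: allows content-negotiated "MultiViews" using mod_negotiation.
# SymLinksIfOwnerMatch: the server follows a symbolic link only when the target file or directory is owned by the same uid as the link.
# Normally, if several Options directives apply to a directory, the most specific one is used in full (the others are ignored) and the options are not merged. However, if every option on the Options directive is preceded by "+" or "-", the options are merged: options preceded by "+" are added to those currently in force, and options preceded by "-" are removed from them.
# The AllowOverride directive controls which types of directive are allowed in .htaccess files. Its values are: Options FileInfo AuthConfig Limit All None
# When the server finds a .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier configuration directives. AllowOverride is valid only in <Directory> sections specified without regular expressions; it is not valid in <Location>, <DirectoryMatch> or <Files> sections. When this directive is set to None, .htaccess files are ignored completely; in fact the server does not even read them. When it is set to All, every directive that has the ".htaccess" context is allowed in .htaccess files.
# Values:
# AuthConfig: allows the authentication and authorization directives (AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthType, AuthUserFile, Require, etc.).
# FileInfo: allows the directives that control document types (DefaultType, ErrorDocument, ForceType, LanguagePriority, SetHandler, SetInputFilter, SetOutputFilter, the mod_mime Add* and Remove* directives, etc.), the directives that control document metadata (Header, RequestHeader, SetEnvIf, SetEnvIfNoCase, BrowserMatch, CookieExpires, CookieDomain, CookieStyle, CookieTracking, CookieName), the mod_rewrite directives (RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule) and the Action directive from mod_actions.
# Indexes: allows the directives that control directory indexing (AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, etc.).
# Limit: allows the directives that control host access (Allow, Deny, Order).
# Options[=Option,...]: allows the directives that control specific directory features (Options and XBitHack). An equals sign may be followed by a comma-separated list (without spaces) of Options values, to control which options the Options directive is allowed to set.
# Order directive: controls whether content can be fetched from the server, i.e. the default access state and the order in which the Allow and Deny directives are evaluated.
# Allow directive: controls which hosts can access the server.
# Deny directive: controls which hosts are denied access to the server.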
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
################Site document root settings############
# This should be changed to whatever you set DocumentRoot to.
# Change this to match the site root directory you set.
<Directory "/usr/local/apache/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
</Directory>
####################Site index page##############
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
# The file served when a directory is requested, i.e. the site's index page.
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
###################Whether .ht files can be viewed##############
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
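# The following configuration prevents the files matched by the regular expression from being viewed over the web.
# Satisfy directive: the access policy when both Allow and Require are used. The parameter can be All or Any. This directive only has an effect when access to a particular area is restricted by both username/password and client host address. With the default behaviour (All), the client must pass the address restriction and also enter a valid username and password. With Any, the client is granted access if it either passes the host restriction or enters a valid username and password. This can be used to password-protect an area while letting clients from particular addresses in without a password.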
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
#################Error log location##############
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
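# Error log. If a virtual host does not configure an error log, its errors are written here; if a virtual host does configure one, the file defined for the virtual host is used.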
ErrorLog "logs/error_log"
##################Log level (i.e. log content and format)####################
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
# Controls the level of messages recorded in the log. Possible values: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
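    # The directives below define format nicknames for use with the CustomLog directive. The format strings LogFormat accepts in the Apache configuration:
    # Format string   Description
    # %% The percent sign (Apache 2.0.44 and later)
    # %a Remote IP address
    # %A Local IP address
    # %B Bytes sent, excluding HTTP headers
    # %b Bytes sent, excluding HTTP headers, in CLF format: a '-' rather than a 0 when no bytes are sent.
    # %{Foobar}C The contents of cookie Foobar in the request sent to the server.
    # %D The time taken to serve the request, in microseconds.
    # %{FOOBAR}e The contents of the environment variable FOOBAR
    # %f Filename
    # %h Remote host
    # %H The request protocol
    # %{Foobar}i The contents of the Foobar: header line in the request sent to the server.
    # %l Remote logname (from identd, if supported). This is a "-" unless IdentityCheck is set to "On".
    # %m The request method
    # %{Foobar}n The contents of note Foobar from another module.
    # %{Foobar}o The contents of the Foobar: header line in the reply.
    # %p The canonical port of the server serving the request.
    # %P The process ID of the child that serviced the request.
    # %{format}P The process ID or thread ID of the child that serviced the request. Valid formats are pid and tid (2.0.46 and later) and hextid (requires APR 1.2.0 or higher).
    # %q The query string (prepended with a "?" if one exists, otherwise an empty string)
    # %r First line of the request
    # %s Status. For requests that were internally redirected, this is the status of the original request; %>s gives the status of the last request.
    # %t Time, in common log time format (standard English format)
    # %{format}t The time in the format given by strftime(3) (localized by default).
    # %T The time taken to serve the request, in seconds.
    # %u Remote user (from authentication; may be bogus if the returned status (%s) is 401)
    # %U The URL path requested, not including the query string.
    # %v The canonical ServerName of the server serving the request.
    # %V The server name according to the UseCanonicalName setting.
    # %X Connection status when the request is completed:
    #    X = connection aborted before the response completed.
    #    + = connection kept alive after the response is sent.
    #    - = connection closed after the response is sent.
    #    (In late 1.3 versions this directive was %c, but that conflicted with the historical SSL syntax %{var}c.)
    # %I Bytes received, including request and headers; cannot be zero. You must enable mod_logio to use this.
    # %O Bytes sent, including headers; cannot be zero. You must enable mod_logio to use this.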
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      # Using this format requires mod_logio to be loaded
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
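    # Location of the access log file (Common Logfile Format). If a virtual host defines its own, the virtual host's definition is used; otherwise the definition here is used.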
    CustomLog "logs/access_log" common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    # If you prefer a log file with access, agent and referer information (Combined Logfile Format), you can use the following directive.
    #CustomLog "logs/access_log" combined
</IfModule>
#############################Redirect settings#####################
<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
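    # Redirect: lets you tell clients about documents that used to exist on your server but no longer do. The client is given the new location of the old document.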
    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    # Maps a web path to a filesystem path; used to access files that are not under the site root directory.
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
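    # If you include a trailing / on the web path, the server requires it to be present in the URL. You will probably also need to provide a <Directory> section to allow access to the filesystem path.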
    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
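    # ScriptAlias directive: controls which directories contain server scripts.
    # A ScriptAlias is essentially the same as an Alias, except that files in the target directory are treated as applications and run on the server when requested, rather than being sent to the client as documents. The same rules about the trailing "/" apply to ScriptAlias as to Alias.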
    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
############################CGI daemon settings####################
<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    # ScriptSock: on threaded servers, specifies the path to the UNIX socket used to communicate with the CGI daemon of mod_cgid.
    #Scriptsock logs/cgisock
</IfModule>
#
# "/usr/local/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
# If you have a ScriptAlias configured, change "/usr/local/apache/cgi-bin" to the directory where your ScriptAliased CGI scripts live.
<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
#######################MIME type settings######################
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
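# DefaultType: if the server cannot determine a document's type from its extension, it uses the default type defined here. If the server holds mostly text or HTML documents, "text/plain" is a good value. If most of your content is binary, such as applications or images, you can use "application/octet-stream" so that browsers do not try to display binary files as text.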
DefaultType text/plain
<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    # TypesConfig points to the file that lists the mappings from filename extension to MIME type.
    TypesConfig conf/mime.types
    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    # AddType lets you add to or override the MIME configuration given in the TypesConfig file for specific file types.
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    # AddEncoding lets certain browsers uncompress information on the fly. Note: not all browsers support this.
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    # If the AddEncoding directives above are commented out, you should probably define these extensions as media types:
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
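    # AddHandler lets you map certain file extensions to "handlers": actions unrelated to file type. These can be built into the server or added with the Action directive (see below). To use CGI scripts outside ScriptAliased directories, you also need to add "ExecCGI" to the "Options" directive.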
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    #
    # Filters allow you to process content before it is sent to the client.
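    # Filters allow content to be processed before it is sent to the client. To parse .shtml files for server-side includes (SSI), you also need to add "Includes" to the "Options" directive.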
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
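# The mod_mime_magic module lets the server use hints from the contents of the file itself to determine its type. The MIMEMagicFile directive tells the module where the hint definitions are located.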
#MIMEMagicFile conf/magic
#########################Error redirects######################
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Customizable error responses come in three kinds: 1) plain text, 2) local redirects, 3) external redirects. Examples follow.
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
########################MMAP settings####################
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
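# EnableMMAP and EnableSendfile: on systems that support it, memory mapping or the sendfile system call is used to deliver files. This usually improves server performance, but it must be turned off when serving from network-mounted filesystems or if support for these functions is otherwise broken on your system.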
#EnableMMAP off
#EnableSendfile off
############################Other included configuration files################
# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Supplemental configuration: the files in the conf/extra directory can add features or change the server's default configuration, or you can simply copy their contents here and change them as needed.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
#############################SSL settings###############################
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
# Seeding source for the pseudo-random number generator (PRNG):
<IfModule ssl_module>
# Seed from the built-in source at startup
SSLRandomSeed startup builtin
# Seed from the built-in source on each connection
SSLRandomSeed connect builtin
</IfModule>
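
The Options merging rule described in the comments above (an unsigned Options line replaces everything inherited, a line made up only of +/- options is merged), worked through in Python. This is an added example, not part of the original configuration file: the `private` and `cgi` sections are hypothetical, and Includes and IncludesNOEXEC are modelled as independent flags for simplicity.

```python
# Added illustration: computes the Options in effect for a filesystem path
# under nested <Directory> sections, following the rule quoted above.

NAMES = ("ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
         "Indexes", "MultiViews", "SymLinksIfOwnerMatch")
# Option names are matched case-insensitively (the file itself writes both
# "SymLinksifOwnerMatch" and "IncludesNoExec").
CANON = {n.lower(): n for n in NAMES}
# "All" is every option except MultiViews; the page gives it as the default.
ALL = frozenset(NAMES) - {"MultiViews"}


def expand(token):
    """Turn one option word into the set of options it stands for."""
    low = token.lower()
    if low == "none":
        return frozenset()
    if low == "all":
        return ALL
    if low not in CANON:
        raise ValueError("unknown option: %s" % token)
    return frozenset([CANON[low]])


def apply_options(current, args):
    """Option set after one Options directive, given the inherited set."""
    signed = [a[:1] in ("+", "-") for a in args]
    if args and all(signed):
        # Every word carries a sign: merge into what was inherited.
        result = set(current)
        for a in args:
            if a[0] == "+":
                result |= expand(a[1:])
            else:
                result -= expand(a[1:])
        return frozenset(result)
    if any(signed):
        # The page defines only the two pure cases; this sketch refuses a
        # mix instead of guessing (assumption of the example).
        raise ValueError("do not mix signed and unsigned options")
    # No signs at all: the directive replaces the inherited set completely.
    result = set()
    for a in args:
        result |= expand(a)
    return frozenset(result)


def covers(directory, path):
    """True if path lies inside directory (on a path-component boundary)."""
    d = directory.rstrip("/")
    return d == "" or path == d or path.startswith(d + "/")


def effective_options(sections, path):
    """Apply matching <Directory> sections from least to most specific."""
    matching = [s for s in sections if covers(s[0], path)]
    matching.sort(key=lambda s: len(s[0].rstrip("/")))
    current = ALL
    for _, args in matching:
        current = apply_options(current, args)
    return current


SECTIONS = [
    ("/", ["FollowSymLinks"]),                                    # from the file
    ("/usr/local/apache/htdocs", ["Indexes", "FollowSymLinks"]),  # from the file
    # Hypothetical additions, to show both behaviours:
    ("/usr/local/apache/htdocs/private", ["-Indexes", "+IncludesNOEXEC"]),
    ("/usr/local/apache/htdocs/cgi", ["ExecCGI"]),
]

if __name__ == "__main__":
    for p in ("/usr/local/apache/htdocs/index.html",
              "/usr/local/apache/htdocs/private/report.html",
              "/usr/local/apache/htdocs/cgi/run.cgi",
              "/etc/passwd"):
        print(p, sorted(effective_options(SECTIONS, p)))
```

The unsigned `Options ExecCGI` on the hypothetical `cgi` directory silently drops the inherited FollowSymLinks and Indexes, whereas the signed form on `private` removes only Indexes.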

3. Supplementary configuration files

httpd-autoindex.conf (controls how directory listings are displayed)
#
# Directives controlling the display of server-generated directory listings.
# These directives control how server-generated directory listings are displayed; the mod_autoindex and mod_alias modules are required.
# Required modules: mod_autoindex, mod_alias
#
# To see the listing of a directory, the Options directive for the
# directory must include "Indexes", and the directory must not contain
# a file matching those listed in the DirectoryIndex directive.
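# To see a directory listing, the directory's Options directive must include "Indexes", and the directory must not contain a file listed in the DirectoryIndex directive.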
#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
# IndexOptions controls how server-generated directory listings are produced.
IndexOptions FancyIndexing HTMLTable VersionSort
# We include the /icons/ alias for FancyIndexed directory listings.  If
# you do not use FancyIndexing, you may comment this out.
# The /icons/ alias is included for FancyIndexed directory listings. If you do not use FancyIndexing, comment this out.
Alias /icons/ "/usr/local/apache/icons/"
<Directory "/usr/local/apache/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions.  These are only displayed for
# FancyIndexed directories.
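# The AddIcon* directives tell the server which icon to show for different files or filename extensions. They are only displayed for FancyIndexed directories.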
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
# Sets the default icon (for extensions that are not recognized).
DefaultIcon /icons/unknown.gif
#
# AddDescription allows you to place a short description after a file in
# server-generated indexes.  These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
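# AddDescription lets you place a short description after a file in server-generated indexes. These are only displayed for FancyIndexed directories. Format: AddDescription "description" filename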
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
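# ReadmeName is the name of the README file the server looks for by default and appends to directory listings. HeaderName is the name of the file that is prepended to directory listings.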
ReadmeName README.html
HeaderName HEADER.html
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing.  Shell-style wildcarding is permitted.
# IndexIgnore: files to leave out of the listing. Shell-style wildcards are allowed.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
httpd-vhosts.conf (virtual host configuration)
#
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
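# If you want to host several domains/hostnames on your server, you can set up virtual hosts for them. Most configurations use name-based virtual hosts, so there is no need to worry about IP addresses; this is indicated by the asterisks in the directives below.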
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
# You can use the -S command-line option to verify your virtual host configuration.
#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
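# VirtualHost example: almost any Apache directive can go into a VirtualHost container. The first VirtualHost section is the one used for every request that does not match a ServerName or ServerAlias in any <VirtualHost> block.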
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/usr/local/apache/docs/dummy-host.example.com"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/usr/local/apache/docs/dummy-host2.example.com"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error_log"
    CustomLog "logs/dummy-host2.example.com-access_log" common
</VirtualHost>
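
The `common` and `combined` LogFormat nicknames that these CustomLog directives refer to can be turned into a log parser mechanically. The Python below is an added example, not part of the original page: the log lines are constructed samples, and `ht_probes` (requests for the `.ht*` files that the `<FilesMatch "^\.ht">` block denies) is an illustrative detection.

```python
import re

# One %-directive: optional "<" or ">", optional {argument}, then a letter.
TOKEN = re.compile(r"%[<>]?(?:\{([^}]+)\})?([A-Za-z%])")
FIELD_NAMES = {"h": "remote_host", "l": "ident", "u": "user", "t": "time",
               "r": "request", "s": "status", "b": "bytes_clf",
               "I": "bytes_in", "O": "bytes_out"}
DIRECTIVE = re.compile(r'^\s*LogFormat\s+"((?:[^"\\]|\\.)*)"\s+(\S+)\s*$')

# The directive exactly as it appears in httpd.conf above.
COMBINED_DIRECTIVE = (r'LogFormat "%h %l %u %t \"%r\" %>s %b '
                      r'\"%{Referer}i\" \"%{User-Agent}i\"" combined')

# Constructed sample lines in combined format (documentation IP ranges).
SAMPLE_LOG = r'''192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /.htpasswd HTTP/1.1" 403 209 "-" "scanner \"x\" 1.0"
198.51.100.4 - alice [10/Oct/2023:13:57:12 +0000] "GET /uploads/ HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0"'''


def read_logformat(line):
    """Split a LogFormat directive into (nickname, unescaped format)."""
    m = DIRECTIVE.match(line)
    if not m:
        raise ValueError("not a LogFormat directive")
    return m.group(2), m.group(1).replace('\\"', '"')


def compile_logformat(fmt):
    """Build (regex, field names) for a LogFormat format string."""
    names, parts, pos = [], [], 0
    for m in TOKEN.finditer(fmt):
        literal = fmt[pos:m.start()]
        parts.append(re.escape(literal))
        pos = m.end()
        arg, letter = m.groups()
        if letter == "%":            # "%%" is a literal percent sign
            parts.append("%")
            continue
        if arg and letter == "i":    # request header, e.g. %{Referer}i
            names.append("req_" + arg.lower().replace("-", "_"))
        else:
            names.append(FIELD_NAMES.get(letter, letter))
        if letter == "t" and not arg:
            parts.append(r"\[([^\]]+)\]")         # %t is wrapped in [ ]
        elif literal.endswith('"'):
            # Quoted field: Apache writes an embedded quote as \" in the
            # log, so accept backslash escapes up to the closing quote.
            parts.append(r'((?:[^"\\]|\\.)*)')
        else:
            parts.append(r"(\S+)")
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$"), names


def parse_line(compiled, line):
    """Return a dict of fields, or None if the line does not fit."""
    regex, names = compiled
    m = regex.match(line.rstrip("\n"))
    return dict(zip(names, m.groups())) if m else None


def load_records(directive=COMBINED_DIRECTIVE, text=SAMPLE_LOG):
    _, fmt = read_logformat(directive)
    compiled = compile_logformat(fmt)
    parsed = (parse_line(compiled, ln) for ln in text.splitlines())
    return [rec for rec in parsed if rec is not None]


def ht_probes(records):
    """Requests whose last path segment starts with ".ht"."""
    hits = []
    for rec in records:
        parts = rec["request"].split(" ")
        if len(parts) < 2:
            continue
        leaf = parts[1].split("?", 1)[0].rsplit("/", 1)[-1]
        if leaf.startswith(".ht"):
            hits.append((rec["remote_host"], parts[1], rec["status"]))
    return hits


if __name__ == "__main__":
    for hit in ht_probes(load_records()):
        print(hit)
```

A line that does not fit the configured format returns None instead of a half-filled record, which is the behaviour you want when a virtual host logs with `common` but the parser was built for `combined`.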
httpd-userdir.conf (user home directories as websites)
# Settings for user home directories
#
# Required module: mod_userdir
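# User home directory settings: UserDir is the name of the directory appended to a user's home directory when a ~user request is received. Note that you must also set the default access control for these directories.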
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.  Note that you must also set
# the default access control for these directories, as in the example below.
#
UserDir public_html
#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
# Access control for UserDir directories. The following is an example.
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
# Reference: http://www.phpchina.com/manual/apache/mod/mod_userdir.html
httpd-manual.conf (access to the server manual)
# Provides access to the documentation on the server
# Provide access to the documentation on your server as
#  http://yourserver.example.com/manual/
# The documentation is always available at
#  http://httpd.apache.org/docs/2.2/
#
# Required modules: mod_alias, mod_setenvif, mod_negotiation
#
AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br|ru|tr))?(/.*)?$ "/usr/local/apache/manual$1"
<Directory "/usr/local/apache/manual">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    <Files *.html>
        SetHandler type-map
    </Files>
    # .tr is text/troff in mime.types!
    <Files *.html.tr.utf8>
        ForceType text/html
    </Files>
    SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br|ru|tr)/ prefer-language=$1
    RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br|ru|tr)){2,}(/.*)?$ /manual/$1$2
    LanguagePriority en de es fr ja ko pt-br ru tr
    # Available languages
    ForceLanguagePriority Prefer Fallback
    # First pick an available language from the list above; if none is found, the server tries to use the closest language
</Directory>
httpd-dav.conf (DAV configuration)
#
# Distributed authoring and versioning (WebDAV)
#
# Required modules: mod_dav, mod_dav_fs, mod_setenvif, mod_alias
#                   mod_auth_digest, mod_authn_file
#
# The following example gives DAV write access to a directory called
# "uploads" under the ServerRoot directory.
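# The following example gives DAV write access to a directory called "uploads" under the ServerRoot directory. The user or group specified in httpd.conf needs write permission on the directory holding the DavLockDB and on any directory where "Dav On" is specified.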
# The User/Group specified in httpd.conf needs to have write permissions
# on the directory where the DavLockDB is placed and on any directory where
# "Dav On" is specified.
DavLockDB "/usr/local/apache/var/DavLock"
Alias /uploads "/usr/local/apache/uploads"
<Directory "/usr/local/apache/uploads">
    Dav On
    Order Allow,Deny
    Allow from all
    AuthType Digest
    AuthName DAV-upload
    # You can use the htdigest program to create the password database:
    #   htdigest -c "/usr/local/apache/user.passwd" DAV-upload admin
    # You can use the htdigest program to create the password database.
    AuthUserFile "/usr/local/apache/user.passwd"
    AuthDigestProvider file
    # Allow universal read-access, but writes are restricted
    # to the admin user.
    # Allow universal read access, but restrict writes to the admin user.
    <LimitExcept GET OPTIONS>
        require user admin
    </LimitExcept>
</Directory>
#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
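# The following directives disable redirects on non-GET requests for a directory that lacks the trailing slash. This fixes a problem with several clients that do not handle redirects for folders properly with DAV methods.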
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
httpd-info.conf (server information reports)
#
# Get information about the requests being processed by the server
# and the configuration of the server.
# Get information about the requests the server is currently processing and about the server configuration.
# Required modules: mod_status (for the server-status handler),
#                   mod_info (for the server-info handler)
# Allow server status reports generated by mod_status at the URL http://servername/server-status.
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
# ExtendedStatus controls whether Apache generates full status information. On generates full information, Off only basic information; the default is Off.
#ExtendedStatus On
# Allow remote server configuration reports at the URL http://servername/server-info.
# Allow remote server configuration reports, with the URL of
#  http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
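
How the `Order`, `Allow` and `Deny` lines used throughout these files (for example in `<Location /server-status>` above) are evaluated under Apache 2.2, as an added Python example that is not part of the original configuration. Assumptions: only `all`, domain-name and CIDR arguments are modelled, `mutual-failure` is left out, each block is evaluated on its own, and the client addresses and hostnames are constructed.

```python
import ipaddress


def matches(spec, client_ip, client_host):
    """True if one "Allow from" / "Deny from" argument covers the client."""
    if spec.lower() == "all":
        return True
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        network = None   # not an address or CIDR block (partial IPs such
                         # as "10.1" are not modelled in this sketch)
    if network is not None:
        return ipaddress.ip_address(client_ip) in network
    # Otherwise a (partial) domain name. Apache resolves the client address
    # to a name for this, so a client with no resolvable, verified hostname
    # cannot match.
    if not client_host:
        return False
    host = client_host.lower().rstrip(".")
    domain = spec.lower().strip(".")
    # Match whole labels only: ".example.com" must not match badexample.com
    return host == domain or host.endswith("." + domain)


def access_allowed(order, allow, deny, client_ip, client_host=None):
    """Evaluate one block's Order/Allow/Deny for a client."""
    order = order.replace(" ", "").lower()
    allowed = any(matches(s, client_ip, client_host) for s in allow)
    denied = any(matches(s, client_ip, client_host) for s in deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow can override it;
        # a client matching neither list is allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first and Deny can override it;
        # a client matching neither list is denied.
        return allowed and not denied
    raise ValueError("unsupported Order value: %s" % order)


# (Order, Allow from ..., Deny from ...) for blocks taken from this page.
PAGE_RULES = {
    "root": ("deny,allow", [], ["all"]),              # <Directory />
    "htdocs": ("allow,deny", ["all"], []),            # <Directory ".../htdocs">
    "ht_files": ("allow,deny", [], ["all"]),          # <FilesMatch "^\.ht">
    "server_status": ("deny,allow", [".example.com"], ["all"]),
}


def check(block, client_ip, client_host=None, rules=PAGE_RULES):
    order, allow, deny = rules[block]
    return access_allowed(order, allow, deny, client_ip, client_host)


if __name__ == "__main__":
    clients = [("192.0.2.10", "ops.example.com"),     # constructed
               ("203.0.113.7", "www.badexample.com"),
               ("198.51.100.4", None)]
    for block in PAGE_RULES:
        for ip, host in clients:
            print(block, ip, host, check(block, ip, host))
    # Same server-status lines, but with the Order swapped by mistake:
    print(access_allowed("allow,deny", [".example.com"], ["all"],
                         "192.0.2.10", "ops.example.com"))
```

With `Order allow,deny` the `Deny from all` line wins over the Allow line, so the swapped variant rejects even clients from `.example.com`.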
httpd-default.conf (HTTP default parameters)
#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
# This configuration file reflects Apache's default settings; you will probably not need to change them.
#
# Timeout: The number of seconds before receives and sends time out.
# The number of seconds before receives and sends time out.
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
# Whether to allow persistent connections. Off disables them.
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
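# The maximum number of requests allowed during a persistent connection. 0 means unlimited. For performance, keeping this number high is recommended.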
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
# The number of seconds to wait for the next request from the same client on the same connection.
KeepAliveTimeout 5
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
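# UseCanonicalName directive: determines how Apache constructs self-referencing URLs and the SERVER_NAME and SERVER_PORT variables. When set to "Off", Apache uses the hostname and port supplied by the client. When set to "On", Apache uses the value of the ServerName directive.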
UseCanonicalName Off
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#The name of the file that holds additional configuration directives in each directory.
AccessFileName .htaccess
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
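#This directive configures what the server returns in the Server HTTP response header. The default is 'Full', which sends information about the OS type and compiled-in modules. Possible values are Full | OS | Minor | Minimal | Major | Prod; Full conveys the most, Prod the least.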
ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
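#Optionally adds a line containing the server version and virtual host name to server-generated pages (internal error documents, FTP directory listings, mod_status and mod_info output, etc., but not CGI-generated documents or custom error documents). The EMail option also includes a mailto: link to the ServerAdmin.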
ServerSignature On
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#Log clients' host names (on) or just their IP addresses (off). The default is off because logging names requires a DNS lookup.
HostnameLookups Off
httpd-languages.conf (language settings)
#Settings for hosting different languages
# Settings for hosting different languages.
#
# Required modules: mod_mime, mod_negotiation
# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
#DefaultLanguage and AddLanguage let you specify the language of a document. You can then use content negotiation to give the browser a file in a suitable language.
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
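#Specifies a default language. All outgoing data without a specific language tag will be marked with this language. You probably do not want to set this unless you are sure it is correct in all cases.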
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#It is generally much better to leave a page unmarked than to mark it with the wrong language.
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#Where the suffix differs from the language keyword, AddLanguage can be used to avoid ambiguity with the common suffix for Perl scripts.
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
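#The example entries below show that in some cases the two-character language abbreviation does not match the two-character code of the corresponding country.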
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#In some cases we violate the RFC by using a three-character specifier. Work is in progress to fix this and to get the reference data for rfc1766 cleaned up.
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Turkish (tr) - Simplified Chinese (zh-CN) - Spanish (es)
# Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage tr .tr
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
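#LanguagePriority lets you give precedence to some languages in case of a tie during content negotiation. List the languages in decreasing order of preference. The default list is roughly alphabetical; change it as needed.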
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW
#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#First take an available language; if none is found, the server tries to use the closest language.
ForceLanguagePriority Prefer Fallback
#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See http://www.iana.org/assignments/character-sets for the
# official list of charset names and their respective RFCs.
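#File name extensions are commonly used to determine the character set. You probably want to avoid clashes with the language extensions, unless you test your setup carefully after each change. See http://www.iana.org/assignments/character-sets for the official list of charset names and their respective RFCs.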
AddCharset us-ascii    .ascii .us-ascii
AddCharset ISO-8859-1  .iso8859-1  .latin1
AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
AddCharset ISO-8859-3  .iso8859-3  .latin3
AddCharset ISO-8859-4  .iso8859-4  .latin4
AddCharset ISO-8859-5  .iso8859-5  .cyr .iso-ru
AddCharset ISO-8859-6  .iso8859-6  .arb .arabic
AddCharset ISO-8859-7  .iso8859-7  .grk .greek
AddCharset ISO-8859-8  .iso8859-8  .heb .hebrew
AddCharset ISO-8859-9  .iso8859-9  .latin5 .trk
AddCharset ISO-8859-10  .iso8859-10  .latin6
AddCharset ISO-8859-13  .iso8859-13
AddCharset ISO-8859-14  .iso8859-14  .latin8
AddCharset ISO-8859-15  .iso8859-15  .latin9
AddCharset ISO-8859-16  .iso8859-16  .latin10
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5        .Big5   .big5 .b5
AddCharset cn-Big5 .cn-big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251   .win-1251
AddCharset CP866   .cp866
AddCharset KOI8  .koi8
AddCharset KOI8-E  .koi8-e
AddCharset KOI8-r  .koi8-r .koi8-ru
AddCharset KOI8-U  .koi8-u
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-7   .utf7
AddCharset UTF-8   .utf8
AddCharset UTF-16  .utf16
AddCharset UTF-16BE .utf16be
AddCharset UTF-16LE .utf16le
AddCharset UTF-32  .utf32
AddCharset UTF-32BE .utf32be
AddCharset UTF-32LE .utf32le
AddCharset euc-cn  .euc-cn
AddCharset euc-gb  .euc-gb
AddCharset euc-jp  .euc-jp
AddCharset euc-kr  .euc-kr
#Not sure how euc-tw got in - IANA doesn't list it???
AddCharset EUC-TW  .euc-tw
AddCharset gb2312  .gb2312 .gb
AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
AddCharset shift_jis   .shift_jis .sjis
httpd-multilang-errordoc.conf (multi-language error documents)
#The configuration below implements multi-language error documents through content negotiation
# The configuration below implements multi-language error documents through
# content-negotiation.
#
# Required modules: mod_alias, mod_include, mod_negotiation
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections.  We use
# includes to substitute the appropriate text.
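#We use Alias to redirect any error page to our collection of by-error-message multi-language collections, and includes to substitute the appropriate text. By adding Alias /error/include/ "/your/include/path/" you can change the appearance of the error messages without modifying any error page.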
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
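#This works even on a per-VirtualHost basis: you can create your own set of files by starting with the files in /usr/local/apache/error/include/ and copying them to /your/include/path/. The default include files display your Apache version number and your ServerAdmin email address regardless of the ServerSignature setting.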
# which allows you to create your own set of files by starting with the
# /usr/local/apache/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis.  The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
Alias /error/ "/usr/local/apache/error/"
<Directory "/usr/local/apache/error">
    AllowOverride None
    Options IncludesNoExec
    AddOutputFilter Includes html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
    ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
httpd-mpm.conf (MPM management)
#Server pool management
# Server-Pool Management (MPM specific)
#
#The file in which the server process's PID is stored.
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
# Note that this is the default PidFile for most MPMs.
#
<IfModule !mpm_netware_module>
    PidFile "logs/httpd.pid"
</IfModule>
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#Sets the lock file used for serialized accept. It must be stored on a local disk.
<IfModule !mpm_winnt_module>
<IfModule !mpm_netware_module>
LockFile "logs/accept.lock"
</IfModule>
</IfModule>
#
# Only one of the below sections will be relevant on your
# installed httpd.  Use "apachectl -l" to find out the
# active mpm.
#Only one of the sections below is relevant to your Apache installation. Use apachectl -l to see the active MPM.
#Parameter settings for each MPM type.
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>
# BeOS MPM
# StartThreads: how many threads do we initially spawn?
# MaxClients:   max number of threads we can have (1 thread == 1 client)
# MaxRequestsPerThread: maximum number of requests each thread will process
<IfModule mpm_beos_module>
    StartThreads            10
    MaxClients              50
    MaxRequestsPerThread 10000
</IfModule>
# NetWare MPM
# ThreadStackSize: Stack size allocated for each worker thread
# StartThreads: Number of worker threads launched at server startup
# MinSpareThreads: Minimum number of idle threads, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads
# MaxThreads: Maximum number of worker threads alive at the same time
# MaxRequestsPerChild: Maximum  number of requests a thread serves. It is
#                      recommended that the default value of 0 be set for this
#                      directive on NetWare.  This will allow the thread to
#                      continue to service requests indefinitely.      
#The maximum number of requests a thread serves. On NetWare this is usually set to 0, which lets the thread keep serving requests indefinitely.
<IfModule mpm_netware_module>
    ThreadStackSize      65536
    StartThreads           250
    MinSpareThreads         25
    MaxSpareThreads        250
    MaxThreads            1000
    MaxRequestsPerChild      0
    MaxMemFree             100
</IfModule>
# OS/2 MPM
# StartServers: Number of server processes to maintain
# MinSpareThreads: Minimum number of idle threads per process,
#                  to handle request spikes
# MaxSpareThreads: Maximum number of idle threads per process
# MaxRequestsPerChild: Maximum number of connections per server process
<IfModule mpm_mpmt_os2_module>
    StartServers           2
    MinSpareThreads        5
    MaxSpareThreads       10
    MaxRequestsPerChild    0
</IfModule>
# WinNT MPM
# ThreadsPerChild: constant number of worker threads in the server process
# MaxRequestsPerChild: maximum  number of requests a server process serves
<IfModule mpm_winnt_module>
    ThreadsPerChild      150
    MaxRequestsPerChild    0
</IfModule>
httpd-ssl.conf (SSL configuration file)
#SSL configuration file
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
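#Pseudo-random number generator (PRNG): configure one or more sources to seed the PRNG of the SSL library. The seed data should be of good random quality. Warning: on some platforms /dev/random blocks if not enough entropy is available. In that case you cannot use the /dev/random device, because it would lead to very long connection times (for as long as it takes to make more entropy available). Those platforms usually also provide a /dev/urandom device, which does not block; if it is available, use it instead. See the mod_ssl User Manual for more details.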
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#SSL listening port. Note that listening on IPv6 requires the two directives described below.
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##The configuration below takes effect in both the main server and the virtual hosts.
#
#   Some MIME-types for downloading Certificates and CRLs
#MIME types for certificates and CRLs.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
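#Pass phrase dialog: configures the program that gathers the pass phrase. The filtering dialog program must provide the pass phrase on standard output. builtin is the built-in terminal dialog.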
SSLPassPhraseDialog  builtin
#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#Inter-process session cache: first the caching mechanism, second the expiry timeout.
#SSLSessionCache         "dbm:/usr/local/apache/logs/ssl_scache"
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#Configures the path to the mutual exclusion semaphore that the SSL engine uses for inter-process synchronization.
SSLMutex  "file:/usr/local/apache/logs/ssl_mutex"
##
## SSL Virtual Host Context
##SSL virtual host configuration
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
#   SSL Engine Switch: whether SSL is enabled
#   Enable/Disable SSL for this virtual host.
SSLEngine on
#   SSL Cipher Suite: lists the ciphers the client is permitted to negotiate.
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
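#   Server Certificate: point SSLCertificateFile at a PEM-encoded certificate. If the certificate is encrypted, you will be prompted for a pass phrase.
#   Note that a kill -HUP will prompt again. Keep in mind that if you have both an RSA and a DSA certificate you can configure both in parallel (which also allows the use of DSA ciphers, etc.)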
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
SSLCertificateFile "/usr/local/apache/conf/server.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
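#Server private key: if the key is not combined with the certificate, use the directive below to point at the key file. Keep in mind that if you have both an RSA and a DSA private key you can configure both in parallel (which also allows the use of DSA ciphers, etc.)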
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
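#   certificate for convenience.
#Server certificate chain: the chain file contains the concatenation of the PEM-encoded CA certificates that form the certificate chain of the server certificate. Alternatively, when the CA certificates are appended directly to the server certificate, the referenced file can be the same as the SSLCertificateFile.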
#SSLCertificateChainFile "/usr/local/apache/conf/server-ca.crt"
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
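#Certificate Authority: sets the CA certificate verification path, i.e. where to find CA certificates for client authentication, or alternatively one huge file containing all of them (PEM encoded). Note: inside SSLCACertificatePath you need hash symlinks that point to the certificate files. Use the provided Makefile to update the hash symlinks after changes.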
#SSLCACertificatePath "/usr/local/apache/conf/ssl.crt"
#SSLCACertificateFile "/usr/local/apache/conf/ssl.crt/ca-bundle.crt"
#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
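#Certificate Revocation Lists (CRL): sets the CA revocation path where the CA CRLs for client authentication are found, or alternatively one huge file containing all of them (the file must be PEM encoded). Note: inside SSLCARevocationPath you need hash symlinks that point to the certificate files. Use the provided Makefile to update the hash symlinks after changes.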
#SSLCARevocationPath "/usr/local/apache/conf/ssl.crl"
#SSLCARevocationFile "/usr/local/apache/conf/ssl.crl/ca-bundle.crl"
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
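#Client authentication (type): the client certificate verification type and depth.
#The types are none, optional, require and optional_no_ca. The depth is a number that specifies how deeply to verify the certificate issuer chain before deciding that the certificate is not valid.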
#SSLVerifyClient require
#SSLVerifyDepth  10
#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
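#Access control: with SSLRequire you can do per-directory access control based on arbitrarily complex boolean expressions containing server variable checks and other lookup directives. The syntax is a mixture of C and Perl. See the mod_ssl documentation for more details.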
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
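#SSL engine options
#StdEnvVars
#When this option is enabled, the standard set of SSL-related CGI/SSI environment variables is created. It is off by default for performance reasons, because extracting the values is an expensive operation. It is usually enabled only for CGI/SSI scripts.
#CompatEnvVars
#When this option is enabled, additional CGI/SSI environment variables are created for compatibility with other SSL solutions. See the Compatibility chapter for details on which variables are created.
#ExportCertData
#When this option is enabled, additional CGI/SSI environment variables are created: SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n (n = 0,1,2,..). They contain the PEM-encoded X.509 certificates of the server and the client for the current HTTPS connection, together with all certificates in the client certificate chain, and can be used by CGI scripts for deeper certificate checking.
#FakeBasicAuth
#When this option is enabled, the Subject Distinguished Name (DN) of the client X.509 certificate (which can be viewed with "openssl x509 -noout -subject -in certificate.crt") is translated into an HTTP Basic Authorization user name. This means that the standard Apache authentication methods can be used for access control. Note that because no password is obtained from the user, the password for every user name is "xxj31ZMTZzkVA", which is the result of encrypting "password" with 3DES. On systems that use MD5-based encryption (BSD systems), "$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/" has to be used as the password instead.
#StrictRequire
#When this option is enabled, access is forcibly denied whenever SSLRequireSSL or SSLRequire decides that access should be forbidden. By default, with "Satisfy any" set, access is allowed if any access control check other than SSLRequireSSL or SSLRequire passes, which is how the Satisfy directive is meant to work. With "SSLOptions +StrictRequire", however, you can use SSLRequireSSL and/or SSLRequire to force the effect of "Satisfy All" on SSL connections.
#OptRenegotiate
#By default, a full SSL renegotiation handshake is performed when the SSL configuration of a particular directory changes. When this option is enabled, SSL connection renegotiation is optimized: unnecessary handshakes are skipped and only fine-grained parameter checks are done (which is still safe). Sometimes, however, parameter checks alone are not what the user expects, so enable this option only for specific directories.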
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
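#SSL protocol adjustments: the safe and default, yet still SSL/TLS standard compliant, shutdown approach is that mod_ssl sends the close notify alert but does not wait for the close notify alert from the client. When you need a different shutdown approach you can use one of the following variables: ssl-unclean-shutdown (for browsers that would otherwise hang) and ssl-accurate-shutdown (only for browsers known not to hang).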
#
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
#   Per-Server Logging: the SSL access log.
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "/usr/local/apache/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                 
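The Python sketch below is an added example, not part of the original post or of Apache. It audits configuration text for the ServerTokens and ServerSignature values from httpd-default.conf and evaluates the SSLCipherSuite string from httpd-ssl.conf against a small constructed cipher table. The table, the function names, the simplified handling of OpenSSL's `!`, `-` and `+` operators, and the tighter comparison string are assumptions of this example.

```python
# Added example: audit httpd config text for values shown on this page.
# The cipher table is constructed and simplified (OpenSSL 0.9.8-era names);
# a real OpenSSL build knows many more suites and tags.
CIPHERS = {
    "AES256-SHA":          {"HIGH", "RSA", "AES", "SSLv3"},
    "AES128-SHA":          {"HIGH", "RSA", "AES", "SSLv3"},
    "ADH-AES256-SHA":      {"HIGH", "ADH", "aNULL", "AES", "SSLv3"},
    "RC4-SHA":             {"MEDIUM", "RSA", "RC4", "SSLv3"},
    "RC4-MD5":             {"MEDIUM", "RSA", "RC4", "MD5", "SSLv3"},
    "DES-CBC-SHA":         {"LOW", "RSA", "DES", "SSLv3"},
    "DES-CBC-MD5":         {"LOW", "RSA", "DES", "MD5", "SSLv2"},
    "EXP-RC4-MD5":         {"EXP", "EXPORT", "EXPORT40", "RSA", "RC4", "MD5", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"EXP", "EXPORT", "EXPORT56", "RSA", "DES", "SSLv3"},
    "NULL-SHA":            {"eNULL", "NULL", "RSA", "SSLv3"},
}
WEAK_TAGS = ("eNULL", "aNULL", "EXP", "LOW", "SSLv2", "RC4", "MD5")
TIGHTER = "HIGH:!aNULL:!MD5"  # assumed comparison value, not taken from the page


def _matches(tags, name, spec):
    """A spec is a suite name or tags joined by '+' (logical AND); ALL excludes eNULL."""
    if spec == name:
        return True
    return all(("eNULL" not in tags) if part == "ALL" else (part in tags)
               for part in spec.split("+"))


def expand(cipher_string):
    """Return the enabled suites, in preference order, for a cipher string."""
    order, killed = [], set()
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        spec = token[len(op):]
        hit = [n for n, tags in CIPHERS.items() if _matches(tags, n, spec)]
        if op == "!":      # remove permanently; later tokens cannot re-add
            killed.update(hit)
            order = [n for n in order if n not in hit]
        elif op == "-":    # remove, but a later token may add again
            order = [n for n in order if n not in hit]
        elif op == "+":    # move already-enabled suites to the end; adds nothing
            order = [n for n in order if n not in hit] + [n for n in order if n in hit]
        else:              # add suites that are neither enabled nor killed
            order += [n for n in hit if n not in order and n not in killed]
    return order


def weak_suites(cipher_string):
    """Map each enabled weak suite to the weak tags it carries."""
    found = {}
    for name in expand(cipher_string):
        bad = [t for t in WEAK_TAGS if t in CIPHERS[name]]
        if bad:
            found[name] = bad
    return found


def audit(conf_text):
    """Return (line number, directive, message) for each risky active directive."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith(("#", "<")):
            continue
        name, arg = fields[0].lower(), fields[1].strip()
        if name == "servertokens" and arg.lower() not in ("prod", "productonly"):
            findings.append((lineno, "ServerTokens", "Server header reveals more than the product name"))
        elif name == "serversignature" and arg.lower() != "off":
            findings.append((lineno, "ServerSignature", "server-generated pages carry a version line"))
        elif name == "sslciphersuite":
            for suite, tags in weak_suites(arg).items():
                findings.append((lineno, "SSLCipherSuite", f"{suite} enabled ({', '.join(tags)})"))
    return findings


# Constructed sample built from values that appear in the page's config files.
SAMPLE_CONF = """\
# constructed sample
ServerTokens Full
ServerSignature On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("line %d: %s: %s" % finding)
    print("tighter string enables:", expand(TIGHTER))
```

In this model the page's SSLCipherSuite still enables LOW, SSLv2 and 40-bit export suites, because ALL adds them and the `+` operator only reorders; `+eNULL` has no effect, since ALL excludes the NULL suites.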

This article comes from the “IT” blog; please contact the author before reposting.
