summaryrefslogtreecommitdiffstats
path: root/docs/manual/env.html.en
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:30 +0000
commit6beeb1b708550be0d4a53b272283e17e5e35fe17 (patch)
tree1ce8673d4aaa948e5554000101f46536a1e4cc29 /docs/manual/env.html.en
parentInitial commit. (diff)
downloadapache2-upstream.tar.xz
apache2-upstream.zip
Adding upstream version 2.4.57.upstream/2.4.57upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--docs/manual/env.html.en529
1 files changed, 529 insertions, 0 deletions
diff --git a/docs/manual/env.html.en b/docs/manual/env.html.en
new file mode 100644
index 0000000..7876cdd
--- /dev/null
+++ b/docs/manual/env.html.en
@@ -0,0 +1,529 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
+<!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>Environment Variables in Apache - Apache HTTP Server Version 2.4</title>
+<link href="./style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="./style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="./style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="./style/css/prettify.css" />
+<script src="./style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
+<link href="./images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.4</p>
+<img alt="" src="./images/feather.png" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="./images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="./">Version 2.4</a></div><div id="page-content"><div id="preamble"><h1>Environment Variables in Apache</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="./en/env.html" title="English">&nbsp;en&nbsp;</a> |
+<a href="./fr/env.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="./ja/env.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
+<a href="./ko/env.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="./tr/env.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div>
+
+ <p>There are two kinds of environment variables that affect
+ the Apache HTTP Server.</p>
+
+ <p>First, there are the environment variables controlled by
+ the underlying operating system. These are set before the
+ server starts. They can be used in expansions in configuration
+ files, and can optionally be passed to CGI scripts and SSI
+ using the PassEnv directive.</p>
+
+ <p>Second, the Apache HTTP Server provides a mechanism for storing
+ information in named variables that are also called <em>environment
+ variables</em>. This information can be used to control various
+ operations such as logging or access control. The variables are
+ also used as a mechanism to communicate with external programs
+ such as CGI scripts. This document discusses different ways to
+ manipulate and use these variables.</p>
+
+ <p>Although these variables are referred to as <em>environment
+ variables</em>, they are not the same as the environment
+ variables controlled by the underlying operating system.
+ Instead, these variables are stored and manipulated in an
+ internal Apache structure. They only become actual operating
+ system environment variables when they are provided to CGI
+ scripts and Server Side Include scripts. If you wish to
+ manipulate the operating system environment under which the
+ server itself runs, you must use the standard environment
+ manipulation mechanisms provided by your operating system
+ shell.</p>
+ </div>
+<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="./images/down.gif" /> <a href="#setting">Setting Environment Variables</a></li>
+<li><img alt="" src="./images/down.gif" /> <a href="#using">Using Environment Variables</a></li>
+<li><img alt="" src="./images/down.gif" /> <a href="#special">Special Purpose Environment Variables</a></li>
+<li><img alt="" src="./images/down.gif" /> <a href="#examples">Examples</a></li>
+</ul><h3>See also</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="setting" id="setting">Setting Environment Variables</a></h2>
+
+ <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="./mod/mod_cache.html">mod_cache</a></code></li><li><code class="module"><a href="./mod/mod_env.html">mod_env</a></code></li><li><code class="module"><a href="./mod/mod_rewrite.html">mod_rewrite</a></code></li><li><code class="module"><a href="./mod/mod_setenvif.html">mod_setenvif</a></code></li><li><code class="module"><a href="./mod/mod_unique_id.html">mod_unique_id</a></code></li></ul></td><td><ul><li><code class="directive"><a href="./mod/mod_setenvif.html#browsermatch">BrowserMatch</a></code></li><li><code class="directive"><a href="./mod/mod_setenvif.html#browsermatchnocase">BrowserMatchNoCase</a></code></li><li><code class="directive"><a href="./mod/mod_env.html#passenv">PassEnv</a></code></li><li><code class="directive"><a href="./mod/mod_rewrite.html#rewriterule">RewriteRule</a></code></li><li><code class="directive"><a href="./mod/mod_env.html#setenv">SetEnv</a></code></li><li><code class="directive"><a href="./mod/mod_setenvif.html#setenvif">SetEnvIf</a></code></li><li><code class="directive"><a href="./mod/mod_setenvif.html#setenvifnocase">SetEnvIfNoCase</a></code></li><li><code class="directive"><a href="./mod/mod_env.html#unsetenv">UnsetEnv</a></code></li></ul></td></tr></table>
+
+ <h3><a name="basic-manipulation" id="basic-manipulation">Basic Environment Manipulation</a></h3>
+
+
+ <p>The most basic way to set an environment variable in Apache
+ is using the unconditional <code class="directive"><a href="./mod/mod_env.html#setenv">SetEnv</a></code> directive. Variables may also be passed from
+ the environment of the shell which started the server using the
+ <code class="directive"><a href="./mod/mod_env.html#passenv">PassEnv</a></code> directive.</p>
+
+
+ <h3><a name="conditional" id="conditional">Conditional Per-Request Settings</a></h3>
+
+
+ <p>For additional flexibility, the directives provided by
+ <code class="module"><a href="./mod/mod_setenvif.html">mod_setenvif</a></code> allow environment variables to be set
+ on a per-request basis, conditional on characteristics of particular
+ requests. For example, a variable could be set only when a
+ specific browser (User-Agent) is making a request, or only when
+ a specific Referer [sic] header is found. Even more flexibility
+ is available through the <code class="module"><a href="./mod/mod_rewrite.html">mod_rewrite</a></code>'s <code class="directive"><a href="./mod/mod_rewrite.html#rewriterule">RewriteRule</a></code> which uses the
+ <code>[E=...]</code> option to set environment variables.</p>
+
+
+ <h3><a name="unique-identifiers" id="unique-identifiers">Unique Identifiers</a></h3>
+
+
+ <p>Finally, <code class="module"><a href="./mod/mod_unique_id.html">mod_unique_id</a></code> sets the environment
+ variable <code>UNIQUE_ID</code> for each request to a value which is
+ guaranteed to be unique across "all" requests under very
+ specific conditions.</p>
+
+
+ <h3><a name="standard-cgi" id="standard-cgi">Standard CGI Variables</a></h3>
+
+
+ <p>In addition to all environment variables set within the
+ Apache configuration and passed from the shell, CGI scripts and
+ SSI pages are provided with a set of environment variables
+ containing meta-information about the request as required by
+ the <a href="http://www.ietf.org/rfc/rfc3875">CGI
+ specification</a>.</p>
+
+
+ <h3><a name="caveats" id="caveats">Some Caveats</a></h3>
+
+
+ <ul>
+ <li>It is not possible to override or change the standard CGI
+ variables using the environment manipulation directives.</li>
+
+ <li>When <code class="program"><a href="./programs/suexec.html">suexec</a></code> is used to launch
+ CGI scripts, the environment will be cleaned down to a set of
+ <em>safe</em> variables before CGI scripts are launched. The
+ list of <em>safe</em> variables is defined at compile-time in
+ <code>suexec.c</code>.</li>
+
+ <li>For portability reasons, the names of environment
+ variables may contain only letters, numbers, and the
+ underscore character. In addition, the first character may
+ not be a number. Characters which do not match this
+ restriction will be replaced by an underscore when passed to
+ CGI scripts and SSI pages.</li>
+
+ <li>A special case are HTTP headers which are passed to CGI
+ scripts and the like via environment variables (see below).
+ They are converted to uppercase and only dashes are replaced with
+ underscores; if the header contains any other (invalid) character,
+ the whole header is silently dropped. See <a href="#fixheader">
+ below</a> for a workaround.</li>
+
+ <li>The <code class="directive"><a href="./mod/mod_env.html#setenv">SetEnv</a></code> directive runs
+ late during request processing meaning that directives such as
+ <code class="directive"><a href="./mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> and <code class="directive"><a href="./mod/mod_rewrite.html#rewritecond">RewriteCond</a></code> will not see the
+ variables set with it.</li>
+
+ <li>When the server looks up a path via an internal
+ <a class="glossarylink" href="./glossary.html#subrequest" title="see glossary">subrequest</a> such as looking
+ for a <code class="directive"><a href="./mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
+ or generating a directory listing with <code class="module"><a href="./mod/mod_autoindex.html">mod_autoindex</a></code>,
+ per-request environment variables are <em>not</em> inherited in the
+ subrequest. Additionally,
+ <code class="directive"><a href="./mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
+ are not separately evaluated in the subrequest due to the API phases
+ <code class="module"><a href="./mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</li>
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="using" id="using">Using Environment Variables</a></h2>
+
+
+ <table class="related"><tr><th>Related Modules</th><th>Related Directives</th></tr><tr><td><ul><li><code class="module"><a href="./mod/mod_authz_host.html">mod_authz_host</a></code></li><li><code class="module"><a href="./mod/mod_cgi.html">mod_cgi</a></code></li><li><code class="module"><a href="./mod/mod_ext_filter.html">mod_ext_filter</a></code></li><li><code class="module"><a href="./mod/mod_headers.html">mod_headers</a></code></li><li><code class="module"><a href="./mod/mod_include.html">mod_include</a></code></li><li><code class="module"><a href="./mod/mod_log_config.html">mod_log_config</a></code></li><li><code class="module"><a href="./mod/mod_rewrite.html">mod_rewrite</a></code></li></ul></td><td><ul><li><code class="directive"><a href="./mod/mod_authz_core.html#require">Require</a></code></li><li><code class="directive"><a href="./mod/mod_log_config.html#customlog">CustomLog</a></code></li><li><code class="directive"><a href="./mod/mod_access_compat.html#allow">Allow</a></code></li><li><code class="directive"><a href="./mod/mod_access_compat.html#deny">Deny</a></code></li><li><code class="directive"><a href="./mod/mod_ext_filter.html#extfilterdefine">ExtFilterDefine</a></code></li><li><code class="directive"><a href="./mod/mod_headers.html#header">Header</a></code></li><li><code class="directive"><a href="./mod/mod_log_config.html#logformat">LogFormat</a></code></li><li><code class="directive"><a href="./mod/mod_rewrite.html#rewritecond">RewriteCond</a></code></li><li><code class="directive"><a href="./mod/mod_rewrite.html#rewriterule">RewriteRule</a></code></li></ul></td></tr></table>
+
+ <h3><a name="cgi-scripts" id="cgi-scripts">CGI Scripts</a></h3>
+
+
+ <p>One of the primary uses of environment variables is to
+ communicate information to CGI scripts. As discussed above, the
+ environment passed to CGI scripts includes standard
+ meta-information about the request in addition to any variables
+ set within the Apache configuration. For more details, see the
+ <a href="howto/cgi.html">CGI tutorial</a>.</p>
+
+
+ <h3><a name="ssi-pages" id="ssi-pages">SSI Pages</a></h3>
+
+
+ <p>Server-parsed (SSI) documents processed by
+ <code class="module"><a href="./mod/mod_include.html">mod_include</a></code>'s
+ <code>INCLUDES</code> filter can print environment variables
+ using the <code>echo</code> element, and can use environment
+ variables in flow control elements to makes parts of a page
+ conditional on characteristics of a request. Apache also
+ provides SSI pages with the standard CGI environment variables
+ as discussed above. For more details, see the <a href="howto/ssi.html">SSI tutorial</a>.</p>
+
+
+ <h3><a name="access-control" id="access-control">Access Control</a></h3>
+
+
+ <p>Access to the server can be controlled based on
+ environment variables using the <code>Require env</code>
+ and <code>Require not env</code> directives. In combination with
+ <code class="directive"><a href="./mod/mod_setenvif.html#setenvif">SetEnvIf</a></code>, this
+ allows for flexible control of access to the server based on
+ characteristics of the client. For example, you can use these
+ directives to deny access to a particular browser (User-Agent).
+ </p>
+
+
+ <h3><a name="logging" id="logging">Conditional Logging</a></h3>
+
+
+ <p>Environment variables can be logged in the access log using
+ the <code class="directive"><a href="./mod/mod_log_config.html#logformat">LogFormat</a></code>
+ option <code>%e</code>. In addition, the decision on whether
+ or not to log requests can be made based on the status of
+ environment variables using the conditional form of the
+ <code class="directive"><a href="./mod/mod_log_config.html#customlog">CustomLog</a></code>
+ directive. In combination with <code class="directive"><a href="./mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> this allows for flexible control of which
+ requests are logged. For example, you can choose not to log
+ requests for filenames ending in <code>gif</code>, or you can
+ choose to only log requests from clients which are outside your
+ subnet.</p>
+
+
+ <h3><a name="response-headers" id="response-headers">Conditional Response Headers</a></h3>
+
+
+ <p>The <code class="directive"><a href="./mod/mod_headers.html#header">Header</a></code>
+ directive can use the presence or
+ absence of an environment variable to determine whether or not
+ a certain HTTP header will be placed in the response to the
+ client. This allows, for example, a certain response header to
+ be sent only if a corresponding header is received in the
+ request from the client.</p>
+
+
+
+ <h3><a name="external-filter" id="external-filter">External Filter Activation</a></h3>
+
+
+ <p>External filters configured by <code class="module"><a href="./mod/mod_ext_filter.html">mod_ext_filter</a></code>
+ using the <code class="directive"><a href="./mod/mod_ext_filter.html#extfilterdefine">ExtFilterDefine</a></code> directive can
+ by activated conditional on an environment variable using the
+ <code>disableenv=</code> and <code>enableenv=</code> options.</p>
+
+
+ <h3><a name="url-rewriting" id="url-rewriting">URL Rewriting</a></h3>
+
+
+ <p>The <code>%{ENV:<em>variable</em>}</code> form of
+ <em>TestString</em> in the <code class="directive"><a href="./mod/mod_rewrite.html#rewritecond">RewriteCond</a></code> allows <code class="module"><a href="./mod/mod_rewrite.html">mod_rewrite</a></code>'s rewrite
+ engine to make decisions conditional on environment variables.
+ Note that the variables accessible in <code class="module"><a href="./mod/mod_rewrite.html">mod_rewrite</a></code>
+ without the <code>ENV:</code> prefix are not actually environment
+ variables. Rather, they are variables special to
+ <code class="module"><a href="./mod/mod_rewrite.html">mod_rewrite</a></code> which cannot be accessed from other
+ modules.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="special" id="special">Special Purpose Environment Variables</a></h2>
+
+
+ <p>Interoperability problems have led to the introduction of
+ mechanisms to modify the way Apache behaves when talking to
+ particular clients. To make these mechanisms as flexible as
+ possible, they are invoked by defining environment variables,
+ typically with <code class="directive"><a href="./mod/mod_setenvif.html#browsermatch">BrowserMatch</a></code>, though <code class="directive"><a href="./mod/mod_env.html#setenv">SetEnv</a></code> and <code class="directive"><a href="./mod/mod_env.html#passenv">PassEnv</a></code> could also be used, for example.</p>
+
+ <h3><a name="downgrade" id="downgrade">downgrade-1.0</a></h3>
+
+
+ <p>This forces the request to be treated as a HTTP/1.0 request
+ even if it was in a later dialect.</p>
+
+
+ <h3><a name="force-gzip" id="force-gzip">force-gzip</a></h3>
+
+ <p>If you have the <code>DEFLATE</code> filter activated, this
+ environment variable will ignore the accept-encoding setting of
+ your browser and will send compressed output unconditionally.</p>
+
+ <h3><a name="force-no-vary" id="force-no-vary">force-no-vary</a></h3>
+
+
+ <p>This causes any <code>Vary</code> fields to be removed from
+ the response header before it is sent back to the client. Some
+ clients don't interpret this field correctly; setting this
+ variable can work around this problem. Setting this variable
+ also implies <strong>force-response-1.0</strong>.</p>
+
+
+ <h3><a name="force-response" id="force-response">force-response-1.0</a></h3>
+
+
+ <p>This forces an HTTP/1.0 response to clients making an HTTP/1.0
+ request. It was originally
+ implemented as a result of a problem with AOL's proxies. Some
+ HTTP/1.0 clients may not behave correctly when given an HTTP/1.1
+ response, and this can be used to interoperate with them.</p>
+
+
+
+ <h3><a name="gzip-only-text-html" id="gzip-only-text-html">gzip-only-text/html</a></h3>
+
+
+ <p>When set to a value of "1", this variable disables the
+ <code>DEFLATE</code> output filter provided by
+ <code class="module"><a href="./mod/mod_deflate.html">mod_deflate</a></code> for content-types other than
+ <code>text/html</code>. If you'd rather
+ use statically compressed files, <code class="module"><a href="./mod/mod_negotiation.html">mod_negotiation</a></code>
+ evaluates the variable as well (not only for gzip, but for all
+ encodings that differ from "identity").</p>
+
+
+ <h3><a name="no-gzip" id="no-gzip">no-gzip</a></h3>
+
+ <p>When set, the <code>DEFLATE</code> filter of
+ <code class="module"><a href="./mod/mod_deflate.html">mod_deflate</a></code> will be turned off and
+ <code class="module"><a href="./mod/mod_negotiation.html">mod_negotiation</a></code> will refuse to deliver encoded
+ resources.</p>
+
+
+
+ <h3><a name="no-cache" id="no-cache">no-cache</a></h3>
+ <p><em>Available in versions 2.2.12 and later</em></p>
+
+ <p>When set, <code class="module"><a href="./mod/mod_cache.html">mod_cache</a></code> will not save an otherwise
+ cacheable response. This environment variable does not influence
+ whether a response already in the cache will be served for the current
+ request.</p>
+
+
+
+ <h3><a name="nokeepalive" id="nokeepalive">nokeepalive</a></h3>
+
+
+ <p>This disables <code class="directive"><a href="./mod/core.html#keepalive">KeepAlive</a></code>
+ when set.</p>
+
+
+
+ <h3><a name="prefer-language" id="prefer-language">prefer-language</a></h3>
+
+ <p>This influences <code class="module"><a href="./mod/mod_negotiation.html">mod_negotiation</a></code>'s behaviour. If
+ it contains a language tag (such as <code>en</code>, <code>ja</code>
+ or <code>x-klingon</code>), <code class="module"><a href="./mod/mod_negotiation.html">mod_negotiation</a></code> tries
+ to deliver a variant with that language. If there's no such variant,
+ the normal <a href="content-negotiation.html">negotiation</a> process
+ applies.</p>
+
+
+
+ <h3><a name="redirect-carefully" id="redirect-carefully">redirect-carefully</a></h3>
+
+
+ <p>This forces the server to be more careful when sending a redirect
+ to the client. This is typically used when a client has a known
+ problem handling redirects. This was originally implemented as a
+ result of a problem with Microsoft's WebFolders software which has
+ a problem handling redirects on directory resources via DAV
+ methods.</p>
+
+
+
+ <h3><a name="suppress-error-charset" id="suppress-error-charset">suppress-error-charset</a></h3>
+
+
+ <p><em>Available in versions after 2.0.54</em></p>
+
+ <p>When Apache issues a redirect in response to a client request,
+ the response includes some actual text to be displayed in case
+ the client can't (or doesn't) automatically follow the redirection.
+ Apache ordinarily labels this text according to the character set
+ which it uses, which is ISO-8859-1.</p>
+
+ <p> However, if the redirection is to a page that uses a different
+ character set, some broken browser versions will try to use the
+ character set from the redirection text rather than the actual page.
+ This can result in Greek, for instance, being incorrectly rendered.</p>
+
+ <p>Setting this environment variable causes Apache to omit the character
+ set for the redirection text, and these broken browsers will then correctly
+ use that of the destination page.</p>
+
+ <div class="warning">
+ <h3>Security note</h3>
+
+ <p>Sending error pages without a specified character set may
+ allow a cross-site-scripting attack for existing browsers (MSIE)
+ which do not follow the HTTP/1.1 specification and attempt to
+ "guess" the character set from the content. Such browsers can
+ be easily fooled into using the UTF-7 character set, and UTF-7
+ content from input data (such as the request-URI) will not be
+ escaped by the usual escaping mechanisms designed to prevent
+ cross-site-scripting attacks.</p>
+ </div>
+
+
+
+ <h3><a name="proxy" id="proxy">force-proxy-request-1.0, proxy-nokeepalive, proxy-sendchunked,
+ proxy-sendcl, proxy-chain-auth, proxy-interim-response, proxy-initial-not-pooled</a></h3>
+
+ <p>These directives alter the protocol behavior of
+ <code class="module"><a href="./mod/mod_proxy.html">mod_proxy</a></code>. See the <code class="module"><a href="./mod/mod_proxy.html">mod_proxy</a></code> and <code class="module"><a href="./mod/mod_proxy_http.html">mod_proxy_http</a></code>
+ documentation for more details.</p>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="examples" id="examples">Examples</a></h2>
+
+
+ <h3><a name="fixheader" id="fixheader">Passing broken headers to CGI scripts</a></h3>
+
+
+ <p>Starting with version 2.4, Apache is more strict about how HTTP
+ headers are converted to environment variables in <code class="module"><a href="./mod/mod_cgi.html">mod_cgi
+ </a></code> and other modules: Previously any invalid characters
+ in header names were simply translated to underscores. This allowed
+ for some potential cross-site-scripting attacks via header injection
+ (see <a href="http://events.ccc.de/congress/2007/Fahrplan/events/2212.en.html">
+ Unusual Web Bugs</a>, slide 19/20).</p>
+
+ <p>If you have to support a client which sends broken headers and
+ which can't be fixed, a simple workaround involving <code class="module"><a href="./mod/mod_setenvif.html">mod_setenvif
+ </a></code> and <code class="module"><a href="./mod/mod_headers.html">mod_headers</a></code> allows you to still accept
+ these headers:</p>
+
+<pre class="prettyprint lang-config">#
+# The following works around a client sending a broken Accept_Encoding
+# header.
+#
+SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
+RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding</pre>
+
+
+
+
+ <h3><a name="misbehaving" id="misbehaving">Changing protocol behavior with misbehaving clients</a></h3>
+
+
+ <p>Earlier versions recommended that the following lines be included in
+ httpd.conf to deal with known client problems. Since the affected clients
+ are no longer seen in the wild, this configuration is likely no-longer
+ necessary.</p>
+<pre class="prettyprint lang-config">#
+# The following directives modify normal HTTP response behavior.
+# The first directive disables keepalive for Netscape 2.x and browsers that
+# spoof it. There are known problems with these browser implementations.
+# The second directive is for Microsoft Internet Explorer 4.0b2
+# which has a broken HTTP/1.1 implementation and does not properly
+# support keepalive when it is used on 301 or 302 (redirect) responses.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+
+#
+# The following directive disables HTTP/1.1 responses to browsers which
+# are in violation of the HTTP/1.0 spec by not being able to understand a
+# basic 1.1 response.
+#
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0</pre>
+
+
+
+ <h3><a name="no-img-log" id="no-img-log">Do not log requests for images in the access log</a></h3>
+
+
+ <p>This example keeps requests for images from appearing in the
+ access log. It can be easily modified to prevent logging of
+ particular directories, or to prevent logging of requests
+ coming from particular hosts.</p>
+
+ <pre class="prettyprint lang-config">SetEnvIf Request_URI \.gif image-request
+SetEnvIf Request_URI \.jpg image-request
+SetEnvIf Request_URI \.png image-request
+CustomLog "logs/access_log" common env=!image-request</pre>
+
+
+
+ <h3><a name="image-theft" id="image-theft">Prevent "Image Theft"</a></h3>
+
+
+ <p>This example shows how to keep people not on your server
+ from using images on your server as inline-images on their
+ pages. This is not a recommended configuration, but it can work
+ in limited circumstances. We assume that all your images are in
+ a directory called <code>/web/images</code>.</p>
+
+ <pre class="prettyprint lang-config">SetEnvIf Referer "^http://www\.example\.com/" local_referal
+# Allow browsers that do not send Referer info
+SetEnvIf Referer "^$" local_referal
+&lt;Directory "/web/images"&gt;
+ Require env local_referal
+&lt;/Directory&gt;</pre>
+
+
+ <p>For more information about this technique, see the
+ "<a href="http://www.serverwatch.com/tutorials/article.php/1132731">Keeping Your Images from Adorning Other Sites</a>"
+ tutorial on ServerWatch.</p>
+
+ </div></div>
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="./en/env.html" title="English">&nbsp;en&nbsp;</a> |
+<a href="./fr/env.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="./ja/env.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
+<a href="./ko/env.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="./tr/env.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div><div class="top"><a href="#page-header"><img src="./images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/2.4/env.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
+</body></html> \ No newline at end of file