Redirect only if 2 conditions


I want to redirect (in my local server) all the external visitors that
don't ask for an existing directory.

    RedirectMatch ^/((?!index_ext.html).*)$ /index_ext.html

But AND (&&) doesn't seem to work. I'm always redirected to /index_ext.html

What am I missing ?




I'd like to unsubscribe on this mail list.

Thanks for advance

Bien Cordialement
Vincent ROSET
IT Security Trainee
26 boulevard des Capucines - 75009 Paris - France
<a href="" title=""></a>

httpd mod_cache_disk shared by two servers

I'm trying to get two servers using mod_cache_disk to share each other
cached files.

I got them to use the same share and use the same url > file using the
CacheKeyBaseURL directive, but while as long as I hit the same file on the
same server, I get caches hit, when I hit the file from the other server,
the cache entry gets cleaned up and recreated.

Apachectl configtest did not warn on a configuration error

While progressively disabling modules I don't need for my application, I found an issue with apachectl configtest returning Syntax OK, but the restart of httpd failing.

When I comment out:

LoadModule slotmem_shm_module modules/

And do a sudo apachectl configtest I get back "Syntax OK" but when I do a sudo apachectl restart I get back "Job for httpd.service failed because the control process exited with error code.

Can't get X-Forwarded-For to be passed through to app with apache reverse proxy

I have tried everything and I can't get Apache (2.4.39) to pass the
X-Forwarded-For header to my tomcat (8.5) instance.

I have apache listening on port 8081 and bound to the public IP address as
a reverse proxy to a backend tomcat instance which is also bound to 8081
but on
My apache instance has the following modules loaded:

proxy_module (shared)
proxy_connect_module (shared)
proxy_ajp_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
remoteip_module (shared)

Here is my virtualhost stanza
<VirtualHost _default_:8081>
ProxyPreserveHost On

Apache-httpd 2.4.41 compiling/linking error


I am trying to cross-compile Apache-httpd along with APR and APR-util with the below recommended version.

APR 1.7.0, released April 5, 2019 and APR-util 1.6.1, released October 22, 2017

Compilation is failed with error

Making all in apr
Makefile:139: warning: undefined variable `LOCAL_LIBS'
/salim/test/obj/x86_64/apache-httpd/httpd-2.4.41/srclib/apr/build/ warning: undefined variable `EXTRA_SOURCE_DIRS'
Makefile:139: warning: undefined variable `LOCAL_LIBS'
libtool: compile: x86_64-montavista-linux-gnu-gcc -m64 -msse3 --sysroot /salim/test/distro/tmp/sysr

a php initiation for GD question

HI, I have a problem with getting the following in the error log of apache at startup.
It is the least crazy variant of obfuscating the
extension_dir = "C:/php/" of the php.ini file; all other variants of back/forward stroke combinations gives all kinds of wierd paths
PHP Warning: PHP Startup: Unable to load dynamic library 'C:/php/php_gd2.dll' - Det g\xe5r inte att hitta den angivna modulen.\r\n in Unknown on line 0
the file php_gd2.dll is definitely in the C:\php dir (and also a copy in the C:\php\ext dir )
(further down in the php.ini I have the: extension=php_gd2.dll as I think approp

mod_cgi(d) vs mod_proxy_fcgi

Dearest Apache Gurus,

Do mod_cgi and mod_cgid have any sort of dependency relationship to mod_proxy_fcgi? I only want to use CGI as a means to execute PHP code so, mod_proxy, mod_proxy_fcgi and PHP-FPM sounds like the stack I need, but I wanted to confirm that “classic” mod_cgi(d) is not required, similar to how mod_php is not needed to support PHP-FPM. I don't see any relationship between them in the module documentation but I wanted to make sure I wasn't missing something.



mod_brotli vs / and / or / xor mod_deflate

Greetings Apache Gurus,

I am presently trying to form a content compression strategy for a new Apache 2.4 httpd server and have been looking at the mod_brotli and mod_deflate modules. The first thing I noticed about them, comparatively, is how very similar they are in terms of functionality, directives, etc.

Issue with 'Require expr' and pattern indents

Hi list,

I'm not sure if this may be a bug or a lack of understanding on my side.
I do access control for various <Location>'s like this:

<Location /some/path>
Require expr %{HTTP:X-SSL-Client} in { \
'/DC=com/CN=Fool me not', \
'/C=DE/O=MyCompany/CN=Some Dude' \
Require expr %{HTTP:X-SSL-Issuer} in { \
'/C=DE/CN=My Project ROOT_CA', \
'/DC=com/DC=Some Other/DC=Root CA' \

'%{HTTP:X-SSL-Client}' and '%{HTTP:X-SSL-Issuer' is set in a upstream by a load balancer which

Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing


I am trying to set up reverse proxy load balancing using Apache.

I've read <a href="" title=""></a> and
<a href="" title=""></a> and
<a href="" title=""></a>

What I want to achieve is:

HTTPS connection to my load balancer (which has an appropriate SSL certificate
for its own URL) forwarding requests on to (currently two) HTTPS back-end
servers (each of which also has an appropriate SSL certificate for its distinct

I can get things working fine if I use HTTP for the

Apache 2.4.6 - ErrorLog

In use of CentOS7 servers and the included apache, I'm moving to

It appears something related to ErrorLog has changed.
I'm using what I have always used:
ErrorLog "logs/error_log"

and I do see messages going to logs/error_log such as start/stop and
certain types of errors such as access denied, but something simple like
a file not found error is not getting logged outside of certain scripts
not being found associated with SriptAlias definitions.

But just a request to https://'my_web_server'/no_such_file.html does not
get logged as not found as it used to in earlier apache.

Singapore Citizen Mr. Teo En Ming's Refugee Seeking Attempts, In The Search of a Substantially Better Life

In The Search of a Substantially Better Life

In reverse chronological order:

[1] Petition to the Government of Taiwan for Refugee Status, 5th
August 2019 Monday

Photo #1: At the building of the National Immigration Agency, Ministry
of the Interior, Taipei, Taiwan, 5th August 2019

Photo #2: Queue ticket no. 515 at the National Immigration Agency,
Ministry of the Interior, Taipei, Taiwan, 5th August 2019

Photo #3: Submission of documents/petition to the National Immigration
Agency, Ministry of the Interior, Taipei, Taiwan, 5th August 2019

Photos #4 and #5: Acknowledgement of Receipt (no.

php5.2 with apache 2.2 not working

Hi, I have installed Apache 2.2 on windows XP, which seems to work, accessed on localhost (<a href="" title=""></a>), I get the .html document hello content.
However, having installed php5.2, which seem fine from apache viewpoint, at least no errors, the <?php echo "xxx"; ?> included in the .html, just vanishes,
there is no trace of the statement.
What could be wrong
thanx for hints

more complex IfDefine directives

IfDefine currently only takes one argument, and even that one is pretty

Sometimes this leads to complex configuration files, where IfDefine is
repeated over and over, often with the same content.

Is there a way to create more complex IfDefine clauses, perhaps linking
together multiple conditions, using logical operators?


compiling http-2.4.41 on linux variants

I am trying to compile http-2.4.41 and it works on Fedora 29 and Centos 
7 but

on Centos 6 and Ubuntu 18  the compile generates the following error:

/usr/local/apache2/build-1/libtool --silent --mode=compile gcc
-std=gnu99  -g -O2 -pthread      -DLINUX -D_REENTRANT -D_GNU_SOURCE    

Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c

Our production apache http 2.4.37 server running with openssl 1.1.1a have been getting hit with qualys scans like clockwork and every time our CPU goes to 100% and after more scans to 200% CPU. After reading the bug reports I upgraded to 2.4.38 which made no difference.

Modifying Headers Programmatically

I have an app that runs on frontend- and backend-servers. Customers login to the frontend-server and the same credentials are used for various apps available on the backend-servers. From within their session on the frontend-server, they select an app on the backend server, whereupon they automatically log into the backend-server app, using the same credentials. (Easy enough, so far).

For better security, I do not want to store username/password in the browser, but rather I'd like to store them on the frontend-server.

protect apache to stop work if logdir is missing


I need the web server to continue working if the user has deleted the
log directory.
I wrote a small patch. Are there any obvious errors in it that disrupt
the operation of the web server or lead to a memory / pointer leak?

I have been customizing all error pages in my Apache project. Everything
seemed to be ok until 403 Error (Forbidden) appeared. When you send an
special character through the URL (such as a blank space or an asterisk),
the custom error page is not loaded. If 403 error is caused by another
reason (not special chars) this error does not appear and the custom error
page is loaded correctly.

X-Forwarded-For and If directive

I am certain I'm missing something important about the <If> directive and the -ipmatch operator when used in conjunction with %{HTTP:X-Forwarded-For}.
Please permit me to illustrate the problem by way of example:
<If "%{HTTP:X-Forwarded-For} -ipmatch ''">
LogMessage "Got IP match [%{HTTP:X-Forwarded-For}]"
LogMessage "No IP match [%{HTTP:X-Forwarded-For}]"
produces the following log output:
[Wed Sep 04 17:57:03.611095 2019] [log_debug:info] [pid 11134] [client] No IP match []
Clearly X-Forwarded-For has the value '',

OWASP Apache 2.4 Security Cheatsheet Feedback

I am trying to create an Apache2 security cheatsheet for OWASP.

I am using a monolithic Apache2.conf file (purely for presentation
purposes) to show every single security config I can think of that can be

Any suggestions are welcome. I'm sure the document is missing things / has
errors currently.

<a href="" title=""></a>

OWASP Pull Request: <a href="" title=""></a>


Dan Ehrlich

TLS Session tickets and PFS

The Recommended Mozilla SSL configuration has TLS session tickets
disabled, see
<a href=";server-version=2.4.39&amp;config=intermediate" title=";server-version=2.4.39&amp;config=intermediate">;server-version=2.4.39&amp;conf...</a>

The docu says:

TLS session tickets are enabled by default. Using them without
restarting the web server with an appropriate frequency (e.g.

Has anybody used a SQL database to store static pages without using PHP?


I had a conversation with a friend last week where I was asked:

Can you store an entire static page in an SQL database such as MariaDB
or MySQL and have httpd initiate the database query by parsing the
search parameter from the URL? i.e.
<a href="" title=""></a> would search a table for
"/benny/index.html" and return back a corresponding VARCHAR, or maybe
BLOB, that contains the entire HTML document.

My initial answer was, "Of course! You're not the first person to
have this idea. It seems like a project that somebody would have done
and is out there somewhere.

apache crosscompile on Arm

I want to compile httpd for Arm platform,
I can not correct generate module file,like
below is my config parameter

./configure --host=arm CC=arm-linux-gcc
--with-pcre=/home/eric/test_linux/pcre8.43_arm ac_cv_file__dev_zero=yes
ac_cv_func_setpgrp_word=yes apr_cv_process_shard_works=yes
ac_cv_sizeof_struct_lovec=8 apr_cv_mutex_recursive=yes
ap_cv_void_ptr_lt_long=8 LIBS=-lpthread --enable-modules=most --enable-so
--enable-rewrite --with-mpm=prefork --enabl

Crash of httpd in Endurance

We are running 2.4.39 with openssl 1.0.2r on Solaris sparc 64-bit, After
running for 1-2 hrs we are getting core dump created and apache is crashed.
Has anyone faced such issue.


Issue while generating large documents

Hi All,

We are running in to issue while generating the large documents from our Java application. The Application is deployed in WebLogic server version
Apache (2.4.39) is proxying the Backend weblogic servers via WLS Plugin and an Load Balancer is sitting in front of Apache servers.

Traps software impacting httpd and reaching max clients

Hi ,

Red Hat Enterprise Linux Server release 6.6 (Santiago)
Server version: Apache/2.2.15 (Unix)

root 29539 4605 0 04:40 ? 00:00:00 /opt/traps/bin/injector64 29537 httpd
root 29555 29539 0 04:40 ? 00:00:00 /opt/traps/bin/injector64 29537 httpd
root 30191 4605 0 08:36 ? 00:00:00 /opt/traps/bin/injector64 30189 httpd
root 30206 4605 0 08:36 ? 00:00:00 /opt/traps/bin/injector64 30202 httpd
root 30244 30191 0 08:36 ? 00:00:00 /opt/traps/bin/injector64 30189 httpd
root 30291 30206 0 08:36 ?

conditionally create a Virtual Host?


In my development environment on a Windows 10 PC I have added the following to Apache's configuration files -

To httpd.conf:
Listen 8080

To httpd-vhosts.conf:
<VirtualHost *:8080>
DocumentRoot "Z:/files/xampp/htdocs"
<Directory "Z:/files/xampp/htdocs">
Options Indexes
Require all granted

Note that Z: is mapped to an external storage device.

With this setup, Apache successfully accesses C: on port 80 and Z: on port 8080. However, if the external storage device is not attached to the computer, Apache will not start.

Apache/2.4.26 (Unix) undocumented error AH02651

Running Apache 2.4.26 on RHEL7, I'm receiving an error in my apache error log of AH02651: Error writing request body to script...<perl script here>. I am unable to locate a meaningful description of AH02651 anywhere as all error lists I can find stop in the lower 2000's. It appears to happen when the POSTDATA is large. A 9k POST works fine but a 25k POST does not and this is repeatable. My perl CGI has no limit configured for POSTDATA size so I don't know if it's a size issue or possibly characters within the POSTDATA. Could someone please help me out with what could cause an AH02651?

fcgi unix domain socket/TCP socket question

Couple of questions ...

Reading this Apache httpd document ...
<a href="" title=""></a>

Does the below mean if the max children for a PHP-FPM pool using Unix Domain Sockets is reached then any subsequent PHP-FPM requests for that virtual host utilize a TCP socket? If we have the base www.conf<http://www.conf> pool configured to use TCP as opposed to Unix Domain Sockets?

SetHandler "proxy:unix:/var/run/php-fpm/|fcgi://"

What would be the impact of NOT defining a matching worker for the above config?

mod_proxy_scgi 2.4.29-1ubuntu4.8 errors with scgi 1.15


Apologies if this isn't the correct forum to discuss this error as it
appears to be Python and SCGI related, but I'm hoping someone here has some

Testing our Python application stack on Ubuntu 18.04 with latest versions
of SCGI (1.15) and the bundled version of Apache (2.4.29-1ubuntu4.8) I'm
getting weird errors after a previous error occurs.

Our application stack is as follows:

Browser --HTTP--> Apache+mod_proxy_scgi --SCGI--> python app --XMLRPC-->

If the service that our app calls returns an error, then I eventually
(after timeout) get a 500 in the browser, as exp

Apache process crashes, utilizing high memory

Hi All,

I have an apache web server(v2.4) + ckan (v2.7.2) running in a docker container.
In our scenario, CKAN is being hit with large number of requests at certain intervals (like 10 requests/sec).

uncompressing lzw payload

i'm reading about mod_deflate where it can handle gzipped content sent and
automatically uncompress the payload. i have embedded clients that want to
send compressed data over the wire due to bandwidth constraints. they can
only support LZW compression due to library/memory restrictions.

as i read, gzip algroithm can handle lzw content, but before i setup a POC
to test lzw content decompression via apache mod_deflate, can anyone
provide insights?


Apache httpd 2.4.41 was installed successfully to CentOS 7.6 using rpm



    CentOS Linux release 7.6.1810 (Core)
    kernel version: kernel-3.10.0-957.27.2.el7.x86_64

I have installed the newly released Apache httpd 2.4.41 on the above 
platform through rpmbuilding successfully with no problems.

Thank you all contributors to this project for this excellent work.

Thank you.

Yours truly,
Kazuhiko Kohmoto

Create cookies using Rewrite after successful mod_authn_dbd login


I am using Apache 2.4.29 on Ubuntu 18.04 and I am migrating a site
that has a directory that was originally protected via login using my
own CGI. As part of this migration I have changed this to use dbd via
pgsql and this works as expected, prompting me to login when I request
the directory in the URL.

My original CGI created JavaScript accessible cookies when the user
was authenticated as they are needed by the pages to work.

Re: [users@httpd] How can I simplify this URL to just the hostname with rewrite rules?

Have you tried “Redirect permanent “/q3/app\?service=external/EmployerPages:DudeLogin” “”

Darryl Baker (he/him/his)

How can I simplify this URL to just the hostname with rewrite rules?

So - I'm the administrator of a Java application which has a URL similar to the following:

<a href="" title=""></a>

Can't have them change it, and there's no way to simplify.

I'd like to redirect the URL above to:

<a href="" title=""></a>

I've tried a few rewrite rules by trial and error, unsuccessfully.

I also attempted to use generators such as <a href="" title=""></a> and <a href="" title=""></a>.

Any thoughts?

Thanks in advance.

Apache process is terminated by high memory usage of CKAN

Hi All,

I have an apache web server(v2.4) + ckan (v2.7.2) running in a docker container.
In our scenario, CKAN is being hit with large number of requests at certain intervals (like 10 requests/sec).

httpd as a backend ignores ALPN?


I am using trying to get httpd to correctly handle http2 from behind
hitch ( the varnish proxy server). For http2 to work probably I need
ALPN, so I have enabled that in hitch and configured hitch to use the HA
proxy protocol for for it's backend communication to httpd. In httpd I
have enabled mod_http2 and mod_remoteip. I found that in the httpd
config I had to use 'Protocols h2c', because hitch already terminates
the TLS connection and as such httpd can't use the 'secure' variant h2.
This works fine for the most part.

However if I also enable http1.1 httpd acts a bit odd.

apache 2.4.29 ubuntu 18.04 VirtualHost ssl redirect not working?

target url: "" works fine.
SSL target url: "" redirect to /var/www/html

However, "/var/www/html" is not a DocumentRoot for any virtual hosts.
Output of "apachectl -S":
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server
         port 443 namevhost
                 alias <a href="" title=""></a>
         port 443 namevhost

Question on headers, global or individual virtual host, apache 2.4?


I'm running apache 2.4. I've got a question on headers, should the
below be set in a global context in a configuration file?

httpd.conf "Define" directive?

I have been using a WAMP installation for several years.  I'm migrating
to Amazon Web Services and moving to an AWS-Linux platform.  I have done
quite a bit of customization of my httpd.conf over the years.  So I've
been in the process of merging everything into the AWS httpd.conf file. 
The WAMP httpd.conf uses a "Define" directive to define variables such
as "installDirectory", and references the variables using EL -
${installDir}.  Turns out that the AWS apache never heard of "Define". 
My WAMP apache is 2.4.33.

Options for characterizing module CPU consumption


What options do I have for characterizing, on a per-prequest basis, how much CPU and/or clock time is consumed by each Apache module in request processing?


No matter what I do, the file is created in the wrong location at runtime!

OK, I'm just trying to learn about building Apache httpd.

Apache out of memory

I have ubuntu 16.04 server with 2.4.16 server
Yesterday server stop responding and when check logs it's shows
Out of memory: kill process 7986 (apache) score 1613 or a child.

When I restarted server it's started working,server is having 40gb ram and
same getting full after sometime

Please suggest.

Compiling Apache with Non-System OpenSSL


Having some trouble compiling Apache with non-system OpenSSL, any help
appreciated. Looked at many threads online but no answers so far.

I'm compiling Apache using non-system-installed libraries for APR,
APR-Util, OpenSSL and PCRE. It works fine, and compiles from the
provided libraries.

Using server variables in CustomLog Directives

I have a server application, and for security reasons I'm trying to prevent
requests, which provide 'username' and 'password' as query parameters, from
being logged (providing these parameters as query parameters is a user
mistake, but still...)

I've tried this way:

* SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
CustomLog logs/my_log common env=!dontlog*

But the unwanted requests were still being printed to the log.

AH02968: Can't check pipelined data

I am running 2.4.37. For certain requests (HTTP/1.1), I am receiving the following debug level message in the error log,, “AH02968: Can't check pipelined data”. This causes the response to hang until the configured keepalive timeout. Any ideas on what may be causing this?


Issue with FastCGI module in Apache 2.4

I am upgrading apache version from 2.0 - 32 bit to 2.4 - 64 bit on Linux.

I am not able to convert the httpd.conf file to newer version.
Please help.
Especially I m finding difficulty in migration the variable 'FastCgiServer'

Httpd.conf in 2.0 version

<IfModule mod_fastcgi.c>
AddHandler fastcgi-script .fcgi

# Launch the FastCGI processes
FastCgiIpcDir /tmp
FastCgiServer /datlib/advantage/pc/envs/fo_b2_a/manager/bin/ -idle-timeout 300 -processes 3 -initial-env LD_LIBRARY_PATH

<VirtualHost *>
DocumentRoot /datlib/advantage/pc/envs/fo_b2_a/ma

any users of mod_pagespeed?


Do we have any users of mod_pagespeed with apache 2.4.x on a FreeBSD
system? I'm having no luck compiling it via system ports as one of
it's dependencies or one of it's dependencies dependencies requires
opencv which is failing to stage properly. I am therefor stuck.

Any ideas?


Occasional "%T / The time taken to serve the request, in seconds" inaccuracy in Apache/2.4.39 access_log ?


I am running Apache/2.4.39 on Linux.

I am using a custom log format, and have included "%T / The time taken to
serve the request, in seconds" in my LogFormat command.

I occasionally see a real outlier number for that %T -- say 10 seconds or
more -- for a page element that almost always takes less than 1 second.

This number is not backed up by my firewall logging or my other logging --
they always show a much more realistic and reasonable number for that exact
request (as per timestamp and requesting IP addy).

Is it possible that %T is occasionally inaccurate???

Sorry if this has a

Regex in ServerAlias


i try somethink like

ServerAlias (www\.)(example)\.(com|info|

I have done, and reload config, no error is shown, but i do not see the
right page, only the default one.

Is there a way in Apache?

Best Regards,

Re: [users@httpd] Need Apache to return multiple error doc

Changing what an error return code points to should not effect your
server's ability to restart (even if there are errors in the
ErrorDocument itself).

Need Apache to return multiple error doc

Hi all,
I have a requirement where I need send different error docs for same
error code depending upon specific error returned by application..
For example, if application returns 400,it means error may be due to non
availability of query param or url doesn't have mandatory fields etc,and
depending upon this exact error, I need to send proper error doc with exact

Expose my server to internet


Out of curiosity, I just want to access my server over internet.
I have forwarded port 80.
I have got a free domain in NoIP.
In my router I've also configured the settings and successfully logged in.
But when I test whether my port 80 is accessible, it's not opened.
This is my home system, using Ubuntu 18.04. I've not enabled any firewall
by myself.

So just wanted to know whether should I configure anything in Apache httpd
to make port 80 accessible?

Thank you.

Looking for advice re getting mod_xml2enc for Apache 2.4.39


I built and have been using the 2.4.39 version of Apache for a while, and
been reasonably happy with it. However, I am porting some web pages
that require mod_proxy_html which in turn requires mod_xml2enc.

The problems are that I can’t seem to find mod_xml2enc anywhere,
and my 2.4.39 build environment got toasted.

Blocking particular URL/file patterns

apache 2.4.39
linux 4.12.14-lp151.28.7-default x86_64

Our site has beset with numerous search engine queries for URLs that
have *never* existed on the site. They have the form:


where the digits are randomly changed. The search bots of Google and
Bing are the most prevalent producing 1000s of 404s per day. Not a
particular CPU burden, to be sure.


Hello, at this day i didn t find the answer to the following question :

RewriteRule ^that-and-that$ talent\.php\?id=(.+)[E=BREAK:1,L]
RewriteCond %{ENV:REDIRECT_BREAK} !^1$
RewriteCond %{QUERY_STRING} ^id=([0-9]+)$ [NC]

RewriteRule ^this\.php$ /that-and-that [QSD,R=301,L]

This code works actually but it doesn t display the right product. I found
my php var_dump display this info ...["QUERY_STRING"]=> string(20)
"id=(.+)[E=BREAK:1,L]. ...

Syndicate content