Apache Web Server





The Apache HTTP Server is a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Typically Apache is run on a Unix-like operating system, but it is available for a wide variety of operating systems, including Linux, Novell NetWare, Mac OS-X and Windows. Released under the Apache License, Apache is open-source software.

Share tech news, updates, or what's on your mind.

Sign up to Post

need to upgrade  apache version on centos 6.5. (as of now having 2.4.6)
Free Tool: SSL Checker
LVL 12
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

apache2 on ubuntu(16.04), took to long to respond.
 it was working before update and upgrade. service is runnig and nagios on it it's ok but no page.
Unusual High CPU CLoud watch alarm from my AWS Ec2 Instance. The Ec2 Instance consists of Magento 2 website and Wordpress websites. The Magento 2 site is loading very slow accessing when the server is UP. But the server goes down for every 30 mins approx.  In the Apache Error log, it shows :

[Mon Mar 19 01:29:55.216115 2018] [lbmethod_heartbeat:notice] [pid 2571] AH02282: No slotmem from mod_heartmonitor
[Mon Mar 19 01:30:01.432626 2018] [mpm_prefork:notice] [pid 2571] AH00163: Apache/2.4.27 (Amazon) OpenSSL/1.0.2k-fips PHP/5.6.32 configured -- resuming normal operations
[Mon Mar 19 01:30:01.432665 2018] [core:notice] [pid 2571] AH00094: Command line: '/usr/sbin/httpd'
[Mon Mar 19 01:35:45.104754 2018] [mpm_prefork:notice] [pid 2571] AH00169: caught SIGTERM, shutting down
[Mon Mar 19 01:37:03.874296 2018] [suexec:notice] [pid 2570] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

This unusual activity started on March 12th before that the server went down only once in a month. Any Idea on what causing this issue? Is it apache MPM prefork version or Magento codes? I don't know how to troubleshoot this.
What is the invalid character in this set-Cookie value?

Response header 'Set-Cookie' value of '___utmvaVMuYcwIB=hwV\x01RRgl; path=/; Max-Age=900' contains invalid characters
I have installed AWstats install on CentOS7, by following this guide https://panel.bullten.net/knowledgebase/59/Install-and-Configure-Awstats-in-CWP.html
When I visit http://mydomain.com/awstats/awstats.pl?config=mydomain.com all I get is a page of text as below,
# Free realtime web server logfile analyzer to show advanced web statistics.
# Works from command line or as a CGI. You must use this script as often as
# necessary from your scheduler to update your statistics and from command
# line or a browser to read report results.
# See AWStats documentation (in docs/ directory) for all setup instructions.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
require 5.007;

#use warnings;		# Must be used in test mode only. This reduce a little process speed
#use diagnostics;	# Must

Open in new window

See: https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/

Generally, the pre-check directive is very similar to max-age. However, IE's implementation of max-age takes the Age response header into account. In contrast, the implementation of post-check and pre-check do not. Hence, pre-check is equivalent to max-age only when there is no Age header on the response.

This article is from 2009, so pretty old. How max-age and the Age header are related nowawdays? Or are they not related at all anymore?
My question is about one specific reason to use max-age over Expires.

See for example: https://www.mnot.net/cache_docs/#EXPIRES
Although the Expires header is useful, it has some limitations. First, because there’s a date involved, the clocks on the Web server and the cache must be synchronised; if they have a different idea of the time, the intended results won’t be achieved, and caches might wrongly consider stale content as fresh.

But with max-age you also have the exact same problem, right? In my opinion there are 2 possibilities:

1. A cache receives a response from a server. The cache's clock starts counting from that moment. If there would be a delay between the server sending the response, and the cache receiving the response, then the age would be incorrect. So this is not a good way to calculate the age.

2. A cache receives a response from a server. The age of the response is calculated as a difference between the cache's current date and the Date general header included in the HTTP response.

Case 2 is in my opinion the right way to calculate the age of the response. But the reponse header field "Date" will be determined by the server. Just like "Expires" will be determined by the server. So in both cases the server's clock will be compared with the cache's clock. So in this respect (clock synchronization), I see no difference between max-age and Expires?

With case 1 they would be right, because then the cache's clock on moment A …
When a stored response is used to satisfy a request without validation, my browser is not showing me the HTTP reponse header field: "Age"?

Just take a simple test.html file, which is chacheable by default. Now visit the page 2 times, so the second time the file is shown directly from cache without validation.

Firefox shows me response headers like this:

Date: Mon, 12 Mar 2018 16:05:18 GMT
Server: Apache/2.4.17 (Unix) OpenSSL/1.0.1e-fips PHP/5.6.16
Last-Modified: Mon, 12 Mar 2018 12:24:12 GMT
Accept-Ranges: bytes
Content-Length: 143
Content-Type: text/html

Open in new window

But why Firefox does not show me the "Age" header field?

See: https://tools.ietf.org/html/rfc7234

When a stored response is used to satisfy a request without validation, a cache MUST generate an Age header field

And see: https://tools.ietf.org/html/rfc7234#section-5.1

However, lack of an Age header field does not imply the origin was contacted, since the response might have been received from an HTTP/1.0 cache that does not implement Age.

A browser's cache is not HTTP/1.0, so the response headers must contain an Age header field. Firefox is not showing me "Age"?

Are browsers only showing the response and request headers of the server? But if that's the case then they had to show no response headers at all, because there was no response from server in case of "200 OK (cached)"?

So I don't understand this? What's the logic behind this?

P.S. The example was about Firefox, but for example Chrome is doing the same.
After using apache and weblogic for more than 10 years(the last working module used is: mod_wl_22), I am ready to set up a replacement system with the newer version of the connector module (mod_wl_24) for our production.

I follow the official documentation from this link:


The server OS is:
root@server90 ~]# uname -a
Linux server90 4.1.12-94.3.9.el7uek.x86_64 #2 SMP Fri Jul 14 20:09:40 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux

Open in new window

Apache version:
[root@server90 ~]# apachectl -version
Server version: Apache/2.4.6 ()
Server built:   Oct 19 2017 14:54:33

Open in new window

APACHE_HOME folder details
[root@server90 httpd]# pwd
[root@server90 httpd]# ll
total 8
drwxr-xr-x 2 root root   58 Mar 10 21:58 conf
drwxr-xr-x 2 root root  103 Mar 10 21:56 conf.d
drwxr-xr-x 2 root root 4096 Mar 10 21:42 conf.modules.d
drwxr-xr-x 2 root root 4096 Mar 11 15:31 lib
lrwxrwxrwx 1 root root   19 Feb 22 16:32 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29 Feb 22 16:32 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   10 Feb 22 16:32 run -> /run/httpd
[root@server90 httpd]# 

Open in new window

I created a lib folder at the APACHE_HOME folder and copy all the lib files and this connection module(downloaded from Apache foundation website) into this folder
[root@server90 httpd]# cd lib/
[root@server90 lib]# ll
total 138808
-rwxr-xr-x 1 root root  6990875 Mar 10 21:00 libclntshcore.so
-rwxr-xr-x 1 root root  6990875 Mar 10 21:00 libclntshcore.so.12.1
-rwxr-xr-x 1 root root 58793741 Mar 10 21:00 libclntsh.so
-rwxr-xr-x 1 root root 58793741 Mar 10 21:00 libclntsh.so.12.1
-rwxr-xr-x 1 root root   409107 Mar 10 21:00 libdms2.so
-rwxr-xr-x 1 root root  1768370 Mar 10 21:00 libipc1.so
-rwxr-xr-x 1 root root   544150 Mar 10 21:00 libmql1.so
-rwxr-xr-x 1 root root  6747034 Mar 10 21:00 libnnz12.so
-rwxr-xr-x 1 root root   346242 Mar 10 21:00 libons.so
-rwxr-xr-x 1 root root    98521 Mar 10 21:00 libonsssl.so
-rwxr-xr-x 1 root root    72281 Mar 10 21:00 libonssys.so
-rwxr-xr-x 1 root root   567319 Mar 11 15:24 mod_wl_24.so
[root@server90 lib]# 

Open in new window

After that, I added directive for loading the module  into the $APACHE_HOME/conf/httpd.conf file:
[root@server90 httpd]# cd conf
[root@server90 conf]# ll
total 36
-rw-r--r-- 1 root root 11814 Mar 11 00:49 httpd.conf
-rw-r--r-- 1 root root 13077 Oct 19 17:55 magic
-rw-r--r-- 1 root root  4104 Mar 10 21:58 weblogic.conf
[root@server90 conf]# cat httpd.conf 
LoadModule weblogic_module /etc/httpd/lib/mod_wl_24.so

Open in new window

Then verify if this apache web server has included the dynamic sharing module: mod_so.c
[root@server90 conf]# apachectl -l
Compiled in modules:
[root@server90 conf]# 

Open in new window

the next step is to try to test the syntax of httpd.conf:
[root@server90 conf]# apachectl -t
httpd: Syntax error on line 355 of /etc/httpd/conf/httpd.conf: Cannot load modules/mod_wl_24.so into server: libonssys.so: cannot open shared object file: No such file or directory
[root@server90 conf]# 

Open in new window

it shows some error message:

Open in new window

I want the easiest way to link a desktop access file to mysql in the web cpanel
any aides please?
Free Tool: Subnet Calculator
LVL 12
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Hi all, I know this is all over every forum and I have tried and tried but just can't get it to work.
It is for a free image hosting service that allows hotlinkning, but not abusive hotinking, so they need to stop images being hotlinked from certain outside domains only, all other websites/forums etc can hotlink, in the same way imgur block hotlinking to sites that break their terms of service.

The .htaccess file looks like this but images are still hotlinked to eBay, any ideas?

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?vipr.ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?vi.vipr.ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?ebay\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?www.ebay\.com/ [NC]
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ https://mydomain.com/nohotlinking.gif [L]

RewriteEngine on
RewriteRule \.(gif|jpe?g|png|bmp) 404.gif [NC,L]

Open in new window

The second rule is designed to show an image when the image at a particular url has been deleted, that works perfectly.

We have also tried variations such as,

RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?vi.vipr.ebaydesc(.+)?\.com [NC]

Open in new window


RewriteCond %{HTTP_REFERER} ^https://(.*\.)*ebay\.com [NC,OR]

Open in new window

But nothing works, now we know its possible as imgur do it.

Any ideas?

See: http://php.net/manual/en/function.session-cache-limiter.php

PHP is using:

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Open in new window

I don't understand this 100%. A cache could have a different idea about time. Although it's really rare, a cache could think it's 1980. In a case like that, the cached copy will be seen as fresh.

When using:

Expires: 0

Open in new window

you can avoid problems like that. So in my opinion PHP is choosing the second best solution instead of the best solution.

See: https://tools.ietf.org/html/rfc7234#section-5.3

A cache recipient MUST interpret invalid date formats, especially the
value "0", as representing a time in the past (i.e., "already

So when using the value "0", you know for sure it will be seen as a date in the past. But this is the protocol for HTTP/1.1 (not HTTP/1.0).

I was also searching for some information about HTTP/1.0 and invalid dates, but I could not find an answer. I know HTTP/1.0 CAN implement things from HTTP/1.1.

How HTTP/1.0 caches are dealing with invalide dates? And can I be sure that in all situations "Expires: 0" will be seen as a date in the past? And if no, do you have examples?

I saw Google is using:

Expires: -1

Open in new window

In the past people were setting Expires via html via the meta tag ... in cases like that "-1" could mean something different than "0", but in what kind of situations "Expires: -1" means something different than "Expires: 0" in the http headers?

So what to use? Date in the past, 0 or -1?
I have configured Apache on Windows 7 machine to run our digital singage media on multiple screens which I got it working fine but I have got in to another problem I can't get to our own website now, every time we type our Web address www.example.com it takes us to Apache server page can you guy's please tell how to resolve this problem.
1. Where or what is the default Apache (2.x?) config file for Windows as I see more than one? I see three httpd*.conf (each with a date in the filename, possible backup) and one called httpd.conf (most recent time stamp). They were in the folder
C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf

2. I'm looking for the access.log file(s) showing inbound requests which I believe I found with all the other files such as apache_reverse*.log, SSLaccess.log.* and so forth, but the access.log files are 0 byte. It might be a permissions issue, but is it called access*.log? All the files mentioned were found in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\cache-proxy\logs.

3. If you are using an ELB (AWS) wouldn't it mask/substitute the client's IP with it's own? I say this b/c the SSLaccess.log files "seem" to be showing the IPs of ELB and wasn't sure if the access.log, if it contained any data would be any different. Both log settings are using the parameter %h to capture client's IP.

httpd.conf file contents:

CustomLog "logs/access.log" combined
LogLevel debug

ErrorLog "C:\Program Files (x86)\Apache Software Foundation\apache2.2\cache-proxy/logs/apache_error.log"

CustomLog "C:\Program Files (x86)\Apache Software Foundation\apache2.2\cache-proxy/logs/apache_reverse_%m%d%y.log" custom

Thank you
I'm trying to understand:

Vary: Accept-Encoding

Open in new window

Let's say we have:

- client 1 (only understands gzip-encoding)
- client 2 (only understands deflate-encoding)
- a shared cache
- a server (supports gzip and deflate encoding / compression, so the server can send the response message body encoded / compressed)
- a resource (1 url, cacheable)

If client 1 first will make a request to the resource, then the response will be stored in cache. The resource is gzip-encoded. If now client 2 will make a request, then the cache will server the gzip-encoded version which client 2 does not understand.

This is what I understand about it from the internet. But this sounds weird to me.

1. The stored reponse in cache must contain: "Content-Encoding: gzip", because when a server will send an encoded response, it will let you know which encoding has been used. So if I would be a cache and I would get a request with "Accept-Encoding: deflate" (or with an empty value). As a cache I know that my stored response is gzip-encoded (because of the stored "Content-Encoding: gzip"). Then I don't need no "Vary: Accept-Encoding" to know that I have to make a new request to the server??

So why "Vary: Accept-Encoding" exists anyway and in what kind of situations it really makes a difference?

2. Are there also caches around, which can decode / encode (gzip / deflate)? In cases like there is also no need to add "Vary: Accept-Encoding", because a cache could decode …
If you have for exampe an image with max-age=31536000, when using HTTPS what is the best to do:

Cache-Control: public, max-age=31536000

Open in new window

Cache-Control: private, max-age=31536000

Open in new window

Cache-Control: max-age=31536000

Open in new window

Which one and why?

I also did some own research, but I'm not sure yet what the answer has to be. I think this is true:

By default web browsers should cache content over HTTPS the same as over HTTP, unless explicitly told otherwise via the HTTP Headers received.

This is about the cache of the browser. For shared caches I think this is true:

If the request is authenticated or secure (i.e., HTTPS), it won’t be cached by shared caches.

Google is saying here, see: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching

If the response is marked as "public", then it can be cached, even if it has HTTP authentication associated with it, and even when the response status code isn't normally cacheable. Most of the time, "public" isn't necessary, because explicit caching information (like "max-age") indicates that the response is cacheable anyway.

That's what Google is saying, but I also checked what they are doing. See:

Example: https://www.google.nl/images/branding/googlelogo/2x/googlelogo_color_120x44dp.png
cache-control:private, max-age=31536000

Open in new window

Example: https://www.google.com/textinputassistant/tia.png
cache-control:public, max-age=31536000

Open in new window

Reponse headers can contain something like:

Cache-Control: must-revalidate

Open in new window

But "must-revalidate" does not exist for the request headers, see:


Why? Is there a reason behind this?

Take for example me, my browser, my browser's cache and the origin server. Let's say there is a stale cached copy in the browser's cache. Imagine I don't want the cached copy to be served without making any request to the server. Also not if the cache is disconnected from the origin server. I could add must-revalidate in the request headers, but this only exists for the response headers in similar situations.

Why is that and what's behind it? Directives like max-age, no-cache, no-store you have for the response AND the request directives, so why must-revalidate is an exception to that?
Let's first take a look at the definitions.

1. Max-age in request headers:
See: https://tools.ietf.org/html/rfc7234.html#section-5.2.1

The "max-age" request directive indicates that the client is
unwilling to accept a response whose age is greater than the
specified number of seconds.  Unless the max-stale request directive
is also present, the client is not willing to accept a stale

2. Max-age in the response headers:
See: https://tools.ietf.org/html/rfc7234.html#page-26

The "max-age" response directive indicates that the response is to be
considered stale after its age is greater than the specified number
of seconds.

And see: https://tools.ietf.org/html/rfc7234#section-4.2.4

A cache MUST NOT send stale responses unless it is disconnected
(i.e., it cannot contact the origin server or otherwise find a
forward path)

So is it true that "max-age=0" in the response headers is NOT equivalent to "no-cache" in the reponse headers (because of case disconnected), BUT "max-age=0" in the request headers IS equivalent to "no-cache" in the reponse headers?

3. No-cache in the request headers:
See: https://tools.ietf.org/html/rfc7234.html#page-23

The "no-cache" request directive indicates that a cache MUST NOT use
a stored response to satisfy the request without successful
validation on the origin server.

4. No-cache in the response headers:
See: https://tools.ietf.org/html/rfc7234.html#section-5.2.2</a>
i have a web application that is work on wamp on windows server and its work fine, i moved the application folder to linux ubuntu 16.4 with apache.
i see the permission and apahe config.
when i try to open the application is't give me 404 page not found
under ci log the error is page not found index
so where is the problem?
The 14th Annual Expert Award Winners
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Running the following CURL command:
curl https://tlstest.paypal.com

Open in new window

I am faced with an error to do with the  SSL certificate:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[#### ~]$ curl --tlsv1.2 https://tlstest.paypal.com/
curl: option --tlsv1.2: is unknown
curl: try 'curl --help' for more information
[#### ~]$ curl --tlsv1 https://tlstest.paypal.com/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA)
Decyptor.class in Apache POI application contains password in clear text. Why is this? Isnt this a security issue?
My vendor is telling me that that's the architecture by Apache. Is the vendor correct?
I just did a test in Firefox. I have an PHP file (without sessions). The reponse headers do not contain a validator or any other caching related headers, except:

Cache-Control: no-cache

Open in new window

When pressing the back button in Firefox followed by the forward button, the file is coming from cache when coming back on that page.

With "Cache-Control: no-cache" (and no validators), usually you would expect a request to the origin server, resulting in a "200 OK" response (NOT from cache).

I know that there is some different caching behavior with the back / forward button. See: https://tools.ietf.org/html/rfc7234#page-32

6.  History Lists

User agents often have history mechanisms, such as "Back" buttons and
history lists, that can be used to redisplay a representation
retrieved earlier in a session.

The freshness model (Section 4.2) does not necessarily apply to
history mechanisms.  That is, a history mechanism can display a
previous representation even if it has expired.

This does not prohibit the history mechanism from telling the user
that a view might be stale or from honoring cache directives (e.g.,
Cache-Control: no-store).

Here they are saying that the freshness model does not necessarily apply to history mechanisms. So when using max-age=0 or something like that (Expires), I can understand that the back and forward button can serve stale responses.

But no-cache is not part of the freshness model or is it? …
Apache permission for NFS or SAMBA shares
I have an Apache server on CentOS 7.4 and have a share with tools and files I want Apache to have access to and serve it, I have the share on both Samba and NFS.
The issue is that I can't access the directory on Apache with the error being You don't have permission to access / on this server.
If I use a local directory Apache has full access and no issues, once I point it to the share I get the error, I have tried disabling selinux and some mount options still no go.
Any help would be appreciated.
Xampp Server
Dear sir ,
         please telling me about xampp server ,How it is work on own server without
internet or other wireless connection , How does that communicate from one system to another system . i am very confuse related to that problem ,So please satisfy me about xampp server .
Almost everywhere on the internet I'm reading that you can turn off Etags via an .htaccess file, something like this:

FileETag None
<ifModule mod_headers.c>
	Header unset ETag

Open in new window

I don't like to use things that I don't understand 100%. Why is the first line "FileETag None" not enough already?

See: https://httpd.apache.org/docs/2.4/mod/core.html#fileetag

The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file.


If a document is file-based, no ETag field will be included in the response

For "Header unset ETag", see: http://httpd.apache.org/docs/current/mod/mod_headers.html

The response header of this name is removed, if it exists. If there are multiple headers of the same name, all will be removed. value must be omitted.

So when using "FileETag None", no ETag field will be included in the response. The "Header unset ETag" will remove that Etag field, but because of "FileETag None" there is no Etag field anyway. So for what exactly people are adding "Header unset ETag"?

Apache Web Server





The Apache HTTP Server is a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Typically Apache is run on a Unix-like operating system, but it is available for a wide variety of operating systems, including Linux, Novell NetWare, Mac OS-X and Windows. Released under the Apache License, Apache is open-source software.