Apache server configuration on Linux - Options directive: controlling which files are served by an Apache server


The <Directory> and <Files> sections, together with the Allow and Deny directives, let you control who has access to a given directory or file. By default, access should be granted only to the files contained within your htdocs folder (or public-html folder, depending on what it is called). Access to any other directory on the web server should be denied. This is done by inserting the following lines in httpd.conf:

<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>

where /var/www/htdocs should of course be replaced with your own path to htdocs. In addition to the above, the Options directive controls how symbolic links are handled by Apache. The Options directive is placed within the <Directory> section:

<Directory />
Options -FollowSymLinks
Order Deny,Allow
Deny from all
</Directory>

<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>

This disables FollowSymLinks for your Apache server, meaning that symbolic links won't be followed. For the full list of options accepted by the Options directive, see the standard Apache server documentation.

Another point worth mentioning: if you really need symbolic links to be followed, it is better to:

- Simply add to the web server tree the folder that the symbolic links would point to, rather than turning on FollowSymLinks. This can be done with the Alias directive, which takes the URL path to map followed by the folder (/url-path is a placeholder):
Alias /url-path /Folder/You/Want/To/Add

- Turn off FollowSymLinks and turn on SymLinksIfOwnerMatch (this option verifies that the owner of the file pointed to by a symbolic link is the same as the owner of the symbolic link; it therefore constitutes an extra layer of Apache security):
Options -FollowSymLinks +SymLinksIfOwnerMatch

Note that the - and + signs in front of the options mean that these options are merged with the previously set options. If no -/+ sign is put before the options, the listed options become the only options set, regardless of any Options directives set before. Therefore the following set of Apache directory options (placed within the directory tags as above) will ONLY authorize Includes and turn on FollowSymLinks (Options ALL is overridden by Options Includes Indexes):

Options ALL
Options Includes Indexes
Options -Indexes +FollowSymLinks
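
The merge rule above, worked through as an added Python example (not part of the original tutorial or of Apache itself): it folds a sequence of Options lines into the effective option set. Each option is treated as an independent flag, the function names and the RISKY list are this example's own, and rejecting a mix of signed and unsigned options in one line follows Apache 2.4's syntax check.

```python
KNOWN = {n.lower(): n for n in (
    "ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
    "Indexes", "MultiViews", "SymLinksIfOwnerMatch")}
# Per the Apache documentation, "All" is every option except MultiViews.
ALL = set(KNOWN.values()) - {"MultiViews"}
GROUPS = {"all": ALL, "none": set(), **{k: {v} for k, v in KNOWN.items()}}
# Options this page advises against enabling broadly (assumed audit list).
RISKY = {"Indexes", "FollowSymLinks", "ExecCGI"}

def apply_options(current, directive):
    """Return the option set after one 'Options ...' line is applied."""
    words = directive.split()
    if len(words) < 2 or words[0].lower() != "options":
        raise ValueError(f"not an Options directive: {directive!r}")
    args = words[1:]
    signed = [a[0] in "+-" for a in args]
    if any(signed) and not all(signed):
        # Apache 2.4 rejects this mix at startup, so refuse to guess.
        raise ValueError(f"mixed signed/unsigned options: {directive!r}")
    # Signed options merge into what was set before; unsigned ones replace it.
    result = set(current) if all(signed) else set()
    for arg in args:
        sign, name = (arg[0], arg[1:]) if arg[0] in "+-" else ("+", arg)
        if name.lower() not in GROUPS:
            raise ValueError(f"unknown option: {name!r}")
        flags = GROUPS[name.lower()]
        result = result - flags if sign == "-" else result | flags
    return result

def effective_options(directives, inherited=()):
    """Fold directives in configuration order, starting from `inherited`."""
    opts = set(inherited)
    for line in directives:
        opts = apply_options(opts, line)
    return opts

def risky(options):
    """List the effective options that deserve a second look."""
    return sorted(set(options) & RISKY)

# Constructed input: the three lines from the example above, in page order.
PAGE_EXAMPLE = ["Options ALL", "Options Includes Indexes",
                "Options -Indexes +FollowSymLinks"]

if __name__ == "__main__":
    opts = effective_options(PAGE_EXAMPLE)
    print(sorted(opts), "-> review:", risky(opts))
```

The inherited argument stands for options set by an enclosing section, such as the <Directory /> block, so the same function shows what a nested section ends up with.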


Naturally, this is just an example and most likely you will want to turn off all options by setting:
Options None

In particular, it is important that the Indexes option is not enabled by default, since this might give access to files of your web server tree that weren't meant to be seen by the public (backups, source code that has been left there by mistake, etc.).

By the same token, you do not want certain types of files to be sent to the browser when they are not supposed to be. Such files include source code that, for whatever reason, is not interpreted correctly, e.g. some Perl or PHP source code. The trick here is to let the browser display only the kinds of files that are supposed to be displayed. You can do this with the FilesMatch and/or DirectoryMatch directives (the following example denies access to files whose name begins with .ht, and to php files):

<FilesMatch "(^\.ht|\.php$)">
Order Allow,Deny
Deny from all
</FilesMatch>

You will notice that the argument taken by FilesMatch is a regular expression. If you want to learn more about regular expressions (regexp), have a look at our tutorial on regular expressions. Finally, please note that some modules require certain options to be turned on (e.g. mod_rewrite requires the FollowSymLinks option to be turned on).

N.B.: One of the options of the Options directive is ExecCGI, which enables the execution of CGI scripts at the directory level. Note that it is generally unwise to enable CGI scripting on the whole server; instead, it is usually preferred to dedicate one folder (traditionally named cgi-bin) to CGI scripts. The following configuration allows the execution of CGI scripts from the cgi-bin directory (but no other option if you set the Options None above):

<Directory /path/to/cgi-bin>
Options +ExecCGI
SetHandler cgi-script
</Directory>

