Common Directives


This section briefly reviews some of the commonly used Apache configuration directives.

The main configuration file usually includes several Directory blocks; they allow specifying different behaviors for the server depending on the location of the file being served. Such a block commonly includes Options and AllowOverride directives:


<Directory /var/www>
    Options Includes FollowSymLinks
    AllowOverride All
    DirectoryIndex index.php index.html index.htm
</Directory>


The DirectoryIndex directive contains a list of files to try when the client request matches a directory. The first existing file in the list is used and sent as a response.

The Options directive is followed by a list of options to enable. The None value disables all options; correspondingly, All enables them all except MultiViews. Available options include:

ExecCGI—indicates that CGI scripts can be executed.

FollowSymLinks—tells the server that symbolic links can be followed, and that the response should contain the contents of the target of such links.

SymLinksIfOwnerMatch—also tells the server to follow symbolic links, but only when the link and its target have the same owner.

Includes—enables Server Side Includes (SSI). These are directives embedded in HTML pages and executed on the fly for each request.

Indexes—tells the server to list the contents of a directory if the HTTP request sent by the client points to a directory without an index file (that is, when no files mentioned by the DirectoryIndex directive exist in this directory).

MultiViews—enables content negotiation; this can be used by the server to return a web page matching the preferred language as configured in the browser.


Requiring Authentication

In some circumstances, access to part of a website needs to be restricted, so only legitimate users who provide a username and a password are granted access to the contents.

The .htaccess file contains Apache configuration directives enforced each time a request concerns an element from the directory where the .htaccess file is stored. These directives are recursive, expanding the scope to all subdirectories.

Most of the directives that can occur in a Directory block are also legal in an .htaccess file. The AllowOverride directive lists all the options that can be enabled or disabled by way of .htaccess. A common use of this option is to restrict ExecCGI, so that the administrator chooses which users are allowed to run programs under the web server’s identity (the www-data user).
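As an added illustration (not part of the original text), the two alternative blocks below contrast the permissive AllowOverride All from the Directory block shown earlier with a narrower setting under which .htaccess files may carry only authentication directives. The choice of SymLinksIfOwnerMatch and AuthConfig is an assumption about what the site needs.

```apache
# Alternative 1 (permissive): any .htaccess file under /var/www may use
# every overridable directive, including "Options +ExecCGI".
<Directory /var/www>
    Options Includes FollowSymLinks
    AllowOverride All
</Directory>

# Alternative 2 (narrower, assumed requirements): .htaccess files may only
# contain authentication and authorization directives (AuthType, AuthName,
# AuthUserFile, Require). An Options line in .htaccess is rejected, so the
# administrator's choice below cannot be widened per directory.
<Directory /var/www>
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig
    DirectoryIndex index.php index.html index.htm
</Directory>
```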


Example 5.3 .htaccess File Requiring Authentication


Require valid-user
AuthName "Private directory"
AuthType Basic
AuthUserFile /etc/apache2/authfiles/htpasswd-private


Basic Authentication Offers No Security

The authentication system used in the above example (Basic) has minimal security as the password is sent in clear text (it is only encoded as base64, which is a simple encoding rather than an encryption method). It should also be noted that the documents protected by this mechanism also go over the network in the clear. If security is important, the entire HTTP session should be encrypted with Transport Layer Security (TLS).


The /etc/apache2/authfiles/htpasswd-private file contains a list of users and passwords; it is commonly manipulated with the htpasswd command. For example, the following command is used to add a user or change their password:


# htpasswd /etc/apache2/authfiles/htpasswd-private user
New password:
Re-type new password:
Adding password for user user


Restricting Access

The Require directive controls access restrictions for a directory (and its subdirectories, recursively).

It can be used to restrict access based on many criteria; we will only describe access restriction based on the IP address of the client, but it can be made much more powerful than that, especially when several Require directives are combined within a RequireAll block.

For instance, you could restrict access to the local network with the following directive:


Require ip 192.168.0.0/16
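
The RequireAll combination mentioned above, as an added example that is not part of the original text. The /var/www/private path is an assumption; the password file is the one from Example 5.3.

```apache
# Hypothetical protected area (path assumed for this example).
<Directory /var/www/private>
    AuthType Basic
    AuthName "Private directory"
    AuthUserFile /etc/apache2/authfiles/htpasswd-private

    # Both conditions must hold: the client is on the local network
    # AND has supplied a valid username and password.
    # Without the RequireAll wrapper, several Require lines in the same
    # section are treated as alternatives (any one of them grants access),
    # so a local client would get in without a password.
    <RequireAll>
        Require ip 192.168.0.0/16
        Require valid-user
    </RequireAll>
</Directory>
```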
