
Directory container directives

From the document Apache Server2 (Page 74-78)

The next set of directives are enclosed in a <Directory . . .> container as shown here:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

The scope of the enclosed directives is limited to the named directory (with any subdirectories); however, you may only use directives that are allowed in a directory context (you learn about these directives in detail in the next chapter).

Here the Options and the AllowOverride directives apply to %DocumentRoot% that is root (/) or the top-level directory of the main Web site. Because directives enclosed within a directory container apply to all the subdirectories below the named directory, the directives apply to all directories within %DocumentRoot%. The Options directive is set to FollowSymLinks, which tells Apache to allow itself to traverse any symbolic link within %DocumentRoot%. Because the Options directive is only set to follow symbolic links, no other options are available to any of the directories within %DocumentRoot%. Effectively, the Options directive is:

Options FollowSymLinks -ExecCGI -Includes -Indexes -MultiViews

The other options are explained in the Options directive section in the next chapter. However, be assured that the big idea here is to create a very closed server.

Because only symbolic link traversal is allowed, you must explicitly enable other options as needed on a per-directory basis. This is a very good thing from a security perspective. The next directory container opens up the %DocumentRoot% directory as shown here:

<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

If your %DocumentRoot% is different, change the named directory path. Here is what the above configuration means to Apache:

✦ The named directory and its subdirectories can be indexed. If there is an index file, it will be displayed; in the absence of an index file, the server will create a dynamic index for the directory. The Options directive specifies this.

✦ The named directory and all subdirectories under it can have symbolic links that the server can follow (that is, use as a path) to access information. The Options directive also specifies this.

✦ The named directory and all subdirectories under it can be part of content negotiations. The MultiViews option for the Options directive sets this. I am not a fan of this option but do not so dislike it as to remove it. For example, when the given Options directive is enabled within the %DocumentRoot% directory as shown above, a request for http://www.domain.com/ratecard.html can be answered by a file called ratecard.html.bak, or ratecard.bak, ratecard.old, and the like if ratecard.html is missing. This may or may not be desirable.

✦ No options specified here can be overridden by a local access control file (specified by the AccessFileName directive in httpd.conf; the default is .htaccess). This is specified using the AllowOverride directive.

✦ The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client that does not match an Allow directive or that does match a Deny directive is denied access to the server.

✦ Access is permitted for all.

The default setting should be sufficient.

If your server is going to be on the Internet, you may want to remove the FollowSymLinks option from the Options directive line. Leaving this option creates a potential security risk. For example, if a directory in your Web site does not have an index page, the server displays an automated index that shows any symbolic links you may have in that directory. This could cause sensitive information to be displayed, or may even allow anyone to run an executable that resides in a carelessly linked directory.
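The scoping rule and the caution above can be checked mechanically. The following is an added example, not code from the book or from Apache: it computes the Options in force for a path by applying <Directory> containers from the shortest path to the longest, then flags the combinations this section warns about. The sample configuration is constructed, the function names are hypothetical, and only plain <Directory path> containers are handled (no regex containers, and no expansion of "All").

```python
import re

# Constructed sample modelled on the two containers discussed above.
SAMPLE_CONF = '''
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
'''
DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def containers(conf):
    """Yield (path, [argument list of each Options line]) per <Directory> container."""
    for path, body in DIR_RE.findall(conf):
        opt_lines = []
        for line in body.splitlines():
            words = line.split('#', 1)[0].split()
            if words and words[0].lower() == 'options':
                opt_lines.append(words[1:])
        yield path.rstrip('/') or '/', opt_lines

def effective_options(conf, target):
    """Options in force for `target`, applying containers shortest path first."""
    active = set()
    for path, opt_lines in sorted(containers(conf), key=lambda c: len(c[0])):
        if not (path == '/' or target == path or target.startswith(path + '/')):
            continue
        for words in opt_lines:
            if not any(w[0] in '+-' for w in words):
                active = set()          # absolute form replaces inherited options
            for w in words:
                if w.startswith('-'):
                    active.discard(w[1:])
                else:
                    active.add(w.lstrip('+'))
    return active

def audit(conf, target):
    """Return labels for the option combinations this section cautions about."""
    opts = effective_options(conf, target)
    checks = [({'Indexes', 'FollowSymLinks'}, 'Indexes+FollowSymLinks'),
              ({'MultiViews'}, 'MultiViews')]
    return [label for need, label in checks if need <= opts]
```

Calling audit(SAMPLE_CONF, "/usr/local/apache/htdocs/docs") reports both findings because the subdirectory inherits the document root's Options, while a path outside the document root inherits only FollowSymLinks from the root container.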

UserDir

The UserDir directive tells Apache to consider %UserDir% as document root (~username/%UserDir%) of each user Web site. This only makes sense if you have multiple users on the system and want to allow each user to have his or her own Web directory. The default setting is:

UserDir public_html

which means that if you set up your Web server's name to be www.yourcompany.com, and you have two users (joe and jenny), their personal Web site URLs would be:

http://www.yourcompany.com/~joe
Physical directory: ~joe/public_html

http://www.yourcompany.com/~jenny
Physical directory: ~jenny/public_html

Note that on Unix systems, ~ (tilde) expands to a user's home directory. The directory specified by the UserDir directive resides in each user's home directory, and Apache must have read and execute permissions to read files and directories within the public_html directory. This can be accomplished using the following commands on a Unix system:

chown -R <user>.<Apache server's group name> ~<user>/<directory assigned in UserDir>

chmod -R 770 ~<user>/<directory assigned in UserDir>

For example, if the username is joe and Apache's group is called httpd, and public_html is assigned in the UserDir directive, the preceding commands will look like this:

chown -R joe.httpd ~joe/public_html

chmod -R 2770 ~joe/public_html

The first command, chown, changes ownership of the ~joe/public_html directory (and that of all files and subdirectories within it) to joe.httpd. In other words, it gives the user joe and the group httpd full ownership of all the files and directories in the public_html directory. The next command, chmod, sets the access rights to 2770; in other words, only the user (joe) and the group (httpd) have full read, write, and execute privileges in public_html and all files and subdirectories under it. It also ensures that when a new file or subdirectory is created in the public_html directory, the newly created file has the group ID set. This enables the Web server to access the new file without the user's intervention.

If you create user accounts on your system using a script (such as the /usr/sbin/adduser script on Linux systems), you may want to incorporate the Web site creation process in this script. Just add a mkdir command to create a default public_html directory (if that's what you assign to the UserDir directive) to create the Web directory. Add the chmod and chown commands to give the Web server user permission to read and execute files and directories under this public directory.

DirectoryIndex

Next, you need to configure the DirectoryIndex directive, which has the following syntax:

DirectoryIndex [filename1, filename2, filename3, ... ]

This directive specifies which file the Apache server should consider as the index for the directory being requested. For example, when a URL such as www.yourcompany.com/ is requested, the Apache server determines that this is a request to access the / (document root) directory of the Web site. If the DocumentRoot directive is set as:

DocumentRoot "/www/www.yourcompany.com/public/htdocs"

then the Apache server looks for a file named /www/www.yourcompany.com/public/htdocs/index.html; if it finds the file, Apache services the request by returning the content of the file to the requesting Web browser. If the DirectoryIndex is assigned welcome.html instead of the default index.html, however, the Web server will look for /www/www.yourcompany.com/public/htdocs/welcome.html instead. If the file is absent, Apache returns the directory listing by creating a dynamic HTML page. Figure 3-3 shows what happens when index.html is missing in a directory and the server has generated a directory listing for the requesting browser.

Figure 3-3: Dynamic directory listing in the absence of index.htm

You can specify multiple index filenames in the DirectoryIndex directive. For example:

DirectoryIndex index.html index.htm welcome.htm

tells the Web server that it should check for the existence of any of the three files, and if any one file is found, it should be returned to the requesting Web client.

Listing many files as the index may create two problems. First, the server will now have to check for the existence of many files per directory request; this could make it slower than usual. Second, having multiple files as indexes could make your site difficult to manage from the organizational point of view. If your Web site content developers use various systems to create files, however, it might be a practical solution to keep both index.html and index.htm as index files. For example, an older Windows machine is unable to create filenames with extensions longer than three characters, so a user working on such a machine may need to manually update all of the user's index.htm files on the Web server. Using the recommended index filenames eliminates this hassle.

AccessFileName

The AccessFileName directive defines the name of the per-directory access control configuration file. The default name .htaccess has a leading period to hide the file from normal directory listing under Unix systems. The only reason to change the name to something else is to increase security by obscurity, which is not much of a reason. However, if you do change the filename to something else, make sure that you change the regular expression "^\.ht" to "^\.whatever", where .whatever is the first few characters of what you set AccessFileName to.
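The mismatch described above, where AccessFileName is renamed but the deny pattern still reads "^\.ht", can be detected with a short check. This is an added example, not code from the book: it assumes the pattern lives in a <Files ~ "..."> or <FilesMatch "..."> container that denies all access, as in the stock httpd.conf, and it uses Python's re module as a stand-in for Apache's regex engine. The configuration text and function names are constructed for illustration.

```python
import re

# Constructed config: AccessFileName was renamed but the <Files> regex was not.
STALE_CONF = r'''
AccessFileName .acl
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
'''
FIXED_CONF = STALE_CONF.replace(r'^\.ht', r'^\.acl')

FILES_RE = re.compile(
    r'<Files(?:Match|\s+~)\s+"([^"]+)"\s*>(.*?)</Files(?:Match)?>', re.S | re.I)
DENY_RE = re.compile(r'^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)

def access_file_names(conf):
    """Names set by AccessFileName; .htaccess when the directive is absent."""
    names = []
    for line in conf.splitlines():
        words = line.split('#', 1)[0].split()
        if words and words[0].lower() == 'accessfilename':
            names.extend(words[1:])
    return names or ['.htaccess']

def protected_patterns(conf):
    """Regexes of <Files ~ "..."> / <FilesMatch "..."> containers that deny everyone."""
    return [m.group(1) for m in FILES_RE.finditer(conf) if DENY_RE.search(m.group(2))]

def unprotected_access_files(conf):
    """Access-control file names that no deny pattern matches, so clients could fetch them."""
    patterns = [re.compile(p) for p in protected_patterns(conf)]
    return [n for n in access_file_names(conf)
            if not any(p.search(n) for p in patterns)]
```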
