Configuration Sections

Types of Configuration Section Containers

There are two basic types of containers. Most containers areevaluated for each request. The enclosed directives are applied onlyfor those requests that match the containers. The <IfDefine>, <IfModule>, and<IfVersion>containers, on the other hand, are evaluated only at server startupand restart. If their conditions are true at startup, then theenclosed directives will apply to all requests. If the conditions arenot true, the enclosed directives will be ignored.

The <IfDefine> directiveencloses directives that will only be applied if an appropriateparameter is defined on the httpd command line. For example,with the following configuration, all requests will be redirectedto another site only if the server is started usinghttpd -DClosedForNow:

The <IfModule>directive is very similar, except it encloses directives that willonly be applied if a particular module is available in the server.The module must either be statically compiled in the server, or itmust be dynamically compiled and its LoadModule line must be earlier in theconfiguration file. This directive should only be used if you needyour configuration file to work whether or not certain modules areinstalled. It should not be used to enclose directives that you wantto work all the time, because it can suppress useful error messagesabout missing modules.

In the following example, the MimeMagicFiles directive will beapplied only if mod_mime_magic is available.

The <IfVersion>directive is very similar to <IfDefine> and <IfModule>, except it encloses directives that willonly be applied if a particular version of the server is executing. Thismodule is designed for the use in test suites and large networks which have todeal with different httpd versions and different configurations.

<IfDefine>,<IfModule>, and the<IfVersion>can apply negative conditions by preceding their test with "!".Also, these sections can be nested to achieve more complexrestrictions.

Filesystem and Webspace

The most commonly used configuration section containers are theones that change the configuration of particular places in thefilesystem or webspace. First, it is important to understand thedifference between the two. The filesystem is the view of your disksas seen by your operating system. For example, in a default install,Apache resides at /usr/local/apache2 in the Unixfilesystem or "c:/Program Files/Apache Group/Apache2" inthe Windows filesystem. (Note that forward slashes should always beused as the path separator in Apache, even for Windows.) In contrast,the webspace is the view of your site as delivered by the web serverand seen by the client. So the path /dir/ in thewebspace corresponds to the path/usr/local/apache2/htdocs/dir/ in the filesystem of adefault Apache install on Unix. The webspace need not map directly tothe filesystem, since webpages may be generated dynamicallyfrom databases or other locations.

Filesystem Containers

The <Directory>and <Files>directives, along with their regexcounterparts, apply directives toparts of the filesystem. Directives enclosed in a <Directory> section apply tothe named filesystem directory and all subdirectories of thatdirectory. The same effect can be obtained using .htaccess files. For example, in thefollowing configuration, directory indexes will be enabled for the/var/web/dir1 directory and all subdirectories.

Directives enclosed in a <Files> section apply to any file withthe specified name, regardless of what directory it lies in.So for example, the following configuration directives will,when placed in the main section of the configuration file,deny access to any file named private.html regardlessof where it is found.

To address files found in a particular part of the filesystem, the<Files> and<Directory> sectionscan be combined. For example, the following configuration will denyaccess to /var/web/dir1/private.html,/var/web/dir1/subdir2/private.html,/var/web/dir1/subdir3/private.html, and any other instanceof private.html found under the /var/web/dir1/directory.

Webspace Containers

The <Location>directive and its regex counterpart, on theother hand, change theconfiguration for content in the webspace. For example, the followingconfiguration prevents access to any URL-path that begins in /private.In particular, it will apply to requests forhttp://yoursite.example.com/private,http://yoursite.example.com/private123, andhttp://yoursite.example.com/private/dir/file.html as wellas any other requests starting with the /private string.

The <Location>directive need not have anything to do with the filesystem.For example, the following example shows how to map a particularURL to an internal Apache handler provided by mod_status.No file called server-status needs to exist in thefilesystem.

Wildcards and Regular Expressions

The <Directory>,<Files>, and<Location>directives can each use shell-style wildcard characters as infnmatch from the C standard library. The character "*"matches any sequence of characters, "?" matches any single character,and "[seq]" matches any character in seq. The "/"character will not be matched by any wildcard; it must be specifiedexplicitly.

If even more flexible matching is required, eachcontainer has a regular expression (regex) counterpart <DirectoryMatch>, <FilesMatch>, and <LocationMatch> that allowperl-compatibleregular expressionsto be used in choosing the matches. But see the section below onconfiguration merging to find out how using regex sections will changehow directives are applied.

A non-regex wildcard section that changes the configuration ofall user directories could look as follows:

Using regex sections, we can deny access to many types of image filesat once:

What to use When

Choosing between filesystem containers and webspace containers isactually quite easy. When applying directives to objects that residein the filesystem always use <Directory> or <Files>. When applying directives to objectsthat do not reside in the filesystem (such as a webpage generated froma database), use <Location>.

It is important to never use <Location> when trying to restrictaccess to objects in the filesystem. This is because manydifferent webspace locations (URLs) could map to the same filesystemlocation, allowing your restrictions to be circumvented.For example, consider the following configuration:

This works fine if the request is forhttp://yoursite.example.com/dir/. But what if you are ona case-insensitive filesystem? Then your restriction could be easilycircumvented by requestinghttp://yoursite.example.com/DIR/. The <Directory> directive, incontrast, will apply to any content served from that location,regardless of how it is called. (An exception is filesystem links.The same directory can be placed in more than one part of thefilesystem using symbolic links. The <Directory> directive will follow the symboliclink without resetting the pathname. Therefore, for the highest levelof security, symbolic links should be disabled with the appropriateOptions directive.)

If you are, perhaps, thinking that none of this applies to youbecause you use a case-sensitive filesystem, remember that there aremany other ways to map multiple webspace locations to the samefilesystem location. Therefore you should always use the filesystemcontainers when you can. There is, however, one exception to thisrule. Putting configuration restrictions in a <Location/> section is perfectly safe because this section will applyto all requests regardless of the specific URL.

Virtual Hosts

The <VirtualHost>container encloses directives that apply to specific hosts.This is useful when serving multiple hosts from the same machinewith a different configuration for each. For more information,see the Virtual Host Documentation.

Proxy

The <Proxy>and <ProxyMatch>containers apply enclosed configuration directives onlyto sites accessed through mod_proxy's proxy serverthat match the specified URL. For example, the following configurationwill prevent the proxy server from being used to access thecnn.com website.

What Directives are Allowed?

To find out what directives are allowed in what types ofconfiguration sections, check the Context of the directive.Everything that is allowed in <Directory>sections is also syntactically allowed in<DirectoryMatch>,<Files>,<FilesMatch>,<Location>,<LocationMatch>,<Proxy>,and <ProxyMatch>sections. There are some exceptions, however:

• The AllowOverride directiveworks only in <Directory>sections.
• The FollowSymLinks andSymLinksIfOwnerMatch Options work only in <Directory> sections or.htaccess files.
• The Options directive cannotbe used in <Files>and <FilesMatch>sections.

How the sections are merged

The configuration sections are applied in a very particular order.Since this can have important effects on how configuration directivesare interpreted, it is important to understand how this works.

The order of merging is:

1. <Directory> (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding <Directory>)
2. <DirectoryMatch> (and <Directory ~>)
3. <Files> and <FilesMatch> done simultaneously
4. <Location> and <LocationMatch> done simultaneously

Apart from <Directory>, each group is processed in the order that they appear in the configuration files. <Directory> (group 1 above) is processed in the order shortest directory component to longest. So for example, <Directory /var/web/dir> will be processed before <Directory /var/web/dir/subdir>. If multiple <Directory> sections apply to the same directory they are processed in the configuration file order. Configurations included via the Include directive will be treated as if they were inside the including file at the location of the Include directive.

Sections inside <VirtualHost> sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.

When the request is served by mod_proxy, the <Proxy> container takes the place of the <Directory> container in the processing order.

Later sections override earlier ones.

Some Examples

Below is an artificial example to show the order ofmerging. Assuming they all apply to the request, the directives inthis example will be applied in the order A > B > C > D >E.

For a more concrete example, consider the following. Regardless ofany access restrictions placed in <Directory> sections, the <Location> section will beevaluated last and will allow unrestricted access to the server. Inother words, order of merging is important, so be careful!