c3b8fe2327e10aafbf419315dca8a683c1974327slive<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd<!-- $LastChangedRevision$ -->
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding Licensed to the Apache Software Foundation (ASF) under one or more
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding contributor license agreements. See the NOTICE file distributed with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding this work for additional information regarding copyright ownership.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding The ASF licenses this file to You under the Apache License, Version 2.0
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding (the "License"); you may not use this file except in compliance with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding the License. You may obtain a copy of the License at
acc36ab93565d2880447d535da6ca6e5feac7a70nd Unless required by applicable law or agreed to in writing, software
acc36ab93565d2880447d535da6ca6e5feac7a70nd distributed under the License is distributed on an "AS IS" BASIS,
acc36ab93565d2880447d535da6ca6e5feac7a70nd WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
acc36ab93565d2880447d535da6ca6e5feac7a70nd See the License for the specific language governing permissions and
acc36ab93565d2880447d535da6ca6e5feac7a70nd limitations under the License.
c3b8fe2327e10aafbf419315dca8a683c1974327slivehref="configuring.html">configuration files</a> may apply to the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveentire server, or they may be restricted to apply only to particular
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirectories, files, hosts, or URLs. This document describes how to
c3b8fe2327e10aafbf419315dca8a683c1974327sliveuse configuration section containers or <code>.htaccess</code> files
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto change the scope of other configuration directives.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="types"><title>Types of Configuration Section Containers</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<modulelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</modulelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directivelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">DirectoryMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">FilesMatch</directive>
d1fade344cfe51ad5d070d1ec286a1f4b4ff5e1drbowen<directive type="section" module="core">If</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">IfDefine</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">IfModule</directive>
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantz<directive type="section" module="mod_version">IfVersion</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">LocationMatch</directive>
fb34b161f35ff05215e80fe7a54ce19cc0648ac6slive<directive type="section" module="mod_proxy">Proxy</directive>
fb34b161f35ff05215e80fe7a54ce19cc0648ac6slive<directive type="section" module="mod_proxy">ProxyMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">VirtualHost</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</directivelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>There are two basic types of containers. Most containers are
c3b8fe2327e10aafbf419315dca8a683c1974327sliveevaluated for each request. The enclosed directives are applied only
c3b8fe2327e10aafbf419315dca8a683c1974327slivefor those requests that match the containers. The <directive
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantztype="section" module="core">IfDefine</directive>, <directive
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantztype="section" module="core">IfModule</directive>, and
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantz<directive type="section" module="mod_version">IfVersion</directive>
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzcontainers, on the other hand, are evaluated only at server startup
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzand restart. If their conditions are true at startup, then the
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzenclosed directives will apply to all requests. If the conditions are
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantznot true, the enclosed directives will be ignored.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">IfDefine</directive> directive
c3b8fe2327e10aafbf419315dca8a683c1974327sliveencloses directives that will only be applied if an appropriate
a1ef40892ffa2b44fc249423c5b6c42a74a84c68ndparameter is defined on the <program>httpd</program> command line. For example,
c3b8fe2327e10aafbf419315dca8a683c1974327slivewith the following configuration, all requests will be redirected
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto another site only if the server is started using
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh<IfDefine ClosedForNow>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</IfDefine>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">IfModule</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirective is very similar, except it encloses directives that will
c3b8fe2327e10aafbf419315dca8a683c1974327sliveonly be applied if a particular module is available in the server.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveThe module must either be statically compiled in the server, or it
c3b8fe2327e10aafbf419315dca8a683c1974327slivemust be dynamically compiled and its <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="mod_so">LoadModule</directive> line must be earlier in the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration file. This directive should only be used if you need
c3b8fe2327e10aafbf419315dca8a683c1974327sliveyour configuration file to work whether or not certain modules are
c3b8fe2327e10aafbf419315dca8a683c1974327sliveinstalled. It should not be used to enclose directives that you want
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto work all the time, because it can suppress useful error messages
c3b8fe2327e10aafbf419315dca8a683c1974327sliveabout missing modules.</p>
df47c169dad27600c1e98e547a065378c5e9a2b3rbowenmodule="mod_mime_magic">MimeMagicFile</directive> directive will be
c3b8fe2327e10aafbf419315dca8a683c1974327sliveapplied only if <module>mod_mime_magic</module> is available.</p>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh<IfModule mod_mime_magic.c>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</IfModule>
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantz<p>The <directive type="section" module="mod_version">IfVersion</directive>
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzdirective is very similar to <directive type="section"
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzmodule="core">IfDefine</directive> and <directive type="section"
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzmodule="core">IfModule</directive>, except it encloses directives that will
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzonly be applied if a particular version of the server is executing. This
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzmodule is designed for the use in test suites and large networks which have to
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantzdeal with different httpd versions and different configurations.</p>
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh<IfVersion >= 2.4>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh # this happens only in versions greater or
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh # equal 2.4.0.
e197de2a1939612782e7cebb5327fd06a2ce09aahumbedooh</IfVersion>
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantz<p><directive type="section" module="core">IfDefine</directive>,
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantz<directive type="section" module="core">IfModule</directive>, and the
0b7893b0bf10e51219e772f804db822a8bb7e9eajerenkrantz<directive type="section" module="mod_version">IfVersion</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivecan apply negative conditions by preceding their test with "!".
c3b8fe2327e10aafbf419315dca8a683c1974327sliveAlso, these sections can be nested to achieve more complex
c3b8fe2327e10aafbf419315dca8a683c1974327sliverestrictions.</p>
5f6587403928b0945e3f426127a039da48b2f537sf<section id="file-and-web"><title>Filesystem, Webspace, and Boolean Expressions</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The most commonly used configuration section containers are the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveones that change the configuration of particular places in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem or webspace. First, it is important to understand the
c3b8fe2327e10aafbf419315dca8a683c1974327slivedifference between the two. The filesystem is the view of your disks
c3b8fe2327e10aafbf419315dca8a683c1974327sliveas seen by your operating system. For example, in a default install,
13793cd95ff9a02fa5b57e405ede7447835a3f0brbowenApache httpd resides at <code>/usr/local/apache2</code> in the Unix
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem or <code>"c:/Program Files/Apache Group/Apache2"</code> in
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe Windows filesystem. (Note that forward slashes should always be
13793cd95ff9a02fa5b57e405ede7447835a3f0brbowenused as the path separator in Apache httpd configuration files, even for Windows.) In contrast,
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe webspace is the view of your site as delivered by the web server
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand seen by the client. So the path <code>/dir/</code> in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivewebspace corresponds to the path
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>/usr/local/apache2/htdocs/dir/</code> in the filesystem of a
13793cd95ff9a02fa5b57e405ede7447835a3f0brbowendefault Apache httpd install on Unix. The webspace need not map directly to
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe filesystem, since webpages may be generated dynamically
c3b8fe2327e10aafbf419315dca8a683c1974327slivefrom databases or other locations.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="filesystem"><title>Filesystem Containers</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand <directive type="section" module="core">Files</directive>
696b223118c0aadb16aed69aca68e7b88990d453nddirectives, along with their <glossary ref="regex">regex</glossary>
696b223118c0aadb16aed69aca68e7b88990d453ndcounterparts, apply directives to
c3b8fe2327e10aafbf419315dca8a683c1974327sliveparts of the filesystem. Directives enclosed in a <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">Directory</directive> section apply to
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe named filesystem directory and all subdirectories of that
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jimdirectory (as well as the files in those directories).
898475b582dd849de5915df0f2089b72ed8b2e2bcovenerThe same effect can be obtained using <a
c3b8fe2327e10aafbf419315dca8a683c1974327slivehref="howto/htaccess.html">.htaccess files</a>. For example, in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefollowing configuration, directory indexes will be enabled for the
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>/var/web/dir1</code> directory and all subdirectories.</p>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh Options +Indexes
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Files</directive> section apply to any file with
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe specified name, regardless of what directory it lies in.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveSo for example, the following configuration directives will,
c3b8fe2327e10aafbf419315dca8a683c1974327slivewhen placed in the main section of the configuration file,
c3b8fe2327e10aafbf419315dca8a683c1974327slivedeny access to any file named <code>private.html</code> regardless
c3b8fe2327e10aafbf419315dca8a683c1974327sliveof where it is found.</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Files "private.html">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all denied
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Files>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>To address files found in a particular part of the filesystem, the
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive> and
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Directory</directive> sections
c3b8fe2327e10aafbf419315dca8a683c1974327slivecan be combined. For example, the following configuration will deny
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>/var/web/dir1/subdir3/private.html</code>, and any other instance
c3b8fe2327e10aafbf419315dca8a683c1974327sliveof <code>private.html</code> found under the <code>/var/web/dir1/</code>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirectory.</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <Files "private.html">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all denied
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh </Files>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="webspace"><title>Webspace Containers</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Location</directive>
696b223118c0aadb16aed69aca68e7b88990d453nddirective and its <glossary ref="regex">regex</glossary> counterpart, on
696b223118c0aadb16aed69aca68e7b88990d453ndthe other hand, change the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration for content in the webspace. For example, the following
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration prevents access to any URL-path that begins in /private.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveIn particular, it will apply to requests for
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/private123</code>, and
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/private/dir/file.html</code> as well
c3b8fe2327e10aafbf419315dca8a683c1974327sliveas any other requests starting with the <code>/private</code> string.</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<LocationMatch "^/private">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all denied
dbc54ea02532d8351409da4988381bfc2b188ac4humbedooh</LocationMatch>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirective need not have anything to do with the filesystem.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveFor example, the following example shows how to map a particular
13793cd95ff9a02fa5b57e405ede7447835a3f0brbowenURL to an internal Apache HTTP Server handler provided by <module>mod_status</module>.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveNo file called <code>server-status</code> needs to exist in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem.</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Location "/server-status">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh SetHandler server-status
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location>
8f143e2dffb5188b3ca42066def1572f70f633ccigalic<section id="overlapping-webspace"><title>Overlapping Webspace</title>
753cef47327961b43a772b35f15436f30ce7fa58nd<p>In order to have two overlapping URLs one has to consider the order in which
8f143e2dffb5188b3ca42066def1572f70f633ccigaliccertain sections or directives are evaluated. For
753cef47327961b43a772b35f15436f30ce7fa58nd<directive type="section" module="core">Location</directive> this would be:</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Location "/foo">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</Location>
8f143e2dffb5188b3ca42066def1572f70f633ccigalic</Location>
df47c169dad27600c1e98e547a065378c5e9a2b3rbowen<p><directive type="section" module="mod_alias">Alias</directive>es on the other hand,
753cef47327961b43a772b35f15436f30ce7fa58ndare mapped vice-versa:</p>
753cef47327961b43a772b35f15436f30ce7fa58nd<p>The same is true for the <directive module="mod_proxy">ProxyPass</directive>
753cef47327961b43a772b35f15436f30ce7fa58nddirectives:</p>
2fae9d127f7143fabe8f73958eb9bde31df17d41coarProxyPass "/special-area" "http://special.example.com" smax=5 max=10
2fae9d127f7143fabe8f73958eb9bde31df17d41coarProxyPass "/" "balancer://mycluster/" stickysession=JSESSIONID|jsessionid nofailover=On
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="wildcards"><title>Wildcards and Regular Expressions</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Directory</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive>, and
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Location</directive>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivedirectives can each use shell-style wildcard characters as in
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslive<code>fnmatch</code> from the C standard library. The character "*"
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivematches any sequence of characters, "?" matches any single character,
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dsliveand "[<em>seq</em>]" matches any character in <em>seq</em>. The "/"
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivecharacter will not be matched by any wildcard; it must be specified
49caeb3359e048f14ded3a13440b18550f6ffdebpepperexplicitly.</p>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslive<p>If even more flexible matching is required, each
030108b1816bcda3d925df65357feabdce83bc94slivecontainer has a regular expression (regex) counterpart <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">DirectoryMatch</directive>, <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">FilesMatch</directive>, and <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">LocationMatch</directive> that allow
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dsliveperl-compatible
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto be used in choosing the matches. But see the section below on
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration merging to find out how using regex sections will change
c3b8fe2327e10aafbf419315dca8a683c1974327slivehow directives are applied.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>A non-regex wildcard section that changes the configuration of
c3b8fe2327e10aafbf419315dca8a683c1974327sliveall user directories could look as follows:</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Directory "/home/*/public_html">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh Options Indexes
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Using regex sections, we can deny access to many types of image files
c3b8fe2327e10aafbf419315dca8a683c1974327sliveat once:</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<FilesMatch "\.(?i:gif|jpe?g|png)$">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all denied
c3b8fe2327e10aafbf419315dca8a683c1974327slive</FilesMatch>
4dee1345ce2dd104902dc895dc99b7b81ac3b43fminfrin<p>Regular expressions containing <strong>named groups and
4dee1345ce2dd104902dc895dc99b7b81ac3b43fminfrinbackreferences</strong> are added to the environment with the
4dee1345ce2dd104902dc895dc99b7b81ac3b43fminfrincorresponding name in uppercase. This allows elements of filename paths
4dee1345ce2dd104902dc895dc99b7b81ac3b43fminfrinand URLs to be referenced from within <a href="expr.html">expressions</a>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<DirectoryMatch "^/var/www/combined/(?<SITENAME>[^/]+)">
7fdacf55a2f0a99798a28d5b764f28d42158c5e7covener require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
4dee1345ce2dd104902dc895dc99b7b81ac3b43fminfrin</DirectoryMatch>
4dee1345ce2dd104902dc895dc99b7b81ac3b43fminfrin</highlight>
5f6587403928b0945e3f426127a039da48b2f537sf<section id="expressions"><title>Boolean expressions</title>
5f6587403928b0945e3f426127a039da48b2f537sf<p>The <directive type="section" module="core">If</directive>
5f6587403928b0945e3f426127a039da48b2f537sfdirective change the configuration depending on a condition which can be
5f6587403928b0945e3f426127a039da48b2f537sfexpressed by a boolean expression. For example, the following configuration
5f6587403928b0945e3f426127a039da48b2f537sfdenies access if the HTTP Referer header does not start with
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh<If "!(%{HTTP_REFERER} -strmatch 'http://www.example.com/*')">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh Require all denied
5f6587403928b0945e3f426127a039da48b2f537sf</If>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="whichwhen"><title>What to use When</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Choosing between filesystem containers and webspace containers is
c3b8fe2327e10aafbf419315dca8a683c1974327sliveactually quite easy. When applying directives to objects that reside
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Directory</directive> or <directive type="section"
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Files</directive>. When applying directives to objects
c3b8fe2327e10aafbf419315dca8a683c1974327slivethat do not reside in the filesystem (such as a webpage generated from
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>It is important to never use <directive type="section"
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Location</directive> when trying to restrict
c3b8fe2327e10aafbf419315dca8a683c1974327sliveaccess to objects in the filesystem. This is because many
c3b8fe2327e10aafbf419315dca8a683c1974327slivedifferent webspace locations (URLs) could map to the same filesystem
c3b8fe2327e10aafbf419315dca8a683c1974327slivelocation, allowing your restrictions to be circumvented.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveFor example, consider the following configuration:</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Location "/dir/">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all denied
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>This works fine if the request is for
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/dir/</code>. But what if you are on
c3b8fe2327e10aafbf419315dca8a683c1974327slivea case-insensitive filesystem? Then your restriction could be easily
c3b8fe2327e10aafbf419315dca8a683c1974327slivecircumvented by requesting
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/DIR/</code>. The <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">Directory</directive> directive, in
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontrast, will apply to any content served from that location,
c3b8fe2327e10aafbf419315dca8a683c1974327sliveregardless of how it is called. (An exception is filesystem links.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveThe same directory can be placed in more than one part of the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem using symbolic links. The <directive type="section"
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Directory</directive> directive will follow the symbolic
c3b8fe2327e10aafbf419315dca8a683c1974327slivelink without resetting the pathname. Therefore, for the highest level
c3b8fe2327e10aafbf419315dca8a683c1974327sliveof security, symbolic links should be disabled with the appropriate
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive module="core">Options</directive> directive.)</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>If you are, perhaps, thinking that none of this applies to you
c3b8fe2327e10aafbf419315dca8a683c1974327slivebecause you use a case-sensitive filesystem, remember that there are
c3b8fe2327e10aafbf419315dca8a683c1974327slivemany other ways to map multiple webspace locations to the same
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem location. Therefore you should always use the filesystem
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontainers when you can. There is, however, one exception to this
c3b8fe2327e10aafbf419315dca8a683c1974327sliverule. Putting configuration restrictions in a <code><Location
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar"/"></code> section is perfectly safe because this section will apply
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto all requests regardless of the specific URL.</p>
063f440ab9730778d5388f56c3df1f4a8678c501jailletc<p>Some section types can be nested inside other section types. On the one
df47c169dad27600c1e98e547a065378c5e9a2b3rbowenhand, <directive type="section" module="core">Files</directive> can be used
5f6587403928b0945e3f426127a039da48b2f537sfinside <directive type="section" module="core">Directory</directive>. On
5f6587403928b0945e3f426127a039da48b2f537sfthe other hand, <directive type="section" module="core">If</directive> can
5f6587403928b0945e3f426127a039da48b2f537sfbe used inside <directive type="section" module="core">Directory</directive>,
5f6587403928b0945e3f426127a039da48b2f537sf<directive type="section" module="core">Location</directive>, and <directive
5f6587403928b0945e3f426127a039da48b2f537sftype="section" module="core">Files</directive> sections. The regex
5f6587403928b0945e3f426127a039da48b2f537sfcounterparts of the named section behave identically.</p>
5f6587403928b0945e3f426127a039da48b2f537sf<p>Nested sections are merged after non-nested sections of the same type.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">VirtualHost</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontainer encloses directives that apply to specific hosts.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveThis is useful when serving multiple hosts from the same machine
c3b8fe2327e10aafbf419315dca8a683c1974327slivewith a different configuration for each. For more information,
c3b8fe2327e10aafbf419315dca8a683c1974327slivesee the <a href="vhosts/">Virtual Host Documentation</a>.</p>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslive<p>The <directive type="section" module="mod_proxy">Proxy</directive>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dsliveand <directive type="section" module="mod_proxy">ProxyMatch</directive>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivecontainers apply enclosed configuration directives only
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto sites accessed through <module>mod_proxy</module>'s proxy server
c3b8fe2327e10aafbf419315dca8a683c1974327slivethat match the specified URL. For example, the following configuration
c3b8fe2327e10aafbf419315dca8a683c1974327slivewill prevent the proxy server from being used to access the
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all granted
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Proxy>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="whatwhere"><title>What Directives are Allowed?</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>To find out what directives are allowed in what types of
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration sections, check the <a
c3b8fe2327e10aafbf419315dca8a683c1974327slivehref="mod/directive-dict.html#Context">Context</a> of the directive.
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jimEverything that is allowed in
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections is also syntactically allowed in
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">DirectoryMatch</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">FilesMatch</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Location</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">LocationMatch</directive>,
fb34b161f35ff05215e80fe7a54ce19cc0648ac6slive<directive type="section" module="mod_proxy">Proxy</directive>,
fb34b161f35ff05215e80fe7a54ce19cc0648ac6sliveand <directive type="section" module="mod_proxy">ProxyMatch</directive>
d8ef5ab04fa7d8c250afe57b3cf834b68be63aa2jslsections. There are some exceptions, however:</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<li>The <directive module="core">AllowOverride</directive> directive
c3b8fe2327e10aafbf419315dca8a683c1974327sliveworks only in <directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections.</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Options</directive> work only in <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">Directory</directive> sections or
c3b8fe2327e10aafbf419315dca8a683c1974327slive<li>The <directive module="core">Options</directive> directive cannot
c3b8fe2327e10aafbf419315dca8a683c1974327slivebe used in <directive type="section" module="core">Files</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand <directive type="section" module="core">FilesMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections.</li>
1956f2e227ff049e26114c467381c81c15299892rbowen<section id="merging"><title>How the sections are merged</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The configuration sections are applied in a very particular order.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveSince this can have important effects on how configuration directives
c3b8fe2327e10aafbf419315dca8a683c1974327sliveare interpreted, it is important to understand how this works.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">Directory</directive> (except regular expressions)
d8ef5ab04fa7d8c250afe57b3cf834b68be63aa2jsl <directive type="section" module="core">Directory</directive>)</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slive <li><directive type="section" module="core">DirectoryMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive type="section" module="core">FilesMatch</directive> done
c3b8fe2327e10aafbf419315dca8a683c1974327slive simultaneously</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slive <li><directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">LocationMatch</directive> done simultaneously</li>
5f6587403928b0945e3f426127a039da48b2f537sf <li><directive type="section" module="core">If</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">Directory</directive>, each group is processed in
c3b8fe2327e10aafbf419315dca8a683c1974327slive the order that they appear in the configuration files. <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slive type="section" module="core">Directory</directive> (group 1 above)
c3b8fe2327e10aafbf419315dca8a683c1974327slive is processed in the order shortest directory component to longest.
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar So for example, <code><Directory "/var/web/dir"></code> will
c3b8fe2327e10aafbf419315dca8a683c1974327slive be processed before <code><Directory
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar "/var/web/dir/subdir"></code>. If multiple <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slive type="section" module="core">Directory</directive> sections apply
c3b8fe2327e10aafbf419315dca8a683c1974327slive to the same directory they are processed in the configuration file
c3b8fe2327e10aafbf419315dca8a683c1974327slive order. Configurations included via the <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">Include</directive> directive will be treated as if
c3b8fe2327e10aafbf419315dca8a683c1974327slive they were inside the including file at the location of the
c3b8fe2327e10aafbf419315dca8a683c1974327slive <directive module="core">Include</directive> directive.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive are applied <em>after</em> the corresponding sections outside
c3b8fe2327e10aafbf419315dca8a683c1974327slive the virtual host definition. This allows virtual hosts to
c3b8fe2327e10aafbf419315dca8a683c1974327slive override the main server configuration.</p>
c3a3c963ad3f5b4d816b66117406d4e793049119slive <p>When the request is served by <module>mod_proxy</module>, the
c3a3c963ad3f5b4d816b66117406d4e793049119slive <directive module="mod_proxy" type="section">Proxy</directive>
c3a3c963ad3f5b4d816b66117406d4e793049119slive container takes the place of the <directive module="core"
c3a3c963ad3f5b4d816b66117406d4e793049119slive type="section">Directory</directive> container in the processing
bd43fc31993cfc191e744a9490481f4294894099covener <p>Later sections override earlier ones, however each module is responsible
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar for interpreting what form this override takes. A later configuration section
bd43fc31993cfc191e744a9490481f4294894099covener with directives from a given module might cause a conceptual "merge" of some
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar directives, all directives, or a complete replacement of the modules
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar configuration with the module defaults and directives explicitly listed in
bd43fc31993cfc191e744a9490481f4294894099covener the later context.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive There is actually a
c3b8fe2327e10aafbf419315dca8a683c1974327slive <code><Location></code>/<code><LocationMatch></code>
c3b8fe2327e10aafbf419315dca8a683c1974327slive sequence performed just before the name translation phase
c3b8fe2327e10aafbf419315dca8a683c1974327slive (where <code>Aliases</code> and <code>DocumentRoots</code>
c3b8fe2327e10aafbf419315dca8a683c1974327slive are used to map URLs to filenames). The results of this
c3b8fe2327e10aafbf419315dca8a683c1974327slive sequence are completely thrown away after the translation has
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="merge-examples"><title>Some Examples</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Below is an artificial example to show the order of
c3b8fe2327e10aafbf419315dca8a683c1974327slivemerging. Assuming they all apply to the request, the directives in
c3b8fe2327e10aafbf419315dca8a683c1974327slivethis example will be applied in the order A > B > C > D >
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Location "/">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</Location>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Files "f.html">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</Files>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh<VirtualHost *>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</Directory>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</VirtualHost>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh<DirectoryMatch "^.*b$">
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</DirectoryMatch>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Directory "/a/b>
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>For a more concrete example, consider the following. Regardless of
c3b8fe2327e10aafbf419315dca8a683c1974327sliveany access restrictions placed in <directive module="core"
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section">Directory</directive> sections, the <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core" type="section">Location</directive> section will be
c3b8fe2327e10aafbf419315dca8a683c1974327sliveevaluated last and will allow unrestricted access to the server. In
c3b8fe2327e10aafbf419315dca8a683c1974327sliveother words, order of merging is important, so be careful!</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Location "/">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all granted
b47bddbe88fb1489893591d69d4ccab9b873af68humbedooh</Location>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar# Whoops! This <Directory> section will have no effect
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Directory "/">
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh <RequireAll>
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require all granted
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh Require not host badguy.example.com
95d5b247a62f1128779deb699f4dd931dfd605fahumbedooh </RequireAll>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</manualpage>