sections.xml revision 49caeb3359e048f14ded3a13440b18550f6ffdeb
c3b8fe2327e10aafbf419315dca8a683c1974327slive<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<manualpage>
c3b8fe2327e10aafbf419315dca8a683c1974327slivehref="configuring.html">configuration files</a> may apply to the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveentire server, or they may be restricted to apply only to particular
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirectories, files, hosts, or URLs. This document describes how to
c3b8fe2327e10aafbf419315dca8a683c1974327sliveuse configuration section containers or <code>.htaccess</code> files
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto change the scope of other configuration directives.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="types"><title>Types of Configuration Section Containers</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<modulelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</modulelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directivelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">DirectoryMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">FilesMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">IfDefine</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">IfModule</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">LocationMatch</directive>
fb34b161f35ff05215e80fe7a54ce19cc0648ac6slive<directive type="section" module="mod_proxy">Proxy</directive>
fb34b161f35ff05215e80fe7a54ce19cc0648ac6slive<directive type="section" module="mod_proxy">ProxyMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">VirtualHost</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</directivelist>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>There are two basic types of containers. Most containers are
c3b8fe2327e10aafbf419315dca8a683c1974327sliveevaluated for each request. The enclosed directives are applied only
c3b8fe2327e10aafbf419315dca8a683c1974327slivefor those requests that match the containers. The <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">IfDefine</directive> and <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">IfModule</directive> containers, on the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveother hand, are evaluated only at server startup and restart. If
c3b8fe2327e10aafbf419315dca8a683c1974327slivetheir conditions are true at startup, then the enclosed directives
c3b8fe2327e10aafbf419315dca8a683c1974327slivewill apply to all requests. If the conditions are not true, the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveenclosed directives will be ignored.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">IfDefine</directive> directive
c3b8fe2327e10aafbf419315dca8a683c1974327sliveencloses directives that will only be applied if an appropriate
c3b8fe2327e10aafbf419315dca8a683c1974327sliveparameter is defined on the <code>httpd</code> command line. For example,
c3b8fe2327e10aafbf419315dca8a683c1974327slivewith the following configuration, all requests will be redirected
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto another site only if the server is started using
c3b8fe2327e10aafbf419315dca8a683c1974327slive<IfDefine ClosedForNow><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</IfDefine>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">IfModule</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirective is very similar, except it encloses directives that will
c3b8fe2327e10aafbf419315dca8a683c1974327sliveonly be applied if a particular module is available in the server.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveThe module must either be statically compiled in the server, or it
c3b8fe2327e10aafbf419315dca8a683c1974327slivemust be dynamically compiled and its <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="mod_so">LoadModule</directive> line must be earlier in the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration file. This directive should only be used if you need
c3b8fe2327e10aafbf419315dca8a683c1974327sliveyour configuration file to work whether or not certain modules are
c3b8fe2327e10aafbf419315dca8a683c1974327sliveinstalled. It should not be used to enclose directives that you want
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto work all the time, because it can suppress useful error messages
c3b8fe2327e10aafbf419315dca8a683c1974327sliveabout missing modules.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="mod_mime_magic">MimeMagicFiles</directive> directive will be
c3b8fe2327e10aafbf419315dca8a683c1974327sliveapplied only if <module>mod_mime_magic</module> is available.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</IfModule>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Both <directive type="section" module="core">IfDefine</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand <directive type="section" module="core">IfModule</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivecan apply negative conditions by preceding their test with "!".
c3b8fe2327e10aafbf419315dca8a683c1974327sliveAlso, these sections can be nested to achieve more complex
c3b8fe2327e10aafbf419315dca8a683c1974327sliverestrictions.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="file-and-web"><title>Filesystem and Webspace</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The most commonly used configuration section containers are the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveones that change the configuration of particular places in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem or webspace. First, it is important to understand the
c3b8fe2327e10aafbf419315dca8a683c1974327slivedifference between the two. The filesystem is the view of your disks
c3b8fe2327e10aafbf419315dca8a683c1974327sliveas seen by your operating system. For example, in a default install,
c3b8fe2327e10aafbf419315dca8a683c1974327sliveApache resides at <code>/usr/local/apache2</code> in the Unix
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem or <code>"c:/Program Files/Apache Group/Apache2"</code> in
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe Windows filesystem. (Note that forward slashes should always be
c3b8fe2327e10aafbf419315dca8a683c1974327sliveused as the path separator in Apache, even for Windows.) In contrast,
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe webspace is the view of your site as delivered by the web server
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand seen by the client. So the path <code>/dir/</code> in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivewebspace corresponds to the path
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>/usr/local/apache2/htdocs/dir/</code> in the filesystem of a
c3b8fe2327e10aafbf419315dca8a683c1974327slivedefault Apache install on Unix. The webspace need not map directly to
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe filesystem, since webpages may be generated dynamically
c3b8fe2327e10aafbf419315dca8a683c1974327slivefrom databases or other locations.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="filesystem"><title>Filesystem Containers</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand <directive type="section" module="core">Files</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirectives, along with their regex counterparts, apply directives to
c3b8fe2327e10aafbf419315dca8a683c1974327sliveparts of the filesystem. Directives enclosed in a <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">Directory</directive> section apply to
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe named filesystem directory and all subdirectories of that
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirectory. The same effect can be obtained using <a
c3b8fe2327e10aafbf419315dca8a683c1974327slivehref="howto/htaccess.html">.htaccess files</a>. For example, in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefollowing configuration, directory indexes will be enabled for the
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>/var/web/dir1</code> directory and all subdirectories.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOptions +Indexes<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Files</directive> section apply to any file with
c3b8fe2327e10aafbf419315dca8a683c1974327slivethe specified name, regardless of what directory it lies in.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveSo for example, the following configuration directives will,
c3b8fe2327e10aafbf419315dca8a683c1974327slivewhen placed in the main section of the configuration file,
c3b8fe2327e10aafbf419315dca8a683c1974327slivedeny access to any file named <code>private.html</code> regardless
c3b8fe2327e10aafbf419315dca8a683c1974327sliveof where it is found.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder allow,deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveDeny from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Files>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>To address files found in a particular part of the filesystem, the
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive> and
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Directory</directive> sections
c3b8fe2327e10aafbf419315dca8a683c1974327slivecan be combined. For example, the following configuration will deny
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>/var/web/dir1/subdir3/private.html</code>, and any other instance
c3b8fe2327e10aafbf419315dca8a683c1974327sliveof <code>private.html</code> found under the <code>/var/web/dir1/</code>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirectory.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder allow,deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveDeny from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Files><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="webspace"><title>Webspace Containers</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirective and its regex counterpart, on the other hand, change the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration for content in the webspace. For example, the following
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration prevents access to any URL-path that begins in /private.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveIn particular, it will apply to requests for
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/private123</code>, and
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/private/dir/file.html</code> as well
c3b8fe2327e10aafbf419315dca8a683c1974327sliveas any other requests starting with the <code>/private</code> string.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Location /private><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder Allow,Deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveDeny from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivedirective need not have anything to do with the filesystem.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveFor example, the following example shows how to map a particular
c3b8fe2327e10aafbf419315dca8a683c1974327sliveURL to an internal Apache handler provided by <module>mod_status</module>.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveNo file called <code>server-status</code> needs to exist in the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Location /server-status><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveSetHandler server-status<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="wildcards"><title>Wildcards and Regular Expressions</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">Directory</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive>, and
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Location</directive>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivedirectives can each use shell-style wildcard characters as in
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslive<code>fnmatch</code> from the C standard library. The character "*"
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivematches any sequence of characters, "?" matches any single character,
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dsliveand "[<em>seq</em>]" matches any character in <em>seq</em>. The "/"
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivecharacter will not be matched by any wildcard; it must be specified
49caeb3359e048f14ded3a13440b18550f6ffdebpepperexplicitly.</p>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslive<p>If even more flexible matching is required, each
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontainer has a regular-expression (regex) counterpart <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">DirectoryMatch</directive>, <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">FilesMatch</directive>, and <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">LocationMatch</directive> that allow
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dsliveperl-compatible
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto be used in choosing the matches. But see the section below on
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration merging to find out how using regex sections will change
c3b8fe2327e10aafbf419315dca8a683c1974327slivehow directives are applied.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>A non-regex wildcard section that changes the configuration of
c3b8fe2327e10aafbf419315dca8a683c1974327sliveall user directories could look as follows:</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Directory /home/*/public_html><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOptions Indexes<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Using regex sections, we can deny access to many types of image files
c3b8fe2327e10aafbf419315dca8a683c1974327sliveat once:</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<FilesMatch \.(?i:gif|jpe?g|png)$><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder allow,deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveDeny from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</FilesMatch>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="whichwhen"><title>What to use When</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Choosing between filesystem containers and webspace containers is
c3b8fe2327e10aafbf419315dca8a683c1974327sliveactually quite easy. When applying directives to objects that reside
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Directory</directive> or <directive type="section"
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Files</directive>. When applying directives to objects
c3b8fe2327e10aafbf419315dca8a683c1974327slivethat do not reside in the filesystem (such as a webpage generated from
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>It is important to never use <directive type="section"
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Location</directive> when trying to restrict
c3b8fe2327e10aafbf419315dca8a683c1974327sliveaccess to objects in the filesystem. This is because many
c3b8fe2327e10aafbf419315dca8a683c1974327slivedifferent webspace locations (URLs) could map to the same filesystem
c3b8fe2327e10aafbf419315dca8a683c1974327slivelocation, allowing your restrictions to be circumvented.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveFor example, consider the following configuration:</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Location /dir/><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder allow,deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveDeny from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>This works fine if the request is for
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/dir/</code>. But what if you are on
c3b8fe2327e10aafbf419315dca8a683c1974327slivea case-insensitive filesystem? Then your restriction could be easily
c3b8fe2327e10aafbf419315dca8a683c1974327slivecircumvented by requesting
c3b8fe2327e10aafbf419315dca8a683c1974327slive<code>http://yoursite.example.com/DIR/</code>. The <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">Directory</directive> directive, in
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontrast, will apply to any content served from that location,
c3b8fe2327e10aafbf419315dca8a683c1974327sliveregardless of how it is called. (An exception is filesystem links.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveThe same directory can be placed in more than one part of the
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem using symbolic links. The <directive type="section"
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Directory</directive> directive will follow the symbolic
c3b8fe2327e10aafbf419315dca8a683c1974327slivelink without resetting the pathname. Therefore, for the highest level
c3b8fe2327e10aafbf419315dca8a683c1974327sliveof security, symbolic links should be disabled with the appropriate
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive module="core">Options</directive> directive.)</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>If you are, perhaps, thinking that none of this applies to you
c3b8fe2327e10aafbf419315dca8a683c1974327slivebecause you use a case-sensitive filesystem, remember that there are
c3b8fe2327e10aafbf419315dca8a683c1974327slivemany other ways to map multiple webspace locations to the same
c3b8fe2327e10aafbf419315dca8a683c1974327slivefilesystem location. Therefore you should always use the filesystem
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontainers when you can. There is, however, one exception to this
c3b8fe2327e10aafbf419315dca8a683c1974327sliverule. Putting configuration restrictions in a <code><Location
c3b8fe2327e10aafbf419315dca8a683c1974327slive/></code> section is perfectly safe because this section will apply
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto all requests regardless of the specific URL.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The <directive type="section" module="core">VirtualHost</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivecontainer encloses directives that apply to specific hosts.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveThis is useful when serving multiple hosts from the same machine
c3b8fe2327e10aafbf419315dca8a683c1974327slivewith a different configuration for each. For more information,
c3b8fe2327e10aafbf419315dca8a683c1974327slivesee the <a href="vhosts/">Virtual Host Documentation</a>.</p>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslive<p>The <directive type="section" module="mod_proxy">Proxy</directive>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dsliveand <directive type="section" module="mod_proxy">ProxyMatch</directive>
8e3ff39cc6fe48e65a920cbc1dcbe30ca9db688dslivecontainers apply enclosed configuration directives only
c3b8fe2327e10aafbf419315dca8a683c1974327sliveto sites accessed through <module>mod_proxy</module>'s proxy server
c3b8fe2327e10aafbf419315dca8a683c1974327slivethat match the specified URL. For example, the following configuration
c3b8fe2327e10aafbf419315dca8a683c1974327slivewill prevent the proxy server from being used to access the
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder allow,deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveDeny from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Proxy>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="whatwhere"><title>What Directives are Allowed?</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>To find out what directives are allowed in what types of
c3b8fe2327e10aafbf419315dca8a683c1974327sliveconfiguration sections, check the <a
c3b8fe2327e10aafbf419315dca8a683c1974327slivehref="mod/directive-dict.html#Context">Context</a> of the directive.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveEverything that is allowed in
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections is also syntactically allowed in
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">DirectoryMatch</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Files</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">FilesMatch</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">Location</directive>,
c3b8fe2327e10aafbf419315dca8a683c1974327slive<directive type="section" module="core">LocationMatch</directive>,
fb34b161f35ff05215e80fe7a54ce19cc0648ac6slive<directive type="section" module="mod_proxy">Proxy</directive>,
fb34b161f35ff05215e80fe7a54ce19cc0648ac6sliveand <directive type="section" module="mod_proxy">ProxyMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections. There are some exceptions, however.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<li>The <directive module="core">AllowOverride</directive> directive
c3b8fe2327e10aafbf419315dca8a683c1974327sliveworks only in <directive type="section" module="core">Directory</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections.</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core">Options</directive> work only in <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section" module="core">Directory</directive> sections or
c3b8fe2327e10aafbf419315dca8a683c1974327slive<li>The <directive module="core">Options</directive> directive cannot
c3b8fe2327e10aafbf419315dca8a683c1974327slivebe used in <directive type="section" module="core">Files</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327sliveand <directive type="section" module="core">FilesMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slivesections.</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="mergin"><title>How the sections are merged</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>The configuration sections are applied in a very particular order.
c3b8fe2327e10aafbf419315dca8a683c1974327sliveSince this can have important effects on how configuration directives
c3b8fe2327e10aafbf419315dca8a683c1974327sliveare interpreted, it is important to understand how this works.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">Directory</directive> (except regular expressions)
c3b8fe2327e10aafbf419315dca8a683c1974327slive and .htaccess done simultaneously (with .htaccess, if allowed,
c3b8fe2327e10aafbf419315dca8a683c1974327slive <li><directive type="section" module="core">DirectoryMatch</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive type="section" module="core">FilesMatch</directive> done
c3b8fe2327e10aafbf419315dca8a683c1974327slive simultaneously</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slive <li><directive type="section" module="core">Location</directive>
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">LocationMatch</directive> done simultaneously</li>
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">Directory</directive>, each group is processed in
c3b8fe2327e10aafbf419315dca8a683c1974327slive the order that they appear in the configuration files. <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slive type="section" module="core">Directory</directive> (group 1 above)
c3b8fe2327e10aafbf419315dca8a683c1974327slive is processed in the order shortest directory component to longest.
c3b8fe2327e10aafbf419315dca8a683c1974327slive So for example, <code><Directory /var/web/dir></code> will
c3b8fe2327e10aafbf419315dca8a683c1974327slive be processed before <code><Directory
c3b8fe2327e10aafbf419315dca8a683c1974327slive /var/web/dir/subdir></code>. If multiple <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slive type="section" module="core">Directory</directive> sections apply
c3b8fe2327e10aafbf419315dca8a683c1974327slive to the same directory they are processed in the configuration file
c3b8fe2327e10aafbf419315dca8a683c1974327slive order. Configurations included via the <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slive module="core">Include</directive> directive will be treated as if
c3b8fe2327e10aafbf419315dca8a683c1974327slive they were inside the including file at the location of the
c3b8fe2327e10aafbf419315dca8a683c1974327slive <directive module="core">Include</directive> directive.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive are applied <em>after</em> the corresponding sections outside
c3b8fe2327e10aafbf419315dca8a683c1974327slive the virtual host definition. This allows virtual hosts to
c3b8fe2327e10aafbf419315dca8a683c1974327slive override the main server configuration.</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive There is actually a
c3b8fe2327e10aafbf419315dca8a683c1974327slive <code><Location></code>/<code><LocationMatch></code>
c3b8fe2327e10aafbf419315dca8a683c1974327slive sequence performed just before the name translation phase
c3b8fe2327e10aafbf419315dca8a683c1974327slive (where <code>Aliases</code> and <code>DocumentRoots</code>
c3b8fe2327e10aafbf419315dca8a683c1974327slive are used to map URLs to filenames). The results of this
c3b8fe2327e10aafbf419315dca8a683c1974327slive sequence are completely thrown away after the translation has
c3b8fe2327e10aafbf419315dca8a683c1974327slive<section id="merge-examples"><title>Some Examples</title>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>Below is an artificial example to show the order of
c3b8fe2327e10aafbf419315dca8a683c1974327slivemerging. Assuming they all apply to the request, the directives in
c3b8fe2327e10aafbf419315dca8a683c1974327slivethis example will be applied in the order A > B > C > D >
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Location /><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Files><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive<VirtualHost *><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Directory /a/b><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</VirtualHost><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive<DirectoryMatch "^.*b$"><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</DirectoryMatch><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Directory /a/b><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive<p>For a more concrete example, consider the following. Regardless of
c3b8fe2327e10aafbf419315dca8a683c1974327sliveany access restrictions placed in <directive module="core"
c3b8fe2327e10aafbf419315dca8a683c1974327slivetype="section">Directory</directive> sections, the <directive
c3b8fe2327e10aafbf419315dca8a683c1974327slivemodule="core" type="section">Location</directive> section will be
c3b8fe2327e10aafbf419315dca8a683c1974327sliveevaluated last and will allow unrestricted access to the server. In
c3b8fe2327e10aafbf419315dca8a683c1974327sliveother words, order of merging is important, so be careful!</p>
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Location /><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder deny,allow<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveAllow from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Location><br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive# Woops! This <Directory> section will have no effect<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive<Directory /><br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveOrder allow,deny<br />
c3b8fe2327e10aafbf419315dca8a683c1974327sliveAllow from all<br />
c3b8fe2327e10aafbf419315dca8a683c1974327slive</Directory>
c3b8fe2327e10aafbf419315dca8a683c1974327slive</manualpage>