In this series last month, we introduced the main configuration file for Apache Web Server, the httpd.conf. We explained that the file is split into three sections—one for child process and global directives, a second for directives to configure the server, and a third for virtual hosting. Last month we had covered section one, and touched upon section two. This time, we’ll go into section two in more detail with some sample code.
Section two contains directives to configure Apache server, its document root, other Webdirectories, CGI directories, language, and MIME types. Here, the directive ‘DocumentRoot’ specifies the Web directory from where to serve the files and is preset to /var/ www/html. The next few directives set permissions for the ‘DocumentRoot’ Web directory. These permissions allow/disallow some features and client access to the Web directory. The features allowed for each Web directory are specified using the directive named ‘Options’. These include things like inserting an e-mail id of the webmaster in an error page, defining the root directory of a website, and setting its permissions, which are different from your ordinary file system permissions. The Options directive contains the values FollowSymLinks, SymLinksIfOwnerMatch, Indexes, Includes, IncludesNOEXEC, ExecCGI, MultiViews, All, and None. Let’s understand what these values mean.
FollowSymLinks: This makes the server follow the symbolic links in the Web directory. For example: suppose there is file named ‘link.html’ in the directory /var/www/html which is linked to a file named ‘pcquest.html’ in /opt directory ( ln -s /opt/pcquest. html/var/www/html/link.html ), then the server would send the contents of the latter upon a request for the file ‘link.html’. Setting this option and having symbolic links pointing to directories outside the Web directory is not a good idea as this allows the client to reach other parts of the filesystem.
SymLinksIfOwnerMatch: Same as FollowSymLinks but allows access to the linked file—pcquest.html—only when owner of the symbolic link is the same as the file to which the link points to. For example suppose link.html as well as the file pcquest.html is owned by same the user say ‘pcq’, you can set this as
chown pcq /var/www/html/link.html
chown pcq /opt/pcquest.html
Only then, the server would send the contents of the file ‘pcquest.html’ on a request for the file ‘link.html’ or else a ‘HTTP 403 Forbidden error’ is displayed.
Indexes: When the browser is pointed to the ‘document root’ as http://127.0.0.1/ then the Webserver sends the contents of a file specified by the ‘DirectoryIndex’ directive. If you move down in httpd.conf you can find a line as:
DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi
This means, in case there is a file from among index.html, index.htm index.shtml, index.php, index.php4, index.php3 or index.cgi in the Web directory, that file is delivered to the client. If no such file is present and if ‘Indexes’ option is specified then a listing of the files in the Web directory is sent and displayed by the browser. To see this working, delete index.html file (or rename or move it to another location) found in /var/www/html directory and then point your Linux browser—Netscape Navigator or Konqueror—to http://127.0.0.1, (assuming that you are running the browser on the same machine as the server) and this time instead of the ‘Apache Test Page’ you will see the directory listing of /var/www/html directory. This happened because the ‘Indexes’ feature is enabled for this Web directory.
Includes: A HTML page may contain Server Side Includes (SSI). SSI are special tags that can be embedded along with HTML tags in the same file but the contents of these tags are evaluated by the Web server before sending the page to the browser. Such pages usually have an extension of .shtml. For example, create a file named test.shtml in the directory /var/ www/html and type the following lines in it:
Date (in GMT) : <!—# echo var=”DATE_GMT” —>
The SSI in this page is
<!— # echo var=”DATE_GMT” — >
SSI is embedded within special starting and closing tags : <!—# SSI contents —>. The above SSI displays the current date and time according to the Greenwhich Mean Time. Now point your Web browser to http:// 127.0.0.1 /test.shtml
You would see a Web page showing something like the following:
Of course the current date and time displayed will be different in your case. To allow such pages containing SSI to be displayed the option ‘Includes’ must be specified for the Web directory.
IncludesNOEXEC: You can use SSI ‘exec’ to run a shell command. For example, the following SSI:
<!—# exec cmd=”ls /usr/bin” —>
will display the directory listing of /usr/bin directory on the page.
If you specify ‘IncludesNOEXEC’ along with the ‘Includes’ option, then you can disallow the ‘exec’ SSI tag for the directory.
ExecCGI: This allows the execution of script files called CGI scripts (refer to the article ‘How Web Servers Work’ for more on CGI scripts) in the Web directory. For example, type the following CGI script in a Linux text editor :
print “Content-type: text/html \\r\\n\\r\\n”;
print “Hello CGI”;
Suppose you place this file in the Web directory /var/www/html and give it executable permission as :
chmod +x /var/www/html/test.cgi
Next if you add the option ‘ExecCGI’ for this directory and uncomment the following line —by removing the # before it—found in httpd.conf if you scroll down
AddHandler cgi-script .cgi
and then execute the script by pointing the browser to http:// 127.0.0.1/ test.cgi, then you will see the output as :
If you don’t have the ExecCGI option enabled for this Web directory, then you get a ‘HTTP 403 Forbidden error’.
MultiViews: Suppose there are files named pcq.html, pcq.doc, and pcq.jpg in the Web directory. If we have specified the MultiViews option and if we type in http://127.0.0.1/pcq, the server would find out the best file to be delivered depending on its content, and delivers pcq.html. In case, the server has to make a choice from among pcq.jpg and pcq.doc, then it delivers pcq.jpg.
Now we come to the directive ‘AllowOverride’. The main configuration file httpd.conf should be allowed to be modified only by the Web administrator. But if the server is hosting many sites (like in case of UserDir, where each person having an account on the Linux machine can host a website or virtual hosting) then the burden of some feature and access control and can be moved to the individual site owner. Such access control information can be typed in a file named .htaccess in the owners Web directory. The name of this file is specified using the ‘AccessFileName’ directive in httpd.conf. The AllowOverride directive specifies what kind of access control information can be typed in a .htaccess file. In case of /var/www/html Web directory the line:
does not allow any access control options in a .htaccess file in this directory. We will talk about the .htaccess file and the AllowOverride directive in details in the next issue along with ‘UserDir’ directive.
The ‘Order’ directive coupled with ‘Allow’ and ‘Deny’ directive can be used to specify which machines or hosts are allowed access to the Web directory. The ‘Order’ directive specifies the order in which ‘Allow’ and ‘Deny’ directive are processed for the Web directory. For example, consider the following case of a private network:
Order allow deny
Allow from all
Deny from 192.168.1.10
Here ‘all’ stands for all machines or hosts. The above three lines mean that allow any machine but the one with the IP address 192.168.1.10 to access the Web directory. If you reverse the order as:
Order deny allow
This means first the Deny directive is processed which denies the access to 192.168.1.10 but when the Allow directive is processed then it allows access to all machines including 192.168. 1.10. In place of IP address range you can also specify a host name, IP address range, CIDR notation (192.168.1.0/24).
After going through all this explanation, take a look at the following lines taken from httpd.conf with the comments stripped off.
Options Indexes Includes FollowSymLinks
Allow from all
The first group of ‘Directory’ directive—enclosed within <Directory> </Directory>—specifies a Web directory “/”. The default value for ‘Options’ directive is ‘All’, which allows all the features on a Web directory except for ‘MultiViews’. This may not be desirable. Hence to override this, a Directory directive for “/”, called ‘parent’ of all Web directories, is defined with only one feature enabled namely ‘FollowSymLinks’. When we further define any Web directory, which will be relative to the parent Web directory, we must explicitly declare a feature to be allowed for it. Hence when the Web directory /var/www/html is specified using the ‘Directory’ directive, the values ‘Indexes’, Includes’ and ‘FollowSymLinks’ are explicitly set for the Options directive.
We will further scroll down httpd.conf in the next issue.