httpd-dev mailing list archives

From: "Roy T. Fielding" <field...@kiwi.ics.uci.edu>
Subject: Re: directory restrictions in access.conf-dist
Date: Sun, 10 Aug 1997 11:45:51 GMT

>I propose consolidating them into one Directory section covering /.  It
>has the advantage of not making people edit access.conf depending on where
>they install Apache.

That would be a bad configuration on any machine.  A good configuration
always starts with something like

<Directory />
Options FollowSymLinks
AllowOverride None
order allow,deny
deny from all
</Directory>

and proceeds after that with more permissive sections like

<Directory /extra/fielding0/private/ws/apache/htdocs>
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride All
order allow,deny
allow from all
</Directory>

<Directory /extra/fielding0/private/ws/apache/icons>
Options Indexes MultiViews
AllowOverride None
order allow,deny
allow from all
</Directory>

<Directory /extra/fielding0/private/ws/apache/cgi-bin>
AllowOverride None
Options None
order allow,deny
allow from all
</Directory>

This provides for both a more efficient directory_walk and doesn't
immediately open any (additional) security holes.

If you want to make the default configuration easier, then I suggest
finding a way to make the argument of <Directory> a pathname relative
to the server root.

....Roy
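
A static check for the pattern described in the message above (a restrictive `<Directory />` first, then explicit sections that re-open access), added here as an example; it is not part of the original message or of Apache. The names `parse_sections` and `audit`, the sample configs and the path `/usr/local/apache/htdocs` are constructed for illustration, and the check reads directive text only, without emulating how Apache merges sections.

```python
import re
SECTION_RE = re.compile(r"<Directory\s+(.+?)>(.*?)</Directory>", re.S | re.I)

def parse_sections(conf):
    """Map each <Directory> path to {directive (lowercased): [argument strings]}."""
    sections = {}
    for path, body in SECTION_RE.findall(conf):
        directives = sections.setdefault(path.strip().strip('"'), {})
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                args = " ".join(parts[1].split()).lower() if len(parts) > 1 else ""
                directives.setdefault(parts[0].lower(), []).append(args)
    return sections

def audit(conf):
    """Return (findings about <Directory />, sorted paths that re-open access)."""
    sections = parse_sections(conf)
    root, findings = sections.get("/"), []
    if root is None:
        findings.append("no <Directory /> section sets a restrictive default")
    else:
        if "from all" not in root.get("deny", []):
            findings.append("<Directory /> lacks 'deny from all'")
        if "from all" in root.get("allow", []):
            findings.append("<Directory /> has 'allow from all'")
        if root.get("allowoverride") != ["none"]:
            findings.append("<Directory /> lacks 'AllowOverride None'")
    opened = sorted(p for p, d in sections.items()
                    if p != "/" and "from all" in d.get("allow", []))
    return findings, opened

# Constructed sample inputs; /usr/local/apache/htdocs is a placeholder path.
DEFAULT_DENY = """<Directory />
AllowOverride None
order allow,deny
deny from all
</Directory>
<Directory /usr/local/apache/htdocs>
AllowOverride All
order allow,deny
allow from all
</Directory>"""
SINGLE_ROOT = """<Directory />
AllowOverride All
order allow,deny
allow from all
</Directory>"""
print(audit(DEFAULT_DENY), audit(SINGLE_ROOT))
```

The `opened` list is the part to review by hand: every path in it is a place where the default deny has been lifted on purpose.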
