Securing your Web server
2. Securing Apache's default configuration
  


Access control on your server page 8 of 8


Here's a "real-life" access control directive taken directly from the httpd.conf file installed with Apache:


<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Requests for .../apache/htdocs (or its subdirectories) are honored with indexes (when applicable), and symlinks can be followed to the source file. Because AllowOverride is set to None, users cannot override the defined settings by placing less stringent directives in an .htaccess file (more on this in the next section, User authentication). All users are initially denied, then all Allow directives are checked. The first "allow from..." statement found that matches a client's request is honored.

Tip: An easy way to remember how the Order directive functions is to note its last keyword, which in the above example is deny. In this case, the Order directive first denies, then searches the directives that follow for an Allow directive that allows client access.
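
As an added example (not part of the original tutorial), the Python code below evaluates Order, Allow and Deny for a client address, going beyond the page's single block to show a Deny line and the reverse Order. The variant block, the client addresses and the function names are constructed for illustration; every Allow and Deny line is evaluated, and the Order value alone sets the default and decides which side wins when both match.

```python
import ipaddress

# The <Directory> body from the page, plus a constructed variant with a Deny line.
PAGE_BLOCK = """
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
"""
VARIANT_BLOCK = PAGE_BLOCK + "Deny from 10.0.0.0/8\n"  # constructed sample

def parse_access(block):
    """Collect the Order, Allow and Deny settings from a directive block."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the default Order
    for line in block.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def _matches(spec, client_ip):
    # Assumption: only "all" and IP/CIDR specs are handled, not hostnames
    # or partial addresses such as "10.1".
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def is_allowed(block, client_ip):
    """Apply the Order rules to one client address; True means access is granted."""
    order, allow, deny = parse_access(block)
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    if order == "allow,deny":   # default deny; a matching Deny overrides Allow
        return allowed and not denied
    if order == "deny,allow":   # default allow; a matching Allow overrides Deny
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order}")

if __name__ == "__main__":
    for name, block in (("page", PAGE_BLOCK), ("variant", VARIANT_BLOCK)):
        for ip in ("192.0.2.10", "10.1.2.3"):
            print(name, ip, "allowed" if is_allowed(block, ip) else "denied")
```

With the page's block every client is allowed; adding the constructed Deny line blocks 10.1.2.3 under Order allow,deny, while the same two lines under Order deny,allow let it through.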

Next up, user authentication.

