14.5 Configuring Apache Containers

14.5.1 About Nested Containers

Apache containers are special directives that group other directives, often to create separate web directory hierarchies with different characteristics. A container is delimited by the XML-style tags <type> and </type>, where type is the container type.

The following are examples of container types:

<Directory directory-path>

Applies the contained directives to directories under directory-path. The following example applies the Deny, Allow, and AllowOverride directives to all files and directories under /var/www/html/sandbox.

<Directory /var/www/html/sandbox>
  Deny from all
  Allow from 192.168.2.
  AllowOverride All
</Directory>

The AllowOverride directive is only used in Directory containers and specifies which classes of directives are allowed in .htaccess files. (.htaccess configuration files typically contain user authentication directives for a web directory.) The directive classes control such aspects as authorization, client access, and directory indexing. You can specify the argument All to permit all classes of directives in .htaccess files, a space-separated list of directive classes to permit only those classes, or None to make the server ignore .htaccess files altogether.

Note

If SELinux is enabled on the system, you must change the default file type if the file system hierarchy specified by <Directory> is not under /var/www/html.

<IfModule [!]module>

Applies directives if the specified module has been loaded, or, when the exclamation point (!) is specified, if the module has not been loaded.

The following example disallows user-published content if mod_userdir.c has been loaded:

<IfModule mod_userdir.c>
  UserDir disabled
</IfModule>
<Limit method ...>

Places limits on the specified HTTP methods (such as GET, OPTIONS, POST, and PUT) for use with a Uniform Resource Identifier (URI).

The following example limits systems in mydom.com to using only the GET and PUT methods to perform HTTP downloads and uploads:

<Limit GET PUT>
  Order deny,allow
  Deny from all
  Allow from .example.com
</Limit>

Systems outside mydom.com cannot use GET and PUT with the URI.

<LimitExcept method ...>

Places limits on all except the specified HTTP methods for use with a Uniform Resource Identifier (URI).

The following example disallows any system from using any method other than GET and POST:

<LimitExcept GET POST>
  Order deny,allow
  Deny from all
</Limit>
VirtualHost IP_address:port ...

Specifies a group of directives that define a container for a virtual host. See Section 14.6, “Configuring Apache Virtual Hosts”.

14.5.1 About Nested Containers

The following example illustrates how you can nest containers, using <Limit> and <LimitExcept> containers to permit GET, POST, and OPTIONS to be used with user directories under /home/*/public_html.

<Directory /home/*/public_html>
  AllowOverride FileInfo AuthConfig Limit
  Options MultiViews Indexes SymLinksIfOwnerMatch \
  IncludesNoExec
  <Limit GET POST OPTIONS>
    Order allow,deny
    Allow from all
  </Limit>
  <LimitExcept GET POST OPTIONS>
    Order deny,allow
    Deny from all
  </LimitExcept>
</Directory>

In the example, the AllowOverride directive specifies the following directive classes:

AuthConfig

Permits the use of the authorization directives.

FileInfo

Permits the use of directives that control document types.

Limit

Permits the use of directives that control host access.

The Options directive controls the features of the server for the directory hierarchy, for example:

FollowSymLinks

Follow symbolic links under the directory hierarchy.

Includes

Permits server-side includes.

IncludesNoExec

Prevents the server from running #exec cmd and #exec cgi server-side includes.

Indexes

Generates a web directory listing if the DirectoryIndex directive is not set.

MultiViews

Allows the server to determine the file to use that best matches the client's requirements based on the MIME type when several versions of the file exist with different extensions.

SymLinksIfOwnerMatch

Allows the server to follow a symbolic link if the file or directory being pointed to has the same owner as the symbolic link.

For more information, see http://httpd.apache.org/docs/current/mod/directives.html.