<p>There are two basic types of containers. Most containers are
evaluated for each request. The enclosed directives are applied only
for those requests that match the containers. The <code class="directive"><a href="./mod/core.html#ifdefine"><IfDefine></a></code> and <code class="directive"><a href="./mod/core.html#ifmodule"><IfModule></a></code> containers, on the
other hand, are evaluated only at server startup and restart. If
their conditions are true at startup, then the enclosed directives
will apply to all requests. If the conditions are not true, the
directive is very similar, except it encloses directives that will
only be applied if a particular module is available in the server.
The module must either be statically compiled in the server, or it
must be dynamically compiled and its <code class="directive"><a href="./mod/mod_so.html#loadmodule">LoadModule</a></code> line must be earlier in the
configuration file. This directive should only be used if you need
your configuration file to work whether or not certain modules are
installed. It should not be used to enclose directives that you want
to work all the time, because it can suppress useful error messages
about missing modules.</p>
<p>In the following example, the <code class="directive"><a href="./mod/mod_mime_magic.html#mimemagicfiles">MimeMagicFiles</a></code> directive will be
applied only if <code class="module"><a href="./mod/mod_mime_magic.html">mod_mime_magic</a></code> is available.</p>
directives can each use shell-style wildcard characters as in
<code>fnmatch</code> from the C standard library. The character "*"
matches any sequence of characters, "?" matches any single character,
and "[<em>seq</em>]" matches any character in <em>seq</em>. The "/"
character will not be matched by any wildcard; it must be specified
explicitly.</p>
<p>If even more flexible matching is required, each
container has a regular-expression (regex) counterpart <code class="directive"><a href="./mod/core.html#directorymatch"><DirectoryMatch></a></code>, <code class="directive"><a href="./mod/core.html#filesmatch"><FilesMatch></a></code>, and <code class="directive"><a href="./mod/core.html#locationmatch"><LocationMatch></a></code> that allow
to be used in choosing the matches. But see the section below on
configuration merging to find out how using regex sections will change
how directives are applied.</p>
<p>A non-regex wildcard section that changes the configuration of
all user directories could look as follows:</p>
<div class="example"><p><code>
<Directory /home/*/public_html><br />
Options Indexes<br />
</Directory>
</code></p></div>
<p>Using regex sections, we can deny access to many types of image files
at once:</p>
<div class="example"><p><code>
<FilesMatch \.(?i:gif|jpe?g|png)$><br />
Order allow,deny<br />
Deny from all<br />
</FilesMatch>
</code></p></div>
<h3><a name="whichwhen" id="whichwhen">What to use When</a></h3>
<p>Choosing between filesystem containers and webspace containers is
actually quite easy. When applying directives to objects that reside
in the filesystem always use <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> or <code class="directive"><a href="./mod/core.html#files"><Files></a></code>. When applying directives to objects
that do not reside in the filesystem (such as a webpage generated from
a database), use <code class="directive"><a href="./mod/core.html#location"><Location></a></code>.</p>
<p>It is important to never use <code class="directive"><a href="./mod/core.html#location"><Location></a></code> when trying to restrict
access to objects in the filesystem. This is because many
different webspace locations (URLs) could map to the same filesystem
location, allowing your restrictions to be circumvented.
For example, consider the following configuration:</p>
<div class="example"><p><code>
<Location /dir/><br />
Order allow,deny<br />
Deny from all<br />
</Location>
</code></p></div>
<p>This works fine if the request is for
<code>http://yoursite.example.com/dir/</code>. But what if you are on
a case-insensitive filesystem? Then your restriction could be easily
circumvented by requesting
<code>http://yoursite.example.com/DIR/</code>. The <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> directive, in
contrast, will apply to any content served from that location,
regardless of how it is called. (An exception is filesystem links.
The same directory can be placed in more than one part of the
filesystem using symbolic links. The <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> directive will follow the symbolic
link without resetting the pathname. Therefore, for the highest level
of security, symbolic links should be disabled with the appropriate
works only in <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code>
sections.</li>
<li>The <code>FollowSymLinks</code> and
<code>SymLinksIfOwnerMatch</code> <code class="directive"><a href="./mod/core.html#options">Options</a></code> work only in <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> sections or
and <code class="directive"><a href="./mod/core.html#locationmatch"><LocationMatch></a></code> done simultaneously</li>
</ol>
<p>Apart from <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code>, each group is processed in
the order that they appear in the configuration files. <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> (group 1 above)
is processed in the order shortest directory component to longest.
So for example, <code><Directory /var/web/dir></code> will
be processed before <code><Directory
/var/web/dir/subdir></code>. If multiple <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> sections apply
to the same directory they are processed in the configuration file
order. Configurations included via the <code class="directive"><a href="./mod/core.html#include">Include</a></code> directive will be treated as if
they were inside the including file at the location of the
<p>Below is an artificial example to show the order of
merging. Assuming they all apply to the request, the directives in
this example will be applied in the order A > B > C > D >
E.</p>
<div class="example"><p><code>
<Location /><br />
E<br />
</Location><br />
<br />
<Files f.html><br />
D<br />
</Files><br />
<br />
<VirtualHost *><br />
<Directory /a/b><br />
B<br />
</Directory><br />
</VirtualHost><br />
<br />
<DirectoryMatch "^.*b$"><br />
C<br />
</DirectoryMatch><br />
<br />
<Directory /a/b><br />
A<br />
</Directory><br />
<br />
</code></p></div>
<p>For a more concrete example, consider the following. Regardless of
any access restrictions placed in <code class="directive"><a href="./mod/core.html#directory"><Directory></a></code> sections, the <code class="directive"><a href="./mod/core.html#location"><Location></a></code> section will be
evaluated last and will allow unrestricted access to the server. In
other words, order of merging is important, so be careful!</p>
<div class="example"><p><code>
<Location /><br />
Order deny,allow<br />
Allow from all<br />
</Location><br />
<br />
# Woops! This <Directory> section will have no effect<br />
<Directory /><br />
Order allow,deny<br />
Allow from all<br />
Deny from badguy.example.com<br />
</Directory>
</code></p></div>
</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="./en/sections.html" title="English"> en </a> |
<a href="./ja/sections.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
<a href="./ko/sections.html" hreflang="ko" rel="alternate" title="Korean"> ko </a></p>
</div><div id="footer">
<p class="apache">Copyright 1999-2004 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>