Using .htaccess Configuration Files

Apache also supports special configuration files, known as .htaccess files. Almost any directive that appears in httpd.conf can appear in an .htaccess file. This file, named by the AccessFileName directive in httpd.conf (or in srm.conf prior to version 1.3.4), sets configuration on a per-directory basis (usually in a user directory). As the system administrator, you can specify both the name of this file and which of the server configurations can be overridden by its contents. This is especially useful for sites with multiple content providers, where you want to control what those people can do with their spaces.

To limit which server configurations the .htaccess files can override, use the AllowOverride directive. AllowOverride can be set globally or per directory. For example, in your httpd.conf file, you could use the following:

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, it's best to configure the "default" to be a very restrictive set of
# permissions.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

Options Directives

To configure which configuration options are available to Apache by default, you must use the Options directive. Options can be None; All; or any combination of Indexes, Includes, FollowSymLinks, ExecCGI, and MultiViews. MultiViews isn't included in All and must be specified explicitly. These options are explained in Table 17.2.

TABLE 17.2 Switches Used by the Options Directive

Switch Description
None None of the available options are enabled for this directory.
All All the available options, except for MultiViews, are enabled for this directory.
Indexes In the absence of an index.html file or another DirectoryIndex file, a listing of the files in the directory is generated as an HTML page for display to the user.
Includes Server-side includes (SSIs) are permitted in this directory. This can also be written as IncludesNoExec if you want to allow includes but don't want to allow the exec option in them. For security reasons, this is usually a good idea in directories over which you don't have complete control, such as UserDir directories.
FollowSymLinks Allows access to directories that are symbolically linked to a document directory. You should never set this globally for the whole server and only rarely for individual directories. This option is a potential security risk because it allows web users to escape from the document directory and could potentially allow them access to portions of your file system where you really don't want people poking around.
ExecCGI CGI programs are permitted in this directory, even if it isn't a directory defined in the ScriptAlias directive.
MultiViews This is part of the mod_negotiation module. When a client requests a document that can't be found, the server tries to figure out which document best suits the client's requirements. See http://localhost/manuals/mod/_mod_negotiation.html for your local copy of the Apache documentation.

NOTE

These directives also affect all subdirectories of the specified directory.

AllowOverride Directives

The AllowOverride directive specifies which configuration options .htaccess files can override. You can set this directive individually for each directory; for example, you can apply different standards to what can be overridden in the main document root and in UserDir directories. This capability is particularly useful for user directories, where the user has no access to the main server configuration files.

AllowOverride can be set to All or any combination of Options, FileInfo, AuthConfig, and Limit. These options are explained in Table 17.3.

TABLE 17.3 Switches Used by the AllowOverride Directive

Switch Description
Options The .htaccess file can add options not listed in the Options directive for this directory.
FileInfo The .htaccess file can include directives for modifying document type information.
AuthConfig The .htaccess file might contain authorization directives.
Limit The .htaccess file might contain allow, deny, and order directives.
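As an added example (not from the book), here is the policy of Tables 17.2 and 17.3 applied to a server with user directories: a restrictive default, a document root that never honours .htaccess, a user-directory block that lets owners protect their pages but not turn on CGI or symlink following, and the .htaccess a user could then write. The paths, the network range and the user name are assumptions.

```apache
# httpd.conf -- added example, not the book's configuration.

# Restrictive default for the whole file system: no options, and nothing
# overridable, so any .htaccess found here is ignored.
<Directory />
    Options None
    AllowOverride None
</Directory>

# Document root: listings and SSI without #exec; FollowSymLinks and
# ExecCGI stay off, and .htaccess files still cannot change anything.
<Directory /var/www/html>
    Options Indexes IncludesNoExec
    AllowOverride None
</Directory>

# User directories (public_html via UserDir). Owners may add password
# protection (AuthConfig) and host-based rules (Limit). Options and
# FileInfo are withheld, so an .htaccess cannot enable ExecCGI or
# FollowSymLinks, or remap handlers for files in the directory.
<Directory /home/*/public_html>
    Options IncludesNoExec
    AllowOverride AuthConfig Limit
</Directory>

# /home/alice/public_html/private/.htaccess -- what a user may now write.
# Every directive below falls under AuthConfig or Limit, so it takes effect.
AuthType Basic
AuthName "Alice's private pages"
AuthUserFile /home/alice/.htpasswd
Require valid-user
<Limit GET POST>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Limit>

# Had the file also contained the line below, Apache would refuse requests
# for the directory with a 500 error ("Options not allowed here"), because
# the Options override class is not granted for user directories:
#   Options +ExecCGI
```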

File System Authentication and Access Control

You're likely to include material on your website that isn't supposed to be available to the public. You must be able to lock out this material from public access and provide designated users with the means to unlock the material. Apache provides two methods for accomplishing this type of access: authentication and authorization. You can use different criteria to control access to sections of your website, including checking the client's IP address or hostname, or requiring a username and password. This section briefly covers some of these methods.

CAUTION

Allowing individual users to put web content on your server poses several important security risks. If you're operating a web server on the Internet rather than on a private network, you should read the WWW Security FAQ at http://www.w3.org/Security/Faq/www-security-faq.html.