AllowOverride can be set to All or to any combination of Options, FileInfo, AuthConfig, and Limit. These options are explained in Table 17.3.

TABLE 17.3 Switches Used by the AllowOverride Directive

Switch      Description
Options     The .htaccess file can add options not listed in the Options directive for this directory.
FileInfo    The .htaccess file can include directives for modifying document type information.
AuthConfig  The .htaccess file might contain authorization directives.
Limit       The .htaccess file might contain allow, deny, and order directives.

File System Authentication and Access Control

You're likely to include material on your website that isn't supposed to be available to the public. You must be able to lock out this material from public access and provide designated users with the means to unlock the material. Apache provides two methods for accomplishing this type of access: authentication and authorization. You can use different criteria to control access to sections of your website, including checking the client's IP address or hostname, or requiring a username and password. This section briefly covers some of these methods.

CAUTION

Allowing individual users to put web content on your server poses several important security risks. If you're operating a web server on the Internet rather than on a private network, you should read the WWW Security FAQ at http://www.w3.org/Security/Faq/www-security-faq.html.

Restricting Access with allow and deny

One of the simplest ways to limit access to website material is to restrict access to a specific group of users, based on IP addresses or hostnames. Apache uses the allow and deny directives to accomplish this.

Both directives take an address expression as a parameter. The following list provides the possible values and use of the address expression:

> all, which affects all hosts.

> A hostname or domain name, which can either be a partially or a fully qualified domain name; for example, test.gnulix.org or gnulix.org.

> An IP address, which can be either full or partial; for example, 212.85.67 or 212.85.67.66.

> A network/netmask pair, such as 212.85.67.0/255.255.255.0.

> A network address specified in classless inter-domain routing (CIDR) format; for example, 212.85.67.0/24. This is the CIDR notation for the same network and netmask that were used in the previous example.

If you have the choice, it's preferable to base your access control on IP addresses rather than hostnames. Doing so results in faster performance because no name lookup is necessary — the IP address of the client is included with each request.

You can also use allow and deny to grant or refuse access to website material based on the presence or absence of a specific environment variable. For example, the following statement denies access to any request whose environment contains a variable named NOACCESS:

deny from env=NOACCESS

By default, Apache evaluates all the deny directives first and then checks the allow directives. If you want to change this order, use the Order directive, which accepts one of three values:

Order deny,allow — The deny directives are evaluated before the allow directives. If a host isn't specifically denied access, it is allowed to access the resource. This is the default ordering if nothing else is specified.

Order allow,deny — All allow directives are evaluated before deny directives. If a host isn't specifically allowed access, it is denied access to the resource.

Order mutual-failure — Only hosts that are specified in an allow directive and at the same time do not appear in a deny directive are allowed access. If a host doesn't appear in either directive, it is not granted access.

Consider this example. Suppose that you want to allow only people from within your own domain to access the server-status resource on your website. If your domain were named gnulix.org, you could add these lines to your configuration file:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from gnulix.org
</Location>
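To make the three Order values concrete, here is an added Python model (not code from the book or from Apache itself) of how allow and deny matches combine, covering the all, partial-IP, domain-suffix, network/netmask, CIDR and env= address forms described above. The function names and the sample clients are my own constructions; the server_status_demo reproduces the <Location /server-status> block from the text.

```python
"""Model of Apache allow/deny/Order evaluation (added example, not Apache source)."""
import ipaddress


def matches(expr, ip, host, env):
    """Return True if one allow/deny address expression matches the request."""
    if expr == "all":
        return True
    if expr.startswith("env="):                 # deny from env=NOACCESS
        return expr[4:] in env
    if "/" in expr:                             # 212.85.67.0/24 or 212.85.67.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)
    if expr[0].isdigit():                       # full IP, or partial IP matched on octet boundaries
        return ip == expr or ip.startswith(expr.rstrip(".") + ".")
    # Hostname or domain: only whole labels count, so gnulix.org matches
    # test.gnulix.org but not notgnulix.org; a client with no reverse DNS never matches.
    return host is not None and (host == expr or host.endswith("." + expr))


def access_allowed(order, allows, denies, ip, host=None, env=()):
    """Combine Allow and Deny matches according to the Order directive."""
    allowed = any(matches(e, ip, host, env) for e in allows)
    denied = any(matches(e, ip, host, env) for e in denies)
    if order == "deny,allow":       # denies first; an allow overrides; unmatched hosts get in
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied   # must be allowed and not denied; unmatched hosts are refused
    raise ValueError("unknown Order value: " + order)


def server_status_demo():
    """The <Location /server-status> block from the text, tried with constructed clients."""
    cfg = dict(order="deny,allow", allows=["gnulix.org"], denies=["all"])
    return {
        "www.gnulix.org": access_allowed(ip="212.85.67.66", host="www.gnulix.org", **cfg),
        "notgnulix.org": access_allowed(ip="198.51.100.7", host="notgnulix.org", **cfg),
        "no reverse DNS": access_allowed(ip="198.51.100.8", host=None, **cfg),
    }


if __name__ == "__main__":
    for client, ok in server_status_demo().items():
        print(f"{client:16} {'allowed' if ok else 'denied'}")
```

Note that the same pair of rules (Allow from all, Deny from 212.85.67) admits the host under deny,allow and refuses it under allow,deny, which is exactly why the Order line must be chosen deliberately.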

Authentication
