access.conf - Detailed Explanation

Table of Contents

• Introduction
• Directory Sections
• Access Overrides
• Server Options
• Authorization Directives
• Access Limiting Sections
• Resource Directives

Access control for an httpd server is configured by means of one or more Access Control Files (ACFs). There is a global ACF and one or more per-directory ACFs.

The global ACF is a required server configuration file located in the conf directory. The exact location is specified by the AccessConfig directive of httpd.conf. It can contain access controls for any directories on the server.

Per-directory ACFs are files named by the AccessFileName directive of srm.conf. They can contain access controls for that directory and any subdirectories.

Access control directives can be placed into groups. The following sections describe these groups of directives. Each section lists the directives it contains and provides links to the NCSA documentation for each directive.

Directory sections specify the access information for a single directory or pattern of directories. They are specified using the Directory directive.

• Directory

  All access control directives are applied to a specific set of directories. In the global ACF, these directories must be named by directory section directives. The syntax for a directory section is similar to a pair of HTML tags:

  <Directory dir>
  ...
  access control directives
  ...
  </Directory>
  

  dir is an identifier for the directory where the access control directives will apply. It can contain wildcards.

  For a per-directory ACF, a directory section directive is already implied, in effect it encloses the entire contents of the file. The dir to which it applies is the directory where it resides.

  In either case, directory sections apply to all their subdirectories unless overridden by another ACF.

• AllowOverride

  The AllowOverride directive can appear only in the global ACF. It determines which server access control features can be controlled by directives in the per-directory ACFs. The syntax is:

  AllowOverride override-list
  

  where override-list contains one or more of the following:

  • None
    ACFs are not allowed in this directory.
  • All
    ACFs are unrestricted in this directory.
  • Options
    Allow use of the Options directive.
  • FileInfo
    Allow use of the AddType and AddEncoding directives.
  • AuthConfig
    Allow use of the authorization directives
  • Limit
    Allow use of the access limiting directives

• Options

  The Options directive determines which server features can be controlled by directives in the per-directory ACFs. The syntax is:

  Options options-list
  

  where options-list contains one or more of the following:

  • None
    No features are enabled for in directory.
  • All
    All features are enabled for in directory.
  • FollowSymLinks
    The server will follow symbolic links in this directory.
  • SymLinksIfOwnerMatch
    The server will only follow symbolic links for which the target file/directory is owned by the same user id as the link.
  • ExecCGI
    Execution of CGI scripts is allowed in this directory.
  • Includes
    Server side include files are enabled in this directory.
  • Indexes
    The server allows users to request automatically generated directory indexes in this directory. Disabling this option disables ONLY the server-generated indexes. It does not stop the erver from sending any precompiled index file it may find in here.
  • IncludesNoExec
    This enables server side includes in the directory, but disables the exec feature.

With browsers that support user authentication, it is possible to require users to enter a name and password before accessing a protected document. These directives control the authentication support in the server.

• AuthName

  The AuthName directive sets the name of the authorization realm for a directory. This is so your users will know which username and password to use. The syntax is:

  AuthName name
  

  where name is the name of the authorization realm.

• AuthType

  The AuthType directive sets the type of authorization used in a directory. The syntax is:

  AuthType type
  

  where type is "Basic", the only type currently supported.

• AuthUserFile

  The AuthUserFile directive specifies the user file to be used for authentication. The user file can be created with the htpasswd support program. The syntax is:

  AuthUserFile path
  

  where path is the absolute path of a user file.

• AuthGroupFile

  The AuthGroupFile directive directive specifies the group file to be used for authentication. The format of a group file is a series of lines containing a group name immediately followed by a colon, then a list of members separated by spaces. The syntax is:

  AuthGroupFile path
  

  where path is the absolute path of a group file.

Access limiting sections allow or deny access to documents within a directory based on the name of the host trying to retrieve them. They are specified using the Limit directive.

• Limit

  All access limiting directives must appear inside of a limit section. The syntax for a limit section is similar to a pair of HTML tags:

  <Limit method-list>
  ...
  limiting directives
  ...
  </Limit>
  

  where method-list contains one or more of the following:

  • GET
    Allows clients to retrieve documents and execute scripts.
  • PUT
    Not yet implemented.
  • POST
    Not fully implemented. Currently, allows clients to use POST scripts.

  Only the following directives are allowed inside of a limit section:

  • order

    The order directive affects the order in which deny and allow directives are evaluated within a Limit section. The syntax is:

    order ord
    

    where is one of the following:

    • deny,allow
      Deny directives are evaluated before the allow directives.
    • allow,deny
      Allow directives are evaluated before the deny directives.
    • mutual-failure
      With this order, you specify specific hosts which must be allowed or denied. Any host appearing on the allow list is allowed, and any list on the deny list is denied. Any appearing on neither is denied.

  • deny

    The deny directive specifies hosts which will be denied access. The syntax is:

    deny from host-list
    

    where host-list contains one or more hosts specified in one of the following ways:

    • A domain name
      A domain name, like .chem.uci.edu, which host names must end in to be denied.
    • A host name
      
    • A full IP address
      
    • A partial IP address
      The first 1-3 bytes of an IP address, for subnet restriction.
    • The keyword all
      This means that all hosts will be denied.

  • allow

    The deny directive specifies hosts which will be allowed access. The syntax is:

    allow from host-list
    

    where host-list contains one or more hosts specified in one of the following ways:

    • A domain name
      A domain name, like .chem.uci.edu, which host names must end in to be allowed.
    • A host name
      
    • A full IP address
      
    • A partial IP address
      The first 1-3 bytes of an IP address, for subnet restriction.
    • The keyword all
      This means that all hosts will be allowed.

  • require

    The syntax is:

    require entity entity-list
    

    where entity is of the following:

    • user
      Only the named users can access this directory with the given methods.
    • group
      Only users in the named groups can access this directory with the given methods.
    • valid-user
      All of the users defined in the AuthUserFile are allowed access upon providing a valid password.

    and entity-list is a list of named entities.

Many directives that you can use in directory sections of an ACF are exactly the same as directives from srm.conf, with the exception of the scope where they are in effect. These duplicated directives are:

• The following directives apply to both the global and per-directory ACFs.
  • AddType
  • AddEncoding
  • AddIcon
  • IndexIgnore
  • DefaultIcon
  • ReadmeName

• The following directives apply only to per-directory ACFs.
  • DefaultType
  • AddDescription