What does <Directory /> entry mean in Apache2 default configuration

6

1

This is from file /etc/apache2/sites-enabled/000-default right after installing apache2 from repositories.

DocumentRoot /var/www
<Directory />
        Options FollowSymLinks
        AllowOverride None
</Directory>
<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
</Directory>

What does that first part set up? To me it looks like DocumentRoot should be / instead of /var/www for that <Directory /> part to have any effect, but I have to be wrong.

Joni

Posted 2010-09-29T18:42:29.487

Reputation: 244

Answers

4

It sets up perms for the root ('/' is a dir in this context, it's not anything to do with closing the tag) and all the way down, unless overridden. Root down => your entire disk. Then it does override it for your DocRoot.

So in this file, it sets up very very restrictive perms (AllowOverride None) on the whole disk, then the next Directory stanza opens it up specifically for your DocRoot.

These restrictive perms on / also speed things up. It allows FollowSymLinks, which means the webserver does NOT have to do an lstat() call on each directory all the way up to root, saving some disk syscalls. AllowOverride None also means you don't have to search for .htaccess files in those directories, cutting some more (slow) disk syscalls. Remember that for every request, the webserver has to consider every directory from the dir the content lives in all the way up to root. With these perms, you short circuit those checks, eliminating hits to disk, which are a real enemy.

Rich Homolka

Posted 2010-09-29T18:42:29.487

Reputation: 27 121

So in <Directory /var/www/>, Options FollowSymLinks and AllowOverride None are redundant? And the reason why those options are set in <Directory /> is because symlinks are enabled and it is possible to "break out" from the /var/www folder? – Joni – 2010-09-29T19:00:06.033

@joni. It depends how you look at it. Now you have 2 stanzas that are independent. You can change one, and know the other will still have the same perms as you thought. And yes, symlinks are one way you can 'break out', but there are others. Edited above some. – Rich Homolka – 2010-09-29T19:35:49.850
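
Added example, not part of the original question or answers: a simplified Python model of how the two `<Directory>` stanzas combine for a given path, and which per-request `.htaccess` opens and `lstat()` checks the answer describes would remain. The function names are hypothetical, and where no stanza applies the code assumes the Apache 2.2 defaults (`Options All`, `AllowOverride All`).

```python
import re
from pathlib import PurePosixPath

PAGE_CONFIG = """
<Directory />
        Options FollowSymLinks
        AllowOverride None
</Directory>
<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
</Directory>
"""  # stanzas quoted in the question; Order/allow lines left out (not modelled)

def parse_directory_sections(conf):
    """Return {dir: {directive: [args]}} for plain (non-regex) <Directory> blocks."""
    sections = {}
    pattern = r"<Directory\s+([^>~*?]+?)\s*>(.*?)</Directory>"
    for path, body in re.findall(pattern, conf, re.S | re.I):
        key = str(PurePosixPath(path.strip('"')))      # "/var/www/" -> "/var/www"
        for parts in map(str.split, body.splitlines()):
            if parts and parts[0].lower() in ("options", "allowoverride"):
                sections.setdefault(key, {})[parts[0].lower()] = parts[1:]
    return sections

def effective(sections, directory, base_options=("All",), base_override=("All",)):
    """Apply matching sections shortest path first (base_* = assumed 2.2 defaults)."""
    options, override = set(base_options), list(base_override)
    target = PurePosixPath(directory)
    for sec in sorted(sections, key=len):
        if target == PurePosixPath(sec) or PurePosixPath(sec) in target.parents:
            opts = sections[sec].get("options")
            if opts and all(o[0] in "+-" for o in opts):   # +/- form merges
                options |= {o[1:] for o in opts if o[0] == "+"}
                options -= {o[1:] for o in opts if o[0] == "-"}
            elif opts:                                      # plain form replaces
                options = set(opts)
            override = sections[sec].get("allowoverride", override)
    return options, override

def per_request_probes(sections, file_path, *base):
    """Simplified model of the extra filesystem probes for one request."""
    path, probes = PurePosixPath(file_path), []
    for comp in [*reversed(path.parents), path]:           # "/", "/var", ... file
        options, override = effective(sections, str(comp), *base)
        if comp != path and [a.lower() for a in override] != ["none"]:
            probes.append(f"open {comp / '.htaccess'}")    # per-directory override lookup
        if comp.parent != comp and not options & {"FollowSymLinks", "All"}:
            probes.append(f"lstat {comp}")                 # symlink check per component
    return probes
```

With the configuration from the question, `per_request_probes(parse_directory_sections(PAGE_CONFIG), "/var/www/site/index.html")` returns an empty list; dropping the `<Directory />` stanza makes the model report `.htaccess` lookups in `/` and `/var`.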