9.2. Using Access Files

But this isn't delegating control. We have allowed for variation in subdirectories but we have not truly delegated the controls to anyone who cannot rewrite the configuration file and tell the server to reread it. We need a means to delegate control of a subdirectory into the subdirectory itself.

The AccessFileName command names a file (or set of files) that will be looked for within the directory being served and whose contents will be regarded as if they had been inside a <Directory> block for that specific directory. The name of the command tells of its origins; it was used to set the access rights for a directory tree. It is, however, a fully generic delegated configuration, not just delegated access control.

The default file name used, .htaccess, also reflects its history as a delegated access control mechanism. It is also traditionally a "dot file" to hide it from the index listings. It's far better to list the file name in an IndexIgnore statement and to give it a plain file name so the conventional Unix utilities will actually show you it's there.

So we could copy the contents of the <Directory /var/www/WWW/games> block to /var/www/WWW/games/configuration and the contents of the <Directory /var/www/WWW/bestiary> block to /var/www/WWW/bestiary/configuration.

There may be certain properties that you don't want the users messing with. To this end there is limited support for restricting what the users can override with their delegated configurations. This is controlled via the AllowOverride command. For the time being we will allow users to mess with everything.

AccessFileName  configuration
IndexIgnore     configuration
<Directory /srv/www/>
  AllowOverride All
</Directory>

A suitable configuration for the /games/ directory might be:

DirectoryIndex      main.html index.html

This puts the control of the files in the hands of the people who have access to the directories.

Once configured, these files are searched for and read by Apache every time it accesses the directories in which they appear. This has the advantage that you don't have to restart the web server to make changes to them visible (which is vital since the people that use these files don't normally have the rights to restart Apache). The downside is that Apache has to do more work to serve every request.

The AllowOverride command is rather unsatisfactory - it allows the controllers of httpd.conf to stop the Options command being used in the AccessFileName files, but not to specify which options can and can't be set. It can specify what you can do with IndexOptions but not whether or not you can enable/disable indexes at all. It has many limitations.

Simple uses of AllowOverride

AllowOverride None

The delegated configuration files aren't even read. Their content is entirely ignored.

AllowOverride All

Any command that is syntactically legal in the delegated configuration file is allowed to have effect.

AllowOverride Options

The delegated configuration file is allowed to run the Options command. There is no mechanism to control which of its arguments are permitted.

AllowOverride Indexes

The delegated configuration file is allowed to run the IndexOptions command and all the commands that modify the index. This does not permit the use of Options [+|-]Indexes; you need AllowOverride Options for that.
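
The four AllowOverride settings above, modelled as an added Python example that is not part of the original notes or of Apache: it reports which lines of a delegated configuration file each setting lets through. The name check_access_file, the verdict strings and the GAMES_FILE sample are assumptions made for the illustration; the placing of DirectoryIndex and IndexIgnore in the Indexes class follows the Apache documentation, and whether a directive is syntactically legal is not checked.

```python
# Added example: models only the four AllowOverride settings this section lists.
# The table covers the directives named in this section; any other directive
# is reported as "unknown" rather than guessed.
OVERRIDE_CLASS = {
    "options": "Options",
    "indexoptions": "Indexes",
    "indexignore": "Indexes",
    "directoryindex": "Indexes",
}

def check_access_file(allow_override, access_file_text):
    """Return {directive line: verdict} for a delegated configuration file.

    allow_override: arguments of the AllowOverride line in force, e.g. ["Indexes"].
    Verdicts: "not read", "permitted", "refused", "unknown".
    """
    classes = {a.lower() for a in allow_override}
    verdicts = {}
    for raw in access_file_text.splitlines():
        line = " ".join(raw.split())          # normalise runs of whitespace
        if not line or line.startswith("#"):
            continue                          # skip blanks and comments
        needed = OVERRIDE_CLASS.get(line.split()[0].lower())
        if "none" in classes:
            verdicts[line] = "not read"       # the file is ignored entirely
        elif "all" in classes:
            verdicts[line] = "permitted"      # assumes the line is legal syntax
        elif needed is None:
            verdicts[line] = "unknown"        # class not covered by the table
        elif needed.lower() in classes:
            verdicts[line] = "permitted"
        else:
            verdicts[line] = "refused"
    return verdicts

# Constructed sample: the /games/ file from this section plus one Options line.
GAMES_FILE = """\
DirectoryIndex      main.html index.html
Options +Indexes
"""

if __name__ == "__main__":
    for setting in (["None"], ["All"], ["Options"], ["Indexes"]):
        print("AllowOverride", *setting)
        for line, verdict in check_access_file(setting, GAMES_FILE).items():
            print(f"  {verdict:9}  {line}")
```

Under AllowOverride Indexes the DirectoryIndex line is permitted while Options +Indexes is refused, which is the split described in the last paragraph above.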