Options directive - Apache

This sort of protection will not help with incorrectly or maliciously placed symbolic links that point outside the /var/www/htdocs web server root. System users could create symbolic links to resources they do not own. If someone creates such a link and the web server can read the resource, it will accept a request to serve the resource to the public. Symbolic link usage and other file access restrictions are controlled with the Options directive (inside a <Directory> directive). The Optionsdirective can have one or more of the following values:

All
   All options listed below exceptMultiViews. This is the default setting.

None
   None of the options will be enabled.

ExecCGI
   Allows execution of CGI scripts.

FollowSymLinks
   Allows symbolic links to be followed.

Includes
   Allows server-side includes.

IncludesNOEXEC
   Allows SSIs but not theexeccommand, which is used
   to execute external scripts. (This setting does not
   affect CGI script execution.)

Indexes
   Allows the server to generate the list of files in a
      directory when a default index file is absent.

MultiViews
   Allows content negotiation.

SymLinksIfOwnerMatch
   Allows symbolic links to be followed if the owner of
   the link is the same as the owner of the file it points
   to.

The following configuration directive will disable symbolic link usage in Apache:

  Options -FollowSymLinks

The minus sign before the option name instructs Apache to keep the existing configuration and disable the listed option. The plus character is used to add an option to an existing configuration.

The Apache syntax for adding and removing options can be confusing. If all option names in a givenOptionsstatement for a particular directory are preceded with a plus or minus character, then the new configuration will be merged with the existing configuration, with the new configuration overriding the old values. In all other cases, the old values will be ignored, and only the new values will be used.

If you need symbolic links consider using theAlias directive, which tells Apache to incorporate an external folder into the web server tree. It serves the same purpose but is more secure. For example, it is used in the default configuration to allow access to the Apache manual:

  Alias /manual/ /usr/local/apache/manual/

If you want to keep symbolic links, it is advisable to turn ownership verification on by setting theSymLinksIfOwnerMatchoption. After this change, Apache will follow symbolic links if the target and the destination belong to the same user:

  Options -FollowSymLinks +SymLinksIfOwnerMatch

Other features you do not want to allow include the ability to have scripts and server-side includes executed anywhere in the web server tree. Scripts should always be placed in special folders, where they can be monitored and controlled.

  Options -Includes -ExecCGI

If you do not intend to use content negotiation (to have Apache choose a file to serve based on the client’s language preference), you can (and should) turn all of these features off in one go:

  Options None

Modules sometimes use the settings determined with theOptions directive to allow or deny access to their features. For example, to be able to use mod_rewrite in per-directory configuration files, theFollowSymLinks option must be turned on.