In addition to serving any file it can access by default, Apache also by default allows parts of configuration data to be placed under the web server tree, in files normally named .htaccess. Configuration information in such files can override the information in the httpd.conf configuration file. Though this can be useful, it slows down the server (because Apache is forced to check whether the file exists in any of the sub-folders it serves) and allows anyone who controls the web server tree to have limited control of the web server. This feature is controlled with the AllowOverride directive, which, like Options, appears within the <Directory> directive specifying the directory to which the options apply. TheAllowOverride directive supports the following options:
AuthConfig Allows use (in .htaccess files) of the authorization directives (explained in Chapter 7)
FileInfo Allows use of the directives controlling document types
Indexes Allows use of the directives controlling directory indexing
Limit Allows use of the directives controlling host access
Options Allows use of the directives controlling specific directory functions (theOptions andXbitHack directives)
All Allows all options listed
None Ignores .htaccess configuration files
For our default configuration, we choose theNone option. So, our <Directory>directives are now:
<Directory /> Order Deny,Allow Deny from all Options None AllowOverride None </Directory>
<Directory /var/www/htdocs> Order Allow,Deny Allow from all </Directory>
Modules sometimes useAllowOverridesettings to make other decisions as to whether something should be allowed. Therefore, a change to a setting can have unexpected consequences. As an example, includingOptionsas one of theAllowOverride options will allow PHP configuration directives to be used in .htaccess files. In theory, every directive of every module should fit into one of theAllowOverridesettings, but in practice it depends on whether their respective developers have considered it.
