Options and Aliases

Sections that will be covered in the exam look like this.

Options

The options directive controls features of the web server that are useful, but are also security risks. It is the responsibility of the web administrator to decide which of these features will be enabled on the server. The biggest security risk is the addition of user directories on the server. If the abilities in the options directive are given to normal users, then many areas of your local file system can be opened to the web.

More than one parameter can be specified in the options directive by separating them with a space. For example:
options Includes Indexes Multiviews
An option can also be added to or removed from the current set by prefixing it with a + or - sign. For example:
options +ExecCGI -FollowSymLinks
This would add ExecCGI and remove FollowSymLinks from the current set of options.

These are the possible parameters for the options directive.

All
All options except for MultiViews. This is the default setting.
ExecCGI
Execution of CGI scripts is permitted.
FollowSymLinks
The server will follow symbolic links in this directory.
Note: even though the server follows the symlink it does not change the pathname used to match against <Directory> sections.
Note: this option gets ignored if set inside a <Location> section.
Includes
Server-side includes are permitted.
IncludesNOEXEC
Server-side includes are permitted, but the #exec command and #exec CGI are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories.
Indexes
If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then the server will return a formatted listing of the directory.
MultiViews
Content negotiated MultiViews are allowed.
SymLinksIfOwnerMatch
The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.
Note: this option gets ignored if set inside a <Location> section.

Enabling Options vs. Activating Options

The options directive activates certain features of the server, but it is usually necessary to place some statements in the configuration files in order to enable the features. Think of activating as the ON/OFF switch on a cell phone. Think of enabling as the battery for the cell phone. You cannot make a call on the phone if you don't have a battery.

Multiviews
This controls content negotiation and language negotiation. Content negotiation is always enabled on the server, so all that is needed is the options directive to activate it. However, language negotiation is not enabled on the server by default, so statements must be added to the configuration files in order to enable it. AddLanguage must be added for each language that is to be recognized.
AddLanguage de .de
AddLanguage en .en
AddLanguage es .sp
AddLanguage fr .french

Note: The first parameter is the international abbreviation for the language, the second parameter is the extension that will be used for a file in that language.
Includes
This controls Server Side Include commands. They are not enabled by default. In order to make them available, it is necessary to define the mime type for the extension that will be used for SSI files, and it is necessary to associate this extension with the filter that will parse the SSI file. The filter is built into Apache and is called INCLUDES.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
ExecCGI
This controls CGI programs. By default they are not enabled on the server. CGI programs will all end in the same extension. It is necessary to associate this extension with the program that will process the CGI program. The program is built into Apache and is called cgi-script. Such a program that processes files is known as a handler.
AddHandler cgi-script .cgi
Indexes, FollowSymLinks, SymLinksIfOwnerMatch
These are enabled by default. Only the options directive is needed to activate them.

AllowOverride

This directive controls what the user can change in the .htaccess file. See http://httpd.apache.org/docs/mod/core.html#allowoverride for all the possibilities. The most dangerous parameter is options. If the administrator gives this ability to the user, then the user can set any options. This is another way a security risk can be opened on the server.
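
The two risks described above (risky options in user directories, and AllowOverride handing the options directive to users) can be checked mechanically. The following audit script is an added example, not part of the original notes; the sample configuration, the /home/ path pattern and the function names are assumptions made for illustration, and inherited options are not modelled.

```python
import re

RISKY = {"all", "execcgi", "includes", "followsymlinks"}  # compared lower-cased

# Constructed sample configuration, not taken from the original page.
SAMPLE = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/home/*/public_html">
    Options Indexes Includes SymLinksIfOwnerMatch
    Options +ExecCGI -Includes
    AllowOverride FileInfo Options
</Directory>
"""

def apply_options(current, args):
    """Bare names replace the current set; +name / -name edit it."""
    args = [a.lower() for a in args]
    signed = [a for a in args if a[0] in "+-"]
    if signed and len(signed) != len(args):
        # Treated as a configuration error here (assumption of this example).
        raise ValueError("signed and unsigned options mixed on one line")
    result = set(current) if signed else set()
    for a in args:
        (result.discard if a[0] == "-" else result.add)(a.lstrip("+-"))
    return result

def audit(conf, user_dirs=r"^/home/"):
    """Flag user <Directory> blocks; each block starts from an empty option set."""
    findings, path, opts = [], None, set()
    for line in conf.splitlines():
        words = line.split()
        key = words[0].lower() if words else ""
        opened = re.match(r'\s*<Directory\s+"?([^">]+)"?>', line, re.I)
        if opened:
            path, opts = opened.group(1), set()
        elif path is None or not re.search(user_dirs, path):
            path = None if key == "</directory>" else path
        elif key == "options":
            opts = apply_options(opts, words[1:])
        elif key == "allowoverride":
            hits = [w for w in words[1:] if w.lower().split("=")[0] in ("all", "options")]
            findings += [(path, "AllowOverride " + w) for w in hits]
        elif key == "</directory>":
            findings += [(path, "Options " + o) for o in sorted(opts & RISKY)]
            path = None
    return findings
```

Calling audit(SAMPLE) reports AllowOverride Options and the ExecCGI added by the second options line for /home/*/public_html, while Includes is not reported because the - sign removed it. The /var/www/html block is ignored because it is not a user directory.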

Aliases

By default, the web server can only access files and directories that are descended from the document root. The administrator can add other directories to the scope of the web server by using the Alias directive. This is not considered a security risk, because only the administrator can add aliases to the server.