Options and Aliases
Options
The Options directive controls features of the web server that are
useful, but are also security risks. It is the responsibility of the web
administrator to decide which of these features will be enabled on the server.
The biggest security risk is the addition of user directories on the server.
If the abilities in the Options directive are given to normal users,
then many areas of your local file system can be opened to the web.
More than one parameter can be specified in the Options directive
by separating them with a space. For example:
    Options Includes Indexes MultiViews
An option can also be added to or removed from the current set by prefixing
it with a + or - sign. For example,
    Options +ExecCGI -FollowSymLinks
would add ExecCGI and remove FollowSymLinks from the current set of options.
These are the possible parameters for the Options directive:
- All: All options except for MultiViews. This is the default setting.
- ExecCGI: Execution of CGI scripts is permitted.
- FollowSymLinks: The server will follow symbolic links in this directory.
  Note: even though the server follows the symlink, it does not change the
  pathname used to match against <Directory> sections.
  Note: this option is ignored if set inside a <Location> section.
- Includes: Server-side includes are permitted.
- IncludesNOEXEC: Server-side includes are permitted, but the #exec command
  and #exec CGI are disabled. It is still possible to #include virtual CGI
  scripts from ScriptAlias'ed directories.
- Indexes: If a URL which maps to a directory is requested, and there is no
  DirectoryIndex (e.g., index.html) in that directory, then the server will
  return a formatted listing of the directory.
- MultiViews: Content negotiated MultiViews are allowed.
- SymLinksIfOwnerMatch: The server will only follow symbolic links for which
  the target file or directory is owned by the same user id as the link.
  Note: this option is ignored if set inside a <Location> section.
Enabling Options vs. Activating Options
The Options directive activates certain features of the server,
but it is usually necessary to place some statements in the configuration
files in order to enable the features. Think of
activating as the ON/OFF switch on a cell phone. Think of
enabling as the battery for the cell phone. You cannot make a call
on the phone if you don't have a battery.
- MultiViews: This controls content negotiation and language negotiation.
  Content negotiation is always enabled on the server, so all that is needed
  is the Options directive to activate it. However, language negotiation is
  not enabled on the server by default, so statements must be added to the
  configuration files in order to enable it. AddLanguage must be added for
  each language that is to be recognized.
      AddLanguage de .de
      AddLanguage en .en
      AddLanguage es .sp
      AddLanguage fr .french
  Note: The first parameter is the international abbreviation for the
  language; the second parameter is the extension that will be used for a
  file in that language.
- Includes: This controls Server Side Include commands. They are not enabled
  by default. In order to make them available, it is necessary to define the
  MIME type for the extension that will be used for SSI files, and it is
  necessary to associate this extension with the filter that will parse the
  SSI file. The filter is built into Apache and is called INCLUDES.
      AddType text/html .shtml
      AddOutputFilter INCLUDES .shtml
- ExecCGI: This controls CGI programs. By default they are not enabled on the
  server. CGI programs will all end in the same extension. It is necessary to
  associate this extension with the program that will process the CGI
  program. The program is built into Apache and is called cgi-script. Such a
  program that processes files is known as a handler.
      AddHandler cgi-script .cgi
- Indexes, FollowSymLinks, SymLinksIfOwnerMatch: These are enabled by default.
  Only the Options directive is needed to activate them.
AllowOverride
This directive controls what the user can change in the .htaccess
file. See
http://httpd.apache.org/docs/mod/core.html#allowoverride
for all the possibilities. The most dangerous parameter is Options.
If the administrator gives this ability to the user, then the user can set
any options, so this is another way of opening a security risk on the
server.
Aliases
By default, the web server can only access files and directories that are
descended from the document root. The administrator can add other directories
to the scope of the web server by using the Alias directive. This
is not considered a security risk, because only the administrator can add
aliases to the server.
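The following is an added example, not configuration from the original page: it puts the directives above together in one httpd.conf fragment, showing a per-user directory configured loosely and then restrictively, the enabling statements for SSI and CGI, and an administrator-defined Alias. The file paths and the Apache 2.4 `Require all granted` lines are assumptions; the two public_html blocks are alternatives, not meant to be used together.

```apache
# Added example (not from the original page). Paths are assumptions.
# The two <Directory> blocks for public_html are alternatives: use one
# or the other, since a later block for the same path overrides the
# earlier one.

# Weak: Options All hands users every feature except MultiViews, and
# AllowOverride Options lets a .htaccess file add ExecCGI or
# FollowSymLinks as well, so the user, not the administrator, decides
# what is exposed.
<Directory "/home/*/public_html">
    Options All
    AllowOverride Options
    # Apache 2.4 access syntax (assumption about the server version)
    Require all granted
</Directory>

# Hardened: only the features the administrator chose are activated,
# .htaccess cannot widen them, and a symlink is followed only when the
# link and its target share an owner, so a user cannot point a link at
# someone else's files and have the server serve them.
<Directory "/home/*/public_html">
    Options Indexes IncludesNOEXEC SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# Activating IncludesNOEXEC above does nothing until SSI is enabled:
# map the extension to a MIME type and to the INCLUDES filter.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# CGI stays off in user directories. ExecCGI is activated only here,
# and the cgi-script handler enables it for the .cgi extension.
<Directory "/var/www/cgi">
    Options ExecCGI
    AllowOverride None
    Require all granted
</Directory>
AddHandler cgi-script .cgi

# An Alias adds a directory outside the document root. Only the
# administrator can do this, but the directory still gets its own
# restricted Options rather than inheriting a wider set.
Alias /docs "/srv/site-docs"
<Directory "/srv/site-docs">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```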