17 December 2021

The Apache web server uses various configuration files. It always has a primary configuration file (typically httpd.conf) and often a config file with options specific to a domain / virtual host. On shared servers users can also override a subset of directives using .htaccess files in their home directory. For instance, users can set up rules to rewrite URLs or to limit access to web pages to specific IP addresses.

Inheritance

Apache options are inherited. The rules defined in the main httpd.conf apply to all subdirectories, unless they are overridden somewhere else. This allows you to fine-tune what rules should apply to which directories.

To illustrate, the httpd.conf file on cPanel servers allows directory listings. Users often change that setting, as it allows anyone to view the contents of folders that don’t have an index file. The rule in the httpd.conf file looks like this:

<Directory "/">
  AllowOverride All
  Options Indexes
</Directory>

The <Directory> directive defines the settings for the server’s / directory. That is the top-level directory on Unix-like operating systems, and the rules therefore apply globally.

The AllowOverride directive defines whether or not settings can be overridden. In the above example it is set to All, which is the most permissive option. If it is set to None then any .htaccess files are ignored.

And finally, the Options Indexes rule is what enables directory listings. To disable indexes you can change the value to Options -Indexes.

Overrides

WordPress Toolkit has an option to disable directory browsing. When you enable the option the default setting is overridden. Toolkit does this via a domain-specific configuration file. This is the rule Toolkit creates:

<Directory "/home/example/public_html">
    Options -Indexes
</Directory>

So, indexes are now allowed globally, but not in /home/example/public_html (and any of its subdirectories). If you want to enable directory listings for a subfolder then you can override the settings again via a .htaccess file. For instance, you can use this to allow directory browsing for a folder named “downloads”:

# Contents of /home/example/public_html/downloads/.htaccess
# (<Directory> sections are not permitted inside .htaccess files; the file's location sets the scope)
Options +Indexes
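The way these three rules combine can be checked with a small model. The following is an added example, not part of the original article and not Apache's own code: it is a simplified Python model of how Options lines are merged from the shortest directory path to the longest. The names LAYERS, apply_options and effective_options are hypothetical, and only AllowOverride All and None are modelled.

```python
from pathlib import PurePosixPath

# Constructed layers mirroring the article's three rules.
# Each entry: (directory, source, Options arguments, AllowOverride or None)
LAYERS = [
    ("/", "conf", "Indexes", "All"),
    ("/home/example/public_html", "conf", "-Indexes", None),
    ("/home/example/public_html/downloads", "htaccess", "+Indexes", None),
]

def apply_options(current, args):
    """Apply one Options line to the set of options currently in force."""
    tokens = args.split()
    relative = [tok[0] in "+-" for tok in tokens]
    if any(relative) and not all(relative):
        raise ValueError("Apache rejects mixing +/- options with absolute ones")
    if not any(relative):
        return set(tokens) - {"None"}   # an absolute list replaces what was inherited
    result = set(current)
    for tok in tokens:
        if tok[0] == "+":
            result.add(tok[1:])
        else:
            result.discard(tok[1:])
    return result

def effective_options(request_dir, layers=LAYERS):
    """Return the Options in force for request_dir under this simplified model."""
    target = PurePosixPath(request_dir)
    applicable = [layer for layer in layers
                  if PurePosixPath(layer[0]) in (target, *target.parents)]
    # Shortest path first; at equal depth the .htaccess file is applied last.
    applicable.sort(key=lambda l: (len(PurePosixPath(l[0]).parts), l[1] == "htaccess"))
    options, override = set(), "None"
    for _directory, source, args, allow_override in applicable:
        if source == "htaccess" and override == "None":
            continue                    # AllowOverride None: the file is ignored
        options = apply_options(options, args)
        if allow_override is not None:
            override = allow_override
    return options
```

Changing the first layer's AllowOverride value to "None" shows the downloads folder losing its listing again, because the .htaccess file is then ignored.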

Performance

.htaccess files are essential on shared servers. They allow users to override settings and set up custom rules, such as redirects. The only downside of .htaccess files is that they come with a small performance penalty. The more configuration files Apache has to process, the more work it has to do.

If you have full access to a server then you can use just the main httpd.conf file. However, there are downsides to that as well. Most importantly, you really need to know your stuff. A small typo can throw all websites on your server offline. Plus, you need root access. Unless you are comfortable managing servers on the command line you probably want to use .htaccess files. Or, you can let us make certain changes for you!

Working with .htaccess files

.htaccess files are plain text files that can be edited directly. As said, you do need to be very careful, as a small typo can cause an error 500 (the dreaded “internal server error”). If you need to manually edit a .htaccess file then it is best to first make a copy of the original file. That way you can always revert your changes.

It is also worth noting that the file is a so-called dot file. On Linux systems, files that start with a dot are not displayed by default. In cPanel’s file manager you need to enable the “show hidden files” option before you can see the files. When you enable the option you will see quite a few extra files and folders. These are mostly used to store configuration options. Similarly, on the command line you need to add the -a (--all) option to ls to include dot files in directory listings.

On cPanel servers you can also make various configuration changes using a graphical interface. For instance, you can set up a redirect with just a few clicks. That is useful, as the Apache configuration is complex and can work in unexpected ways.

Complexity

The Apache web server is thoroughly documented, but the documentation is a little dry. It is also very extensive – Apache has a very large number of bells and whistles. If you are new to Apache, the main things to know up front are that there are different Apache versions and that it has a huge number of directives.

This is important, as things work differently in different Apache versions. For instance, if you do an online search to find out how to block an IP address via a .htaccess file then you probably end up doing something like this:

Order Allow,Deny
Allow from all
Deny from 1.2.3.4

This syntax is specific to Apache 2.2 and was deprecated in version 2.4. It still works in Apache 2.4, but it will stop working in a future version. The new way of blocking an IP address is this:

<RequireAll>
  Require all granted
  Require not ip 1.2.3.4
</RequireAll>

So, it is always a good idea to have a look at the official documentation. It will help you better understand how the configuration works, and it will help prevent things from suddenly breaking.
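To find .htaccess files that still rely on the 2.2 syntax before it stops working, the file contents can be audited. The following is an added example, not part of the original article: a Python sketch that lists the legacy access directives with their line numbers and rewrites only the exact pattern shown above (allow everyone, deny listed IP addresses). The names audit, convert_blocklist and SAMPLE are hypothetical and the sample file is constructed; anything else, including files that already mix both syntaxes, is returned as None for manual review.

```python
import ipaddress
import re

LEGACY = re.compile(r"^\s*(Order|Allow\s+from|Deny\s+from|Satisfy)\b\s*(.*)$", re.I)
MODERN = re.compile(r"^\s*<?/?Require", re.I)

# Constructed sample: a .htaccess file that mixes both syntaxes.
SAMPLE = """\
# block one abusive client
Order Allow,Deny
Allow from all
Deny from 1.2.3.4
Require all granted
"""

def audit(text):
    """Return (legacy, modern): legacy is [(lineno, directive, args)], modern is [lineno]."""
    legacy, modern = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LEGACY.match(line)
        if match:
            name = " ".join(match.group(1).lower().split())
            legacy.append((lineno, name, match.group(2).strip()))
        elif MODERN.match(line):
            modern.append(lineno)
    return legacy, modern

def convert_blocklist(text):
    """Rewrite 'allow all, deny listed IPs' as a RequireAll block; None means review by hand."""
    legacy, modern = audit(text)
    by_name = {}
    for _, name, args in legacy:
        by_name.setdefault(name, []).append(args.lower())
    if modern or "satisfy" in by_name or by_name.get("order") != ["allow,deny"]:
        return None
    if by_name.get("allow from") != ["all"] or "deny from" not in by_name:
        return None
    try:
        nets = [ipaddress.ip_network(tok, strict=False)
                for args in by_name["deny from"] for tok in args.split()]
    except ValueError:
        return None  # hostnames, partial IPs and env= conditions need a human
    if not nets:
        return None
    lines = ["<RequireAll>", "  Require all granted"]
    for net in nets:
        target = net if net.num_addresses > 1 else net.network_address
        lines.append(f"  Require not ip {target}")
    return "\n".join(lines + ["</RequireAll>"]) + "\n"
```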