Apache FollowSymLinks

From CS Wiki

FollowSymLinks is an option of the `Options` directive in the Apache HTTP Server configuration. It controls whether the server follows symbolic links (symlinks) in the document root or other directories. A symbolic link is a file that points to another file or directory, and this option determines whether content reached through such a link is served.

Syntax

The option is set with the `Options` directive in Apache configuration files (e.g., `httpd.conf` or `.htaccess`) and is applied at the directory level.

Example:

```apache
Options FollowSymLinks
```

Functionality

  • When FollowSymLinks is enabled, the server follows symbolic links to serve the target file or directory.
  • When FollowSymLinks is disabled, the server ignores symbolic links and does not allow access through them.

Example

Suppose the following configuration exists:

```apache
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
</Directory>
```

In this case:

  • Any symbolic link in the `/var/www/html` directory will be followed by the server, and the target content will be served.

If `FollowSymLinks` is removed or replaced with `Options -FollowSymLinks`, symbolic links will not be followed, and attempting to access them will result in an error.

Security Considerations

While enabling FollowSymLinks can be convenient, it also introduces potential security risks:

  • Unauthorized Access:
    • If symbolic links point to sensitive files or directories outside the web root, they could inadvertently expose sensitive data.
  • Avoiding Abuse:
    • Attackers may create malicious symbolic links to access unauthorized files.

Mitigation

To mitigate risks:

  • Use `Options -FollowSymLinks` in sensitive directories where symbolic links should not be allowed.
  • Consider using the `SymLinksIfOwnerMatch` option so that a symbolic link is followed only if the link's owner matches the target file's owner.

Example:

```apache
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
</Directory>
```
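
The following audit is an added example, not part of the original page or of Apache itself. It lists symlinks under a document root whose targets resolve outside it, are dangling, or have a different owner than the link (an approximation of the comparison `SymLinksIfOwnerMatch` makes); the function name `audit_symlinks` and the demo tree are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(docroot):
    """List symlinks under docroot that leave the tree, dangle, or whose
    owner differs from the target's owner."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report each link but never descend through it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves chained links too
            # Exposure case: the resolved target is not below the docroot.
            outside = os.path.commonpath([root, target]) != root
            try:
                # Approximates the SymLinksIfOwnerMatch ownership comparison.
                mismatch = os.lstat(link).st_uid != os.stat(target).st_uid
                dangling = False
            except OSError:  # missing target or symlink loop
                mismatch, dangling = False, True
            if outside or mismatch or dangling:
                findings.append({"link": link, "target": target,
                                 "outside_root": outside,
                                 "owner_mismatch": mismatch,
                                 "dangling": dangling})
    return findings


if __name__ == "__main__":
    # Constructed demo tree: html/ is the docroot, secret.txt sits beside it.
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "html")
    os.mkdir(docroot)
    open(os.path.join(base, "secret.txt"), "w").close()
    open(os.path.join(docroot, "index.html"), "w").close()
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(docroot, "leak"))
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "home"))
    for finding in audit_symlinks(docroot):
        print(finding)
```

Apache's documentation notes that symlink testing is subject to race conditions, so a periodic audit like this complements the `Options` setting rather than replacing it.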

Alternatives

If symbolic links must be used but with stricter control:

  • SymLinksIfOwnerMatch:
    • Ensures that symbolic links are only followed if the link and target have the same owner.
  • Alias Directive:
    • Use Apache’s `Alias` directive to map specific paths to desired files or directories instead of relying on symbolic links.

Common Use Cases

  • Hosting environments where symbolic links are used to manage multiple virtual hosts or shared content.
  • Development environments where symbolic links simplify directory structure and access.

Troubleshooting

If symbolic links are not working as expected:

  • Ensure FollowSymLinks is explicitly enabled in the relevant configuration block.
  • Check permissions of the symbolic link and the target file/directory.
  • Verify that symbolic links are supported by the underlying file system.
