Recommended Option FollowSymLinks

Hi,

Just a question here...

What is the recommended global Apache configuration WRT "Options FollowSymLinks"?

Our older 14.04 server had "Options FollowSymLinks" enabled in "/" and "/var/www/" by default, as does a newer 16.04 server.

We used the standard Virtualmin installation script.

Do you have any comments or recommendations on this issue? (no dissertation required)

One issue we have seen is that Apache throws an error if a site .htaccess file includes "Options +FollowSymLinks".

Thanks in advance,

G

Status: Closed (fixed)

Comments

Howdy -- thanks for contacting us!

For security reasons, we recommend using "SymlinksIfOwnerMatch" rather than "FollowSymlinks".

They both achieve a very similar thing, but SymlinksIfOwnerMatch is a more secure setting for a multi-user environment.

OK, I have a newish server with few web sites on it yet, so I edited apache2.conf and replaced FollowSymlinks with SymlinksIfOwnerMatch and Apache seems happy so far.

I also see that "FollowSymlinks" is in these two files as well:

./mods-available/alias.conf:            Options FollowSymlinks
./conf-available/apache2-doc.conf:    Options Indexes FollowSymlinks

Is it recommended I edit those as well?

apache2-doc.conf is not enabled, but alias.conf is.

I made the two additional edits and Apache restarts OK...

Sorry for my ignorance,

G

I wouldn't edit those entries; those shouldn't cause any trouble. The key is just to ensure "untrusted" users can't link to any file on the system from their own directories, as it could give them access to more than they should be able to see.

But there shouldn't be any problems with any of the entries you referenced above.

Submitted by Joe on Mon, 11/26/2018 - 23:06 Pro Licensee

Also note those aren't actually active configuration files, unless they also appear in mods-enabled and conf-enabled. The mods-available and conf-available directories are not included in the Apache configuration... you'd have to enable them (which puts a symlink into the mods-enabled or conf-enabled directories, which are included in the Apache configuration).
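
The available-versus-enabled distinction above, as an added example that is not part of the thread: a POSIX shell audit that reports Options lines turning on FollowSymLinks only in files Apache actually loads. It assumes the stock Debian/Ubuntu layout (apache2.conf plus the *-enabled directories); audit_followsymlinks and make_sample_root are names made up for this example, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the stock Debian/Ubuntu layout:
# apache2.conf plus whatever is linked into mods-enabled/, conf-enabled/ and
# sites-enabled/. Function names are made up for this example.

# audit_followsymlinks ROOT -> prints file:line:text for each active Options
# line that turns FollowSymLinks on. The *-available directories are not read.
audit_followsymlinks() {
    afs_root=${1:-/etc/apache2}
    for afs_f in "$afs_root"/apache2.conf "$afs_root"/mods-enabled/*.conf \
                 "$afs_root"/conf-enabled/*.conf "$afs_root"/sites-enabled/*.conf; do
        # -f follows the symlink made by a2enmod/a2enconf/a2ensite and
        # skips glob patterns that matched nothing.
        [ -f "$afs_f" ] || continue
        # Case-insensitive, as Apache treats option names. Not matched:
        # "-FollowSymLinks", SymLinksIfOwnerMatch, commented-out lines.
        # /dev/null as a second file makes grep print the file name.
        grep -niE '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?FollowSymLinks([[:space:]]|$)' \
            "$afs_f" /dev/null || true
    done
}

# make_sample_root -> prints the path of a constructed config tree mirroring
# the thread: alias.conf is enabled, apache2-doc.conf is available only.
make_sample_root() {
    msr_t=$(mktemp -d)
    mkdir -p "$msr_t/mods-available" "$msr_t/mods-enabled" \
             "$msr_t/conf-available" "$msr_t/conf-enabled"
    printf '%s\n' '<Directory />' '    Options SymLinksIfOwnerMatch' \
        '</Directory>' > "$msr_t/apache2.conf"
    printf '%s\n' '<Directory "/usr/share/apache2/icons">' \
        '    Options FollowSymlinks' '</Directory>' \
        > "$msr_t/mods-available/alias.conf"
    printf '%s\n' '<Directory "/usr/share/doc/apache2-doc/manual/">' \
        '    Options Indexes FollowSymlinks' '</Directory>' \
        > "$msr_t/conf-available/apache2-doc.conf"
    ln -s ../mods-available/alias.conf "$msr_t/mods-enabled/alias.conf"
    printf '%s\n' "$msr_t"
}

# With no argument, audit the constructed sample tree.
audit_followsymlinks "${1:-$(make_sample_root)}"
```

Pass /etc/apache2 as the first argument to audit a real server. Per-site .htaccess files and any Include lines beyond the stock ones are outside what it reads.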

Submitted by Joe on Mon, 11/26/2018 - 23:07 Pro Licensee

Status: Active » Fixed
Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.