11.7 Symbolic Links Lookup
The two options
FollowSymLinks
and
SymLinksIfOwnerMatch
are designed for the user's security. Unless
FollowSymLinks is enabled, symbolic links will not
be followed by the server. If SymLinksIfOwnerMatch
is enabled, the server will follow symbolic links only when the
target file or directory is owned by the same user as the link. Note
that the two options are ignored if set within a
<Location> block.
This protection costs a little overhead for each request. Wherever in
your URL-space you do not have this setting:
Options FollowSymLinks
or you do have this setting:
Options SymLinksIfOwnerMatch
Apache will have to issue an extra call to lstat(
) per directory segment in the path to the file. For
example, if you have:
DocumentRoot /home/httpd/docs
<Directory />
Options SymLinksIfOwnerMatch
</Directory>
and a request is made for the URI /index.html,
Apache will perform lstat( ) on these three
directories and one file:
/home
/home/httpd
/home/httpd/docs
/home/httpd/docs/index.html
The deeper the file is located in the filesystem, the more
lstat( ) system calls will be made. The results of
these lstat( ) calls are never cached, so they
will occur for every single request. If you really want the
symbolic-links security checking, you can do something like this:
DocumentRoot /home/httpd/docs
<Directory />
Options FollowSymLinks
</Directory>
<Directory /home/httpd/docs>
Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
This at least avoids the extra checks for the
DocumentRoot path. Note that
you'll need to add similar sections if you have any
Alias or RewriteRule paths
outside of your document root. For highest performance, and no
symbolic link protection, set the FollowSymLinks
option everywhere, and never set the
SymLinksIfOwnerMatch option.
|