Is the Apache Directory directive supposed to be relative to the DocumentRoot or not? I ask in the context of a VirtualHost, but it shouldn't make any difference.

In other words, is it supposed to be:

    DocumentRoot /var/www
    <Directory /var/www>

or:

    DocumentRoot /var/www
    <Directory />

Both work. The Apache Directory docs say:

Directory-path is either the full path to a directory, or a wild-card string...

... but then they show two examples contradicting the "full path" statement.

ED: There are also contradictory examples on the Apache Performance Tuning page in the FollowSymLinks and SymLinksIfOwnerMatch and AllowOverride sections.

For fun I looked at Debian's default vhost setup and found this:

    <VirtualHost *:80>
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

The documentation is correct, and the <Directory> directive should be the full path.

Your first example is how you should configure the directive for VirtualHosts, and applies the options within the directive to just the DocumentRoot. Your second example is referring to the filesystem root (literally /).

You haven't posted the rest of the directive, but this is typically used as a way of attempting to jail Apache and restrict its access, and is usually (but not always) placed inside the main apache2.conf or httpd.conf configuration files, with your VirtualHosts explicitly allowing access for their own DocumentRoot directories, so the two are often used together.

From the Apache documentation:

Note that the default access for <Directory /> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is recommended that you change this with a block such as:

    <Directory />
      Require all denied
    </Directory>

and then override this for directories you want accessible. See the Security Tips page for more details.
  • If the second example literally refers to the filesystem /, then why does Apache serve the /var/www directory?
    – Jeff
    Commented Aug 21, 2013 at 13:58
  • Apache will serve the DocumentRoot. The Directory directive is totally separate, and has the effect of saying "apply the enclosed configuration to this directory and all subdirectories". More specific configurations take priority, so <Directory /var/www/> will override <Directory />.
    Commented Aug 21, 2013 at 14:06
  • I see. So <Directory /> from a VirtualHost context can override server-wide Options (or other settings) of <Directory />? That makes sense. Thanks for the help.
    – Jeff
    Commented Aug 21, 2013 at 14:35
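
The merge order discussed in the answer and comments can be checked with a small model. This is an added example, not code from the posts or from the Apache project: it is a simplified Python sketch in which the sample sections, `applies` and `effective` are constructed names, and only plain directive replacement is modeled (no `+`/`-` Options merging, `.htaccess` or regex sections).

```python
from pathlib import PurePosixPath

# Constructed sample configuration: (context, directory path, directives).
# "server" = main config, "vhost" = inside <VirtualHost>; list order = file order.
SECTIONS = [
    ("server", "/", {"Options": "None", "AllowOverride": "None",
                     "Require": "all denied"}),
    ("vhost", "/", {"Options": "FollowSymLinks"}),
    ("vhost", "/var/www/", {"Options": "Indexes FollowSymLinks MultiViews",
                            "Require": "all granted"}),
]


def applies(section_dir: str, target: str) -> bool:
    """True if target is section_dir itself or lies beneath it.

    Section paths are absolute filesystem paths, never relative to
    DocumentRoot, and match on whole path components.
    """
    base, path = PurePosixPath(section_dir), PurePosixPath(target)
    return path == base or base in path.parents


def effective(target: str, sections=SECTIONS) -> dict:
    """Merge matching sections: shortest path first, server before vhost."""
    matching = [
        (len(PurePosixPath(d).parts), ctx != "server", order, directives)
        for order, (ctx, d, directives) in enumerate(sections)
        if applies(d, target)
    ]
    merged = {}
    for _, _, _, directives in sorted(matching, key=lambda m: m[:3]):
        merged.update(directives)  # a later section replaces the directive
    return merged


if __name__ == "__main__":
    for p in ("/var/www/index.html", "/etc/passwd"):
        print(p, effective(p))
```

In this model a file under `/var/www` ends up with the vhost's grant, while a path outside it keeps the server-wide `Require all denied` even though the vhost's own `<Directory />` changed `Options`.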

