
Complete Analysis of httpd.conf Structure

httpd.conf is the core configuration file that controls all Apache behavior. While it plays a similar role to Nginx's nginx.conf, the structure and directive system are quite different. Let's thoroughly understand global settings, Directory/Files/Location containers, and what AllowOverride means.


Overall httpd.conf Structure

# ============================================================
# Section 1: Global Environment Settings
# ============================================================
ServerRoot "/etc/apache2"
Listen 80
ServerName www.example.com:80
ServerAdmin webmaster@example.com
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
User www-data
Group www-data
ServerTokens Prod
ServerSignature Off

# ============================================================
# Section 2: Main Server Configuration
# ============================================================
DocumentRoot "/var/www/html"

<Directory />
Options None
AllowOverride None
Require all denied
</Directory>

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

<Files ".ht*">
Require all denied
</Files>

# ============================================================
# Section 3: Virtual Hosts
# ============================================================
Include /etc/apache2/sites-enabled/*.conf

Key Global Directives

# Comments must sit on their own line; Apache does not allow them after a directive
# Base directory for relative paths
ServerRoot "/etc/apache2"
Listen 80
Listen 443
ServerName www.example.com
ServerAdmin webmaster@example.com
# Show only "Apache" in headers (security)
ServerTokens Prod
# Hide server signature from error pages
ServerSignature Off
# Max concurrent connections
MaxRequestWorkers 150
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

Directory Container

Defines settings for specific filesystem paths.

<Directory />
Options None
AllowOverride None
# Block all access by default
Require all denied
</Directory>

<Directory "/var/www/html">
# Directory listing + symlinks
Options Indexes FollowSymLinks
# Allow all .htaccess directives
AllowOverride All
# Allow all access
Require all granted
</Directory>

<Directory "/var/www/admin">
Options None
AllowOverride None
# Only internal IP allowed
Require ip 192.168.1.0/24
</Directory>

Options Directive

| Option | Description | Security Risk |
|---|---|---|
| Indexes | Auto-generate directory listing | High (remove in production) |
| FollowSymLinks | Follow symbolic links | Medium |
| SymLinksIfOwnerMatch | Follow links only if owner matches | Low |
| ExecCGI | Allow CGI execution | High |
| None | No options allowed | None (recommended) |
| All | All options allowed | High (caution in production) |

Files Container

Defines settings for specific filename patterns.

# Block access to hidden files (.htaccess, .htpasswd)
<Files ".ht*">
Require all denied
</Files>

# Cache headers for static assets
<FilesMatch "\.(jpg|jpeg|png|gif|css|js)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>

# Block executable files
<FilesMatch "\.(exe|sh|bat|py)$">
Require all denied
</FilesMatch>

Location Container

Defines settings for specific URL paths, independent of the filesystem.

# Proxy /api/ to Tomcat
<Location "/api/">
ProxyPass http://127.0.0.1:8080/api/
ProxyPassReverse http://127.0.0.1:8080/api/
</Location>

# Restrict /admin/ with authentication
<Location "/admin/">
AuthType Basic
AuthName "Admin Only"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>

# Server status (internal only)
<Location "/server-status">
SetHandler server-status
Require ip 127.0.0.1
</Location>

Directory vs Files vs Location

| Container | Basis | Wildcard | Regex variant |
|---|---|---|---|
| Directory | Filesystem path | *, ? | DirectoryMatch |
| Files | Filename | *, ? | FilesMatch |
| Location | URL path | *, ? | LocationMatch |

AllowOverride Deep Dive

Controls what directives can be used in .htaccess files.

# AllowOverride None — completely disable .htaccess (recommended for production)
# Benefit: Apache doesn't scan directories for .htaccess files → performance gain
<Directory "/var/www/html">
AllowOverride None
</Directory>

# AllowOverride All — allow all directives
<Directory "/var/www/html/app">
AllowOverride All
</Directory>

# Granular AllowOverride
<Directory "/var/www/html/blog">
# AuthConfig: authentication directives
# FileInfo: file type, headers, URL rewriting
AllowOverride AuthConfig FileInfo
</Directory>

Performance: With AllowOverride None, Apache doesn't traverse directories searching for .htaccess files, reducing I/O per request. Prefer configuring directly in httpd.conf when possible.
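
An added example, not part of the original page: a Python check that walks the `<Directory>` blocks of a config and reports the Options values rated in the Options table above, together with any `AllowOverride All`. The function name `audit_directories`, the "note" rating and the sample config are constructed for illustration.

```python
import re

# Risk ratings copied from the Options table on this page (keys lower-cased).
OPTION_RISK = {"indexes": "high", "execcgi": "high", "all": "high",
               "followsymlinks": "medium", "symlinksifownermatch": "low"}
OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)

# Constructed sample config for this example.
SAMPLE = """\
<Directory />
    Options None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/var/www/html/static">
    Options -Indexes +SymLinksIfOwnerMatch
</Directory>
"""

def audit_directories(conf_text):
    """Return (path, rating, setting) findings per <Directory> block, in file order."""
    findings, path = [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        opened = OPEN.match(raw.strip())
        if opened:
            path = opened.group(1).strip()
        elif CLOSE.match(raw.strip()):
            path = None
        elif path and parts[0].lower() == "options":
            for word in parts[1:]:
                # "+X" and bare "X" enable an option; "-X" disables it and never matches.
                risk = OPTION_RISK.get(word.lstrip("+").lower())
                if risk:
                    findings.append((path, risk, "Options " + word.lstrip("+")))
        elif path and parts[0].lower() == "allowoverride" and "all" in map(str.lower, parts[1:]):
            # "note" is this example's own label; the page rates only Options.
            findings.append((path, "note", "AllowOverride All"))
    return findings

if __name__ == "__main__":
    for finding in audit_directories(SAMPLE):
        print(*finding, sep="\t")
```

The check only reads `<Directory>` blocks; it does not follow Include lines or evaluate `<DirectoryMatch>`, `<Files>` or `<Location>` containers.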


Include Directive for Config Separation

Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/ports.conf
IncludeOptional /etc/apache2/sites-enabled/*.conf
IncludeOptional /etc/apache2/conf-enabled/*.conf
  • Include: Error if file is missing
  • IncludeOptional: Silently ignored if file is missing

Summary

| Container | Role | Key Use Cases |
|---|---|---|
| Directory | Settings per filesystem path | Web root access control, Options |
| Files | Settings per filename pattern | Block specific files, cache headers |
| Location | Settings per URL path | Proxy, authentication, status page |
| AllowOverride | .htaccess permission scope | None (performance), All (flexibility) |