FollowSymLinks is a directive in your web server configuration that tells your web server to follow so-called symbolic links. As one would expect, FollowSymLinks is short for Follow Symbolic Links. FollowSymLinks is a very important setting that plays a role in your website's security.
In the following text, we explain FollowSymLinks in general, with some emphasis on how it relates to the Apache web server and the Drupal content management system.
First, let's review where the FollowSymLinks directive can be found and what it relates to.
FollowSymLinks in httpd.conf and .htaccess files
You can find the FollowSymLinks directive mentioned in two places. One of them is the httpd.conf file which holds configuration information for your web server. This info is loaded upon server startup. This file holds the "default" settings for your server. The following example shows this file:
The .htaccess file is used to override default server settings in particular folders (directories). The following file overrides the FollowSymLinks setting provided in the httpd.conf file for the test_files folder. Note one difference: while httpd.conf specifies Options FollowSymLinks, the .htaccess file adds this permission as Options +FollowSymLinks.
Now that we know where we find the FollowSymLinks setting, let's explain what it does.
What is FollowSymLinks?
We already mentioned that FollowSymLinks tells the web server to follow symbolic links while looking for a file, but what does it really mean?
Symbolic links (also called symlinks or softlinks) closely resemble Windows shortcuts. Websites are often set up so that pictures and other content appear to be located somewhere other than where they physically are. Let's say you browse to some website and look at the web page source. You might see something like IMG SRC="/system/files/images/image.png" for the location of some picture that interests you. If you browse to this location in your Internet browser, it will show you the picture. But if you log into the server and go to that location, /system/files/images/, you will not find it. The image.png file is not physically located in the /system/files/images/ folder; let's say it is in a folder called /pictures.
How does the server know that it should pull image.png from the /pictures folder when you visit the website and browse to the /system/files/images folder in your web browser? A so-called symbolic link is the guy that is responsible for this behavior. Somewhere in your system, there is a symlink that tells your server "If a visitor requests /system/files/images/image.png then show him /pictures/image.png."
And what is the role of the FollowSymLinks setting in this?
FollowSymLinks relates to server security. When dealing with web servers, you can't just leave things undefined. You have to specify who has access to what. The FollowSymLinks setting tells your server whether it should or should not follow symlinks. In other words, if FollowSymLinks were disabled in our case, browsing to the /system/files/images/image.png file would return either a 403 (access forbidden) or a 404 (not found) error, depending on other settings.
What is the difference between a symbolic link and hard link?
In addition to symlinks, we also talk about so-called hard links. You can find more about hard links on the next page: Difference between symbolic link and hard link.
FollowSymLinks is important for Drupal-powered websites. Since Drupal uses the so-called private download method by default and takes advantage of symbolic links when rewriting URLs, FollowSymLinks must be enabled when using mod_rewrite. If FollowSymLinks is disabled together with mod_rewrite, you will encounter the 500 internal server error.
Note, FollowSymLinks is usually enabled in your server httpd.conf file, so you might not necessarily need to specify that directive in your .htaccess files.
Note, the FollowSymLinks option gets ignored if set inside a <Location> section in your httpd.conf file.
FollowSymLinks and performance
FollowSymLinks is an area in which you need to weigh performance against security and make the decision that makes the most sense in your particular situation.
If FollowSymLinks is NOT set at all, Apache has to issue some extra system calls when looking for a file. For example, if you browse to the /index.html document, Apache would check /www, /www/htdocs, and /www/htdocs/index.html for symbolic links. These additional system calls add to the latency. The system call results are not cached, so they occur on every request.
If you are concerned about performance, then always use Options FollowSymLinks. Options FollowSymLinks permits Apache to follow symbolic links in the manner of most Unix applications, which means that Apache does not even need to check whether the file in question is a symlink. Enable FollowSymLinks by default and disable it where necessary, case by case.
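The following Python model is an added example, not Apache's code and not part of the original article. It reproduces the two behaviours described above: the per-component symlink check made on every request when FollowSymLinks is not set, and the 403 returned when a symlink such as /system/files/images is found. The names serve, build_demo_tree and fs_root are assumptions made for the demo, and the directory tree is constructed in a temporary folder.

```python
import os
import stat
import tempfile


def serve(fs_root, docroot, url_path, follow_symlinks):
    """Model of the file lookup; returns (status, paths_lstat_checked).

    fs_root stands in for "/" so the demo stays inside a temp directory.
    url_path is assumed to be already normalised (no ".." segments).
    """
    rel = os.path.join(docroot, url_path.lstrip("/"))
    checked = []
    if not follow_symlinks:
        # Without FollowSymLinks every component is lstat()ed on each request.
        current = fs_root
        for part in rel.split("/"):
            current = os.path.join(current, part)
            checked.append(os.path.relpath(current, fs_root))
            try:
                mode = os.lstat(current).st_mode
            except FileNotFoundError:
                return 404, checked
            if stat.S_ISLNK(mode):
                return 403, checked  # symlink found: refuse to follow it
    # With FollowSymLinks the OS resolves any links while opening the file.
    full = os.path.join(fs_root, rel)
    return (200 if os.path.isfile(full) else 404), checked


def build_demo_tree():
    """Constructed layout: the image lives in /pictures, reached via a symlink."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    os.makedirs(os.path.join(root, "www/htdocs/system/files"))
    os.makedirs(os.path.join(root, "pictures"))
    for name in ("www/htdocs/index.html", "pictures/image.png"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("demo")
    os.symlink(os.path.join(root, "pictures"),
               os.path.join(root, "www/htdocs/system/files/images"))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path in ("/index.html", "/system/files/images/image.png"):
        for follow in (True, False):
            print(path, "FollowSymLinks" if follow else "no FollowSymLinks",
                  serve(root, "www/htdocs", path, follow))
```

The length of the second element of each result is the number of extra lstat() calls the request cost; it is zero whenever FollowSymLinks is enabled.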
Is there any other setting related to FollowSymLinks?