Apache Directives Reference

Key Apache httpd directives filterable by context and module.

Searchable Apache HTTP Server directive reference with valid context, AllowOverride class, syntax, status flag and providing module — covering RewriteRule, Require, Header, ProxyPass and more. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What does the Override column mean?

It names the AllowOverride class (FileInfo, AuthConfig, Options, Indexes, Limit, All) that must be enabled for a directory before the directive may appear in a .htaccess file. If the class is off, the directive is ignored or causes a 500 error.

Look up Apache httpd directives without the manual

Apache HTTP Server is configured by directives, and each one has rules about where it may appear and whether a .htaccess file can use it. This reference lets you search directives by name, module or description and filter by status, showing the valid context, the AllowOverride class, the syntax and the providing module. It runs entirely in your browser.

How Apache processes configuration

Directives are evaluated in the order they appear, with scope narrowing as Apache walks from the main config down through <VirtualHost>, <Directory>, and finally .htaccess. A directive set in a broader scope can be overridden in a narrower one — but only if the narrower scope has permission. The AllowOverride setting in the parent <Directory> block controls which directive classes .htaccess can touch.

The four main processing contexts:

ContextWhere used
server configOutside any <VirtualHost> or <Directory>
virtual hostInside <VirtualHost> block
directoryInside <Directory>, <Files>, <Location>
.htaccessPer-directory, only if AllowOverride permits

Common directives and their modules

mod_rewrite — URL rewriting. Requires RewriteEngine On before any rules. RewriteCond tests a condition; RewriteRule transforms the matched path.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

mod_headers — Set, append, or unset HTTP response headers.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"

mod_authz_core — Access control (Apache 2.4+). Replaces the old Order/Allow/Deny from mod_access_compat.

Require all granted           # open to everyone
Require ip 10.0.0.0/8        # restrict to a subnet
Require valid-user            # must authenticate

mod_proxy + mod_proxy_http — Reverse proxy to a backend.

ProxyPass "/api/" "http://127.0.0.1:3000/"
ProxyPassReverse "/api/" "http://127.0.0.1:3000/"

Tips for safe config changes

  • Always run apachectl configtest (or httpd -t) before reloading. A syntax error with a live reload takes the server down.
  • Apply with apachectl graceful to reload configuration without dropping existing connections.
  • Prefer main config over .htaccess when you control the server — .htaccess is read on every request and cannot be cached.
  • The AllowOverride class must match. Rewrites need AllowOverride FileInfo; auth directives need AllowOverride AuthConfig. AllowOverride None (the default) silently ignores the entire .htaccess file.