[Pmwiki-users] more thoughts on .htaccess

Joachim Durchholz jo
Tue Dec 7 05:21:13 CST 2004


Neil Herber wrote:
> I have been reading the Apache 2.0 docs, which is probably a dangerous 
> thing ...

Knowledge has always been dangerous :-))

> In the .htaccess tutorial:
> 
> http://httpd.apache.org/docs-2.0/howto/htaccess.html
> 
> they suggest that to improve performance, all the configuration done 
> using per-directory .htaccess files should be moved into the main 
> httpd.conf file. The .htaccess file in the PmWiki "local/" directory 
> ignores this advice.

Actually the advice goes farther: disable all .htaccess files (via 
AllowOverride none) and move everything into httpd.conf.

On a box that serves mostly static content, this advice is sound though 
its relevance is limited. Every request to Apache will hit the disk (or 
the harddisk cache) in various ways:
* Once for every subdirectory mentioned in the URL,
   to check that the next element of the URL path exists.
* Once to check whether a .htaccess file exists. [1]
* Once to read the contents of the .htaccess file. [2]
* Once for the final filename in the URL.
* Once for the file contents.
* Once to write the access log.

Disabling .htaccess will spare the accesses marked [1] and [2] in that 
process. If Apache is serving mostly static contents from a flat 
directory structure, Apache will have three disk hits with .htaccess 
enabled and a single hit with .htaccess disabled, which is quite a 
substantial saving.

If you have a deep directory hierarchy, or a PHP site without PHP 
precompilation of any form, every HTTP request will cause so many disk 
hits that adding another couple of disk hits doesn't really change 
matters much.

There are two massive downsides to putting everything into httpd.conf:
1) Those who live in a shared hosting environment usually don't have 
access to httpd.conf. (Actually I wouldn't accept shared hosting on a 
box where other users have access to httpd.conf...)
2) You can't simply take the PmWiki file tree from one machine and plug 
it onto another machine. You'll always have to take care that you 
transplant the corresponding sections of httpd.conf together with it. 
The prospect alone is giving me headaches. (Of course, anybody with an 
efficiency concern can still copy the .htaccess contents to the 
appropriate places in httpd.conf and set AllowOverride=none. Having a 
.htaccess in all appropriate subdirectories doesn't limit your options.)
3) PmWiki is doing so much behind the scenes that I don't think that 
avoiding .htaccess accesses would really matter. Even if it did matter, 
I'd think that obtaining a faster machine is cheaper than the 
maintenance issues that putting everything into httpd.conf would involve 
- except if you have a mega site and can afford a full-time 
administrator or two for it (whom you'd probably need to monitor traffic 
and CPU load anyway).

> Should there be similar protection applied to the "uploads/" directory 
> to keep people from uploading scripts and executing them?

Most definitely!!!
That's even more important than on the local/ directory. End users don't 
have access to local/, but they do have access to uploads/ and can place 
arbitrary contents into it.
The standard policy for upload directories is:
1) Don't give out read access to anybody.
2) Have some CGI code that takes the uploads, does any HTML quoting or 
whatever is necessary to render the contents harmless, and only after 
that copies the content to directories from which the uploads may then 
be served.

Gunnar Wagenknecht wrote:
 > Mhm. If you deny access to the uploads directory nobody can upload
 > files to it and nobody can download files from it.

This isn't entirely correct.
I have my Apache boxes set up so that they generally disallow specific 
HTTP methods. More precisely, my httpd.conf says:

<Location />
   # HTTP methods that one might want to allow:
   # Read-only: GET POST OPTIONS PROPFIND
   # Read/write: PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
   <Limit GET POST OPTIONS PROPFIND>
     Order deny,allow
   </Limit>
   <LimitExcept GET POST OPTIONS PROPFIND>
     Order allow,deny
   </LimitExcept>
</Location>

which means that GET, POST, OPTIONS, and PROPFIND are allowed, and that 
all other methods (including those that might be invented for future 
versions of the HTTP protocol) are forbidden.
Of course, these are only default settings that can be overridden in 
subdirectories; i.e. for the upload directory, I have a setting that 
says Order deny,allow for the PUT method.

Regards,
Jo



More information about the pmwiki-users mailing list