[Pmwiki-users] more thoughts on .htaccess
Tue Dec 7 05:21:13 CST 2004
Neil Herber wrote:
> I have been reading the Apache 2.0 docs, which is probably a dangerous
> thing ...
Knowledge has always been dangerous :-))
> In the .htaccess tutorial:
> they suggest that to improve performance, all the configuration done
> using per-directory .htaccess files should be moved into the main
> httpd.conf file. The .htaccess file in the PmWiki "local/" directory
> ignores this advice.
Actually the advice goes farther: disable all .htaccess files (via
AllowOverride none) and move everything into httpd.conf.
On a box that serves mostly static content, this advice is sound though
its relevance is limited. Every request to Apache will hit the disk (or
the harddisk cache) in various ways:
* Once for every subdirectory mentioned in the URL,
to check that the next element of the URL path exists.
* Once to check whether a .htaccess file exists. 
* Once to read the contents of the .htaccess file. 
* Once for the final filename in the URL.
* Once for the file contents.
* Once to write the access log.
Disabling .htaccess will spare the accesses marked  and  in that
process. If Apache is serving mostly static contents from a flat
directory structure, Apache will have three disk hits with .htaccess
enabled and a single hit with .htaccess disabled, which is quite a
If you have a deep directory hierarchy, or a PHP site without PHP
precompilation of any form, every HTTP request will cause so many disk
hits that adding another couple of disk hits doesn't really change
There are two massive downsides to putting everything into httpd.conf:
1) Those who live in a shared hosting environment usually don't have
access to httpd.conf. (Actually I wouldn't accept shared hosting on a
box where other users have access to httpd.conf...)
2) You can't simply take the PmWiki file tree from one machine and plug
it onto another machine. You'll always have to take care that you
transplant the corresponding sections of httpd.conf together with it.
The prospect alone is giving me headaches. (Of course, anybody with an
efficiency concern can still copy the .htaccess contents to the
appropriate places in httpd.conf and set AllowOverride=none. Having a
.htaccess in all appropriate subdirectories doesn't limit your options.)
3) PmWiki is doing so much behind the scenes that I don't think that
avoiding .htaccess accesses would really matter. Even if it did matter,
I'd think that obtaining a faster machine is cheaper than the
maintenance issues that putting everything into httpd.conf would involve
- except if you have a mega site and can afford a full-time
administrator or two for it (whom you'd probably need to monitor traffic
and CPU load anyway).
> Should there be similar protection applied to the "uploads/" directory
> to keep people from uploading scripts and executing them?
That's even more important than on the local/ directory. End users don't
have access to local/, but they do have access to uploads/ and can place
arbitrary contents into it.
The standard policy for upload directories is:
1) Don't give out read access to anybody.
2) Have some CGI code that takes the uploads, does any HTML quoting or
whatever is necessary to render the contents harmless, and only after
that copies the content to directories from which the uploads may then
Gunnar Wagenknecht wrote:
> Mhm. If you deny access to the uploads directory nobody can upload
> files to it and nobody can download files from it.
This isn't entirely correct.
I have my Apache boxes set up so that they generally disallow specific
HTTP methods. More precisely, my httpd.conf says:
# HTTP methods that one might want to allow:
# Read-only: GET POST OPTIONS PROPFIND
# Read/write: PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
<Limit GET POST OPTIONS PROPFIND>
<LimitExcept GET POST OPTIONS PROPFIND>
which means that GET, POST, OPTIONS, and PROPFIND are allowed, and that
all other methods (including those that might be invented for future
versions of the HTTP protocol) are forbidden.
Of course, these are only default settings that can be overridden in
subdirectories; i.e. for the upload directory, I have a setting that
says Order deny,allow for the PUT method.
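As an added illustration, not taken from the message above or from the PmWiki distribution, here is how the method policy described above can be combined with a stricter block for the uploads/ directory so that anything a user stores there is served as opaque data and never executed. The path /var/www/pmwiki is an assumption, and the Order/Allow/Deny syntax is the Apache 2.0/2.2 form used in the message (Apache 2.4 replaces it with Require).

```apache
# Added example (assumed PmWiki tree at /var/www/pmwiki).
# Apache 2.0/2.2 syntax; on 2.4 use "Require all granted" / "Require all denied".
<Directory /var/www/pmwiki>
    Options -Indexes -ExecCGI
    AllowOverride None

    # Read-only methods stay open ...
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    # ... every other method, including ones not yet invented, is refused.
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# Configuration directory: nothing in here should ever be served.
<Directory /var/www/pmwiki/local>
    Order deny,allow
    Deny from all
</Directory>

# Upload directory: files are downloadable but never run.
<Directory /var/www/pmwiki/uploads>
    Options -Indexes -ExecCGI -Includes
    AllowOverride None

    # Force the plain file handler so a stray .php/.cgi/.pl name
    # does not pick up a script handler via AddType/AddHandler.
    SetHandler default-handler

    # Belt and braces for mod_php: switch the engine off here entirely.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>

    # Only plain downloads are allowed from this directory; the PmWiki
    # script itself writes uploads here, so no HTTP write method is needed.
    <LimitExcept GET>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

After a change like this, confirm with a request such as `curl -X PUT` or `-X DELETE` against a path under uploads/ that the server answers 403, and that a file named something.php in uploads/ comes back as its raw bytes rather than being interpreted.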