[Pmwiki-users] more thoughts on .htaccess

Joachim Durchholz
Fri Dec 10 06:48:04 CST 2004

Neil Herber wrote:

> At 2004-12-07 09:12 PM +0100, Joachim Durchholz is rumored to have said:
>> Neil Herber wrote:
>>> I suggest that .htaccess be removed from the default install and that 
>>> the page PmWiki/Security have an entry added that describes how to 
>>> install and activate it on Apache or other servers that use 
>>> .htaccess. (I think both Sambar and Xitami use .htaccess). I am more 
>>> than willing to contribute such a page, but I would want someone like 
>>> Jo Durchholz to check the Apache descriptions.
>> Can do, willing to do :-)
> Jo
> I created a page here:
> http://www.pmwiki.org/wiki/Cookbook/WebServerSecurity
> which does *not* suggest removing .htaccess, but notes that with a 
> default Apache 2 install, it won't work. It also offers suggestions of 
> how to rectify the situation. Your corrections or comments are most 
> welcome!

AllowOverride tells what kinds of directives in a .htaccess file will be 
honored. I.e. "AllowOverride AuthConfig" will allow authentication 
directives in .htaccess files and nothing else.

.htaccess files are read whenever anything in them may be relevant. I.e. 
anything but "AllowOverride None" will make Apache read the .htaccess file.

Note that while I'm glad to offer any help that I can, I'm sceptical 
that the entire issue is worth an entry in the cookbook or even 
discussing it in this list. Easy-to-do optimizations like this one tend 
to pop up over and over, and because it's so simple, almost nobody 
does a realistic effort-to-effect assessment (both for the implementers 
and for the documenters).

Points in particular:

It's another tweak that needs to be documented fully or not at all - and 
documenting it well enough that it's usable and so that installers get a 
full idea of what they're doing requires some work.

It does give a speedup, and it reduces I/O load on the server, since 
those .htaccess accesses require two additional disk hits (one for the 
directory, one for the file itself).
It's a rather dubious change though - if the directory is accessed 
repeatedly, it's quite likely that disk caching will still have the 
directory and file data in RAM, so the effect is even smaller. On the 
other hand, if the directories contain hundreds of files, scanning the 
directory for a given file may require reading two, three, or a dozen 
directory blocks - except if you're using ReiserFS which stores 
directories in a tree structure and doesn't need more than two or three 
disk accesses to find a file.
Disk caching aside, there's the question of how much time a disk access 
actually incurs. Today's hard disks have a latency of some 15 ms... 
which is an order of magnitude less than typical networking latencies in 
the order of 100-300 ms.

It reduces administrative flexibility. I can't easily do a multi-domain 
web server on my machine, as I constantly have to reconfigure httpd.conf 
to adapt to the various web sites' needs. With .htaccess, I can make the 
subsite administrators responsible for their own stuff without having to 
bother with it.

So I see some minimal gain vs. two small-to-medium downsides - and, in 
summary, not worth the effort even though the effort isn't large.

YMMV :-)
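As an added illustration of the AllowOverride behaviour described in the post (not configuration from the thread or from PmWiki itself; all paths and the .htaccess contents are constructed), this contrasts the Apache 2 default, under which a shipped .htaccess is never read, with a setting that reads it but honours only authentication directives:

```apache
# httpd.conf excerpt, constructed for this example; paths are hypothetical.

# Apache 2 default for the document root: no .htaccess is read at all,
# so any .htaccess that PmWiki ships in this tree silently has no effect.
<Directory "/var/www/html">
    AllowOverride None
</Directory>

# Narrowed override for the wiki only (the more specific <Directory>
# wins): Apache now looks for .htaccess on every request under this path,
# but only AuthConfig directives are accepted there.
<Directory "/var/www/html/pmwiki">
    AllowOverride AuthConfig
</Directory>

# /var/www/html/pmwiki/local/.htaccess, constructed for this example.
# These are AuthConfig directives, so they take effect under the block
# above. A "Deny from all" line would need "AllowOverride Limit"; with
# AuthConfig alone Apache rejects the request with a 500 error rather
# than quietly skipping the directive, which makes the misconfiguration
# visible in the error log instead of leaving the directory unprotected.
AuthType Basic
AuthName "PmWiki local configuration"
AuthUserFile /etc/apache2/pmwiki.passwd
Require valid-user
```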
