| home / internet / security / apache / chap5 / 3 | [previous] [next] |
|
|
We experimented with putting configuration directives in a file called ... /htdocs/.htaccess rather than in httpd.conf. It worked, but how do you decide whether to do things this way rather than the other?
The point of the .htaccess mechanism is that you can change configuration directives without having to restart the server. This is especially valuable on a site where a lot of people maintain their own home pages but are not authorized to bring the server down or, indeed, to modify its Config files. The drawback to the .htaccess method is that the files are parsed for each access to the server, rather than just once at startup, so there is a substantial performance penalty.
The httpd1.conf (from ... /site.htaccess) file contains the following:
User webuser
Group webgroup
ServerName www.butterthlies.com
AccessFileName .myaccess
ServerAdmin sales@butterthlies.com
DocumentRoot /usr/www/APACHE3/site.htaccess/htdocs/salesmen
ErrorLog /usr/www/APACHE3/site.htaccess/logs/error_log
TransferLog /usr/www/APACHE3/site.htaccess/logs/access_log
ServerName sales.butterthlies.com
Access control, as specified by AccessFileName, is
now in ... /htdocs/salesmen/.myaccess:
AuthType Basic
AuthName darkness
AuthUserFile /usr/www/APACHE3/ok_users/sales
AuthGroupFile /usr/www/APACHE3/ok_users/groups
require group cleaners
If you run the site with ./go 1 and access
http://sales.butterthlies.com /, you are asked
for an ID and a password in the usual way. You had better be
daphne or sonia if you want
to get in, because only members of the group
cleaners are allowed.
You can then edit ... /htdocs/salesmen/.myaccess
to require group directors instead.
Without reloading Apache, you now have to be
bill or ben.
AccessFileName gives authority to the files
specified. If a directory is given, authority is given to all files
in it and its subdirectories.
AccessFileName filename, filename|direcory and subdirectories ...
Server config, virtual host
Include the following line in httpd.conf:
AccessFileName .myaccess1, myaccess2 ...
Restart Apache (since the AccessFileName has to be
read at startup). You might expect that you could limit
AccessFileName to .myaccess
in some particular directory, but not elsewhere. You
can't — it is global (well, more global than
per-directory). Try editing ... /conf/httpd.conf
to read:
<Directory /usr/www/APACHE3/site.htaccess/htdocs/salesmen>
AccessFileName .myaccess
</Directory>
Apache complains:
Syntax error on line 2 of /usr/www/APACHE3/conf/srm.conf: AccessFileName not allowed
here
As we have said, this file is found and parsed on each access, and this takes time. When a client requests access to a file /usr/www/APACHE3/site.htaccess/htdocs/salesmen/index.html, Apache searches for the following:
/.myaccess
/usr/.myaccess
/usr/www/APACHE3/.myaccess
/usr/www/APACHE3/site.htaccess/.myaccess
/usr/www/APACHE3/site.htaccess/htdocs/.myaccess
/usr/www/APACHE3/site.htaccess/htdocs/salesmen/.myaccess
This multiple search also slows business down. You can turn multiple searching off, making a noticeable difference to Apache's speed, with the following directive:
<Directory />
AllowOverride none
</Directory>
It is important to understand that / means the real, root directory (because that is where Apache starts searching) and not the server's document root.
| home / internet / security / apache / chap5 / 3 | [previous] [next] |
Created: March 10, 2003
Revised: March 10, 2003
URL: http://webreference.com/internet/apache/chap5/3/6.html