httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: Authentication API
Date Wed, 17 Jul 1996 21:04:23 GMT
  And a bunch of other modules that are floating about out there are also
  configurable on a per directory basis.  I think a completely general
  case would be a good idea.  Limiting the configurability to just a few
  known modules will just frustrate everyone.

Absolutely.

  My first shot at writing mod_info was to try to walk through the currently
  loaded internal configurations of all modules.  This proved to be impossible
  both because I couldn't actually get at all the data, and also because the
  configurations could change on a per-directory basis.  I would have had to
  choose a directory and see what the different configurations were in that
  particular case.  Instead, I made it parse the startup configuration files
  and only report on those.  Taking mod_info and making it parse .htaccess
  files in individual directories would be trivial.  The hard part would
  be writing the code to allow you to edit and write back changes.

Actually, I'm not sure the problems of uploading .htaccess files are
all that much worse than the problems of uploading anything else
(though there is the awkward problem of managing auxiliary files such
as .htaccess and .htpasswd in addition).  In each case, you have to
verify that this *particular* client has the right to update the
server's contents.  (The main problem is that it doesn't fit terribly
well with our current access control model --- one possibility is to
have the script under its own access control rules, and have a rules
database which would allow the config script to determine whether a
particular REMOTE_USER was authorized to update the configuration of a
particular <Directory> or <Location> --- FWIW, Location might well be
a better way to do it). 

Regarding changes to the server --- if it's just editing .htaccess
files, I'm not convinced I see the need for any.  If we stick things
in a ConfigDir or something like that instead, we would need a way to
get the server to read the updated config files without causing
terribly obnoxious consequences.  This would require changes to the
server --- however, I think "gentle restart", which we seem to be
drifting towards for other reasons anyway, would take care of the
worst of them (assuming that config updates are not extremely frequent
events).  Even if not, working on ways to make gentle restart gentler
(e.g., having a thread in each copy of a threaded server reread the
new config while requests are served in the meantime with the old one)
might be easier than reasonable alternatives.

rst
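The rules-database check described in the message above, sketched as an added example (not part of the original message and not Apache code). The rules table, user names, and function names are hypothetical; it assumes the config script receives an authenticated REMOTE_USER and the Location path it is asked to reconfigure.

```python
import posixpath
from urllib.parse import unquote

# Constructed rules database (hypothetical): REMOTE_USER -> <Location>
# prefixes whose configuration that user is allowed to update.
RULES = {
    "alice": ["/projects/alpha"],
    "bob": ["/projects", "/docs/bob"],
}

def normalize_location(raw):
    """Return the canonical absolute URL path, or None if it cannot be trusted."""
    path = unquote(raw)  # decode exactly once
    # Reject relative paths, NUL bytes, backslashes, and anything still
    # percent-encoded after one decode (double-encoding).
    if not path.startswith("/") or any(c in path for c in "\x00\\%"):
        return None
    norm = posixpath.normpath(path)  # collapses ".", ".." and repeated "/"
    if norm.startswith("//"):  # normpath keeps exactly two leading slashes
        norm = "/" + norm.lstrip("/")
    return norm

def authorized_target(remote_user, location, rules=RULES):
    """Return the canonical Location the user may update, else None.

    The caller must act on the returned path, never on the raw input,
    so the check and the write refer to the same directory.
    """
    if not remote_user:  # unauthenticated request
        return None
    target = normalize_location(location)
    if target is None:
        return None
    for prefix in rules.get(remote_user, []):
        prefix = prefix.rstrip("/") or "/"
        # Match on whole path segments: /projects/alpha must not
        # authorize /projects/alphabet.
        if prefix == "/" or target == prefix or target.startswith(prefix + "/"):
            return target
    return None
```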
