httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <>
Subject Re: htaccess support
Date Mon, 27 Sep 2010 14:09:53 GMT

----- "Rich Bowen" <> wrote:

> On Sep 27, 2010, at 7:44 AM, Igor Galić wrote:
> Hi folks,
> I remotely remember that we briefly touched this topic on IRC, but I'd
> really like to
> bring this to the lists attention:
> .htaccess is one of the features that have guaranteed httpd's success
> in the past, and
> at the same time it's the single biggest clutch imaginable. It's a
> support nightmare,
> exploit vector and a performance bottleneck.
> Most competing products don't have such a thing either, and if needed,
> solve it via
> scripting:
> (first hit in google, I'm sure you can do better)
> I'd like to discuss the possibility to either disable the use of
> .htaccess at
> compile time, or alternatively concentrate it into a module.
> With mod_lua in place, people who chose to, could use yet a different
> way for
> per-dir configs, I suppose...
> As much as we dislike .htaccess files, they certainly seem to be a
> necessary evil. You *can* disable them (although not at compile time),
> but this is simply not an option for many folks. Educating them when
> it's better to use the main config than .htaccess files is the job of
> documentation, and we've done a somewhat poor job of that. Perhaps
> that can be improved. The largest problem here is the *HUGE* number of
> third-party sites peddling bad advice, and I honestly have no idea how
> to address that problem.

Whenever we encounter someone on IRC or users@ trying to abuse
.htaccess we educate them, but this isn't so effective, given the fact that
> It's been frequently suggested that .htaccess files could be improved
> via some kind of "cache and only reload if the timestamp has changed"
> mechanism, but in my benchmarking, simply stat'ing a .htaccess file
> (even in cases when there's no file there to begin with) accounts for
> an awful lot of the performance hit of "AllowOverride All", so I don't
> know whether this would really be a solution.

AllowOverride All is actually the default.

> For the most part, folks who need to use .htaccess files are not in a
> position to really do much in the way of performance tuning, and vice
> versa.
> --
> Rich Bowen

Igor Galić

Tel: +43 (0) 664 886 22 883

View raw message