httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <>
Subject Re: [users@httpd] Hardening Apache against attacks
Date Wed, 27 Oct 2010 01:06:01 GMT

----- "Jason Nunnelley" <> wrote:

> > Why .htaccess? Security tip #1 should be 'disable .htaccess'.
> Performance
> > tip #1 too.
> I'm not running a vhost clients can control. I'm running a vhost for
> production sites my dev team manages, and I don't always want my dev
> team restarting Apache to make changes. Also, .htaccess is in version
> control (along with all other important app and config files). Aside
> from the chance your users will modify .htaccess, why would you
> disallow .htaccess? I assume disallowing overrides allows you to set
> permissions and behavior in stone. But, it sure makes for a nice tool
> to handle redirect changes, new file type restrictions, etc.

.htaccess kills performance. As simple as that.
Enabling .htaccess means that httpd has to stat(2) each directory
along the way until it hits the resource you're asking for:

stat("/.htaccess", 0x1230fe) = ENOENT
stat("/srv/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/www/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/www/htdocs/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/www/htdocs/index.html", 0x1230fe) = 0

For each request.
That adds up.

Now, if you where to put complex rules in your .htaccess, it
also means that those have to be merged - for each request.

> --
> Jason N


Igor Galić

Tel: +43 (0) 664 886 22 883

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message