Re: Hardening Apache against attacks

----- "Jason Nunnelley" <jason@xxxxxxxxxx> wrote:

> > Why .htaccess? Security tip #1 should be 'disable .htaccess'. Performance
> > tip #1 too.
> 
> I'm not running a vhost clients can control. I'm running a vhost for
> production sites my dev team manages, and I don't always want my dev
> team restarting Apache to make changes. Also, .htaccess is in version
> control (along with all other important app and config files). Aside
> from the chance your users will modify .htaccess, why would you
> disallow .htaccess? I assume disallowing overrides allows you to set
> permissions and behavior in stone. But, it sure makes for a nice tool
> to handle redirect changes, new file type restrictions, etc.

.htaccess kills performance. As simple as that.
Enabling .htaccess means that httpd has to stat(2) each directory
along the way until it hits the resource you're asking for:

stat("/.htaccess", 0x1230fe) = ENOENT
stat("/srv/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/www/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/www/htdocs/.htaccess", 0x1230fe) = ENOENT
stat("/srv/web/domain.tld/www/htdocs/index.html", 0x1230fe) = 0

For each request.
That adds up.

Now, if you were to put complex rules in your .htaccess, it
also means that those have to be merged - for each request.

> --
> 
> Jason N

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
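
The per-request lookups listed in the message above, as an added example that is not part of the original thread: a simplified Python model of which `.htaccess` files httpd probes for one resource, depending on where `AllowOverride` is enabled. The function names and the `overrides` mapping are hypothetical, and the model assumes plain-path `<Directory>` sections only (no wildcards or regex), with the longest matching section deciding.

```python
import posixpath

# Resource path taken from the trace in the message above.
RESOURCE = "/srv/web/domain.tld/www/htdocs/index.html"


def _override_enabled(directory, overrides, default):
    """Effective AllowOverride for one directory: longest matching section wins."""
    best, enabled = -1, default
    for section, allowed in overrides.items():
        section = posixpath.normpath(section)
        inside = (section == "/" or directory == section
                  or directory.startswith(section + "/"))
        if inside and len(section) > best:
            best, enabled = len(section), allowed
    return enabled


def htaccess_probes(resource, overrides, default=False):
    """Return the .htaccess paths looked up on every request for `resource`.

    `overrides` maps a <Directory> path to True (AllowOverride enabled) or
    False (AllowOverride None). `default` applies where no section matches;
    False mirrors the httpd 2.4 default of AllowOverride None.
    """
    directory = posixpath.dirname(posixpath.normpath(resource))
    parts = [p for p in directory.split("/") if p]
    # Directory walk from the filesystem root down to the resource's directory.
    walk = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    return [posixpath.join(d, ".htaccess") for d in walk
            if _override_enabled(d, overrides, default)]


if __name__ == "__main__":
    configs = {
        "overrides enabled from /": {"/": True},
        "enabled for htdocs only": {"/": False,
                                    "/srv/web/domain.tld/www/htdocs": True},
        "AllowOverride None everywhere": {"/": False},
    }
    for label, overrides in configs.items():
        probes = htaccess_probes(RESOURCE, overrides)
        print(f"{label}: {len(probes)} lookup(s) per request")
        for path in probes:
            print("   ", path)
```

Scoping `AllowOverride` to the one directory that needs it cuts the six lookups in the trace to one, and `AllowOverride None` everywhere removes them.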



