GuidesUsing .htaccess Files with Apache Page 5

Using .htaccess Files with Apache Page 5




As shown above, the AllowOverride directive takes a
whitespace-separated list of category names as its argument.

Be Aware of What You’re Granting

By allowing the use of .htaccess files in user (or
customer or client) directories, you’re essentially extending a
bit of your Webmaster privileges to anyone who can edit those
files. So if you choose to do this, you should consider
occasionally performing an audit to make sure the files are
appropriately protected — and, if you’re really ambitious,
that they contain only settings of which you approve.

Because of the very coarse granularity of the possible override
categories, it’s quite possible that by granting a user the
aility to override one set of directives you’re inadvertently
delegating more power than you anticipate. For instance,
you might want to include a “AllowOverride FileInfo
directive for user directories so that individuals can use the
AddType directive to label documents with MIME
types that aren’t in the server-wide list — but were you aware
when you did this that you were also giving them access to the
Alias, Header, Action, and
Rewrite* directives as well? Directives are
associated with override categories on a per-module
basis, so tracking down what’s permitted by allowing a particular
category of override can be a tedious process.

The ultimate answer to what directives are in which categories is
the source code. If you really want to know, examine the
source for the following strings:

String Corresponding AllowOverride Keyword
OR_AUTHCFG AllowOverride AuthConfig
OR_FILEINFO AllowOverride FileInfo
OR_INDEXES AllowOverride Indexes
OR_LIMIT AllowOverride Limit
OR_OPTIONS AllowOverride Options

(See the
previous section
for a description of what the different override categories mean.)

As you can see, with the exception of the AuthConfig/AUTHCFG keywords,
the source keywords are identical to the directive keywords. This
is convenient!

Putting It All Together

Before enabling .htaccess files, consider the
advantages and disadvanteges. On servers I run myself, with
no users, I tend to use .htaccess files for
testing and debugging, and when I have a configuration I
like, I move the directives into a
container in the httpd.conf file and delete the
.htaccess file. For this reason, I have
overrides enabled just about everywhere. This allows me to balance
the convenience of .htaccess files against
their performance impact.

On some of my servers I have some user accounts for people
I know and trust, and in those environments I’m more
cautious and don’t allow all overrides globally. I do
tend to allow whatever overrides my friends need for their
own directories, though.

And in some cases I have real ‘user’ accounts, for people I
do not know as well — and on those servers
AllowOverride None is the rule. I
occasionally allow .htaccess files in their
private directories, but I carefully audit the possible
effects before granting an override category.

Latest Posts

Related Stories