Koozali.org: home of the SME Server

htaccess question/confirmation

Offline ElFroggio

« on: November 09, 2014, 06:01:15 AM »
Hi,

I need to create an .htaccess file for redirections, rewrite rules... The new web site is static, no php, no perl, just straight html.

Can I still use the:
Code:
db accounts setprop ibayname AllowOverride All
to enable it?

I ask because it will be on a production server and the person responsible for that server is not available for the next while.

Thanks

Syv

Offline janet

Re: htaccess question/confirmation
« Reply #1 on: November 09, 2014, 09:20:20 AM »
ElFroggio

For a more secure approach, it is recommended to use a custom template instead of a .htaccess file.
http://wiki.contribs.org/Htaccess
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline DanB35

Re: htaccess question/confirmation
« Reply #2 on: November 09, 2014, 01:22:45 PM »
Yes, you can use the AllowOverride property to enable .htaccess files; the question is whether you should.  Is it a requirement that users (not the server admin) be able to change the contents of the .htaccess file?  If so, and there's a good reason for that requirement, then you'd need to use .htaccess.  If not, everything that could go in .htaccess can also go within a <Directory> ... </Directory> section in your httpd.conf file.  The Apache docs recommend this method primarily for performance reasons, and it's also marginally more secure.
......

Offline ElFroggio

Re: htaccess question/confirmation
« Reply #3 on: November 09, 2014, 04:35:02 PM »
Quote
Yes, you can use the AllowOverride property to enable .htaccess files; the question is whether you should.  Is it a requirement that users (not the server admin) be able to change the contents of the .htaccess file?  If so, and there's a good reason for that requirement, then you'd need to use .htaccess.  If not, everything that could go in .htaccess can also go within a <Directory> ... </Directory> section in your httpd.conf file.  The Apache docs recommend this method primarily for performance reasons, and it's also marginally more secure.

Eventually the admin will do it and not the users (the admin is not available for the next while). But it's not about passwords, just a "whole bunch" of rewrites. No write for any user, only apache:shared and the whole website is just static html files.

Is there a better way of doing the rewrites?

Thanks

Syv

Offline DanB35

Re: htaccess question/confirmation
« Reply #4 on: November 09, 2014, 05:30:06 PM »
The method described at the wiki page Janet cites can be used for any httpd.conf directives.  I thought I'd made some edits to the page to make that clearer, but perhaps it isn't clear enough.

If the directory in question is only admin-writable, then I seriously question whether there's any security difference at all between using a .htaccess file and adding the directives to httpd.conf--I certainly haven't seen any evidence that there's a significant issue, despite a good bit of handwaving.  The Apache docs (http://httpd.apache.org/docs/current/howto/htaccess.html) do recommend avoiding .htaccess files if possible, though.

The wiki article has a lot of stuff about passwords which can obscure the issue, but it boils down to creating a custom httpd.conf template fragment that looks like this:

<Directory /home/e-smith/files/ibays/youribay/html>
RewriteEngine On
RewriteRule whatever
...
</Directory>

Then expand-template /etc/httpd/conf/httpd.conf; service httpd-e-smith restart.
......
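
Added example (not part of the post above or of the SME Server wiki): a shell helper for the approach described in Reply #4, wrapping the directives of an existing .htaccess file in a <Directory> block for a custom httpd.conf template fragment. The function names and the sample rewrite rules are constructed for illustration; the ibay path is the placeholder used in the thread.

```shell
#!/bin/sh
# htaccess_to_fragment HTACCESS_FILE DIRECTORY_PATH
# Prints a <Directory> block containing the directives from HTACCESS_FILE.
# Both .htaccess and <Directory> are per-directory context, so RewriteRule
# patterns carry over unchanged. Returns 1 on unreadable or empty input,
# or when DIRECTORY_PATH is not absolute.
htaccess_to_fragment() {
    src=$1
    dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    case $dir in
        /*) ;;
        *) echo "directory must be an absolute path" >&2; return 1 ;;
    esac
    # Keep directives only: trim whitespace, drop blank lines and comments.
    body=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e '/^$/d' -e '/^#/d' "$src")
    [ -n "$body" ] || { echo "no directives in $src" >&2; return 1; }
    printf '<Directory %s>\n' "$dir"
    printf '%s\n' "$body" | sed 's/^/    /'
    printf '</Directory>\n'
}

# Constructed sample: a small .htaccess with two redirects for a static site.
demo_fragment() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample .htaccess
RewriteEngine On

  RewriteRule ^old-page\.html$ /new-page.html [R=301,L]
RewriteRule ^news/(.*)$ /archive/$1 [R=301,L]
EOF
    htaccess_to_fragment "$tmp" /home/e-smith/files/ibays/youribay/html
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Redirect the output into the custom template fragment, then run the
# expand-template and service restart commands given in the post above.
```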

Offline ElFroggio

Re: htaccess question/confirmation
« Reply #5 on: November 09, 2014, 05:49:54 PM »
Thank you very much for the clarification/confirmation

/Syv

Offline raem

Re: htaccess question/confirmation
« Reply #6 on: November 10, 2014, 03:00:00 AM »
DanB35

Quote
I thought I'd made some edits to the page to make that clearer, but perhaps it isn't clear enough.

Clarity is something that is not always easily achieved, so I had another go at it too!

Following on from your edits, I have significantly re-arranged & improved the text in the htaccess wiki article.
See
http://wiki.contribs.org/Htaccess
...

Offline ElFroggio

Re: htaccess question/confirmation
« Reply #7 on: November 10, 2014, 03:07:02 AM »
Quote
Following on from your edits, I have significantly re-arranged & improved the text in the htaccess wiki article.
See
http://wiki.contribs.org/Htaccess

Perfecto!

Thanks