It is widely known that, if virtual hosts in Apache (httpd) are configured to permit vhost administrators to override specific configuration options at the directory level using htaccess files, the web server spends time on every request checking whether an htaccess file exists in each directory of the requested path and parsing any it finds. On the other hand, many popular web applications rely on htaccess files, especially the one in the DocumentRoot, to implement pretty URLs or HTTP redirections, which is extremely convenient since the virtual host owner does not have to edit httpd's configuration directly. So, I had the idea to include the htaccess file of the DocumentRoot directory on the filesystem into the virtual host's configuration.
Suppose we have the /home/example.org/public_html/ directory on the filesystem, which serves as the document root of our virtual host. The relevant httpd configuration for that vhost would look like this:
    <VirtualHost 123.123.123.123:80>
        ServerName example.org:80
        ...
        DocumentRoot /home/example.org/public_html
        <Directory /home/example.org/public_html>
            AllowOverride All
            ...
        </Directory>
        ...
    </VirtualHost>
In order to prevent the htaccess lookups on the filesystem without losing the htaccess functionality, at least at the DocumentRoot level, I transformed the configuration to the following:
    <VirtualHost 123.123.123.123:80>
        ServerName example.org:80
        ...
        DocumentRoot /home/example.org/public_html
        <Directory /home/example.org/public_html>
            AllowOverride None
            Include /home/example.org/public_html/.htaccess
            ...
        </Directory>
        ...
    </VirtualHost>
Let’s see what we have accomplished with this:
- httpd does not waste any time looking for and parsing htaccess files (AllowOverride None disables the lookup entirely), resulting in faster request processing,
- the virtual host administrator can still override the configuration options of the document root manually or through the web interface of the web application, with one practical difference: Include is evaluated when httpd loads its configuration, so an edit to the file takes effect only after a reload, and a syntax error in it now stops the whole server from starting or reloading instead of producing a 500 error for that directory alone.
Seems like a win-win situation, performance- and functionality-wise.
But, as usual, there is no win-win situation without a downside. In this case, the above trick weakens the server’s security. Let’s see how.
Although the configuration of a directory can be set in both httpd.conf and the directory's htaccess file, not all directives can be used in both contexts. htaccess files support only a subset of the directives that can be used in the Directory context within httpd.conf; a directive outside that subset is rejected when it appears in a real htaccess file (httpd answers 500 and logs that the directive is "not allowed here"). By including the htaccess file in httpd's configuration, the vhost admin is no longer restricted to that subset: the file's lines are processed exactly as if they had been typed inside the <Directory> block, so directives whose context is "directory" but not ".htaccess", such as ProxyPass, Dav, Include and even AllowOverride itself, are now honoured.
This means that, with the above configuration, the virtual host administrator is granted more privileges over the configuration of the virtual host. It also means that an attacker who exploits a vulnerability in the web application gains the same privileges as soon as they obtain write access to that htaccess file, and a web application that edits its own htaccess file from its web interface necessarily already has that write access.
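To make the escalation concrete, here is an added example that is not code from the original post: a small shell check that flags, in a vhost's htaccess file, the directives whose Apache context is "directory" but not ".htaccess", which are exactly the ones that change meaning once the file is pulled in with Include. The directive list is taken from the Apache 2.4 directive reference (extend it for third-party modules you load); the sample htaccess contents, the internal host 10.0.0.5 and the /home/example.org paths are constructed assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the original post): pre-deployment check for the
# "Include the DocumentRoot htaccess" trick. Every directive listed here is
# rejected in a real htaccess file (500, "not allowed here") but becomes fully
# effective once the file is read inside a <Directory> block via Include.
DIRECTORY_ONLY_DIRECTIVES="AllowOverride AllowOverrideList Include IncludeOptional
ProxyPass ProxyPassMatch ProxyPassReverse Dav Script Alias ScriptAlias"

# check_htaccess_for_include FILE
# Prints "FILE:LINE: DIRECTIVE ..." for every offending line; returns 1 if any
# were found, 0 if the file only uses directives that are legal in htaccess.
check_htaccess_for_include() {
    file="$1"
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop leading whitespace; skip blank lines and comments.
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            ''|\#*) continue ;;
        esac
        # The first word is the directive name; httpd matches it case-insensitively.
        directive=$(printf '%s' "$stripped" | awk '{print $1}')
        lower=$(printf '%s' "$directive" | tr '[:upper:]' '[:lower:]')
        for d in $DIRECTORY_ONLY_DIRECTIVES; do
            if [ "$lower" = "$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')" ]; then
                printf '%s:%d: %s is rejected in an htaccess file but honoured once the file is Included\n' \
                    "$file" "$lineno" "$directive"
                found=1
            fi
        done
    done < "$file"
    return "$found"
}

# Constructed sample files (hypothetical vhost content) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# What a CMS typically ships: legal in htaccess, and unchanged by the Include trick.
cat > "$SAMPLE_DIR/htaccess.clean" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
EOF

# What someone with write access could append once the file is Included.
cat > "$SAMPLE_DIR/htaccess.escalated" <<'EOF'
RewriteEngine On
# Turns the vhost into a reverse proxy towards an internal host (directory context only).
ProxyPass /internal/ http://10.0.0.5/
# Re-enables the per-directory htaccess lookups the Include was meant to avoid.
allowoverride All
# Pulls further files of the admin's choosing into the server configuration parse.
Include /home/example.org/private/*.conf
EOF

# Stand-alone run: report on both files without aborting on the failing one.
for f in "$SAMPLE_DIR/htaccess.clean" "$SAMPLE_DIR/htaccess.escalated"; do
    if check_htaccess_for_include "$f"; then
        echo "$f: safe to Include"
    else
        echo "$f: do NOT Include this file as-is"
    fi
done
```

The check is deliberately a denylist of known directory-only directives rather than a full parser, so it catches the obvious escalations (reverse proxying, WebDAV, nested Include, re-enabling AllowOverride) but not a directive you forgot to list; after any change to an Included file, still run apachectl configtest before reloading, since a parse error in that file now blocks the whole server from reloading.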
So, although this trick may seem like a good idea at first, it is in fact a rather bad idea and should never be used in production, unless you trust the virtual host administrator and the web application. I do not intend to use such a configuration and I do not recommend it. There are by far better ways to speed up Apache.
Speed up Apache by including htaccess files into httpd.conf by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2011 - Some Rights Reserved