Why you should not use .htaccess (AllowOverride All) in production
Wednesday, 27 February 2013
http://www.eschrade.com/page/why-you-should-not-use-htaccess-allowoverride-all-in-production
Commonly known as .htaccess, AllowOverride is a neat little feature that allows you to tweak the server’s behavior without modifying the configuration file or restarting the server. Personally, I think this is great for development purposes. It allows you to quickly test various server configurations without needing to mess with restarting the server. It helps you be more (buzzword alert!) agile.
Beyond the obvious security problems of allowing configuration modifications in a public document root, there is also a performance impact. With AllowOverride enabled, Apache makes an open() call for a .htaccess file in each parent directory on the path to the requested file.
To demonstrate this I used a program called strace, which traces a process and lists each system call it makes.
First we’ll take a look at the strace with AllowOverride set to None.
Now let’s take a look at the strace results with AllowOverride set to All.
You can clearly see the additional open() calls being made to try and discover the .htaccess file. In this case the calls are completely superfluous because we have nothing there. But even so we have a significant impact on static file throughput.
AllowOverride None
AllowOverride All
The requests with AllowOverride turned off completed in 60% of the time taken by the requests with AllowOverride turned on.
And remember, this is just the impact of file operations and does not take into account the time to reconfigure Apache during the course of these requests.
So the data clearly shows a negative impact from having AllowOverride turned on in a production environment. It will generally be better to take the directives in .htaccess and place them in your httpd configuration file instead.
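To see which directories still permit overrides and which .htaccess lookups a single request triggers, here is an added example that is not part of the original post. The config text and paths are constructed, and the matching is a simplified model: plain `<Directory>` sections only, longest prefix wins, and an unset value is treated as None (the Apache 2.4 default).

```python
import re
from pathlib import PurePosixPath

# Constructed sample config; paths are illustrative, not from the post.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    AllowOverride All
</Directory>
<Directory /var/www/html/static>
    AllowOverride None
</Directory>
"""

def parse_overrides(conf_text):
    """Map each plain <Directory> path to its AllowOverride value."""
    overrides, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
        elif line.lower() == "</directory>":
            current = None
        elif current and line.lower().startswith("allowoverride "):
            overrides[current] = line.split(None, 1)[1]
    return overrides

def effective_override(overrides, directory):
    """Simplified model: the longest matching <Directory> prefix wins."""
    d = PurePosixPath(directory)
    matches = [p for p in overrides
               if d == PurePosixPath(p) or PurePosixPath(p) in d.parents]
    # Assumption: unset means None, the Apache 2.4 default.
    return overrides[max(matches, key=len)] if matches else "None"

def htaccess_probes(overrides, file_path):
    """.htaccess paths the server tries to open while serving file_path."""
    dirs = list(PurePosixPath(file_path).parents)[::-1]  # "/" first
    return [str(d / ".htaccess") for d in dirs
            if effective_override(overrides, d).lower() != "none"]

def risky_directories(overrides):
    """Directories where AllowOverride is anything other than None."""
    return sorted(p for p, v in overrides.items() if v.lower() != "none")
```

Each path returned by `htaccess_probes` is one extra open() per request; an empty list for every served path means the .htaccess directives can live entirely in the main configuration.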
[UPDATE]
In fact Mike Willbanks says you should never do it. I agree with him, but I wouldn’t make as big a stink in dev as I would in prod.