We experimented with putting configuration directives in a file called ... /htdocs/.htaccess rather than in httpd.conf. It worked, but how do you decide whether to do things this way rather than the other?
The point of the .htaccess mechanism is that you can change configuration directives without having to restart the server. This is especially valuable on a site where a lot of people are maintaining their own home pages but are not authorized to bring the server down or, indeed, to modify its Config files. The drawback to the .htaccess method is that the files are parsed for each access to the server, rather than just once at startup, so there is a substantial performance penalty.
The httpd.conf (from ... /site.htaccess) file contains the following:
User webuser
Group webgroup
ServerName www.butterthlies.com
AccessFilename .myaccess
ServerAdmin [email protected]
DocumentRoot /usr/www/site.htaccess/htdocs/customers
ErrorLog /usr/www/site.htaccess/logs/customers/error_log
TransferLog /usr/www/site.htaccess/logs/customers/access_log
ScriptAlias /cgi-bin /usr/www/cgi-bin

<VirtualHost sales.butterthlies.com>
ServerAdmin [email protected]
DocumentRoot /usr/www/site.htaccess/htdocs/salesmen
ServerName sales.butterthlies.com
ErrorLog /usr/www/site.htaccess/logs/salesmen/error_log
TransferLog /usr/www/site.htaccess/logs/salesmen/access_log
ScriptAlias /cgi-bin /usr/www/cgi-bin

#<Directory /usr/www/site.htaccess/htdocs/salesmen>
#AuthType Basic
#AuthName darkness
#AuthUserFile /usr/www/ok_users/sales
#AuthGroupFile /usr/www/ok_users/groups
#require valid-user
#require group cleaners
#</Directory>

<Directory /usr/www/cgi-bin>
AuthType Basic
AuthName darkness
AuthUserFile /usr/www/ok_users/sales
AuthGroupFile /usr/www/ok_users/groups
#either flat files - above - or DBM below
#AuthDBMUserFile /usr/www/ok_dbm/sales
#AuthDBMGroupFile /usr/www/ok_dbm/groups
</Directory>
</VirtualHost>
Notice that the security part of the salespeople's section has been commented out in ... /httpd.conf. The following lines, which were part of it, are found in ... /htdocs/salesmen/.myaccess:
AuthType Basic
AuthName darkness
AuthUserFile /usr/www/ok_users/sales
AuthGroupFile /usr/www/ok_users/groups
#require valid-user
require group cleaners
If you run the site with ./go and access http://sales.butterthlies.com/, you are asked for an ID and a password in the usual way. You had better be daphne or sonia if you want to get in, because only members of the group cleaners are allowed. It has to be said, though, that Netscape got into a tremendous muddle over passwords, and the only reliable way to make sure that it was really doing what it claimed was to exit and reload it before each test.
Now, if by way of playfulness, we rename ... /htdocs/salesmen/.myaccess to .noaccess and retry, without restarting Apache, we should find that password control has disappeared. This makes the point that Apache parses this file each time the directory is accessed, not just at startup.
If you decide to go this route, there are a number of things that can be done to make the way smoother. For example, the name of the control file can be changed (as we did earlier) with the AccessFileName directive in the file httpd.conf.
AccessFileName filename, filename ...
Server config, virtual host
AccessFileName gives authority to the files specified: Apache treats files with these names as per-directory control files. Include the following line in httpd.conf:
AccessFileName .myaccess1, myaccess2 ...
Restart Apache (since the AccessFileName has to be read at startup) and then restart your browser to get rid of password caching. When you reaccess the site, password control has reappeared.
You might expect that you could limit AccessFileName to .myaccess in some particular directory, but not elsewhere. You can't -- it is global (well, more global than per-directory). Try editing ... /conf/httpd.conf to read:
<Directory /usr/www/site.htaccess/htdocs/salesmen>
AccessFileName .myaccess
</Directory>
Apache complains:
Syntax error on line 2 of /usr/www/conf/srm.conf:
AccessFileName not allowed here
As we have said, this file is found and parsed on each access, and this takes time. When a client requests access to a file /usr/www/site.htaccess/htdocs/salesmen/index.html, Apache searches for the following:
/.myaccess
/usr/.myaccess
/usr/www/.myaccess
/usr/www/site.htaccess/.myaccess
/usr/www/site.htaccess/htdocs/.myaccess
/usr/www/site.htaccess/htdocs/salesmen/.myaccess
This multiple search also slows business down. You can turn multiple searching off, and make a noticeable difference to Apache's speed, with the following directive:
<Directory />
AllowOverride none
</Directory>
It is important to understand that "/" means the real, root directory (because that is where Apache starts searching) and not the URL.
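The following Python sketch is an added example, not code from the book or from Apache. It models the lookup described above: which control files are searched for, and what changes once AllowOverride none is set on the real root. Assumptions: the function names are hypothetical, the default override is taken to be All (which matches the six-path search listed above), the longest matching <Directory> path decides, and AllowOverride AuthConfig is used as the setting that re-enables the authentication directives for one directory.

```python
import posixpath

def effective_override(directory, sections, default="All"):
    """AllowOverride in force for `directory`: the longest matching
    <Directory> path wins (simplified model; no wildcards or regexes)."""
    best_len, value = -1, default
    for sec_path, override in sections.items():
        sec = sec_path.rstrip("/") or "/"
        inside = sec == "/" or directory == sec or directory.startswith(sec + "/")
        if inside and len(sec) > best_len:
            best_len, value = len(sec), override
    return value

def candidate_access_files(requested_file, names=(".myaccess",), sections=None):
    """Control-file paths the server would look for, root directory first."""
    sections = sections or {}
    parts = [p for p in posixpath.dirname(requested_file).split("/") if p]
    directories = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    found = []
    for d in directories:
        if effective_override(d, sections).lower() == "none":
            continue  # overrides disabled here: no lookup, file is ignored
        found.extend(posixpath.join(d, n) for n in names)
    return found

# Paths taken from the page's example site.
REQUEST = "/usr/www/site.htaccess/htdocs/salesmen/index.html"
SALESMEN = "/usr/www/site.htaccess/htdocs/salesmen"

if __name__ == "__main__":
    cases = [
        ("no AllowOverride set", {}),
        ("<Directory /> AllowOverride none", {"/": "none"}),
        ("root none, salesmen AuthConfig", {"/": "none", SALESMEN: "AuthConfig"}),
    ]
    for label, secs in cases:
        print(label)
        for path in candidate_access_files(REQUEST, sections=secs):
            print("   ", path)
```

The second case returns no paths at all: with overrides off at the root and nothing re-enabling them, ... /htdocs/salesmen/.myaccess is no longer read, so the password control it carries disappears just as it did in the rename experiment. The third case keeps that one file in force while dropping the other five lookups.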
Copyright © 2001 O'Reilly & Associates. All rights reserved.