21 comments

[ 81.8 ms ] story [ 375 ms ] thread
The most important thing when it comes to web server configuration is to have a testing setup you understand and that is fully under you're control. That goes twice for working with mod_rewrite.

My recommendation: use only curl -I so caching is ruled out as a problem source. Use a virtual machine that you can reprovision quickly and reliably. Crank up the log level to debug in you apache config. And don't give up!

While I think this is a very valuable resource, and patterns are always welcome by me, it should be noted that the Apache docs recommend against using .htaccess files due to the performance penalty.

From the docs (http://httpd.apache.org/docs/current/howto/htaccess.html):

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

These snippets should all be fine to go straight into a directory block, so it's still a really good resource,
Are you sure this is true also for the Rewrite Rules?
For some hosting situations, the only control you would have would be through the .htaccess file.
You can make good http(s) firewalls (albeit not fast as a IP one) against threats.

Needs to add more to this, especially configs against SQL injections and other hacks.

Actually, I dont' think that is the webserver's job.

Relying on your webserver to protect you against SQL injection is probably not what you want to do. The webserver has no knowledge at all about what kind of program you run behind it. You would need to teach it everything about what you're doing.

Seriously, you are much better off just using prepared statements everywhere than trying to teach a webserver the finer points of your particular combination of SQL and the language you use. It's like parsing HTML with regular expressions. It might hold up for a while or for certain tasks, but will explode quite unexpectedly at some later point.

That's true, but sometimes (especially with completely naive or old PHP) 'using prepared statements everywhere' means 'rewriting everything.' In those cases, htaccess might be the only flexible option you have until you can.
Consider ModSecurity with the Core Rule Set (or Trustwave Commercial Rule Set) instead of attempting to repurpose .htaccess files as a substitute WAF.
(comment deleted)
(comment deleted)
Thank You :-) Please make nginx one now in similar style and categories. ^_^
Nice, this is very useful, thanks!