I have a set of Apache configuration settings (in apache.conf) contained within a <Directory /srv/*/public> block which are intended to apply to any public directory.
However, for some of the sites hosted on this server, the public directory is nested one level deeper (so the required path would be /srv/*/app/public), and the directives in the Directory block are therefore not applied to those sites, even though I'd like them to be.
I don't want to duplicate the contents of the whole Directory block (it contains quite a lot of directives), but I can't find any way to apply it to two separate paths, and Apache's docs suggest that no use of wildcards can match paths of different depths (since the * doesn't match a /).
What's the best way to do this?
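For illustration, the setup is essentially this (paths as in the question). One commonly suggested workaround, offered here only as an untested sketch, is a regex-based <DirectoryMatch>, which, unlike the wildcard form, can span both depths; note though that some directives (AllowOverride, for instance) are only permitted in non-regex <Directory> sections:

# The * matches a single path component, so this cannot reach /srv/*/app/public:
<Directory /srv/*/public>
    # ... many directives ...
</Directory>

# A regex section can match both depths (hypothetical pattern):
<DirectoryMatch "^/srv/[^/]+(/app)?/public">
    # ... the same directives, where they are allowed in a regex section ...
</DirectoryMatch>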
My hosting allows the use of .htaccess files, since the main configuration files are not available to me.
I'm aware of the performance hit that override files incur, though, so I was thinking: if Apache provided a mode for having a single .htaccess file, wouldn't that be faster than having to check for multiple .htaccess files, whilst still maintaining the convenience?
If Apache provided a mode for having a single .htaccess file
Well, not a "mode" as such, but you could achieve this by allowing .htaccess for the parent directory (the root directory, or even one above the document root) and disabling the use of .htaccess files in all subdirectories. The .htaccess file in the parent directory will still apply.
Realistically (if indeed this is at all "realistic"), you would probably need to enable .htaccess for the directory above the document root and disable .htaccess in the document root and below, rather than enabling .htaccess for the document root itself. Otherwise, if you enable .htaccess for the document root, you have to disable .htaccess for each subdirectory individually, and if you add more subdirectories, the server config needs to be updated accordingly. (The AllowOverride directive is only allowed in non-regex <Directory> containers, not in <DirectoryMatch> containers.) However, this might not be possible on some shared hosting environments (there might not be an "above the document root"), and it could impact the installation of some CMSs.
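For example (a minimal sketch, assuming a hypothetical layout where the document root is /var/www/html and /var/www sits above it), the server config would enable overrides above the document root and switch them off below:

# .htaccess is read here, one directory above the document root
<Directory /var/www>
    AllowOverride All
</Directory>

# ... and never looked up in the document root or any of its subdirectories
<Directory /var/www/html>
    AllowOverride None
</Directory>

The single /var/www/.htaccess still applies to everything served from /var/www/html.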
Note that you obviously need access to the server config (or VirtualHost) in order to implement this, so it is hypothetical in this instance.
wouldn't that be faster than having to check for multiple .htaccess files
Possibly. But you are only talking about a micro-optimisation at best in real terms. On most sites, even enabling .htaccess files at all will hardly be noticeable, if at all. The "performance hit" you speak of is not as big as you might think. To put it another way, if you are finding that .htaccess is proving to be a bottleneck then you've either done something wrong, or you have far more serious problems to address.
Note, however, that you generally only use .htaccess files on smaller sites anyway. On larger / high-traffic sites you will have your own VPS / server and access to the server config, so there wouldn't be any need to use .htaccess (or, importantly, to have it enabled).
whilst still maintaining the convenience?
Not exactly. Part of the "convenience" is being able to put the .htaccess file in any directory you like, overriding parent directives, and having it apply to just that directory tree. (It is the userland equivalent of the <Directory> container in the server config.)
I'm not that familiar with Apache.
When using <Location>, I am able to redirect users to a sign-on page, forcing them to authenticate and have proper privileges before accessing the URL.
When using <Directory>, it is supposed to allow me to control access to specified folders and directories, right?
Question:
How does <Directory> behave similarly to, and differently from, <Location>?
With <Location /web>: www.mysite.com/web and www.mysite.com/web/foo will be controlled.
With <Directory /webforms>: what will www.mysite.com/web look like if some of the scripts come from that folder?
With <Directory /pictures>: what will www.mysite.com/web look like if some of the pictures come from that folder?
What about a situation where you have both types of directives active and affecting a single page? What kinds of things should I expect or watch out for?
The Apache HTTP server documentation has a section called What to use When which, I think, directly answers your question:
Choosing between filesystem containers and webspace containers is actually quite easy. When applying directives to objects that reside in the filesystem always use <Directory> or <Files>. When applying directives to objects that do not reside in the filesystem (such as a webpage generated from a database), use <Location>.
The important part is the following:
It is important to never use <Location> when trying to restrict access to objects in the filesystem. This is because many different webspace locations (URLs) could map to the same filesystem location, allowing your restrictions to be circumvented.
Read on for more information...
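To make the docs' warning concrete, here is a small sketch (hypothetical paths; Apache 2.4 access-control syntax) showing how two URLs can map to the same directory, so a <Location>-based restriction is bypassed while a <Directory>-based one holds:

# Two webspace locations mapped onto one filesystem directory
Alias /web /var/www/webforms
Alias /alt /var/www/webforms

# Blocks only the /web URL - the same files stay reachable via /alt:
<Location /web>
    Require all denied
</Location>

# Blocks the files themselves, whichever URL maps to them:
<Directory /var/www/webforms>
    Require all denied
</Directory>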
I am working on a product that runs Apache, and I'm trying to make the configuration more DRY. Right now there are many different vhost configs that get loaded in different situations but are 90% identical, and this is very tedious to deal with when a change needs to be made. I don't think Apache is really designed with this kind of dynamic environment in mind, but whatever, here I am anyway.
So I first turned to environment variables: I have a small bootstrap script that determines the necessary configuration and dumps variables into /etc/apache2/envvars (which is loaded by apache2ctl and similar tools on Ubuntu). This allows me to do things like this:
envvars:
export MYKEY='/path/to/mykey'
export MYCERT='/path/to/mycert'
export MYBUNDLE='/path/to/mybundle'
vhost config:
SSLCertificateKeyFile ${MYKEY}
SSLCertificateFile ${MYCERT}
SSLCACertificateFile ${MYBUNDLE}
This works fine, but only as long as MYKEY et al. are non-empty variables referencing non-empty files. In some configurations, for example, no CA bundle is required, so I tried just pointing MYBUNDLE at /dev/null. Apache considers this a 'syntax error' because /dev/null is an empty file, and refuses to start.
My question: Is there any way i can dynamically disable/omit configuration directives in the Apache config (based on environment variables or a similar mechanism) without having to maintain separate files for each possible scenario?
Alternative question: Is there any way i can provide an empty value/certificate to this particular directive (SSLCACertificateFile) in a manner that Apache won't consider invalid?
Ubuntu 12.04.5
Apache 2.2.22
Looks like what you want is a management tool for your configuration.
Now, I'm not sure how often you deploy, but you could probably write a script that generates the configs from a template for you?
If you have a greater need, maybe consider automation software with some kind of templating? I'm thinking of something like Chef (https://www.chef.io/) or Puppet (http://puppetlabs.com/). They all support templates, and you can supply the different values based on environment / server / mood.
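As a minimal sketch of the template idea (paths are hypothetical; the logic is the point), a bootstrap step could emit the SSL stanza into an included file and simply omit SSLCACertificateFile when no bundle is configured, which sidesteps the empty-file problem entirely:

#!/bin/sh
# Hypothetical generator: writes the SSL directives into an included conf file,
# leaving SSLCACertificateFile out when no CA bundle is configured.
OUT=/etc/apache2/conf.d/ssl-paths.conf
{
  echo "SSLCertificateKeyFile ${MYKEY}"
  echo "SSLCertificateFile ${MYCERT}"
  # -s tests for a non-empty file, so /dev/null is skipped as well
  if [ -n "${MYBUNDLE}" ] && [ -s "${MYBUNDLE}" ]; then
    echo "SSLCACertificateFile ${MYBUNDLE}"
  fi
} > "$OUT"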
I'm using a script on several webhosting providers and just want to transfer the whole script to each server when a new version is released.
But every server has its own absolute path to the AuthFile (for directory protection): .htaccess needs an absolute path to the AuthFile, and this path is different on every server.
My first approach was to use one .htaccess file with several <Directory> directives, each with an absolute path setting the AuthFile for the specific server.
But I got a 500 internal server error: .htaccess: <Directory not allowed here
The second idea was to use SetEnv and <IfDefine>. But <IfDefine> is not able to read environment variables, as shown in this blog entry.
The specific paths and servers are known.
Is there a way to find out on which server the .htaccess is called and to set the specific path for the AuthFile?
I have now solved this problem by creating a script which parses the .htaccess files and checks whether the paths are set correctly for the specific server.
Not the solution I hoped for, but better than no solution :-/
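For anyone in the same spot, the fix-up script can be as small as this sketch (hostnames and paths are hypothetical; the real script would carry one entry per provider):

#!/bin/sh
# Hypothetical deploy helper: choose the per-server auth file path and
# substitute a placeholder left in the shipped .htaccess.
case "$(hostname)" in
  server-a.example.com) AUTHFILE=/home/usera/.htpasswd ;;
  server-b.example.com) AUTHFILE=/var/www/vhosts/siteb/.htpasswd ;;
  *) echo "unknown host" >&2; exit 1 ;;
esac
sed -i "s|@AUTHFILE@|$AUTHFILE|" /path/to/site/.htaccess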
I've taken over development of a fairly heavy-duty LAMP application. The original dev used an .htaccess file with RewriteMap and a PHP script to handle certain conditions of the app.
Specifically, when certain subdomain patterns are requested by the client, the RewriteMap catches them and sends them to the appropriate application module.
I'm quite comfortable with typical mod_rewrite redirects, and I think I've got the basic RewriteMap concept figured out; but I'm struggling to find decent documentation on how RewriteLock works. According to the Apache docs:
This directive sets the filename for a synchronization lockfile which mod_rewrite needs to communicate with RewriteMap programs. Set this lockfile to a local path (not on a NFS-mounted device) when you want to use a rewriting map-program. It is not required for other types of rewriting maps.
But this is still a little vague to me. What's the exact purpose and function of RewriteLock, and how does it work?
RewriteLock is used with the prg: keyword. RewriteMap can be used with several map types: text files (txt:), hash files (dbm:), randomized text (rnd:), or an external mapping script (that one is the prg: keyword). In this mode the external script is launched when Apache starts. Then, for every incoming request where mod_rewrite calls the prg: mapping, Apache sends the lookup key to that script's input and reads its output stream to get the value.
RewriteLock must be used in that case to prevent parallel requests (and so parallel inputs to that external process) from mixing up answers on the process's standard output. It is a locking mechanism (a file at the given path, used as a classic token held by only one user at a time) that enforces serialization of the calls to this external mapping script. IMHO it should be applied transparently by mod_rewrite when prg: is used, as I have never found a prg case where this locking is not mandatory.
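A minimal sketch of the mechanism (hypothetical names and paths; this must live in the server or VirtualHost config, as noted further down): the script is started once, then fed one key per line and answers one value per line, with RewriteLock serializing those exchanges.

Server config:
# RewriteLock needs a local (non-NFS) path
RewriteLock /var/lock/apache2/rewrite.lock
RewriteEngine On
RewriteMap submap prg:/usr/local/bin/submap.sh
RewriteCond %{HTTP_HOST} ^([^.]+)\.example\.com$
RewriteRule ^/(.*)$ /modules/${submap:%1}/$1 [PT]

The script (submap.sh):
#!/bin/sh
# Reads one lookup key per line on stdin, answers one value per line on stdout.
# A plain shell loop is effectively unbuffered, which matters here:
# buffered output would leave Apache blocked waiting for an answer.
while read -r key; do
  case "$key" in
    shop) echo "shop-module" ;;
    blog) echo "blog-module" ;;
    *)    echo "NULL" ;;   # the literal string NULL signals "lookup failed"
  esac
done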
Edit:
Well, in fact you could use an external prg: map without RewriteLock if randomization of the output is not a problem, i.e. if for a given entry it is acceptable to get a response that belonged to another entry, as in a script implementing some advanced rnd:-style behaviour or your own round-robin service. But if the output must reflect the entry, then you need that semaphore, which of course can slow down the rewrite map process.
So if you are only using a hash map or a text map you do not need to set RewriteLock.
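For instance, a txt: map is just a key/value file that mod_rewrite consults directly, with no helper process and hence no lock (paths hypothetical). The map file (/etc/apache2/sitemap.txt), one key/value pair per line:

docs  /documentation/index.html
blog  /weblog/

And the config that uses it, with a default value after the | for unknown keys:

RewriteEngine On
RewriteMap sitemap txt:/etc/apache2/sitemap.txt
RewriteRule ^/go/(.+)$ ${sitemap:$1|/notfound} [R,L]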
Edit:
You may find useful details in this thread, such as the fact that the lock file exists only for a few milliseconds, while Apache calls the prg and waits for an answer.
Edit:
One strange fact about the question is:
The original dev used an .htaccess file with RewriteMap
This is strange, because RewriteMap cannot work in .htaccess files. .htaccess files are configuration entries read dynamically, and RewriteMap, as stated here in the Context line, can only be set in the main configuration or in a VirtualHost configuration. It cannot appear in a Location, a Directory, or a .htaccess file. So chances are this never worked from the .htaccess.
Now #puk asked for an example of RewriteMap usage. Searching for "RewriteMap" on Stack Overflow will show you several real examples:
here in a question
here, a list of examples in my answer
another here
Apache hangs if you define more than one RewriteLock directive or if you use it in a VHOST config.
RewriteLock should be specified at server config level and ONLY ONCE. That lock file will be used by all prg-type maps. So if you want to use multiple prg maps, I suggest using an internal locking mechanism, for example PHP's flock function, and simply ignoring the warning Apache writes to the error log.
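In config terms, the safe shape looks like this sketch (hypothetical paths): one server-level lock, shared by every prg: map defined below it:

# Defined once, at server config level - never per-vhost, never twice
RewriteLock /var/lock/apache2/rewrite.lock

<VirtualHost *:80>
    RewriteEngine On
    # Both maps share the single lock above
    RewriteMap mapone prg:/usr/local/bin/map-one.sh
    RewriteMap maptwo prg:/usr/local/bin/map-two.sh
</VirtualHost>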
See here for more info:
http://books.google.com/books?id=HUpTYMf8-aEC&lpg=PP1&pg=PA298#v=onepage&q&f=false