

A collection of useful .htaccess snippets - scapbi
https://github.com/phanan/htaccess

======
_cudgel
While I think this is a very valuable resource, and patterns are always
welcome by me, it should be noted that the Apache docs recommend against using
.htaccess files due to the performance penalty.

From the docs
([http://httpd.apache.org/docs/current/howto/htaccess.html](http://httpd.apache.org/docs/current/howto/htaccess.html)):

 _You should avoid using .htaccess files completely if you have access to
httpd main server config file. Using .htaccess files slows down your Apache
http server. Any directive that you can include in a .htaccess file is better
set in a Directory block, as it will have the same effect with better
performance._

~~~
DrStalker
These snippets should all be fine to go straight into a directory block, so
it's still a really good resource.

~~~
tobltobs
Are you sure this is true also for the Rewrite Rules?

------
lebinh
Cool idea! I've created a similar repo for Nginx from my experiences:
[https://github.com/lebinh/nginx-conf](https://github.com/lebinh/nginx-conf)

------
csharperer
Pretty sweet! Would love to see something similar for nginx.

~~~
keidian
There is some stuff listed at
[http://wiki.nginx.org/Configuration](http://wiki.nginx.org/Configuration) but
it's more laid out in full examples rather than "this code block does X".

------
loevborg
The most important thing when it comes to web server configuration is to have
a testing setup you understand and that is fully under your control. That
goes twice for working with mod_rewrite.

My recommendation: use only curl -I so caching is ruled out as a problem
source. Use a virtual machine that you can reprovision quickly and reliably.
Crank up the log level to debug in your Apache config. And don't give up!

------
oneeyedpigeon
The HTML5 boilerplate project also provides a great source for sane apache
config:

[https://github.com/h5bp/server-configs-apache/blob/master/di...](https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess)

------
raziel2p
I think the arguments _for_ www are just as valid, if not more valid, than the
arguments against. [http://www.yes-www.org/why-use-www/](http://www.yes-www.org/why-use-www/)

------
tux
Thank You :-) Please make nginx one now in similar style and categories. ^_^

------
emersonrsantos
You can make good http(s) firewalls (albeit not as fast as an IP one) against
threats.

Needs to add more to this, especially configs against SQL injections and other
hacks.

~~~
rostigerpudel
Actually, I don't think that is the webserver's job.

Relying on your webserver to protect you against SQL injection is probably not
what you want to do. The webserver has no knowledge at all about what kind of
program you run behind it. You would need to teach it everything about what
you're doing.

Seriously, you are much better off just using prepared statements everywhere
than trying to teach a webserver the finer points of your particular
combination of SQL and the language you use. It's like parsing HTML with
regular expressions. It might hold up for a while or for certain tasks, but
will explode quite unexpectedly at some later point.
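
The contrast drawn in the comment above, as an added example that is not part of the thread: a pattern filter of the kind a web-server rule applies sees only the raw string, while a prepared statement binds the value as data. The `DENYLIST` pattern, the `customers` table and all sample rows and inputs are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical request filter of the kind a web-server rule would apply.
# It sees only the raw string, not how the application will use it.
DENYLIST = re.compile(r"('|--|\bunion\b|\bselect\b)", re.IGNORECASE)


def filter_allows(value: str) -> bool:
    """Return True if the pattern filter would let the request through."""
    return DENYLIST.search(value) is None


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("O'Brien",), ("Union Station Cafe",), ("Alice",)],
    )
    return conn


def find_customer(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver binds `name` as a value, never as SQL."""
    cur = conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,))
    return cur.fetchall()


def demo() -> dict:
    """Run each constructed input through the filter and the bound query."""
    conn = make_db()
    inputs = ["Alice", "O'Brien", "Union Station Cafe", "x' OR '1'='1"]
    return {v: (filter_allows(v), find_customer(conn, v)) for v in inputs}


if __name__ == "__main__":
    for value, (allowed, rows) in demo().items():
        print(f"{value!r:25} filter_allows={allowed!s:5} rows={rows}")
```

The filter rejects two legitimate customer names because it cannot tell data from syntax, while the bound query returns the right row for each of them and no rows for the quote-bearing string.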

~~~
krapp
That's true, but sometimes (especially with completely naive or old PHP)
'using prepared statements everywhere' means 'rewriting everything.' In those
cases, htaccess might be the only flexible option you have until you can.

~~~
theblueprint
Consider ModSecurity with the Core Rule Set (or Trustwave Commercial Rule Set)
instead of attempting to repurpose .htaccess files as a substitute WAF.

------
neoterics
Nice, this is very useful, thanks!

------
roshansingh
Thanks a lot for making this!

