A collection of useful .htaccess snippets (github.com)
163 points by scapbi on Feb 9, 2015 | 19 comments

While I think this is a very valuable resource, and patterns are always welcome by me, it should be noted that the Apache docs recommend against using .htaccess files due to the performance penalty.

From the docs (http://httpd.apache.org/docs/current/howto/htaccess.html):

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

PSA: Authorization snippets are based on Apache 2.2 config syntax. Care should be taken to review, update and test Authorization config when upgrading to Apache 2.4 (http://httpd.apache.org/docs/2.4/upgrading.html).
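As an added example (not from this thread or the snippets repository), one way to do the review step the PSA above asks for: a small Python check that lists Apache 2.2 access-control directives in a .htaccess file and reports when they are mixed with 2.4-only `Require` forms. The function name `audit_authz` and the sample file are constructed for illustration.

```python
import re

# Apache 2.2 access-control directives; on 2.4 they only work through
# mod_access_compat and should be rewritten as Require rules.
LEGACY = re.compile(r"(Order\s|Allow\s+from\b|Deny\s+from\b|Satisfy\s)", re.I)
# Require forms that exist only in 2.4 (mod_authz_core / mod_authz_host).
# "Require valid-user|user|group" is also valid 2.2 syntax, so it is not counted.
MODERN = re.compile(r"Require\s+(not\s+)?(all|ip|host|local|env|expr|method)\b", re.I)

def audit_authz(text):
    """Return (legacy, modern, mixed) for the given .htaccess text.

    legacy and modern are lists of (line_number, directive); mixed is True
    when both styles appear in the same file, which the 2.4 upgrade notes
    discourage because the combined result is easy to misread.
    """
    legacy, modern = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # comments start with '#' and match neither pattern
        if LEGACY.match(line):
            legacy.append((number, line))
        elif MODERN.match(line):
            modern.append((number, line))
    return legacy, modern, bool(legacy and modern)

# Constructed sample input, not taken from the repository under discussion.
SAMPLE = """\
# Constructed sample .htaccess, for illustration only
AuthType Basic
AuthName "Restricted"
AuthUserFile /placeholder/path/.htpasswd
Require valid-user
<Files "config.inc">
    Order allow,deny
    Deny from all
</Files>
<FilesMatch "\\.bak$">
    Require all denied
</FilesMatch>
"""

if __name__ == "__main__":
    legacy, modern, mixed = audit_authz(SAMPLE)
    for number, line in legacy:
        print(f"line {number}: 2.2 syntax, review before upgrading: {line}")
    for number, line in modern:
        print(f"line {number}: 2.4 syntax: {line}")
    if mixed:
        print("file mixes 2.2 and 2.4 access control; convert it to one style")
```

The check only flags lines for review; the replacement rule depends on what each `Order`/`Allow`/`Deny` group was meant to do, so the rewrite and the test after it stay manual.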

These snippets should all be fine to go straight into a directory block, so it's still a really good resource,

Are you sure this is true also for the Rewrite Rules?

I agree completely!

For some hosting situations, the only control you would have would be through the .htaccess file.

Cool idea! I've created a similar repo for Nginx from my experiences: https://github.com/lebinh/nginx-conf

Pretty sweet! Would love to see something similar for nginx.

There is some stuff listed at http://wiki.nginx.org/Configuration but it's more laid out in full examples rather than "this code block does X".

The most important thing when it comes to web server configuration is to have a testing setup you understand and that is fully under your control. That goes twice for working with mod_rewrite.

My recommendation: use only curl -I so caching is ruled out as a problem source. Use a virtual machine that you can reprovision quickly and reliably. Crank up the log level to debug in your Apache config. And don't give up!

The HTML5 boilerplate project also provides a great source for sane apache config:


I think the arguments for www are just as valid, if not more valid, than the arguments against. http://www.yes-www.org/why-use-www/

Thank You :-) Please make nginx one now in similar style and categories. ^_^

You can make good http(s) firewalls (albeit not as fast as an IP one) against threats.

Needs to add more to this, especially configs against SQL injections and other hacks.

Actually, I don't think that is the webserver's job.

Relying on your webserver to protect you against SQL injection is probably not what you want to do. The webserver has no knowledge at all about what kind of program you run behind it. You would need to teach it everything about what you're doing.

Seriously, you are much better off just using prepared statements everywhere than trying to teach a webserver the finer points of your particular combination of SQL and the language you use. It's like parsing HTML with regular expressions. It might hold up for a while or for certain tasks, but will explode quite unexpectedly at some later point.

That's true, but sometimes (especially with completely naive or old PHP) 'using prepared statements everywhere' means 'rewriting everything.' In those cases, htaccess might be the only flexible option you have until you can.

Consider ModSecurity with the Core Rule Set (or Trustwave Commercial Rule Set) instead of attempting to repurpose .htaccess files as a substitute WAF.

Nice, this is very useful, thanks!

Thanks a lot for making this!
