matching the criteria. Here's an example which disables lookups
except for <code>.html</code> and <code>.cgi</code> files:</p>
- <div class="example"><p><code>
- HostnameLookups off<br />
- <Files ~ "\.(html|cgi)$"><br />
- <span class="indent">
- HostnameLookups on<br />
- </span>
- </Files>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+HostnameLookups off
+<Files ~ "\.(html|cgi)$">
+ HostnameLookups on
+</Files>
+ </pre>
+
<p>But even still, if you just need DNS names in some CGIs you
could consider doing the <code>gethostbyname</code> call in the
system calls to check up on symlinks. One extra call per
filename component. For example, if you had:</p>
- <div class="example"><p><code>
- DocumentRoot /www/htdocs<br />
- <Directory /><br />
- <span class="indent">
- Options SymLinksIfOwnerMatch<br />
- </span>
- </Directory>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+DocumentRoot /www/htdocs
+<Directory />
+ Options SymLinksIfOwnerMatch
+</Directory>
+ </pre>
+
<p>and a request is made for the URI <code>/index.html</code>.
Then Apache will perform <code>lstat(2)</code> on
every single request. If you really desire the symlinks
security checking you can do something like this:</p>
- <div class="example"><p><code>
- DocumentRoot /www/htdocs<br />
- <Directory /><br />
- <span class="indent">
- Options FollowSymLinks<br />
- </span>
- </Directory><br />
- <br />
- <Directory /www/htdocs><br />
- <span class="indent">
- Options -FollowSymLinks +SymLinksIfOwnerMatch<br />
- </span>
- </Directory>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+DocumentRoot /www/htdocs
+<Directory />
+ Options FollowSymLinks
+</Directory>
+
+<Directory /www/htdocs>
+ Options -FollowSymLinks +SymLinksIfOwnerMatch
+</Directory>
+ </pre>
+
<p>This at least avoids the extra checks for the
<code class="directive"><a href="../mod/core.html#documentroot">DocumentRoot</a></code> path.
<code>.htaccess</code> for each filename component. For
example,</p>
- <div class="example"><p><code>
- DocumentRoot /www/htdocs<br />
- <Directory /><br />
- <span class="indent">
- AllowOverride all<br />
- </span>
- </Directory>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+DocumentRoot /www/htdocs
+<Directory />
+ AllowOverride all
+</Directory>
+ </pre>
+
<p>and a request is made for the URI <code>/index.html</code>.
Then Apache will attempt to open <code>/.htaccess</code>,
penalties. There's one case where you can speed up the server.
Instead of using a wildcard such as:</p>
- <div class="example"><p><code>
- DirectoryIndex index
- </code></p></div>
+ <pre class="prettyprint lang-config">DirectoryIndex index</pre>
+
<p>Use a complete list of options:</p>
- <div class="example"><p><code>
- DirectoryIndex index.cgi index.pl index.shtml index.html
- </code></p></div>
+ <pre class="prettyprint lang-config">DirectoryIndex index.cgi index.pl index.shtml index.html</pre>
+
<p>where you list the most common choice first.</p>
do not match the code, they're contrived for pedagogical
purposes):</p>
- <div class="example"><p><code>
- for (;;) {<br />
- <span class="indent">
- for (;;) {<br />
- <span class="indent">
- fd_set accept_fds;<br />
- <br />
- FD_ZERO (&accept_fds);<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <span class="indent">
- FD_SET (i, &accept_fds);<br />
- </span>
- }<br />
- rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);<br />
- if (rc < 1) continue;<br />
- new_connection = -1;<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <span class="indent">
- if (FD_ISSET (i, &accept_fds)) {<br />
- <span class="indent">
- new_connection = accept (i, NULL, NULL);<br />
- if (new_connection != -1) break;<br />
- </span>
- }<br />
- </span>
- }<br />
- if (new_connection != -1) break;<br />
- </span>
- }<br />
- process the new_connection;<br />
- </span>
+ <pre class="prettyprint lang-c">
+ for (;;) {
+ for (;;) {
+ fd_set accept_fds;
+
+ FD_ZERO (&accept_fds);
+ for (i = first_socket; i <= last_socket; ++i) {
+ FD_SET (i, &accept_fds);
+ }
+ rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
+ if (rc < 1) continue;
+ new_connection = -1;
+ for (i = first_socket; i <= last_socket; ++i) {
+ if (FD_ISSET (i, &accept_fds)) {
+ new_connection = accept (i, NULL, NULL);
+ if (new_connection != -1) break;
+ }
+ }
+ if (new_connection != -1) break;
+ }
+ process_the(new_connection);
}
- </code></p></div>
+ </pre>
+
<p>But this naive implementation has a serious starvation problem.
Recall that multiple children execute this loop at the same
entry into the inner loop. The loop looks like this
(differences highlighted):</p>
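Review bot: the closing pseudocode line changes meaning in this hunk: `- process the new_connection;` becomes `+ process_the(new_connection);`, which now reads as a real function call, while the mutex-protected copy of the same loop further down keeps `process the new_connection;`. The paragraph above says these snippets are contrived, so keep the two blocks identical apart from the mutex calls: either leave the pseudocode line as it was in both, or use a comment such as `/* process the new_connection */` in both.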
- <div class="example"><p><code>
- for (;;) {<br />
- <span class="indent">
- <strong>accept_mutex_on ();</strong><br />
- for (;;) {<br />
- <span class="indent">
- fd_set accept_fds;<br />
- <br />
- FD_ZERO (&accept_fds);<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <span class="indent">
- FD_SET (i, &accept_fds);<br />
- </span>
- }<br />
- rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);<br />
- if (rc < 1) continue;<br />
- new_connection = -1;<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <span class="indent">
- if (FD_ISSET (i, &accept_fds)) {<br />
- <span class="indent">
- new_connection = accept (i, NULL, NULL);<br />
- if (new_connection != -1) break;<br />
- </span>
- }<br />
- </span>
- }<br />
- if (new_connection != -1) break;<br />
- </span>
- }<br />
- <strong>accept_mutex_off ();</strong><br />
- process the new_connection;<br />
- </span>
+ <pre class="prettyprint lang-c">
+ for (;;) {
+ <strong>accept_mutex_on ();</strong>
+ for (;;) {
+ fd_set accept_fds;
+
+ FD_ZERO (&accept_fds);
+ for (i = first_socket; i <= last_socket; ++i) {
+ FD_SET (i, &accept_fds);
+ }
+ rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
+ if (rc < 1) continue;
+ new_connection = -1;
+ for (i = first_socket; i <= last_socket; ++i) {
+ if (FD_ISSET (i, &accept_fds)) {
+ new_connection = accept (i, NULL, NULL);
+ if (new_connection != -1) break;
+ }
+ }
+ if (new_connection != -1) break;
+ }
+ <strong>accept_mutex_off ();</strong>
+ process the new_connection;
}
- </code></p></div>
+ </pre>
+
<p><a id="serialize" name="serialize">The functions</a>
<code>accept_mutex_on</code> and <code>accept_mutex_off</code>
<code>http_main.c</code>). The function looks roughly like
this:</p>
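Review bot: `<strong>accept_mutex_on ();</strong>` and `<strong>accept_mutex_off ();</strong>` now sit inside a `<pre class="prettyprint lang-c">` block, and the text above depends on them ("differences highlighted"). Please check the rendered page: the prettyprint script re-tokenizes the block's contents, and if it drops or re-wraps the existing `<strong>` elements the only markers of what differs between the two loops are lost. If that happens, a trailing `/* new */` comment on those two lines survives syntax highlighting.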
- <div class="example"><p><code>
- void lingering_close (int s)<br />
- {<br />
- <span class="indent">
- char junk_buffer[2048];<br />
- <br />
- /* shutdown the sending side */<br />
- shutdown (s, 1);<br />
- <br />
- signal (SIGALRM, lingering_death);<br />
- alarm (30);<br />
- <br />
- for (;;) {<br />
- <span class="indent">
- select (s for reading, 2 second timeout);<br />
- if (error) break;<br />
- if (s is ready for reading) {<br />
- <span class="indent">
- if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {<br />
- <span class="indent">
- break;<br />
- </span>
- }<br />
- /* just toss away whatever is here */<br />
- </span>
- }<br />
- </span>
- }<br />
- <br />
- close (s);<br />
- </span>
+ <pre class="prettyprint lang-c">
+ void lingering_close (int s)
+ {
+ char junk_buffer[2048];
+
+ /* shutdown the sending side */
+ shutdown (s, 1);
+
+ signal (SIGALRM, lingering_death);
+ alarm (30);
+
+ for (;;) {
+ select (s for reading, 2 second timeout);
+ if (error) break;
+ if (s is ready for reading) {
+ if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {
+ break;
+ }
+ /* just toss away whatever is here */
+ }
+ }
+
+ close (s);
}
- </code></p></div>
+ </pre>
+
<p>This naturally adds some expense at the end of a connection,
but it is required for a reliable implementation. As HTTP/1.1
matching the criteria. Here's an example which disables lookups
except for <code>.html</code> and <code>.cgi</code> files:</p>
- <example>
- HostnameLookups off<br />
- <Files ~ "\.(html|cgi)$"><br />
- <indent>
- HostnameLookups on<br />
- </indent>
- </Files>
- </example>
+ <highlight language="config">
+HostnameLookups off
+<Files ~ "\.(html|cgi)$">
+ HostnameLookups on
+</Files>
+ </highlight>
<p>But even still, if you just need DNS names in some CGIs you
could consider doing the <code>gethostbyname</code> call in the
system calls to check up on symlinks. One extra call per
filename component. For example, if you had:</p>
- <example>
- DocumentRoot /www/htdocs<br />
- <Directory /><br />
- <indent>
- Options SymLinksIfOwnerMatch<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+DocumentRoot /www/htdocs
+<Directory />
+ Options SymLinksIfOwnerMatch
+</Directory>
+ </highlight>
<p>and a request is made for the URI <code>/index.html</code>.
Then Apache will perform <code>lstat(2)</code> on
every single request. If you really desire the symlinks
security checking you can do something like this:</p>
- <example>
- DocumentRoot /www/htdocs<br />
- <Directory /><br />
- <indent>
- Options FollowSymLinks<br />
- </indent>
- </Directory><br />
- <br />
- <Directory /www/htdocs><br />
- <indent>
- Options -FollowSymLinks +SymLinksIfOwnerMatch<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+DocumentRoot /www/htdocs
+<Directory />
+ Options FollowSymLinks
+</Directory>
+
+<Directory /www/htdocs>
+ Options -FollowSymLinks +SymLinksIfOwnerMatch
+</Directory>
+ </highlight>
<p>This at least avoids the extra checks for the
<directive module="core">DocumentRoot</directive> path.
<code>.htaccess</code> for each filename component. For
example,</p>
- <example>
- DocumentRoot /www/htdocs<br />
- <Directory /><br />
- <indent>
- AllowOverride all<br />
- </indent>
- </Directory>
- </example>
+ <highlight language="config">
+DocumentRoot /www/htdocs
+<Directory />
+ AllowOverride all
+</Directory>
+ </highlight>
<p>and a request is made for the URI <code>/index.html</code>.
Then Apache will attempt to open <code>/.htaccess</code>,
penalties. There's one case where you can speed up the server.
Instead of using a wildcard such as:</p>
- <example>
- DirectoryIndex index
- </example>
+ <highlight language="config">DirectoryIndex index</highlight>
<p>Use a complete list of options:</p>
- <example>
- DirectoryIndex index.cgi index.pl index.shtml index.html
- </example>
+ <highlight language="config">DirectoryIndex index.cgi index.pl index.shtml index.html</highlight>
<p>where you list the most common choice first.</p>
do not match the code, they're contrived for pedagogical
purposes):</p>
- <example>
- for (;;) {<br />
- <indent>
- for (;;) {<br />
- <indent>
- fd_set accept_fds;<br />
- <br />
- FD_ZERO (&accept_fds);<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <indent>
- FD_SET (i, &accept_fds);<br />
- </indent>
- }<br />
- rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);<br />
- if (rc < 1) continue;<br />
- new_connection = -1;<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <indent>
- if (FD_ISSET (i, &accept_fds)) {<br />
- <indent>
- new_connection = accept (i, NULL, NULL);<br />
- if (new_connection != -1) break;<br />
- </indent>
- }<br />
- </indent>
- }<br />
- if (new_connection != -1) break;<br />
- </indent>
- }<br />
- process the new_connection;<br />
- </indent>
+ <highlight language="c">
+ for (;;) {
+ for (;;) {
+ fd_set accept_fds;
+
+ FD_ZERO (&accept_fds);
+ for (i = first_socket; i <= last_socket; ++i) {
+ FD_SET (i, &accept_fds);
+ }
+ rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
+ if (rc < 1) continue;
+ new_connection = -1;
+ for (i = first_socket; i <= last_socket; ++i) {
+ if (FD_ISSET (i, &accept_fds)) {
+ new_connection = accept (i, NULL, NULL);
+ if (new_connection != -1) break;
+ }
+ }
+ if (new_connection != -1) break;
+ }
+ process_the(new_connection);
}
- </example>
+ </highlight>
<p>But this naive implementation has a serious starvation problem.
Recall that multiple children execute this loop at the same
entry into the inner loop. The loop looks like this
(differences highlighted):</p>
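Review bot: the same rename slipped into the XML source: `- process the new_connection;` is replaced by `+ process_the(new_connection);` while the second loop in this file keeps `process the new_connection;`. This file is where the fix belongs, since the `.html` copy in the same change is produced from it; make the two loops differ only in the `accept_mutex_on ()` / `accept_mutex_off ()` lines.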
- <example>
- for (;;) {<br />
- <indent>
- <strong>accept_mutex_on ();</strong><br />
- for (;;) {<br />
- <indent>
- fd_set accept_fds;<br />
- <br />
- FD_ZERO (&accept_fds);<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <indent>
- FD_SET (i, &accept_fds);<br />
- </indent>
- }<br />
- rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);<br />
- if (rc < 1) continue;<br />
- new_connection = -1;<br />
- for (i = first_socket; i <= last_socket; ++i) {<br />
- <indent>
- if (FD_ISSET (i, &accept_fds)) {<br />
- <indent>
- new_connection = accept (i, NULL, NULL);<br />
- if (new_connection != -1) break;<br />
- </indent>
- }<br />
- </indent>
- }<br />
- if (new_connection != -1) break;<br />
- </indent>
- }<br />
- <strong>accept_mutex_off ();</strong><br />
- process the new_connection;<br />
- </indent>
+ <highlight language="c">
+ for (;;) {
+ <strong>accept_mutex_on ();</strong>
+ for (;;) {
+ fd_set accept_fds;
+
+ FD_ZERO (&accept_fds);
+ for (i = first_socket; i <= last_socket; ++i) {
+ FD_SET (i, &accept_fds);
+ }
+ rc = select (last_socket+1, &accept_fds, NULL, NULL, NULL);
+ if (rc < 1) continue;
+ new_connection = -1;
+ for (i = first_socket; i <= last_socket; ++i) {
+ if (FD_ISSET (i, &accept_fds)) {
+ new_connection = accept (i, NULL, NULL);
+ if (new_connection != -1) break;
+ }
+ }
+ if (new_connection != -1) break;
+ }
+ <strong>accept_mutex_off ();</strong>
+ process the new_connection;
}
- </example>
+ </highlight>
<p><a id="serialize" name="serialize">The functions</a>
<code>accept_mutex_on</code> and <code>accept_mutex_off</code>
<code>http_main.c</code>). The function looks roughly like
this:</p>
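Review bot: `<strong>` is used inside `<highlight language="c">` here; confirm that the manual's DTD and the highlight-to-pre transform accept inline `<strong>` children and pass them through unchanged, otherwise the build rejects the file or the emphasis the paragraph refers to ("differences highlighted") disappears from the generated HTML.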
- <example>
- void lingering_close (int s)<br />
- {<br />
- <indent>
- char junk_buffer[2048];<br />
- <br />
- /* shutdown the sending side */<br />
- shutdown (s, 1);<br />
- <br />
- signal (SIGALRM, lingering_death);<br />
- alarm (30);<br />
- <br />
- for (;;) {<br />
- <indent>
- select (s for reading, 2 second timeout);<br />
- if (error) break;<br />
- if (s is ready for reading) {<br />
- <indent>
- if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {<br />
- <indent>
- break;<br />
- </indent>
- }<br />
- /* just toss away whatever is here */<br />
- </indent>
- }<br />
- </indent>
- }<br />
- <br />
- close (s);<br />
- </indent>
+ <highlight language="c">
+ void lingering_close (int s)
+ {
+ char junk_buffer[2048];
+
+ /* shutdown the sending side */
+ shutdown (s, 1);
+
+ signal (SIGALRM, lingering_death);
+ alarm (30);
+
+ for (;;) {
+ select (s for reading, 2 second timeout);
+ if (error) break;
+ if (s is ready for reading) {
+ if (read (s, junk_buffer, sizeof (junk_buffer)) <= 0) {
+ break;
+ }
+ /* just toss away whatever is here */
+ }
+ }
+
+ close (s);
}
- </example>
+ </highlight>
<p>This naturally adds some expense at the end of a connection,
but it is required for a reliable implementation. As HTTP/1.1
<p>In the server configuration file, put</p>
- <div class="example"><p><code>
- <Directory /> <br />
- AllowOverride None <br />
+ <pre class="prettyprint lang-config">
+ <Directory />
+ AllowOverride None
</Directory>
- </code></p></div>
+ </pre>
+
<p>This prevents the use of <code>.htaccess</code> files in all
directories apart from those specifically enabled.</p>
work around this, add the following block to your server's
configuration:</p>
- <div class="example"><p><code>
- <Directory /> <br />
- Order Deny,Allow <br />
- Deny from all <br />
+ <pre class="prettyprint lang-config">
+ <Directory />
+ Order Deny,Allow
+ Deny from all
</Directory>
- </code></p></div>
+ </pre>
+
<p>This will forbid default access to filesystem locations. Add
appropriate <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> blocks to
allow access only in those areas you wish. For example,</p>
- <div class="example"><p><code>
- <Directory /usr/users/*/public_html> <br />
- Order Deny,Allow <br />
- Allow from all <br />
- </Directory> <br />
- <Directory /usr/local/httpd> <br />
- Order Deny,Allow <br />
- Allow from all <br />
+ <pre class="prettyprint lang-config">
+ <Directory /usr/users/*/public_html>
+ Order Deny,Allow
+ Allow from all
</Directory>
- </code></p></div>
+ <Directory /usr/local/httpd>
+ Order Deny,Allow
+ Allow from all
+ </Directory>
+ </pre>
+
<p>Pay particular attention to the interactions of <code class="directive"><a href="../mod/core.html#location">Location</a></code> and <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> directives; for instance, even
if <code><Directory /></code> denies access, a <code>
recommend that you include the following line in your server
configuration files:</p>
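Review bot: style nit: the two `<Directory>` blocks run together with no separating blank line, whereas the symlinks example earlier in this same change puts an empty line between `</Directory>` and the following `<Directory /www/htdocs>`. Add a blank line after the first `</Directory>` so the access-control blocks are separated the same way.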
- <div class="example"><p><code>
- UserDir disabled root
- </code></p></div>
+ <pre class="prettyprint lang-config">UserDir disabled root</pre>
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
you probably commented out the following in your server configuration
file:</p>
- <div class="example"><p><code>
- <Files ".ht*"> <br />
- Order allow,deny <br />
- Deny from all <br />
+ <pre class="prettyprint lang-config">
+ <Files ".ht*">
+ Order allow,deny
+ Deny from all
</Files>
- </code></p></div>
+ </pre>
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<p>In the server configuration file, put</p>
- <example>
- <Directory /> <br />
- AllowOverride None <br />
+ <highlight language="config">
+ <Directory />
+ AllowOverride None
</Directory>
- </example>
+ </highlight>
<p>This prevents the use of <code>.htaccess</code> files in all
directories apart from those specifically enabled.</p>
work around this, add the following block to your server's
configuration:</p>
- <example>
- <Directory /> <br />
- Order Deny,Allow <br />
- Deny from all <br />
+ <highlight language="config">
+ <Directory />
+ Order Deny,Allow
+ Deny from all
</Directory>
- </example>
+ </highlight>
<p>This will forbid default access to filesystem locations. Add
appropriate <directive module="core">Directory</directive> blocks to
allow access only in those areas you wish. For example,</p>
- <example>
- <Directory /usr/users/*/public_html> <br />
- Order Deny,Allow <br />
- Allow from all <br />
- </Directory> <br />
- <Directory /usr/local/httpd> <br />
- Order Deny,Allow <br />
- Allow from all <br />
+ <highlight language="config">
+ <Directory /usr/users/*/public_html>
+ Order Deny,Allow
+ Allow from all
</Directory>
- </example>
+ <Directory /usr/local/httpd>
+ Order Deny,Allow
+ Allow from all
+ </Directory>
+ </highlight>
<p>Pay particular attention to the interactions of <directive
module="core">Location</directive> and <directive
recommend that you include the following line in your server
configuration files:</p>
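Review bot: same layout nit as in the generated HTML: insert a blank line between the `</Directory>` that closes the `public_html` block and `<Directory /usr/local/httpd>`, matching the spacing used in the symlinks example earlier in this change. Making the change here keeps the XML source and the regenerated HTML in step.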
- <example>
- UserDir disabled root
- </example>
+ <highlight language="config">UserDir disabled root</highlight>
</section>
you probably commented out the following in your server configuration
file:</p>
- <example>
- <Files ".ht*"> <br />
- Order allow,deny <br />
- Deny from all <br />
+ <highlight language="config">
+ <Files ".ht*">
+ Order allow,deny
+ Deny from all
</Files>
- </example>
+ </highlight>
</section>