welcome: please sign in

Include all attachments?

Edit

DomTool / WhyNoHtaccess

One common way of configuring Apache web sites is through ".htaccess files," which are files stored among your regular web site content that specify new configuration to override Apache's defaults. HCoop doesn't support .htaccess files for security reasons. Certain directives can break other people's web sites when used improperly or maliciously. This includes some of the most common directives found in .htaccess files, like RewriteRule. With the right flags, you can set up a proxying rewrite from Apache to itself, creating an infinite loop that quickly eats up all available Apache processes, disabling Apache for everyone.

Instead, you can configure your web sites using DomTool, as shown on DomTool/Examples. All of the most common Apache directives have DomTool counterparts, and we can add counterparts to unsupported Apache directives on request. Crucially, DomTool validates all configuration you request before letting Apache see it. For instance, DomTool won't allow you to use rewriteRule directives with the proxy flag P.

It can certainly be a pain to learn DomTool when you're used to Apache's configuration language, but we believe that the DomTool language is objectively superior to Apache's language. DomTool can also be used to control a host of different daemons, not just Apache, in a uniform way. Every Apache directive has arbitrary syntactic conventions that you need to learn by reading prose documentation. In contrast, by learning DomTool's type system, you become able to understand how to use any directive just by looking at its type, which can be found in the standard library reference. We don't expect most members to take the time to learn the type system, but we promise that it's worth doing.

Afterword: The suggestion of allowing .htaccess files that use directives from a carefully-vetted whitelist has come up before. Somehow it's never gotten anywhere. Anyone is welcome to post suggestions on exactly how this could/should be done on the hcoop-sysadmin list.