.htaccess for security and server optimization

need help

         

notset

10:14 am on Sep 3, 2006 (gmt 0)

10+ Year Member



Hello,

I'm using a shared hosting plan, so I can't edit the httpd.conf file. All I can do is configure my settings in .htaccess.

What do I want?

1) To hide the server's signature.

2) To optimize the server (to prevent high loads), if that's possible in .htaccess.

3) To deny access to all directories and files (except index.php and style.css) and to activate all possible security settings.

Thanks for the help.

encyclo

2:32 pm on Sep 3, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld notset!

If you don't have access to the server configuration, just .htaccess, then your choices are somewhat limited.

1) To hide the server's signature.

Done by the ServerTokens [httpd.apache.org] directive - unfortunately in httpd.conf only. You can set the ServerSignature [httpd.apache.org] as Off for the error pages at least.

If you are using Apache 2.x rather than 1.x, try mod_headers [httpd.apache.org] and add something like:

Header set Server "Microsoft IIS/6.0"

I'm not sure it works outside of httpd.conf though...

2) To optimize the server (to prevent high loads), if that's possible in .htaccess.

Not much you can do with .htaccess again - all directives such as MaxClients [httpd.apache.org] are for httpd.conf only.

3) To deny access to all directories and files (except index.php and style.css) and to activate all possible security settings.

You may be able to do something here, but what exactly are you trying to do? If they are private files you should store them outside the document root, or change the file permissions via SSH or FTP. Or are we talking about image leeching etc. which can be fixed with mod_rewrite?

notset

5:48 pm on Sep 3, 2006 (gmt 0)

10+ Year Member



3) To deny access to all directories and files (except index.php and style.css) and to activate all possible security settings.

------------------------------

I want to do something like this:

Options None
<Directory />
Order Deny,Allow
Deny from All
</Directory>
<Files index.php>
Order Deny,Allow
Allow from All
</Files>
<Files style.css>
Order Deny,Allow
Allow from All
</Files>

The problem is with "<Directory />", because this code returns "Internal Server Error".

I could put an .htaccess file with "Deny from all" in all directories and deny access to some files in the root individually, but maybe it is possible to get the same result with only one .htaccess file and a few commands?

Thanks

encyclo

8:03 pm on Sep 3, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<Directory /> only works within httpd.conf. But what other files do you have in the web space for which you need to restrict access? If they are not part of the site, then can they be stored elsewhere (i.e. below document root)? Can you use standard UNIX file permissions (chmod) to control access?

I'm just not certain why you would have files there that you don't want publicly accessible.
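
One way to get the result asked about above from a single .htaccess file, without the <Directory /> wrapper that caused the error. This is an added example, not code from either poster; it assumes the host's AllowOverride setting permits these directives and shows both the Order/Deny/Allow syntax used in the thread and the Require syntax of Apache 2.4.

```apache
# Added example (not from the thread). Place in the .htaccess at the site root.
# Assumption: the host's AllowOverride permits these directives; a directive
# that is not permitted makes Apache answer "Internal Server Error".

# Remove the server version footer from server-generated error pages.
ServerSignature Off

# No auto-generated directory listings.
Options -Indexes

# Directives at the top level of .htaccess already apply to this directory
# and everything beneath it, so no <Directory> section is needed (or allowed).
#
# The trailing "?" lets the pattern match an empty file name as well, which
# is what a request for a bare directory URL such as "/" presents before
# DirectoryIndex maps it to index.php. Without it, "/" is refused.
#
# Caveat: FilesMatch tests the file name only, so a file called index.php or
# style.css in any subdirectory is served too.

# Apache 2.2 and earlier (the syntax used in the thread).
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    <FilesMatch "^(index\.php|style\.css)?$">
        Order Deny,Allow
        Allow from all
    </FilesMatch>
</IfModule>

# Apache 2.4 and later.
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "^(index\.php|style\.css)?$">
        Require all granted
    </FilesMatch>
</IfModule>
```

After uploading, request a file that should be blocked and confirm the response is 403 rather than 200 or 500.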