[horde] Recommended Apache config

Vilius Šumskas vilius at lnk.lt
Tue Apr 2 13:19:11 UTC 2013 

> >> Hello,
> >>
> >> stumbeled the hard way across the need for activated .htaccess and
> >> rewrite stuff for Horde/Nag and maybe other parts of Horde. This
> >> really makes me wonder if there is some resource which explains what
> >> are the recommended/needed webserver features are. In the installation
> >> docs i have not found anything about this and it looks like older
> >> versions of Horde/IMP/Nag haven't need it also.
> >> With something around this it is now working but with the below quote
> >> from the Apache documentation i'm not sure if this is the preferred way:
> >>
> >> <Directory "/var/www/horde">
> >>    Options -Indexes -ExecCGI -Includes -MultiViews
> >>    AllowOverride FileInfo Limit
> >>    Order allow,deny
> >>    Allow from all
> >> </Directory>
> >>
> >>
> >> Quota from Apache docus regarding .htaccess:
> >>
> >> You should avoid using .htaccess files completely if you have access
> >> to httpd main server config file. Using .htaccess files slows down
> >> your Apache http server. Any directive that you can include in a
> >> .htaccess file is better set in a Directory block, as it will have the
> >> same effect with better performance.
> >>
> >> So should i try to merge the .htaccess in the main config?
> >>
> >> Is this documented somwhere?
> >
> > The only thing which is not mentioned in INSTALL docs is that you
> > need mod_rewrite module for the Apache.
> >
> > Other settings are really out of scope of the install documentation
> > because there are too many different webserver configurations out
> > there. You cannot prepare to them all. It's up to system
> > administrators to know what they are doing.
> 
> If these settings are vital for the working of a application it should
> be included in the documentation, even more if it was not necessary
> before. If have run all webservers with "AllowOverride None" until now
> because i have never needed it. It is common pratice to disable all
> unneeded things, so simply blame the admin is lazy to say at least.
> With the above argumentation one could also delete the test.php script
> and the documentation about enabling PHP.

IMHO this goes under the same category as "it is recommended to *not* use root MySQL user but create a separate user and give it access to Horde database". MySQL is a requirement, but configuring and properly securing an environment is totally the job of the administrator. In your case Apache + mod_rewrite is a requirement, but allowing Apache to use .htaccess files is totally different story. It has nothing to do with laziness, it's just simple best practices/know-how every admin should know.

As for the mod_rewrite requirement itself, yes, INSTALL files could be adjusted.

> > Regarding .htacess vs httpd.conf file I suppose the documentation
> > talks about administration global settings. When settings need to be
> > adjusted per application level .htaccess files are the only option
> > to have a good out-of-the-box experience. I suggest to *not* try to
> > merge them because it is too much work. A) the performance
> > difference is negligible, b) they will be recreated on next "pear
> > update" anyway, c) you would need to follow .htaccess changes as
> > Horde versions progresses and apply them to your configuration.
> 
> That's exactly the kind of pointers which should go to the documentation.

Yes, into Apache documentation, or into PEAR management documentation :)

This is not Horde specific. Any other web application which needs to use .htaccess files have exactly the same installation issues.
 
-- 
   Vilius

More information about the horde mailing list