On Monday 27 September 2010, Graham Leggett wrote:
> .htaccess files are what they are, a way to configure the server
> at request time. For obvious reasons, with a server where the
> configuration is parsed on startup and then shared amongst all
> children processes using copy-on-write, any attempt at configuring
> the server at request time will be significantly slower by
> definition. Giving an unprivileged user the power to change the
> config of the server has security implications again by
> definition. But on the other hand, configuring at request time may
> be the only choice an admin has, and .htaccess is a very simple
> solution that fills that bill.

.htaccess allows two things:

1) configure the server at request time
2) allow an unprivileged user the power to change the configuration
   (and the admin can limit what the user can change with the various
   AllowOverride options)

It may be a good idea to provide a solution for 2) which does not require the performance penalty from 1). For example,

    IncludeRestricted AuthConfig,FileInfo /home/user/httpd.conf

which would pose the same limitations on the directives allowed in /home/user/httpd.conf as on .htaccess. If such an IncludeRestricted was included in a <VirtualHost> section, it should only affect that single virtual host.

I don't know if this would actually be useful. Maybe it would also need a periodic stat()/reload of the config file.
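
An added illustration, not part of the original message and not httpd code: a pre-load check that applies AllowOverride-style class limits to a user-owned config file, the restriction the proposed IncludeRestricted would have to enforce. The function name `check_restricted`, the partial directive-to-class table and the sample input are assumptions made for this example.

```python
# Override class of a few common directives, as given in the "Override:"
# field of the httpd directive documentation. Partial, hand-written table
# (an assumption of this example); anything not listed fails closed.
OVERRIDE_CLASS = {
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "require": "AuthConfig",
    "errordocument": "FileInfo", "addtype": "FileInfo",
    "rewriteengine": "FileInfo", "rewriterule": "FileInfo",
    "redirect": "FileInfo", "header": "FileInfo",
    "options": "Options", "directoryindex": "Indexes",
}

def check_restricted(text, allowed):
    """Return [(line_no, directive, reason)] for every line that the
    override classes in `allowed` do not permit; [] means acceptable."""
    allowed = {a.lower() for a in allowed}
    violations, pending = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        if line.endswith("\\"):      # backslash continues the directive
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            # Sections need context-aware checks; this sketch rejects them.
            violations.append((no, line.split()[0], "section container"))
            continue
        name = line.split()[0]
        cls = OVERRIDE_CLASS.get(name.lower())  # directive names are case-insensitive
        if cls is None:
            violations.append((no, name, "not overridable or unknown"))
        elif cls.lower() not in allowed:
            violations.append((no, name, "needs " + cls))
    return violations

# Constructed sample of a user-owned config file.
SAMPLE = """\
# constructed sample user config
AuthType Basic
AuthName "members"
Require valid-user
RewriteEngine On
Options +ExecCGI
LoadModule x_module /home/user/x.so
<Directory />
"""

if __name__ == "__main__":
    for v in check_restricted(SAMPLE, ["AuthConfig", "FileInfo"]):
        print(v)
```

Failing closed on unlisted directives matters here: a server-wide directive such as LoadModule has no override class at all, so a check that only blocked known-bad names would let it through.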
