projects / tools.git / blame
search:
summary | shortlog | log | commit | commitdiff | tree
plain | HEAD | blame
add html boilerplate
[tools.git] / doc / htaccess.md
Maxious 1 [HTML5 Boilerplate homepage](http://html5boilerplate.com) | [Documentation
2 table of contents](README.md)
3
4 # .htaccess
5
6 In Apache HTTP server, `.htaccess` (hypertext access) is the configuration file
7 that allows for web server configuration. HTML5 Boilerplate includes a number
8 of best practice server rules for making web pages fast and secure, these rules
9 can be applied by configuring `.htaccess` file.
10
11 **You'll want to have these modules enabled for optimum performance:**
12
13 * `mod_setenvif.c` (setenvif_module)
14 * `mod_headers.c` (headers_module)
15 * `mod_deflate.c` (deflate_module)
16 * `mod_filter.c` (filter_module)
17 * `mod_expires.c` (expires_module)
18 * `mod_rewrite.c` (rewrite_module)
19
20
21 ## On Windows
22
23 You've got a couple of options that depend on how you installed Apache.
24
25 1. **WampServer**. This is by far the simplest option. If you have installed
26 WampServer just click on the icon in the task bar, hover over the Apache
27 section in the menu that comes up and then hover over the modules section.
28 You will be presented with a list of modules. Simply click on a module name
29 to enable it (or disable it if it is already enabled). A check mark next to
30 a module indicates that it is enabled. WampServer will automatically restart
31 the Apache service after you enable a module.
32
33 2. **Manually editing `httpd.conf`**. This assumes that you have manually
34 installed Apache. You will need to locate the `httpd.conf` file which is
35 normally in the `conf` folder in the folder where you installed Apache (for
36 example `C:\apache\conf\httpd.conf`). Open up this file in a text editor. Near
37 the top (after a bunch of comments) you will see a long list of modules. Check
38 to make sure that the modules listed above are not commented out. If they
39 are, go ahead and uncomment them and restart Apache.
40
41 That's it, you're done!
42
43
44 ## On Linux
45
46 These instructions should work on any distribution where `apt-get` has been
47 used to install Apache.
48
49 1. Open up a terminal and type the following command. Enter your password when
50 prompted.
51
52 `sudo a2enmod setenvif headers deflate filter expires rewrite include`
53
54 1. Restart apache by using the following command so the new configuration takes
55 effect.
56
57 `sudo /etc/init.d/apache2 restart`
58
59 That's it, you're done!
60
61
62 ## On Mac
63
64 Coming soon...
65
66
67 ## Security
68
69 Do not turn off your ServerSignature (i.e., the `Server:` HTTP header). Serious
70 attackers can use other kinds of fingerprinting methods to figure out the
71 actual server and components running behind a port. Instead, as a site owner,
72 you should keep track of what's listening on ports on hosts that you control.
73 Run a periodic scanner to make sure nothing suspicious is running on a host you
74 control, and use the ServerSignature to determine if this is the web server and
75 version that you expect.
76
77
78 ## Performance
79
80 ### Configure ETags
81
82 ```apache
83 FileETag None
84 ```
85
86 Entity tags (ETags) is a mechanism that web servers and browsers use to
87 determine whether the component in the browser's cache matches the one on the
88 origin server. (An "entity" is another word a "component": images, scripts,
89 stylesheets, etc.) ETags were added to provide a mechanism for validating
90 entities that is more flexible than the last-modified date. An `ETag` is a
91 string that uniquely identifies a specific version of a component. The only
92 format constraints are that the string be quoted. The origin server specifies
93 the component's `ETag` using the `ETag` response header.
94
95 ```http
96 HTTP/1.1 200 OK
97 Last-Modified: Tue, 12 Dec 2006 03:03:59 GMT
98 ETag: "10c24bc-4ab-457e1c1f"
99 Content-Length: 12195
100 ```
101
102 Later, if the browser has to validate a component, it uses the `If-None-Match`
103 header to pass the `ETag` back to the origin server. If the ETags match, a 304
104 status code is returned reducing the response by 12195 bytes for this
105 example.
106
107 ```http
108 GET /i/yahoo.gif HTTP/1.1
109 Host: us.yimg.com
110 If-Modified-Since: Tue, 12 Dec 2006 03:03:59 GMT
111 If-None-Match: "10c24bc-4ab-457e1c1f"
112 HTTP/1.1 304 Not Modified
113 ```
114
115 The problem with ETags is that they typically are constructed using attributes
116 that make them unique to a specific server hosting a site. ETags won't match
117 when a browser gets the original component from one server and later tries to
118 validate that component on a different server, a situation that is all too
119 common on web sites that use a cluster of servers to handle requests. By
120 default, both Apache and IIS embed data in the ETag that dramatically reduces
121 the odds of the validity test succeeding on web sites with multiple servers.
122
123 The ETag format for Apache 1.3 and 2.x is inode-size-timestamp. Although a
124 given file may reside in the same directory across multiple servers, and have
125 the same file size, permissions, timestamp, etc., its inode is different from
126 one server to the next.
127
128 IIS 5.0 and 6.0 have a similar issue with ETags. The format for ETags on IIS is
129 Filetimestamp:ChangeNumber. A ChangeNumber is a counter used to track
130 configuration changes to IIS. It's unlikely that the ChangeNumber is the same
131 across all IIS servers behind a web site.
132
133 The end result is ETags generated by Apache and IIS for the exact same
134 component won't match from one server to another. If the ETags don't match, the
135 user doesn't receive the small, fast 304 response that ETags were designed for;
136 instead, they'll get a normal 200 response along with all the data for the
137 component. If you host your web site on just one server, this isn't a problem.
138 But if you have multiple servers hosting your web site, and you're using Apache
139 or IIS with the default ETag configuration, your users are getting slower
140 pages, your servers have a higher load, you're consuming greater bandwidth, and
141 proxies aren't caching your content efficiently. Even if your components have a
142 far future Expires header, a conditional GET request is still made whenever the
143 user hits Reload or Refresh.
144
145 If you're not taking advantage of the flexible validation model that ETags
146 provide, it's better to just remove the ETag altogether. The Last-Modified
147 header validates based on the component's timestamp. And removing the ETag
148 reduces the size of the HTTP headers in both the response and subsequent
149 requests. This Microsoft Support article describes how to remove ETags. In
150 Apache, this is done by simply adding the above line to your Apache
151 configuration file.
152
153
154 ### Gzip Components
155
156 Compression reduces response times by reducing the size of the HTTP response.
157
158 Starting with HTTP/1.1, web clients indicate support for compression with the
159 Accept-Encoding header in the HTTP request.
160
161 ```
162 Accept-Encoding: gzip, deflate
163 ```
164
165 If the web server sees this header in the request, it may compress the response
166 using one of the methods listed by the client. The web server notifies the web
167 client of this via the Content-Encoding header in the response.
168
169 ```
170 Content-Encoding: gzip
171 ```
172
173 Gzip is the most popular and effective compression method at this time. It was
174 developed by the GNU project and standardized by RFC 1952. The only other
175 compression format you're likely to see is deflate, but it's less effective and
176 less popular.
177
178 Gzipping generally reduces the response size by about 70%. Approximately 90% of
179 today's Internet traffic travels through browsers that claim to support gzip.
180 If you use Apache, the module configuring gzip depends on your version: Apache
181 1.3 uses `mod_gzip` while Apache 2.x uses `mod_deflate`.
182
183 There are known issues with browsers and proxies that may cause a mismatch in
184 what the browser expects and what it receives with regard to compressed
185 content. Fortunately, these edge cases are dwindling as the use of older
186 browsers drops off. The Apache modules help out by adding appropriate Vary
187 response headers automatically.
188
189 Servers choose what to gzip based on file type, but are typically too limited
190 in what they decide to compress. Most web sites gzip their HTML documents. It's
191 also worthwhile to gzip your scripts and stylesheets, but many web sites miss
192 this opportunity. In fact, it's worthwhile to compress any text response
193 including XML and JSON. Image and PDF files should not be gzipped because they
194 are already compressed. Trying to gzip them not only wastes CPU but can
195 potentially increase file sizes.
196
197 Gzipping as many appropriate file types as possible is an easy way to reduce
198 page weight and accelerate the user experience.
199
200
201 ### Cache busting
202
203 A first-time visitor to your page may have to make several HTTP requests, but
204 by using the Expires header you make those components cacheable. This avoids
205 unnecessary HTTP requests on subsequent page views. Expires headers are most
206 often used with images, but they should be used on all components including
207 scripts, stylesheets, etc.
208
209 Traditionally, if you use a far future Expires header you have to change the
210 component's filename whenever the component changes.
211
212 The H5BP `.htaccess` has built-in filename cache busting. To use it, uncomment
213 the relevant lines in the `.htaccess` file.
214
215 Doing so will route all requests for `/path/filename.20120101.ext` to
216 `/path/filename.ext`. To use this, just add a time-stamp number (or your own
217 numbered versioning system) into your resource filenames in your HTML source
218 whenever you update those resources.
219
220 #### Example:
221