如果我们设置 Apache Web 服务器来将 Apache 配置为将所有 HTML 作为 PHP 处理,是否会存在任何安全/性能问题?我特意指的是:
AddType application/x-httpd-php .php .php3 .php4 .html
我当时的情况是需要将一些 PHP 逻辑添加到一些 HTML 文件中;理想情况下,我不必将文件名例如 page.html 更改为 page.php (以保持 page.html< 的页面排名等) /代码>)。
这与以下问题相关: httpd AddType 指令
编辑:
从下面现有的答案/评论来看,社区似乎建议使用重定向或仅针对特定的 HTML 文件。限制是我正在重新设计一个现有站点(400 多个 HTML 页面;每个页面都使用某种 Dreamweaver 模板,从不同的文件中提取页眉和页脚)。我希望完全避开 Dreamweaver,转向非专有的领域。因此,我有两个选择:
- 使用服务器端包含 (SSI) 来拉入页眉和页脚。这将导致我的所有 HTML 文件都用 SSI 进行装饰。
- 撒上一些 PHP 片段以包含页眉和页脚。对于这个选择,我必须确保文件名保持不变。
Are there any security / performance concerns if we set the Apache web server to configure Apache to handle all HTML as PHP? I was specifically referring to:
AddType application/x-httpd-php .php .php3 .php4 .html
I was in a situation where I needed to add some PHP logic into some HTML files; ideally, I didn't have to change the filename e.g. page.html to page.php (to keep the page rank, etc. for page.html).
This is related to the following question: httpd AddType directive
Edits:
From the existing answers / comments below, it looks like the community suggests to either use redirects or only target specific HTML files. The constraint is that I am redesigning an existing site (400+ HTML pages; each of them uses some sort of Dreamweaver template that pulls in the header and footer from different files). I was hoping to completely shy away from Dreamweaver move into something non-proprietary. So, I am down with two options:
- Use Server Side Includes (SSI) to pull in the header and footer. This will result in all my HTML files to be decorated with SSI.
- Sprinkle some PHP snippet to include the header and footer. For this choice, I have to make sure the file name stays unchanged.
发布评论
评论(2)
服务器确定需要通过 PHP 解释器传递的文件越多,涉及的开销就越大,但我认为这是不言而喻的。如果您的网站没有任何带有纯 HTML 的页面,那么您已经付出了可能付出的所有性能损失 - 在这种情况下将 HTML 添加到列表中与简单地重命名所有页面没有什么不同文件具有 .php 扩展名。
如果您确实有纯 HTML 页面,那么真正的性能损失将会出现 - 服务器将不必要地将这些页面传递给 PHP 进行解释,而无需这样做。但即便如此,这也不是戏剧性的 - 这些 HTML 页面不需要 PHP 解释器,因此除了确定不需要执行任何操作之外,它不会执行任何操作。这是有成本的,但并不重要。
现在,如果我们在这里谈论大容量,那么每一点性能都很重要,这不是一个可行的解决方案。然而,对于中低容量站点来说,性能损失几乎为零。
如果这是一次性更改,并且受影响的文件数量有限,那么使用
FilesMatch指令可能会更保守。The more files the server determines it needs to pass through the PHP interpreter, the more overhead involved, but I think this goes without saying. If your site does not have ANY pages with plain HTML, then you're already paying all the performance penalties that you could possibly pay - adding HTML to the list is no different in this case than simply renaming all the files to have a .php extension.
The real performance penalty would come if you do have plain HTML pages - the server will needlessly pass these pages to PHP for interpretation when none is necessary. But even then, it isn't dramatic - the PHP interpreter won't be needed for those HTML pages, so it won't do anything aside from determining that it doesn't need to do anything. This has a cost, but it isn't significant.
Now, if we're talking high-volume here, every little bit of performance matters and this would not be a practicable solution. For low- to mid-volume sites, however, the performance penalty would be nill.
If this is a one-time change and there are a limited number of files that are affected, then it may be more conservative to use a
FilesMatchdirective.我不同意图加的观点。我认为您不应该对所有文件进行此更改。任何时候处理安全问题时,都应该尝试控制环境。仅对一个文件执行此操作可能是最安全的。您可以执行类似的操作
This will only match
file_name.html并将其处理为.php,这样做比处理 ALL 更安全.html文件为 php。I disagree with Tuga. I don't think you should make this change for all your files. Anytime you deal with security, you should try to control the environment. Doing it only for one file is probably the safest. You could do something like
This will only match
file_name.htmland process it as.phpwhere it is much safer to do this than treat ALL.htmlfiles as php.