.htaccess
The Magic Wand


Prathik S Shetty
Aug 20, 2011

In this tutorial you will find out about the .htaccess file and the power it has to improve your website. We will look into some use cases and examples

 

PS: No Original Content. No Warranty

Intro


A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers that allows for decentralized management of web server configuration.

.htaccess files can be used to alter the configuration of the web server software to enable or disable additional functionality and features that the web server has to offer. These range from basic redirect functionality, for instance when a 404 file-not-found error occurs, to more advanced functions such as content password protection or image hotlink prevention.

.htaccess is the filename in full; it is not a file extension. For instance, you would not create a file called 'file.htaccess'; it is simply called '.htaccess'. The file takes effect when placed in any directory that is served by the web server software, and it applies to the entire directory it is placed in and to all files and subdirectories within that directory.


.htaccess files must be uploaded in ASCII mode, not binary. You may need to chmod the .htaccess file to 644 (rw-r--r--). This makes the file usable by the server but prevents it from being read through a browser, which could otherwise seriously compromise your security.

You need to make sure you are allowed to use .htaccess before you actually use it. Some things that .htaccess can do can compromise a server configuration that has been specifically set up by the admin, so don't get in trouble.

Common usage

Pros and Cons

Pros                         Cons
Immediate changes            Performance
Non-privileged user access   Security

Because .htaccess files are read on every request, changes made in these files take immediate effect, as opposed to the main configuration file, which requires the server to be restarted for new settings to take effect. Reading the files on every request leads to a slight performance hit.

For servers with multiple users, it is often desirable to allow individual users the ability to alter their site configuration. The use of .htaccess files allows such individualization by unprivileged users, because the main server configuration files do not need to be changed.

Hence controlling Apache through the main server configuration file httpd.conf is often preferred for security and performance reasons.

Error Responses


You will probably want to create an error document for codes 404 and 500, at the very least 404, since this gives you a chance to handle requests for pages not found. 500 helps you out with internal server errors in any scripts you have running.

ErrorDocument 404 /errors/notfound.html

This forwards any request that results in a 404 to yoursite.com/errors/notfound.html.

If you were to use an error document handler for each of the error codes I mentioned, the .htaccess file would look like the following (note each command is on its own line):

ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 /errors/notfound.html
ErrorDocument 500 /errors/serverr.html

 
 

HTTP Error Codes:
  • 100 Continue
  • 101 Switching protocols
  • 200 Successful
  • 201 Created
  • 202 Accepted
  • 203 Non-authoritative information
  • 204 No content
  • 205 Reset content
  • 206 Partial content
  • 300 Multiple choices
  • 301 Moved permanently
  • 302 Moved temporarily
  • 303 See other location
  • 304 Not modified
  • 305 Use proxy
  • 307 Temporary redirect
  • 400 Bad request
  • 401 Not authorized
  • 403 Forbidden
  • 404 Not found
  • 405 Method not allowed
  • 500 Internal server error
  • 501 Not implemented
  • 502 Bad gateway
  • 503 Service unavailable
  • 504 Gateway timeout
  • 505 HTTP version not supported


You can also specify HTML inline, believe it or not! The whole directive must stay on one line:

ErrorDocument 401 "<body bgcolor=#ffffff>You have to actually <b>BE</b> a <a href='member.html' class='red'>member</a> to view this page, Colonel!</body>"

Password Protection


Ever wanted a specific directory in your site to be available only to the people you choose? Ever got frustrated with the seeming holes in client-side options for this, which allowed virtually anyone with enough skill to mess around in your source to get in? htaccess is the answer!

.htaccess is about as secure as you can or need to get in everyday life, though there are ways above and beyond even that of htaccess.

The first thing you will need to do is create a password file, say .htpasswd:

htpasswd /path/to/file/.htpasswd username
guest@ssid21:/var/www/html/ppt$ htpasswd -c /var/www/html/ppt/.htpasswd prath
New password:
Re-type new password:
Adding password for user prath

Please note: use the '-c' option only when creating the file for the first time. Running htpasswd -c against an existing file overwrites it, discarding the existing users and their passwords.


Now create a new .htaccess file inside the folder you want to protect, with the following content:

AuthUserFile /var/www/pass/.htpasswd
AuthGroupFile /dev/null
AuthName "Htaccess trial"
AuthType Basic
require valid-user

  • AuthUserFile is the full server path to your password file.
  • AuthName is the name of the area you want to protect. It can be anything; the browser shows it in the login prompt.
  • AuthType is either Basic or Digest. Use Basic for basic HTTP authentication.
  • require valid-user grants access to any user listed in the password file; use require user followed by usernames to restrict that portion of your site to specific users.
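As an added example (not code from the original deck), here is a small Python helper that manages .htpasswd entries without the '-c' pitfall described above: it replaces one user and keeps every other entry intact, and it verifies a login the way the server would. It uses Apache's {SHA} entry format (what `htpasswd -s` writes) purely because that needs only the standard library; for real deployments prefer `htpasswd -B` (bcrypt).

```python
import base64
import hashlib
import hmac

# Example added here, not code from the original deck. Entries use Apache's {SHA}
# format (what `htpasswd -s` writes) because it needs only the standard library;
# for real deployments prefer `htpasswd -B` (bcrypt). The functions work on the
# file's lines so they can be combined with any read/write step.

def sha_hash(password):
    """Apache {SHA} format: '{SHA}' + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def upsert_user(lines, username, password):
    """Add or replace one user, keeping every other entry (unlike `htpasswd -c`)."""
    if ":" in username or not username:
        raise ValueError("invalid username")
    kept = [l for l in lines if l.split(":", 1)[0] != username]
    kept.append(username + ":" + sha_hash(password))
    return kept

def check_password(lines, username, password):
    """Verify a login the way mod_auth_basic would for a {SHA} entry."""
    for line in lines:
        user, _, stored = line.partition(":")
        if user == username and stored.startswith("{SHA}"):
            # constant-time compare avoids leaking how much of the hash matched
            return hmac.compare_digest(stored, sha_hash(password))
    return False

def save_htpasswd(path, lines):
    """Write the file; keep it outside the document root, as the slide's example does."""
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
```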

Blocking


Is there a pesky person perpetrating pain upon you? Stalking your site from the vastness of the electron void? Block 'em! In your htaccess file, add the following code, changing the IPs to suit your needs, with each command on its own line:

order allow,deny
deny from 123.45.6.7 
deny from 012.34.5. 
allow from all

You can deny access based upon an IP address or an IP block (a dotted prefix such as the second example above). If there is a site scraping your content, you can block it this way. You can also set

deny from all

which would of course deny everyone. You can also allow or deny by domain name rather than IP address, for example google.com.
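The Order directive's precedence rules are easy to get backwards, so here is an added example (not from the original deck) that evaluates allow/deny rules the way Apache does for IP addresses, including the "deny everyone" variant and a CIDR block; hostname entries like google.com are not modelled. The rule text below is constructed for the example.

```python
import ipaddress

# Constructed rule set mirroring the slide: Order allow,deny, two Deny entries
# (one full IP, one dotted prefix) and Allow from all. Example code, not the deck's.
RULES = """
order allow,deny
deny from 123.45.6.7
deny from 12.34.5.
allow from all
"""

def parse_access_rules(text):
    """Parse Order / Allow from / Deny from lines (mod_access_compat syntax)."""
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def host_matches(client_ip, pattern):
    """Match 'all', a full IP, a CIDR block, or a dotted partial-IP prefix like 12.34.5."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern

def access_allowed(client_ip, rules_text):
    """Apache's Order semantics: the keyword named last is evaluated last and wins."""
    order, allow, deny = parse_access_rules(rules_text)
    allowed = any(host_matches(client_ip, p) for p in allow)
    denied = any(host_matches(client_ip, p) for p in deny)
    if order == "allow,deny":
        # default deny; a host must match an Allow and must not match any Deny
        return allowed and not denied
    if order == "deny,allow":
        # default allow; a Deny match is overridden by a matching Allow
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)
```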


Blocking users or sites that originate from a particular domain is another useful trick of .htaccess. Blocking access by referrer in .htaccess requires the help of the Apache module mod_rewrite to inspect the referrer first:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherbadsite\.com
RewriteRule .* - [F]

Some more blocking rules, this time by user agent. A RewriteCond on its own does nothing; it needs a RewriteRule to act on:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} badbot [NC]
RewriteRule .* - [F]

Directory Listing


Do you have a directory full of images or zips that you do not want people to be able to browse through? Typically a server is set up to prevent directory listing, but sometimes it is not. If not, become self-sufficient and fix it yourself:

IndexIgnore *

The * is a wildcard that matches all files, so if you put that line into an htaccess file in your images directory, nothing in that directory will be listed.

On the other hand, what if you did want the directory contents to be listed, but only if they were HTML pages and not images? Simple says I:

IndexIgnore *.gif *.jpg

This would return a list of all files not ending in .jpg or .gif, so .txt, .html and so on would still be listed.


And conversely, if your server is set up to prevent directory listing but you want directories listed by default, you could simply put this into an htaccess file in the directory you want displayed:

Options +Indexes

If you do use this option, be very careful that you do not put any unintentional or compromising files in this directory. As you may have guessed from the plus sign before Indexes, you can use a minus sign (Options -Indexes) to prevent directory listing entirely. We can also list extended details such as the date, an icon or the file size of each entry in the directory:

Options +Indexes
IndexOptions FancyIndexing

Redirection


Ever gone through the nightmare of changing portions of your site, then having to deal with the problem of people finding their way from old pages to the new? It can be nasty. There are different ways of redirecting pages, through http-equiv, JavaScript or server-side languages, but the fastest and most effective way is .htaccess:

Redirect /olddirectory/oldfile.html http://pickaroo.com/newfile.html 

The code above does a temporary (302) redirect. To inform the user agent that you wish to do a permanent redirect, use:

Redirect permanent /olddirectory/oldfile.html http://pickaroo.com/newfile.html

Each of the four parts is separated by a single space, all on one line. You can also redirect an entire directory by simply using:

Redirect /olddirectory http://pickaroo.com/newdirectory


So you want to detect iPhone users on your website and redirect them to a specific page or version of your site. Here is how to redirect iPhone traffic with .htaccess:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteRule .* http://iphone.pickaroo.com/ [R]

This code redirects iPhone users to an iPhone-specific site on iphone.pickaroo.com. If you instead want to redirect to a subdirectory of your site, i.e. pickaroo.com/my-iPhone-site/, you should use the following code (the second condition stops the rule from redirecting requests that are already inside the subdirectory):

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/ 
RewriteRule .* /my-iPhone-site/ [R] 
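To show why that second RewriteCond matters, here is an added example (not from the original deck): a tiny evaluator for the RewriteCond/RewriteRule pairs above, run over the slide's rule set with and without the %{REQUEST_URI} guard. It models only what the slides use (regex conditions on the two variables, '!' negation, a rule whose pattern is .* and is taken as always matching) and treats each redirect target as the next request.

```python
import re

# Added example, not from the original deck: a minimal RewriteCond/RewriteRule
# evaluator covering only the features the slide uses, to demonstrate redirect loops.

def parse_rewrite(text):
    """Return [(conds, target)], where conds is a list of (variable, negate, regex)."""
    rules, conds = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "RewriteCond":
            negate = parts[2].startswith("!")
            conds.append((parts[1].strip("%{}"), negate, parts[2].lstrip("!")))
        elif parts and parts[0] == "RewriteRule":
            rules.append((conds, parts[2]))  # pattern is .* on the slide, so it always matches
            conds = []
    return rules

def apply_once(rules, env):
    """Return the redirect target for one request, or None if no rule fires."""
    for conds, target in rules:
        if all(bool(re.search(rx, env.get(var, ""))) != neg for var, neg, rx in conds):
            return target
    return None

def follow_redirects(rules, user_agent, uri, limit=5):
    """Re-apply the rules to each redirect target; returns (hops, looped)."""
    hops = [uri]
    for _ in range(limit):
        target = apply_once(rules, {"HTTP_USER_AGENT": user_agent, "REQUEST_URI": uri})
        if target is None:
            return hops, False
        uri = target
        hops.append(uri)
    return hops, True  # still redirecting after `limit` hops: a loop

# Constructed rule sets: the slide's subdirectory example, without and with its guard.
UNGUARDED = """RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteRule .* /my-iPhone-site/ [R]
"""
GUARDED = """RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/
RewriteRule .* /my-iPhone-site/ [R]
"""
```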

SSI & CGI


Many people want to use SSI but don't seem to have the ability to do so with their current web host. You can change that with htaccess:

AddType text/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes

The first line tells the server that pages with a .shtml extension (server-parsed HTML) are valid.
The second line tells the server that any .shtml file should be parsed for server-side commands.
The last line turns on the Includes option, which mod_include needs before it will process those commands (as written it also enables directory indexes and symlink following; Options +Includes alone would do for SSI).

We may wish to permit execution of CGI programs in a directory:

Options +ExecCGI
AddHandler cgi-script cgi pl

Alternatively, if we wish to have all files in a given directory treated as CGI programs:

Options +ExecCGI
SetHandler cgi-script

MIME Types


What if your server wasn't set up to deliver certain file types properly? This is a common occurrence with MP3 or even SWF files. It is simple enough to fix:

AddType application/x-shockwave-flash swf 

AddType specifies that you are adding a MIME type. The application/... string is the MIME type you are adding, and the final part is the file extension to associate with that MIME type.

You can force a file to be downloaded, via the browser's Save As feature, by using:

AddType application/octet-stream swf 

You can also change extensions, or use a dummy extension, with this method. For example, the following has .html files processed as PHP:

AddType application/x-httpd-php html 

Cache Control


You can use an htaccess file to control which kinds of files should be cached, and for how long. Caching is not just for static sites; even dynamic sites can benefit from it. One quick way to enable cache control headers for an existing site is to target files by extension (this needs mod_expires and mod_headers):

ExpiresActive on
ExpiresDefault A0
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>

Automate



Bibliography

Thank You

Yawn :O