.htaccess
The Magic Wand
Prathik S Shetty
Aug 20, 2011
In this tutorial you will find out about the .htaccess file and the power it has to improve your website. We will look into some use cases and examples.
PS: No Original Content. No Warranty
A .htaccess (hypertext access) file is a directory-level configuration file, supported by several web servers, that allows for decentralized management of web server configuration.
The .htaccess files can be used to alter the configuration of the Web Server software to enable/disable additional functionality and features that the Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.
.htaccess is the filename in full; it is not a file extension. For instance, you would not create a file called 'file.htaccess'; it is simply called '.htaccess'. The file takes effect when placed in any directory that is served by the web server software. It applies to the entire directory it is placed in and to all files and subdirectories within that directory.
.htaccess files must be uploaded in ASCII mode, not BINARY.
You may need to CHMOD the .htaccess file to 644 (rw-r--r--). This makes the file usable by the server but prevents it from being read by a browser, which could seriously compromise your security.
You need to make sure you are allowed to use .htaccess before you actually use it. Some things that .htaccess can do can compromise a server configuration that has been specifically set up by the admin, so don't get in trouble.
Pros | Cons |
---|---|
Immediate changes | Performance |
Non-privileged user Access | Security |
Because .htaccess files are read on every request, changes made in these files take immediate effect, as opposed to the main configuration file, which requires the server to be restarted for the new settings to take effect. Reading the files on every request also causes a slight performance hit.
For servers with multiple users, it is often desirable to allow individual users the ability to alter their site configuration. The use of .htaccess files allows such individualization by unprivileged users, because the main server configuration files do not need to be changed.
Hence controlling Apache using the main server configuration file httpd.conf is often preferred for security and performance reasons.
You will probably want to create an error document for codes 404 and 500, or at the least 404, since this gives you a chance to handle requests for pages that are not found. 500 would help you out with internal server errors in any scripts you have running.
ErrorDocument 404 /errors/notfound.html
This would cause any request resulting in a 404 error to be forwarded to yoursite.com/errors/notfound.html.
If you were to use an error document handler for each of the error codes I mentioned, the .htaccess file would look like the following (note each command is on its own line):
ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 /errors/notfound.html
ErrorDocument 500 /errors/serverr.html
You can also specify HTML, believe it or not!
ErrorDocument 401 "<body bgcolor=#ffffff>You have to actually <b>BE</b> a <a href='member.html' class='red'>member</a> to view this page, Colonel!</body>"
Ever wanted a specific directory in your site to be available only to people who you want it to be available to? Ever got frustrated with the seeming holes in client-side options for this that allowed virtually anyone with enough skill to mess around in your source to get in? htaccess is the answer!
.htaccess is about as secure as you can or need to get in everyday life, though there are ways above and beyond even that of htaccess.
The first thing you will need to do is create a password file, say .htpasswd:
htpasswd /path/to/file/.htpasswd username
guest@ssid21:/var/www/html/ppt$ htpasswd -c /var/www/html/ppt/.htpasswd prath
New password:
Re-type new password:
Adding password for user prath
Please note: do not use the '-c' option with the htpasswd command once the password file exists; it can overwrite the old passwords.
Now create a new .htaccess file inside the same folder with the following content. AuthUserFile must point to the password file you created, and that file is safer kept outside the directories the server publishes.
AuthUserFile /var/www/pass/.htpasswd
AuthGroupFile /dev/null
AuthName "Htaccess trial"
AuthType Basic
require valid-user
Is there a pesky person perpetrating pain upon you? Stalking your site from the vastness of the electron void? Blockem! In your htaccess file, add the following code--changing the IPs to suit your needs--each command on one line each:
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all
You can deny access based upon IP address or an IP block. If there is a site scraping your content you can block them this way. You can also set an option for
deny from all
which would of course deny everyone. You can also allow or deny by domain name rather than IP address, for example google.com.
Blocking users or sites that originate from a particular domain is another useful trick of .htaccess. Blocking access by referrer in .htaccess requires the help of the Apache module mod_rewrite to make out the referrer first.
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherbadsite\.com
RewriteRule .* - [F]
Some more blocking rules
RewriteCond %{HTTP_USER_AGENT} badbot
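How the conditions above decide a request, as an added Python example that is not part of the original slides. It models only the [NC] and [OR] flags and unanchored pattern matching; the sample requests and function names are constructed for illustration.

```python
import re

# Conditions from the rules above as (variable, pattern, flags).
REFERER_CONDS = [
    ("HTTP_REFERER", r"badsite\.com", {"NC", "OR"}),
    ("HTTP_REFERER", r"anotherbadsite\.com", set()),
]
AGENT_CONDS = [("HTTP_USER_AGENT", r"badbot", set())]

# Constructed requests: only the headers the conditions look at.
SAMPLES = {
    "listed site": {"HTTP_REFERER": "http://badsite.com/page.html"},
    "upper case": {"HTTP_REFERER": "http://WWW.BADSITE.COM/"},
    "name in query": {"HTTP_REFERER": "https://example.org/?q=badsite.com"},
    "other site": {"HTTP_REFERER": "https://example.org/"},
    "no referer": {},
}


def conds_match(conds, request):
    """Evaluate a RewriteCond chain the way mod_rewrite combines it:
    conditions are ANDed, except that [OR] joins one to the next."""
    result, group, group_open = True, False, False
    for var, pattern, flags in conds:
        value = request.get(var, "")          # absent header -> empty string
        re_flags = re.IGNORECASE if "NC" in flags else 0
        # Patterns are unanchored: a match anywhere in the value counts.
        group = group or re.search(pattern, value, re_flags) is not None
        group_open = "OR" in flags
        if not group_open:                    # OR-group complete
            result, group = result and group, False
    if group_open:                            # chain ended on an [OR]
        result = result and group
    return result


def blocked(request, conds=REFERER_CONDS):
    """RewriteRule .* - [F] matches every path, so the conditions decide."""
    return conds_match(conds, request)


if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:14} {'403' if blocked(request) else 'served'}")
```

A referrer that merely mentions the site in its query string is refused, while a request with no Referer header is served, so these rules trim unwanted traffic but are not access control. The user-agent condition has no [NC] flag, so it matches "badbot" only in that exact case.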
Do you have a directory full of images or zips that you do not want people to be able to browse through? Typically a server is set up to prevent directory listing, but sometimes it is not. If not, become self-sufficient and fix it yourself:
IndexIgnore *
The * is a wildcard that matches all files, so if you stick that line into an htaccess file in your images directory, nothing in that directory will be allowed to be listed.
On the other hand, what if you did want the directory contents to be listed, but only if they were HTML pages and not images? Simple says I:
IndexIgnore *.gif *.jpg
This would return a list of all files not ending in .jpg or .gif, but would still list .txt, .html, etc.
And conversely, if your server is set up to prevent directory listing, but you want to list the directories by default, you could simply throw this into an htaccess file in the directory you want displayed:
Options +Indexes
If you do use this option, be very careful that you do not put any unintentional or compromising files in this directory. And if you guessed it by the plus sign before Indexes, you can throw in a minus sign (Options -Indexes) to prevent directory listing entirely. We can also list extended details like the date, icon or file size of the directory entries:
Options +Indexes
IndexOptions FancyIndexing
Ever go through the nightmare of changing portions of your site, then having to deal with the problem of people finding their way from old pages to the new? It can be nasty. There are different ways of redirecting pages through http-equiv, javascript or through server-side languages but the fastest and the most effective way is .htaccess
Redirect /olddirectory/oldfile.html http://pickaroo.com/newfile.html
The code above does a temporary redirection. To inform the agent that you wish to do a permanent redirection, use
Redirect permanent /olddirectory/oldfile.html http://pickaroo.com/newfile.html
Each of the 4 is separated by a single space, but all on one line. You can also redirect an entire directory by simply using:
Redirect /olddirectory http://pickaroo.com/newdirectory
So you want to detect iPhone users on your website and redirect them to a specific page or version of your site. Here is how to redirect iPhone traffic with .htaccess:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteRule .* http://iphone.pickaroo.com/ [R]
The code will redirect iPhone users to an iPhone-specific site on iphone.pickaroo.com. Or if you want to redirect to a subdirectory of your site, i.e. pickaroo.com/my-iPhone-site/, you should use the following code:
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/
RewriteRule .* /my-iPhone-site/ [R]
Many people want to use SSI, but don't seem to have the ability to do so with their current web host. You can change that with htaccess.
AddType text/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes
The first line tells the server that pages with a .shtml extension (server-parsed HTML) are valid. The second line tells the server that any .shtml file should be parsed for server-side commands. The last line sets the directory's options: Includes is what actually turns on SSI processing, while Indexes and FollowSymLinks enable directory listings and symlink following.
We may wish to permit execution of CGI programs in a directory:
Options +ExecCGI
AddHandler cgi-script cgi pl
Alternatively, we may wish to have all files in a given directory be considered as CGI programs:
Options +ExecCGI
SetHandler cgi-script
What if your server wasn't set up to deliver certain file types properly? This is a common occurrence with MP3 or even SWF files. It is simple enough to fix:
AddType application/x-shockwave-flash swf
AddType is specifying that you are adding a MIME type. The application string is the MIME you are adding, and the final little bit is the default extension for the MIME type.
You can force a file to be downloaded via the browser's Save As feature by using:
AddType application/octet-stream swf
You can also change extensions and use a dummy extension with this method.
AddType application/x-httpd-php html
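Several directives in this tutorial widen what a directory lists or executes (Options +Indexes, +ExecCGI and Includes, SetHandler cgi-script, AddType application/x-httpd-php) or weaken the password setup (Basic auth, a password file under the web root). The following added Python example, not part of the original slides, scans an .htaccess file for them; the rule texts, the sample file and the default document root /var/www/html are assumptions of this example.

```python
import shlex

# Constructed sample built from directives shown in this tutorial.
SAMPLE = """\
AuthUserFile /var/www/html/ppt/.htpasswd
AuthType Basic
# Options -Indexes
Options +Indexes +ExecCGI
SetHandler cgi-script
AddType application/x-httpd-php html
IndexIgnore *
"""

# (directive, argument that triggers the finding) -> why it deserves review
RULES = {
    ("options", "indexes"): "directory listing exposes every file name",
    ("options", "execcgi"): "files in this directory may run as CGI programs",
    ("options", "includes"): "SSI is enabled, including its exec element",
    ("sethandler", "cgi-script"): "every file here, uploads included, is executed",
    ("addtype", "application/x-httpd-php"): "non-.php files are run through PHP",
    ("authtype", "basic"): "password is only base64-encoded; require HTTPS",
}


def directives(text):
    """Yield (line_no, name, args) for each directive, skipping comments,
    blank lines and <Container> tags."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        try:
            parts = shlex.split(line)      # honours "quoted arguments"
        except ValueError:                 # unbalanced quote: split naively
            parts = line.split()
        yield no, parts[0].lower(), parts[1:]


def audit(text, docroot="/var/www/html"):
    """Return sorted (line_no, message) findings for one .htaccess file."""
    findings = []
    for no, name, args in directives(text):
        for arg in args:
            if arg.startswith("-"):        # "-Indexes" switches a feature off
                continue
            msg = RULES.get((name, arg.lstrip("+").lower()))
            if msg:
                findings.append((no, msg))
        if name == "authuserfile" and args and \
                args[0].startswith(docroot.rstrip("/") + "/"):
            findings.append((no, "password file sits under the document root"))
    return sorted(findings)
```

Calling audit(SAMPLE) returns six findings on lines 1, 2, 4, 4, 5 and 6; the commented-out line and IndexIgnore produce none.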
You can use an htaccess file to control what kind of files should be cached, and for how long. Caching is not just for static sites; even dynamic sites can benefit from caching. One quick way to enable cache control headers for existing sites is to target files by extension:
ExpiresActive on
ExpiresDefault A0
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>