.Htaccess Reference
by Scott Allen - February 7, 2007
Filed Under .htaccess, SEO, URL Rewriting, Website Security
Wikipedia used to have a very informative article about .htaccess. It unfortunately was deleted (against the objections of many, including myself) and merged with the Apache article. However, I had the foresight to archive the page. I felt that it was a great loss to the internet and the community of web developers because of the useful information it contained, so I’m re-posting the article here.
UPDATE 07/08/07 – The Wikipedia article has been reinstated. Apparently the editors finally listened to the overwhelming objections. Since no one can predict the future stability of the Wikipedia article, this version will still remain available here for your reference.
.htaccess (Hypertext Access) is the default name of Apache’s directory-level configuration file. It provides the ability to customize configuration directives defined in the main configuration file. The configuration directives need to be in .htaccess context and the user needs appropriate permissions.
Statements such as the following can be used to configure a server to send out customized documents in response to client errors such as “404: Not Found” or server errors such as “503: Service Unavailable” (see List of HTTP status codes):
ErrorDocument 404 /error-pages/404.html
ErrorDocument 503 /error-pages/503.html
When setting up custom error pages, it is important to remember that these pages may be accessed from various different URLs, so the links in these error documents (including those to images, stylesheets and other documents) must be specified using URLs that are either absolute (e.g., starting with “http://”) or relative to the document root (starting with “/”). Also, the error page for “403: Forbidden” errors must be placed in a directory that is accessible to users who are denied access to other parts of the site. This is typically done by making the directory containing the error pages accessible to everyone by creating another .htaccess file in the /error-pages directory containing these lines:
Order allow,deny
Allow from all
Contents
- 1 Password protection
- 2 Enable SSI
- 3 Deny users by IP address
- 4 Change the default directory page
- 5 Redirects
- 6 Prevent hotlinking of images
- 7 Standardise web address to require www with SEO-friendly 301 Redirect
- 8 Directory rules
- 9 User permissions
- 10 Other uses
- 11 See also
- 12 External links
Password protection
Make the user enter a name and password before viewing a directory.
AuthUserFile /home/newuser/www/stash/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Directory"
AuthType Basic
# Require sits outside any <Limit> block so it applies to every HTTP method, not only GET and POST
Require user newuser
The same behavior can be applied to specific files inside a directory.
<Files protected_file.php>
AuthUserFile /home/newuser/www/stash/.htpasswd
AuthName "Protected File"
AuthType Basic
Require valid-user
</Files>
Now run this command to create a new password for the user ‘newuser’.
htpasswd /home/newuser/www/stash/.htpasswd newuser
Unprotect a directory inside an otherwise protected structure:
Satisfy any
Extra secure method to force a domain to only use SSL and fix double login problem
If you really want to be sure that your server is only serving documents over an encrypted SSL channel (you wouldn’t want visitors to submit an .htaccess password prompt on an unencrypted connection) then you need to use the SSLRequireSSL directive with the +StrictRequire Option turned on.
SSLOptions +StrictRequire
SSLRequireSSL
# or www.site.com
SSLRequire %{HTTP_HOST} eq "site.com"
ErrorDocument 403 https://site.com
An interesting thing about using mod_ssl instead of mod_rewrite to force SSL is that Apache gives mod_ssl priority above mod_rewrite, so it will always require SSL. (It may be possible to get around the first method using http://example.com:443 or https://example.com:80.)
- An in-depth article about what this is doing can be found in the SSL Forum
Enable SSI
AddType text/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes
Deny users by IP address
Order allow,deny
Deny from 123.45.67.8
Deny from 123.123.7
Allow from all
This would ban anyone with an IP address of 123.45.67.8 and would also ban anyone with an IP address starting in 123.123.7: for example, 123.123.74.42 would not gain access.
Change the default directory page
DirectoryIndex homepage.html
Here, anyone visiting http://www.example.org/ would see the homepage.html page, rather than the default index.html.
Redirects
Redirect /page1.html http://www.example.org/page2.html
If someone were to visit http://www.example.org/page1.html, he would be sent (with an HTTP status code of 302) to http://www.example.org/page2.html.
Prevent hotlinking of images
The following .htaccess rules use mod_rewrite.
From specific domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://([^/]+\.)?baddomain1\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^/]+\.)?baddomain2\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^/]+\.)?baddomain3\.com [NC]
RewriteRule \.(gif|jpg)$ http://www.example.org/hotlink.gif [R,L]
Except from specific domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.org/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.example.org/hotlink.gif [R,L]
Unless the image is displayed on example.org, browsers would see the image hotlink.gif.
Note: Hotlink protection using .htaccess relies on the client sending the correct “Referer” value in the HTTP GET request. Programs such as Windows Media Player send a blank referrer, so attempts to use .htaccess to protect movie files, for example, are ineffective.
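The two rule sets above can be checked against sample Referer values before they are deployed. The following Python sketch is an added example, not part of the original article: it models only how mod_rewrite combines RewriteCond lines (ANDed by default, with [OR] joining a run of conditions into one group), uses Python's re module in place of Apache's regex engine, and runs on constructed Referer values.

```python
import re
from dataclasses import dataclass

@dataclass
class Cond:
    pattern: str           # CondPattern as written; a leading "!" negates it
    nocase: bool = False   # [NC]
    ornext: bool = False   # [OR]

    def matches(self, value: str) -> bool:
        negate = self.pattern.startswith("!")
        regex = self.pattern[1:] if negate else self.pattern
        hit = re.search(regex, value, re.I if self.nocase else 0) is not None
        return hit != negate

def conds_pass(conds, referer: str) -> bool:
    """Conditions are ANDed; a run of conditions joined by [OR] counts as one."""
    result, group_hit = True, False
    for cond in conds:
        group_hit = group_hit or cond.matches(referer)
        if not cond.ornext:            # end of an OR group
            result, group_hit = result and group_hit, False
    return result

def is_redirected(conds, path: str, referer: str) -> bool:
    """True if RewriteRule \\.(gif|jpg)$ fires, i.e. hotlink.gif is served."""
    return re.search(r"\.(gif|jpg)$", path) is not None and conds_pass(conds, referer)

# The two rule sets from this section (dot in example.org escaped).
DENY_LISTED = [
    Cond(r"^http://([^/]+\.)?baddomain1\.com", nocase=True, ornext=True),
    Cond(r"^http://([^/]+\.)?baddomain2\.com", nocase=True, ornext=True),
    Cond(r"^http://([^/]+\.)?baddomain3\.com", nocase=True),
]
ALLOW_OWN_SITE = [
    Cond(r"!^$"),
    Cond(r"!^http://(www\.)?example\.org/.*$", nocase=True),
]

if __name__ == "__main__":
    # Constructed Referer values; "" stands for a request with no Referer header.
    samples = ["", "http://www.example.org/gallery.html",
               "https://www.example.org/gallery.html",
               "http://othersite.example/page", "http://img.baddomain2.com/x"]
    for ref in samples:
        print(f"{ref!r:45} deny-list={is_redirected(DENY_LISTED, 'img/a.jpg', ref)!s:5} "
              f"allow-own={is_redirected(ALLOW_OWN_SITE, 'img/a.jpg', ref)}")
```

The output shows that a request with no Referer is never redirected by either rule set, and that because the patterns begin with http://, the second rule set treats the site's own pages served over https:// as foreign referers.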
Standardise web address to require www with SEO-friendly 301 Redirect
If an address without the “www.” prefix is entered, this will redirect to the page with the “www.” prefix.
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
# check that HTTP_HOST field is present
RewriteCond %{HTTP_HOST} !^$
# case-insensitive
RewriteCond %{HTTP_HOST} !^www\.sitename\.com$ [NC]
# 301 Redirect, very efficient
RewriteRule ^(.*)$ http://www.sitename.com/$1 [R=301,L]
Directory rules
A .htaccess file controls the directory it is in, plus all subdirectories. However, by placing additional .htaccess files in the subdirectories, this can be overruled.
User permissions
The user permissions for .htaccess are controlled at server level with the AllowOverride directive, which is documented in the Apache Server Documentation.
Other uses
Some web developers have modified .htaccess to perform custom tasks server-side before serving content to the browser. Developer Shaun Inman shows it is possible to edit .htaccess to allow for Server Side Constants within CSS.
- AskApache htaccess Category
- Comprehensive guide to .htaccess – Tutorial from JavaScript Kit
- Documentation for mod_rewrite, frequently used in .htaccess files
- Apache configuration directives allowed in .htaccess context
- Apache Docs .htaccess Howto
- Beginner’s .htaccess tutorial and Custom Error Page Generator – Beginner’s tutorial on .htaccess and custom error page generator in PHP
- htaccess + htpasswd File Generator – .htaccess & .htpasswd generator for directory password protection
- htaccess File Generator at cooletips.de
- Repository of .htaccess/mod_rewrite snippets, examples and tricks
- htaccess Cheatsheet
- Stupid .htaccess Tricks
- The Ultimate Guide to .htaccess Files
- Guide to Blocking Bad Visitors with .htaccess
Comments
8 Responses to “.Htaccess Reference”
Scott,
Thank you for posting this information. Do you happen to know the reason Wikipedia decided to remove it?
Excellent site, by the way.
Thanks again,
Jeff
Hey Jeff,
You’re very welcome. As far as I know they removed it because they felt that Wikipedia “wasn’t intended to be a manual”. I think that’s a lame reason because it was a strong article and a real asset to the internet community. Thanks! BTW, your page is a great resource on the topic as well!
- Scott