Set Apache directives for each web directory and file.

Oct 10, 2006 07:40 GMT  ·  By

If you run a web server, you most likely know that directives such as blocking users, preventing hot-linking and so on are set in Apache's httpd.conf and that they apply to each and every file and directory your web server hosts. What if you want to set different directives for certain files or directories without affecting the others? This is where .htaccess comes in handy. With it, you can protect directories with a password and block certain IPs from reading certain files or folders. The ability to place .htaccess files in any directory of your site lets you set up a finely tuned tree of server directives, with each subfolder inheriting properties from its parent until you decide to override certain directives for a subfolder by giving it its own .htaccess file.

Control access

No entry!

.htaccess is mostly used to restrict or deny access to individual files and folders. If your website has an 'include' directory containing site configuration files and passwords, you wouldn't want users to access those files directly.

NOTE: Some Apache installations set the AllowOverride directive in httpd.conf to "None". This disables the use of .htaccess files. To enable it, open httpd.conf, search for the following section and set AllowOverride to All:

# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
AllowOverride All

So, create a plain text file in the 'include' directory (or whatever directory you want to block access to), name it .htaccess and put these lines in it:

# nobody can access this folder
deny from all

Of course, the # line is just a comment so that you will know later what that directive is for; you may leave it out.

No entry outside the LAN!

Where the above directive blocks access for everyone, this one allows access only from certain IPs or IP ranges:

# block everyone from accessing this folder
order deny,allow
deny from all
# except for LAN IPs
allow from 192.168.0.0/24
# and for my home Internet IP
allow from 86.12.34.56

Now, whenever a visitor tries to access that directory ('include' in our case), they will get a 403 "access denied" error page in their browser.
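As an added example (not from the original article), the following Python emulates how Apache 2.2 evaluates the Order, Deny and Allow directives above, so you can check which client IPs a rule set admits before deploying it. The rule set is constructed from the article's block; the same function also covers the Order allow,deny form used later for hiding files, where the reversed order makes "deny from all" win over every allow.

```python
import ipaddress

# Constructed rule set mirroring the article's .htaccess block:
# order deny,allow / deny from all / allow from 192.168.0.0/24 / allow from 86.12.34.56
RULES = [
    ("order", "deny,allow"),
    ("deny", "all"),
    ("allow", "192.168.0.0/24"),
    ("allow", "86.12.34.56"),
]


def _matches(pattern, client_ip):
    """True if an Allow/Deny 'from' argument covers the client IP."""
    if pattern == "all":
        return True
    # A bare address becomes a /32 network; CIDR ranges are used as given.
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, client_ip):
    """Apply Apache 2.2 'Order' semantics and return 'allowed' or 'denied'.

    deny,allow: Deny directives are checked first; a matching Allow overrides
                them, and a client matching neither is allowed.
    allow,deny: Allow directives are checked first and one must match; a
                matching Deny then overrides, and a client matching neither
                is denied.
    """
    order = next((v for k, v in rules if k == "order"), "deny,allow").lower()
    allowed = any(_matches(p, client_ip) for k, p in rules if k == "allow")
    denied = any(_matches(p, client_ip) for k, p in rules if k == "deny")
    if order == "deny,allow":
        return "allowed" if (allowed or not denied) else "denied"
    if order == "allow,deny":
        return "allowed" if (allowed and not denied) else "denied"
    raise ValueError("unsupported Order value: " + order)
```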

Password protect directories

The second most important use for .htaccess is to allow access only to specific users by password protecting folders. A simple authorization mechanism might look like this:

AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/html/.htpasswd
require valid-user

You can also use the same mechanism to limit certain kinds of requests. For example, if you only want valid users to be able to POST to this directory, but anyone to be allowed to GET, PUT, etc., use:

AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/html/.htpasswd
<Limit POST>
require valid-user
</Limit>

You might notice a new file in the directives, the .htpasswd file. This file contains the user names allowed to access the directory, along with their passwords. To create this file, use the htpasswd utility. If it is the first time you use it and the .htpasswd file doesn't exist yet, pass the -c option so the file gets created:

# htpasswd -c /var/www/html/.htpasswd alex

As a hint, the .htpasswd file can reside in any location of your choice, as long as you use the same path in the .htaccess file and when creating new users with the htpasswd tool. If you want to add another user after the file has been created, drop the -c option, as it would overwrite the current .htpasswd file.

Allowing directories to be fully browsable

By default, if a directory doesn't have an index file, the user browsing that directory will most likely get a nasty error. To bring back the ability to browse through a directory without an index file, add this to its .htaccess file:

Options +Indexes +MultiViews +FollowSymlinks

Moreover, if your web server has autoindex_module loaded, you can also get a nicer listing:

IndexOptions FancyIndexing

This allows users to click the titles and order the listing by date, file size, etc. You can also control certain parameters such as icon height and width:

IndexOptions FancyIndexing IconHeight=16 IconWidth=16

Save bandwidth

You can enable PHP's built-in transparent zlib compression, but for this you need, of course, to have PHP installed for your Apache web server.

php_value zlib.output_compression 16386

Hide files

By default, every Apache httpd.conf file is configured to ignore .ht files, disallowing access to them because those files contain passwords and other things you don't want everyone to see. Based on those directives, you can set your own for certain files. For instance, if you want to deny access to *.log files, add this to your .htaccess file:

<Files ~ "\.log$">
Order allow,deny
Deny from all
Satisfy All
</Files>

You can also put multiple file extensions into each rule, separating them with a "|". So, if you want to deny access to *.log, *.conf and *.ini files, use something like this:

<Files ~ "\.(log|conf|ini)$">
Order allow,deny
Deny from all
Satisfy All
</Files>

Prevent hot-linking

Nowadays, with so many websites popping up from nowhere, getting original content onto a website is becoming more and more difficult, and there are some webmasters who, rather than coming up with their own content, will steal and use yours. Even worse, some don't even bother to upload the stolen content to their own web servers; they just link to your content. One of the best ways to prevent this is .htaccess. Besides preventing hot-linking to your image files, you can also notify the visitor that the image they are trying to see has been hot-linked from another website without permission. So, create a simple PNG file, write "hot-linking not allowed" or something similar in it, and add this to your .htaccess file:

Options +FollowSymlinks
RewriteEngine On
# only act when a Referer header was sent
RewriteCond %{HTTP_REFERER} !^$
# and it does not point at our own domain
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
# never rewrite the replacement image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/no-hotlink\.png$ [NC]
RewriteRule \.(gif|jpg|png)$ http://www.yourdomain.com/no-hotlink.png [NC]

This checks whether the browser sent a Referer header and whether yourdomain is missing from its domain part; if both hold, it forces a rewrite of the request. The RewriteRule directive instructs mod_rewrite to rewrite all matching requests (any request for an image file whose referrer does not contain yourdomain.com) to the alternate image you previously created and uploaded to your site.
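As an added example (not part of the original article), this Python function emulates the RewriteCond/RewriteRule chain above for a single request, so you can see which combinations of request path and Referer are rewritten; yourdomain.com and no-hotlink.png are the article's placeholders, and the guard against rewriting the replacement image itself is an addition that the original block does not contain.

```python
import re

# Constructed placeholders mirroring the article's block; replace with your own site.
SITE_REFERER_RE = re.compile(r"^http://(www\.)?yourdomain\.com/", re.IGNORECASE)
IMAGE_RE = re.compile(r"\.(gif|jpg|png)$", re.IGNORECASE)
NO_HOTLINK_URL = "http://www.yourdomain.com/no-hotlink.png"


def rewrite(request_path, referer):
    """Emulate the rewrite chain for one request.

    Returns the URL the client is redirected to, or None when the request is
    served unchanged. The conditions are evaluated in the same order as the
    directives in the .htaccess block.
    """
    # RewriteCond %{HTTP_REFERER} !^$ : an empty Referer (direct visit) passes through
    if not referer:
        return None
    # RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
    if SITE_REFERER_RE.match(referer):
        return None
    # Added guard: the replacement image must not be redirected to itself,
    # otherwise the browser's follow-up request matches again and loops.
    if request_path.lower().endswith("/no-hotlink.png"):
        return None
    # RewriteRule \.(gif|jpg|png)$ ... [NC] : only image requests are rewritten
    if not IMAGE_RE.search(request_path):
        return None
    return NO_HOTLINK_URL
```

Because an empty Referer passes through, this is best-effort protection only: clients and proxies that strip the header are let through, so do not rely on it to protect anything sensitive.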

Redirecting

If you ever change significant portions of your site, your visitors will have a hard time finding the new files. There are also many other reasons you might want to redirect visitors to other files. This can be done through an http-equiv meta refresh, JavaScript or other methods, and it can also be done with .htaccess. So, if you want to redirect anyone accessing an old file to a new one, simply add this to your .htaccess file:

Redirect /oldfolder/oldfile.html http://yoursite.com/newdirectory/newfile.html

Also, you can redirect an entire folder by using:

Redirect /olddirectory http://yoursite.com/newdirectory/

These are only a few of the Apache directives you can use with .htaccess; more of them can be found in the Apache documentation.