OpenSourceVarsity

pdf icons

.htaccess File

What is the .htaccess file and What it does?

Hypertext Access, commonly shortened to .htaccess, is a configuration file which super controls the directory it is placed in and all the subdirectories underneath it.

The .htaccess (do note the period in front of the file name) permits webmasters to control many aspects of their website. Page redirects, page extension changes, password protecting directories and more. Hence, the .htaccess file which is used on Apache based web servers can super control features of Apache.

.htaccess itself is a basic text file (i.e. A pure ASCII file). This can be created on your local machine using your favorite programming editor and then uploaded to the root directory of the virtual domain, under Apache whose contents must be controlled.

How is it created?

The .htaccess file is created by using any text editor and saving an empty file (zero byte file) as .htaccess. Notepad, a commonly used text editor would save the file as .htaccess.txt. Do remember to delete the .txt (or any other file extension) to obtain the .htaccess file. Files can also be renamed via telnet or an ftp program if required.

What is its content?

.htaccess files are very versatile, and can easily contain complex control instructions. This document contains enough information to set simple access restrictions/limits on a directory in your virtual domain.

Where is this placed?

The .htaccess file usually resides in the root (i.e. normally the public_html) directory of your server.

When placed in the public_html directory, the contents of the .htaccess file effects every file / folder in the public_html directory together with all associated subdirectories.

For example public_html/.htaccess would effect files in public_html as well as files in public_html/files/ and public_html/files/morefiles.

You can override the effects of the public_html .htaccess file on a subdirectory, by placing another .htaccess file in that subdirectory.

Since .htaccess file allows us to make changes on a per-directory basis, the following are valid places to put a .htaccess file in:

/.htaccess [placing in root folder of the site]
/content/.htaccess [placing in content folder]
/content/html/images/.htaccess [in the images folder]

Therefore, any command that you place in .htaccess file will affect it’s current directory where it is placed and also it’s sub-directories. You may put a .htaccess file in the root folder such that it will affect the whole site.

What value does the .htaccess file add to a website?

Custom error pages

The most common errors are 404 (Not Found) and 500 (Internal Server Error). Design your custom Web pages for these errors (you are not limited to these errors, you can create an error page for each and every error).

Add the following commands to your .htaccess file

ErrorDocument 404 /404.html

ErrorDocument 500 /500.html

You can name the pages anything you want, and you can place them anywhere you want within your website directory tree.
NOTE: The initial slash in the directory location above represents the root directory of the website.

Enabling SSI

If you want to use SSI, but cannot do so with your current Web host, you can change that with .htaccess file. The following lines tell the webserver that any file named .shtml should be parsed for server side commands…

AddType text/html .shtml

AddHandler server-parsed .shtml

Options Indexes FollowSymLinks Includes

If you do not care about the performance hit of having all .html files parsed for SSI, change the second line to

AddHandler server-parsed .shtml .html

If you’re going to keep SSI pages with the extension of .shtml, and you want to use SSI on your index pages, you need to add the following line to your .htaccess file…

DirectoryIndex index.shtml index.html

This allows a page named index.shtml to be your default page, and if that is not found, index.html is loaded.

Redirects

You can use .htaccess file to redirect any request for a specific page to a completely different page

Redirect /OldDir/old.html http://site.com/NewDir/new.html

Server-side redirects are very useful for shortening affiliate links. Your visitors will not be turned off by long links that are obviously affiliate links. For example, to create a redirect at the URL:
http://YourSite.com/link
to point to the URL:
http://www.MerchantDomain.com/affil.cgi?12345

put this line in your .htaccess file…

Redirect /link http://www.MerchantDomain.com/affil.cgi?12345

Protect your bandwidth – Preventing hot linking of images from your website

“Bandwidth stealing,” also known as “hot linking,” is linking directly to non-html objects on another server, such as images, electronic books etc. The most common practice of hot linking pertains to another site’s images.

To disallow hot linking on your server, create the following .htaccess file and upload it to the folder that contains the images you wish to protect.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www\.)?YourSite\.com/.*$ [NC]

RewriteRule \.(gif|jpg)$ – [F]

Replace “YourSite.com” with your own. The above code causes a broken image to be displayed when it’s hot linked. If you’d like to display an alternate image in place of the hot linked one, replace the last line with…

RewriteRule \.(gif|jpg)$ http://www.YourSite.com/stop.gif [R,L]

Replace “YourSite.com” and stop.gif with real names.

Preventing directory listing

Typically servers are setup to prevent directory listing, but sometimes they are not. If you have a directory full of downloads or images that you do not want people to be able to browse through, add the following line to your .htaccess file

IndexIgnore *

The * matches all files. If, for example, you want to prevent only listing of images, use

IndexIgnore *.gif *.jpg

Or

Allow/Deny Directory Browsing

When directory browsing is on, people accessing a URL from your site with no index page or no pages at all, will see a list of files and folders. To prevent such directory access, just place the following line in your .htaccess file.

IndexIgnore */*

Many hosting companies, by default deny directory browsing and having said that, just in case you need to enable directory browsing, place the following line in your .htaccess file.

Options +Indexes

Redirecting YourSite.com to www.YourSite.com

If search engines find both www and non-www links from other sites to your site, they may treat http://YourSite.com and http://www.YourSite.com as two different websites with the same content. This means that your site can be penalized for duplicate content.

Many experts recommend a 301 redirect (permanent redirect) from YourSite.com to www.YourSite.com.

RewriteEngine On

RewriteCond %{HTTP_HOST} ^YourSite\.com [nc]

RewriteRule (.*) http://www.YourSite.com/$1 [R=301,L]

Replace “YourSite.com” with your real domain name.

Redirect visitors from one page or directory to another

It’s quite simple. Look at the example lines below and place similar lines in your .htaccess file of the root folder and it will do the rest. [Remember to use the permanent keyword in the line to tell the search engines that the old link has moved to the new link]. You can also setup multiple redirects using .htaccess.

Redirect permanent [old directory/file name][space][new directory/file name]

Redirect permanent /olddirectory /newdirectory
Redirect permanent /olddirectory /somedirectory/newdirectory
Redirect permanent /oldhtmlfile.htm /newhtmlfile.htm
Redirect permanent /oldhtmlfile.htm http://your-domain.com/newhtmlfile.htm

All the above lines are valid. Just remember to replace the file/directory names with actual ones.

Prevent access to your .htaccess file (.htaccess security)

To prevent visitors from viewing your .htaccess file, place the following lines in your file. Of course, by default most Apache installations will not show .htaccess file but just in case.

<Files .htaccess>

order allow, deny

deny from all

</Files>

URL Rewriting

  • Rewriting product.php?id=12 to product-12.html

It is a simple redirection in which .php extension is hidden from the browser’s address bar and dynamic URL (containing the ? character) is converted into a static URL.

RewriteEngine on

RewriteRule ^product-([0-9]+)\.html$ product.php?id=$1

  • Rewriting product.php?id=12 to product/ipod-nano/12.html

SEO experts always suggest displaying the main keyword(s) in the URL. In the following URL rewriting technique you can display the name of a product in the URL.

RewriteEngine on

RewriteRule ^product/([a-zA-Z0-9_-]+)/([0-9]+)\.html$ product.php?id=$2

  • Rewriting yoursite.com/user.php?username=xyz to yoursite.com/xyz

If you want to redirect i.e http://yoursite.com/xyz to http://yoursite.com/user.php?username=xyz then you can add the following code to the .htaccess file.

RewriteEngine On

RewriteRule ^([a-zA-Z0-9_-]+)$ user.php?username=$1

RewriteRule ^([a-zA-Z0-9_-]+)/$ user.php?username=$1

  • Redirecting the domain to a new subfolder of inside public_html.

Suppose you have redeveloped your site and all the new development resides inside the folder new inside the public_html folder. Then the new development of the website can be accessed like test.com/new. Now moving these files to the root folder can be a hectic process so you can create the following code inside the .htaccess file and place it under the root folder of the website. As a result, www.test.com points to the files inside the folder new.

RewriteEngine On

RewriteCond %{HTTP_HOST} ^test\.com$ [OR]

RewriteCond %{HTTP_HOST} ^www\.test\.com$

RewriteCond %{REQUEST_URI} !^/new/

RewriteRule (.*) /new/$1

Custom error document

One quick and simple method is to specify the text in the directive itself, you can even use HTML (though there is probably a limit to how much HTML you can squeeze onto one line). Remember, for Apache 1; begin with a , but DO NOT end with one. For Apache 2, you can put a second quote at the end, as normal.

# quick custom error “document”..

ErrorDocument 404

<html>
<head>
	<title>NO!</title>
</head>
<body>
	<h2>There is nothing here.. go away quickly!</h2>
</body>
</html

Using a custom error document is a Very Good Idea, and will give you a second chance at your almost-lost visitors.

<FilesMatch>

These days, using <FilesMatch> is preferred over <Files>, mainly because you can use regular expression in the conditions (very handy), produce clean, more readable code. Here’s an example. which I use for my php-generated style sheets..

parse file.css and file.style with the php machine..

# handler for phpsuexec..

<FilesMatch “\.(css|style)$”>

SetHandler application/x-httpd-php

</FilesMatch>

Any files with a *.css or *.style extension will now be handled by php, rather than simply served up by Apache. And because you can use regexp, you could do stuff like <FilesMatch “\.s?html$”>, which is handy. Any <Files> statements you come across can be advantageously replaced by <FilesMatch> statements.

Allow access from a certain IP address:

order allow deny

deny from all

allow from <your_IP>

In this case, <your_IP> stands for a specific address. For example:

order allow deny

deny from all

allow from 192.126.12.199

Forbid access from a certain IP address:

order allow deny

deny from all

deny from <your_IP>

Forbidding a group of files by mask:

<Files ~ “\.(inc|sql|…other_extensions…)$”>

order allow,deny

deny from all

</Files>

Defines access to a file by its extension. For example, forbidding web visitors to access files with the “inc” extension:

<Files ~ “\.(inc)$”>

order allow,deny

deny from all

</Files>

In this example the Apache server can access files with this extension.

Forbidding a particular file:

You can forbid a particular file using its name and extension.

<Files config.inc.php>

order allow,deny

deny from all

</Files>

This example forbids the file config.inc.php to be accessed.

How to enable .htaccess?

It’s unusual, but possible that .htaccess is not enabled on your site. If you are hosting it yourself, it’s easy enough to fix; open your httpd.conf in a text editor, and locate this <Directory> section.

Your DocumentRoot may be different..

# This should be changed to whatever you set DocumentRoot to.

#

<Directory “/var/www/htdocs”>

#

locate the line that reads

AllowOverride None

and change it to

AllowOverride All

Restart Apache. Now .htaccess will work. You can also make this change inside a virtual host, which would normally be preferable.

April 15, 2016
Design by Ivan Bayross and Meher Bala © 2017 All Rights Reserved
X