Saturday, May 21, 2011

Introduction to .htaccess


A text file called .htaccess can be used to control web server (Apache) behavior for your web site. The other sections of this .htaccess tutorial deal with actual commands (called directives) which can be used.


What are .htaccess files?
.htaccess files are plain text files you can use to make configuration changes to your server. Each line in a .htaccess file is called a directive. Directives are applied to the directory the .htaccess file resides in and any subdirectories within that directory.

Creating A .htaccess File

Creating a .htaccess file may cause you a few problems. Writing the file is easy: you just need to enter the appropriate code into a text editor (like Notepad). You may run into problems with saving the file. Because .htaccess is a strange file name (the file actually has no name but an 8-letter file extension) it may not be accepted on certain systems (e.g. Windows 3.1). With most operating systems, though, all you need to do is to save the file by entering the name as:

".htaccess"

(including the quotes). If this doesn't work, you will need to name it something else (e.g. htaccess.txt) and then upload it to the server. Once you have uploaded the file you can then rename it using an FTP program.

Using .htaccess files

To put a .htaccess file to work, you have to upload it to your server.

Before uploading a .htaccess file, always make sure there isn't one already in the directory you're uploading it into. This can be tricky as many servers are configured to hide files with names that begin with a period. Here's how to set up your FTP client to show .htaccess files.

Once you've checked for an existing .htaccess file, you can upload your file (in ASCII mode) into the directory you want to work with, overwrite the existing .htaccess file, or add the directives from your .htaccess file to the one that's already on your server.

Is .htaccess enabled?


It's unusual, but possible that .htaccess is not enabled on your site. If you are hosting it yourself, it's easy enough to fix; open your httpd.conf in a text editor, and locate this <Directory> section..

Your  DocumentRoot may be different, of course..

# This should be changed to whatever you set DocumentRoot to.
 #
 <Directory "/var/www/htdocs">
 #

..locate the line that reads..
AllowOverride None
..and change it to..
AllowOverride All

Restart Apache. Now .htaccess will work. You can also make this change inside a virtual host, which would normally be preferable.

 If your site is hosted with someone else, check your control panel (Plesk, cPanel, etc.) to see if you can enable it there, and if not, contact your hosting admins. Perhaps they don't allow this, in which case, switch to a better web host.


What can you do with .htaccess?


You can achieve all sorts of things, like:

  •  Make your own error pages.
  •  Protect directories with .htaccess and .htpasswd.
  •  Choose whether or not to use www for your domain.
  •  Make a redirect.
  •  Block IP addresses.
  •  Set your index page.
  •  Avoid directory browsing.
  •  Parse an HTML file as a PHP file.
  •  Avoid hot linking.
  •  Mod-Rewrite.


 If you want to know more about Mod-Rewrite, choosing www for your domain name and avoiding hot linking, you can read this article, made by Stefan van Elsas.


 You can make .htaccess files with your text editor. Just type in the text and save it with no name, just the extension. If you can’t save it like that, save it as .htaccess.txt and upload it to your server. You can then rename it to .htaccess.

Own error pages

You have probably seen this before on an internet site: ERROR 404 – FILE NOT FOUND. You’ll get this error if you go to an internet page that doesn’t exist. If you are a webmaster and don’t want your visitors to see this message, you can make your own error pages or send your visitors to another page, like your index. With this example you send your visitor to the file /error/404.html if a file doesn’t exist.


ErrorDocument 404 /error/404.html

Here’s a list of error codes. You can make a special document for most of them.

400 – Bad Request
401 – Authorization Required
402 – Payment Required
403 – Forbidden
404 – File Not Found
405 – Method Not Allowed
406 – Not Acceptable
407 – Proxy Authentication Required
408 – Request Time-out
409 – Conflict
410 – Gone
411 – Length Required
412 – Precondition Failed
413 – Request Entity Too Large
414 – Request-URI Too Large
415 – Unsupported Media Type
500 – Internal Server Error
501 – Method Not Implemented
502 – Bad Gateway
503 – Service Temporarily Unavailable
504 – Gateway Time-out
505 – HTTP Version Not Supported

Protect directories


If you want a protected directory, you can also use .htaccess. First you need to make a directory on your server. The next thing to do is to make the .htaccess file. If you have DirectAdmin or similar software on your server, you don’t need to make the .htaccess file yourself: with DirectAdmin you can make protected directories without typing any code, except for a username and a password. But if you want to make the file, this is what you need:


AuthUserFile /home/name/pad/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Secret page"
AuthType Basic
# without a Require line Apache never asks for the password
Require valid-user

For a protected directory, you also need an .htpasswd file. The first line of the .htaccess file is the path to this .htpasswd file. In your .htpasswd file, state your username and password separated by a “:”. So something like this:

username:password 

You need to place the .htaccess file in your protected directory, and you can place your .htpasswd file anywhere you want. But the path in .htaccess needs to be correct. If it’s wrong, you can’t log in. This is how it looks in your browser:

[Image: the browser's login dialog]

Make a redirect 


You can send your visitor to another page or directory with .htaccess, for example because a page has moved somewhere else. To do that, you need this code:


Redirect /directory-name (Log in to see the link!)

So if your visitor goes to (Log in to see the link!), he will be redirected to (Log in to see the link!). You can also use some status keywords for this redirect, namely:
  •  Permanent – This is a permanent redirect
  •  Temp – This is a temporary redirect
  •  Seeother – This is for when your page has been replaced
  •  Gone – This is for when your directory/page has been removed

Redirect permanent /directory-name (Log in to see the link!)

Block IP-Addresses

You can block IP addresses with .htaccess, or you can block all addresses and accept only your own. This code shows how to allow everyone and block two addresses.

# Order takes a single argument: no space after the comma
Order allow,deny
Deny from 123.123.123.123
Deny from 234.234.234.234
Allow from all

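And this code shows how to block all IP addresses and allow two others.

# deny,allow: Deny is evaluated first and Allow last, so the two
# addresses below get through while everyone else is refused
Order deny,allow
Deny from all
Allow from 123.123.123.123
Allow from 234.234.234.234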
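
The order named in the Order line decides which of Allow and Deny has the last word, and that is easy to get backwards. The following Python model of that evaluation is an added example, not part of the original post; it handles only "all", full addresses and CIDR ranges, and the outsider address is constructed.

```python
import ipaddress

def access_allowed(order, allow, deny, client_ip):
    """Evaluate Apache 2.2-style Order/Allow/Deny for one client address.

    order is "allow,deny" or "deny,allow"; allow and deny are lists holding
    "all", single addresses or CIDR networks (host names are not handled).
    """
    ip = ipaddress.ip_address(client_ip)

    def matches(rules):
        return any(
            rule == "all" or ip in ipaddress.ip_network(rule, strict=False)
            for rule in rules
        )

    allowed, denied = matches(allow), matches(deny)
    if order == "allow,deny":
        # Allow is evaluated first, Deny second: a Deny match always wins,
        # and a client matching neither list is rejected.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, Allow second: an Allow match always wins,
        # and a client matching neither list is let in.
        return allowed or not denied
    raise ValueError("Order must be 'allow,deny' or 'deny,allow'")

# The two addresses used in the page's examples, plus a constructed outsider.
LISTED = ["123.123.123.123", "234.234.234.234"]
OUTSIDER = "198.51.100.7"

def blocklist(client_ip):
    """Allow everyone, block LISTED."""
    return access_allowed("allow,deny", ["all"], LISTED, client_ip)

def allowlist(order, client_ip):
    """Block everyone, allow LISTED, under the given Order."""
    return access_allowed(order, LISTED, ["all"], client_ip)

if __name__ == "__main__":
    for ip in LISTED + [OUTSIDER]:
        print(ip, "blocklist:", blocklist(ip),
              "allowlist allow,deny:", allowlist("allow,deny", ip),
              "allowlist deny,allow:", allowlist("deny,allow", ip))
```

With "allow,deny" the allow-list variant locks out the two listed addresses as well, because "Deny from all" is evaluated last; only "deny,allow" lets them in.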

HTML file as PHP file 


You can parse an HTML file as a PHP file. Now you will think: “why would you do that?” Well, suppose you have an old website with only HTML files, other websites link to you or Google has indexed your HTML files, and you want to change to PHP files. Then all the HTML files will be gone, and that is bad for Google and your link partners. You can solve this with a redirect, but there’s a better way: you can parse an HTML file as a PHP file. You can do that with this code:

AddType application/x-httpd-php .php .htm .html

This code tells Apache that all the .htm and .html files need to be parsed as PHP. You can test it yourself: make an HTML page with some PHP code inside, add this code to your .htaccess file and look!

Set your standard page in your directory

Not everyone wants an index.php or index.html as the standard page. With .htaccess you can change this. If you want hous.html as the standard page, you can use this code:

DirectoryIndex hous.html

You can also list more files. With this code the server will first try hous.html; if that file doesn’t exist, it will try garage.html.

DirectoryIndex hous.html garage.html

Avoid directory browsing


Directory browsing means that if you don’t have an index page, visitors can see a list of all files. On some servers the default is already that nobody can see that list and the visitor gets a forbidden message. But if that isn’t the default, you can use this simple code.

Options -Indexes

Alternative Index Files 



You may not always want to use index.htm or index.html as your index file for a directory, for example if you are using PHP files in your site, you may want index.php to be the index file for a directory. You are not limited to 'index' files though. Using .htaccess you can set foofoo.blah to be your index file if you want to!

 Alternate index files are entered in a list. The server will work from left to right, checking to see if each file exists; if none of them exist it will display a directory listing (unless, of course, you have turned this off).

 DirectoryIndex index.php index.php3 messagebrd.pl index.html index.htm

Redirection



One of the most useful functions of the .htaccess file is to redirect requests to different files, either on the same server, or on a completely different web site. It can be extremely useful if you change the name of one of your files but allow users to still find it. Another use (which I find very useful) is to redirect to a longer URL, for example in my newsletters I can use a very short URL for my affiliate links. The following can be done to redirect a specific file:

 Redirect /location/from/root/file.ext http://www.othersite.com/new/file/location.xyz

 In the above example, a file in the root directory called oldfile.html would be entered as:

 /oldfile.html

 and a file in the old subdirectory would be entered as:

 /old/oldfile.html

 You can also redirect whole directories of your site using the .htaccess file, for example if you had a directory called olddirectory on your site and you had set up the same files on a new site at: http://www.newsite.com/newdirectory/ you could redirect all the files in that directory without having to specify each one:

 Redirect /olddirectory http://www.newsite.com/newdirectory

 Then, any request to your site below /olddirectory will be redirected to the new site, with the extra information in the URL added on, for example if someone typed in:

 http://www.youroldsite.com/olddirectory/oldfiles/images/image.gif

 They would be redirected to:

 http://www.newsite.com/newdirectory/oldfiles/images/image.gif

 This can prove to be extremely powerful if used correctly.

The .htpasswd File


Password protecting a directory takes a little more work than any of the other .htaccess functions because you must also create a file to contain the usernames and passwords which are allowed to access the site. These should be placed in a file which (by default) should be called .htpasswd. Like the .htaccess file, this is a file with no name and an 8-letter extension. This can be placed anywhere within your website (as the passwords are encrypted) but it is advisable to store it outside the web root so that it is impossible to access it from the web.
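
Both this section and the earlier "Protect directories" section describe the username:password lines of a .htpasswd file. The following Python check is an added example, not part of the original post: it classifies each entry by the prefix of its password field and reports the ones that are not a salted hash. The sample file, user names and hash bodies are constructed, not real credentials.

```python
import base64
import hashlib
import re

def classify(line):
    """Return (user, scheme) for one .htpasswd line, judged by the hash prefix."""
    user, sep, secret = line.strip().partition(":")
    if not sep or not user or not secret:
        return (user or None, "malformed")
    if re.match(r"\$2[aby]\$\d\d\$", secret):
        return (user, "bcrypt")
    if secret.startswith("$apr1$"):
        return (user, "apr1-md5")        # salted, iterated MD5
    if secret.startswith("{SHA}"):
        return (user, "sha1-unsalted")   # one round of SHA-1, no salt
    if secret.startswith("$"):
        return (user, "other-crypt")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", secret):
        return (user, "crypt-des")       # traditional crypt() format
    return (user, "plaintext-or-unknown")

WEAK = {"malformed", "plaintext-or-unknown", "crypt-des", "sha1-unsalted"}

def audit(text):
    """Return [(user, scheme)] for every entry that needs to be re-created."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, scheme = classify(line)
        if scheme in WEAK:
            findings.append((user, scheme))
    return findings

def sha_field(password):
    """Build a {SHA} field; it depends on the password alone (no salt)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed sample file: filler strings stand in for real hash bodies.
SAMPLE = "\n".join([
    "# constructed sample, not real credentials",
    "username:password",
    "alice:$2y$10$" + "A" * 53,
    "bob:$apr1$abcdefgh$" + "B" * 22,
    "carol:" + sha_field("hunter2"),
    "erin:" + sha_field("hunter2"),
    "dave:ab" + "C" * 11,
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme}")
```

carol and erin share a password, so their {SHA} fields are identical; that is what the missing salt means in practice.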

Accessing The Site


When you try to access a site which has been protected by .htaccess your browser will pop up a standard username/password dialog box. If you don't like this, there are certain scripts available which allow you to embed a username/password box in a website to do the authentication. You can also send the username and password (unencrypted) in the URL as follows:

http://username:password@www.website.com/directory/

Get better protection..



The authentication examples above assume that your web server supports "Basic" http authorisation; as far as I know they all do (it's in the Apache core). Trouble is, some browsers aren't sending passwords this way any more; personally I'm looking to php to cover my authorization needs. Basic auth works okay though, even if it isn't actually very secure - your password travels in plain text over the wire, not clever.

 If you have php, and are looking for a more secure login facility, check out pajamas. It's free. If you are looking for a password-protected download facility (and much more, besides), check out my distro machine, also free.

Save bandwidth with .htaccess!


If you pay for your bandwidth, this wee line could save you hard cash..

save me hard cash! and help the internet!

<ifModule mod_php4.c>
  php_value zlib.output_compression 16386
 </ifModule>


All it does is enable PHP's built-in transparent zlib compression. This will halve your bandwidth usage in one stroke, more than that, in fact. Of course it only works with data being output by the PHP module, but if you design your pages with this in mind, you can use php echo statements, or better yet, php "includes" for your plain html output and just compress everything! Remember, if you run phpsuexec, you'll need to put php directives in a local php.ini file, not .htaccess.

Hide and deny files..


Do you remember I mentioned that any file beginning with .ht is invisible? .."almost every web server in the world is configured to ignore them, by default" and that is, of course, because .ht_anything files generally have server directives and passwords and stuff in them, most  servers will have something like this in their main configuration..

Standard setting..

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
 </Files>

which instructs the server to deny access to any file beginning with .ht, effectively protecting our .htaccess and other files. The "." at the start prevents them being displayed in an index, and the .ht prevents them being accessed. This version..

ignore what you want

<Files ~ "^.*\.([Ll][Oo][Gg])">
  Order allow,deny
  Deny from all
  Satisfy All
 </Files>
tells the server to deny access to *.log files. You can insert multiple file types into each rule, separating them with a pipe "|", and you can insert multiple blocks into your .htaccess file, too. I find it convenient to put all the files starting with a dot into one, and the files with denied extensions into another, something like this..

the whole lot
# deny all .htaccess, .DS_Store $hî†é and ._* (resource fork) files
 <Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])">
  Order allow,deny
  Deny from all
  Satisfy All
 </Files>
 # deny access to all .log and .comment files
 <Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
  Order allow,deny
  Deny from all
  Satisfy All
 </Files> 
would cover all ._* resource fork files, .DS_Store files (which the Mac Finder creates all over the place) *.log files, *.comment files and of course, our .ht* files. You can add whatever file types you need to protect from direct access. I think it's clear now why the file is called ".htaccess".
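
The patterns above are not anchored at the end of the file name, which changes what they catch. The following Python check is an added example, not part of the original post: it runs the page's two patterns, plus an end-anchored variant added here for comparison, over constructed file names. It assumes the pattern is searched within the file name alone, without the directory part.

```python
import re

# Patterns copied from the <Files ~ "..."> blocks on this page.
DOTFILES = r"^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])"
LOGS = r"^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])"
# Added variant (not from the page): same extensions, anchored at the end.
LOGS_ANCHORED = r"\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])$"

PATTERNS = {"dotfiles": DOTFILES, "logs": LOGS, "logs-anchored": LOGS_ANCHORED}

def denied(pattern, filename):
    """True if a <Files ~ pattern> block would apply to this file name.

    The pattern is searched, not full-matched, against the bare file name,
    so anything after the matched part is ignored unless the pattern ends in $.
    """
    return re.search(pattern, filename) is not None

def audit(names, patterns=PATTERNS):
    """Map each file name to the labels of the patterns that deny it."""
    return {
        name: [label for label, pat in patterns.items() if denied(pat, name)]
        for name in names
    }

# Constructed sample file names.
SAMPLE = [
    ".htaccess", ".htpasswd", ".DS_Store", "._photo.jpg",
    "error.log", "ERROR.LOG", "post.comment",
    "error.log.1",      # rotated log
    "app.login.php",    # contains ".log" but is not a log file
    "site.logo.png",
    "htpasswd.bak",     # backup copy without the leading dot
    "index.html",
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE).items():
        print(f"{name:15} {', '.join(hits) or 'served'}")
```

The unanchored pattern also refuses app.login.php and site.logo.png, while the anchored one stops covering rotated logs such as error.log.1; neither protects a backup like htpasswd.bak, so such names need their own rule.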

<FilesMatch> 


These days, using <FilesMatch> is preferred over <Files>, mainly because you can use regular expressions in the conditions (very handy) and produce cleaner, more readable code. Here's an example, which I use for my php-generated style sheets..

parse file.css and file.style with the php machine..

# handler for phpsuexec..
 <FilesMatch "\.(css|style)$">
  SetHandler application/x-httpd-php
 </FilesMatch>
Any files with a *.css or *.style extension will now be handled by php, rather than simply served up by Apache. And because you can use regexp, you could do stuff like <FilesMatch "\.s?html$">, which is handy. Any <Files> statements you come across can be advantageously replaced by <FilesMatch> statements. Good to know.

More stuff.. 


At the end of my .htaccess files, there always seems to be a section of "stuff"; miscellaneous commands, mainly php flags and switches; so it seems logical to finish up the page with a wee selection of those..

php flags, switches and other stuff..

# let's enable php (non-cgi, aka. 'module') for EVERYTHING..'
 AddType application/x-httpd-php5 .htm .html .php .blog .comment .inc
 # better yet..
 AddHandler php5-script .php
 # legacy php4 version..'
 AddType application/x-httpd-php .htm .html .php .blog .comment .inc
 # don't even think about setting this to 'on'
php_value register_globals off
 # no session id's in the URL PULEEZE!
 php_value session.use_trans_sid 0
 # should be the same as..
 php_flag session.use_trans_sid off
 # using both should also work fine!
 # php error logs..
 php_flag display_errors off
 php_flag log_errors on
php_value track_errors on
 php_value error_log /home/cor/errors/phperr.log
 # if you like to collect interesting php system shell access and web hack scripts
 # get yourself a SECURE upload facility, and just let the script-kiddies come …
 # in no time you will have a huge selection of fascinating code. If you want folk to
 # also upload zips and stuff, you might want to increase the upload capacities..
 php_value upload_max_filesize 12M
 php_value post_max_size 12M
 # php 5 only, afaik. handy when your server isn't where YOU are.
 php_value date.timezone Europe/Aberdeen
 # actually, Europe/Aberdeen isn't a valid php timezone, so that won't work.
 # I recommend you check the php manual for this function, because many crazy places ARE!



Note: For most of the flags I've tested, you can use on/off and true/false interchangeably, as well as 0/1, also php_value and php_flag can be switched around while things continue to work as expected! I guess, logically, booleans should always be php_flag, and values, php_value; but suffice to say, if some php erm, directive  isn't working, these would all be good things to fiddle with!

 Of course, the php manual explains all. The bottom line is: both will work fine, but if you use the wrong type in .htaccess, say, set a php_flag using php_value, a php ini_get() command, for instance, would return true, even though you had set the value to off, because it reads the off value as a string, which of course evaluates to not-zero, i.e. 1, or "true". If you don't rely on ini_get(), or similar, it's not a problem, though clearly it's better to get it right from the start. By the way, one of the values above is incorrectly set. Did you spot it?

 Most php settings, you can override inside your actual scripts, but I do find it handy to be able to set defaults for a folder, or an entire site, using .htaccess.





Summary 


.htaccess is one of the most useful files a webmaster can use. There is a wide variety of different uses for it which can save time and increase security on your website.


9 comments:

Unknown said...

Thanks for sharing with us.....
It's really helpful for us.

web solutions

It's Dan! said...

You are my HERO!!

veetubes said...

This is a very nice article on htaccess introduction. I like your article.

James said...

Informative and very useful.

PHILWEBSERVICES, INC.

Unknown said...

Very useful, I was wondering a very simple and understandable way for learning about htaccess and finally I found this content. Thanks for sharing your knowledge.

- S
Harrison Scott

Credit consequences of bankruptcy

Unknown said...

Hi..Nice one..Theme are are updates and they are good too..I would surely pick one for my blog in future.


Web Development Company | Web Designing Company

Unknown said...

hi good article,but try to edit my apache web server config using .htaccess file very interesting to do this,thanks for sharing this article....
web development company bangalore|web development company bangalore

kumar said...

It is truly a great and useful piece of information about htaccess. I am satisfied that you just shared this helpful info with us. Thanks a lot for posting individual information and made me more knowledgeable person. I don't have words to describe this blog.I simply want to say that absolutely very good post. Please keep update like this excellent post.
Engineering Colleges, ECE Engineering Colleges in Chennai

Sophie Grace said...

Very interesting post. This is my first time visit here. I found so many interesting stuff in your blog especially its discussion.. thanks for the post! Treat your sims to a day of pampering with the sims 4 cheats spa day. Coming to interesting game on Xbox one
