Apache .htaccess Guide

Published: March 24, 2009 | Author: admin

Set Apache directives for each web directory and file.

If you run a web server, you probably know that directives such as blocking users or preventing hot-linking are set in Apache's httpd.conf and apply to every file and directory the server hosts. What if you want different directives for certain files or directories, without affecting the others? This is where .htaccess comes in. With it, you can protect directories with a password and block certain IPs from reading certain files or folders. Being able to drop an .htaccess file into any directory of your site lets you build a finely tuned tree of server directives: each subdirectory inherits the settings of its parent until you override them by placing its own .htaccess file there. Bear in mind that Apache re-reads every .htaccess file on the path of every request, so anything you can put in httpd.conf is cheaper there; .htaccess is for the cases where you cannot edit the main configuration.

Control access
No entry!
.htaccess is mostly used to restrict or deny access to individual files and folders. If your website has an
‘include’ directory containing site configuration files and passwords, you wouldn’t want users to access those
files directly.
NOTE: Some Apache installations set the AllowOverride directive in httpd.conf to "None", which disables .htaccess files entirely. To enable them, open httpd.conf, find the <Directory> section for your document root (it contains a block like the following), set AllowOverride there and reload Apache. The example uses All, which is the simplest choice; if you can, list only the groups you actually use (for example AuthConfig Limit FileInfo Indexes Options), because anyone who can write into a web directory, say through a file-upload flaw, can then change only those directives:
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be “All”, “None”, or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
So create a plain text file in the 'include' directory (or whichever directory you want to block), name it .htaccess and put these lines in it:
# nobody can access this folder
deny from all
The line starting with # is a comment, there so that you know later what the directive is for; you can leave it out. Apache now answers 403 Forbidden for everything under that directory, subdirectories included, because .htaccess settings are inherited downward. On Apache 2.4 the Order/Allow/Deny family only works while the compatibility module mod_access_compat is loaded; the native equivalent is Require all denied.
No entry outside the LAN!
Where the directive above blocks everyone, the following only lets in certain IPs or IP ranges:
# block everyone from accessing this folder
order deny,allow
deny from all
# except for LAN IPs
allow from 192.168.0.0/24

# and for my home Internet IP
allow from 86.12.34.56
Note the "from" keyword: "allow 192.168.0.0/24" on its own is not a valid directive, and a bad directive in an .htaccess file makes Apache answer 500 Internal Server Error for the whole directory until it is fixed. The order matters too: with order deny,allow the deny rules are evaluated first and the allow rules last, so the two allow lines override deny from all; with order allow,deny the deny would win and nobody could get in. Now whoever requests that directory ('include' in our case) from any other address gets a 403 Forbidden error page in their browser. One caveat: Apache checks the address of the TCP peer, so behind a reverse proxy or load balancer every request appears to come from the proxy and these rules are useless unless mod_remoteip (or an equivalent) restores the real client address first.

Password protect directories
The second most important use for .htaccess is to allow access only to specific users by password protecting folders. A simple authorization mechanism looks like this:
AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/html/.htpasswd
require valid-user
AuthName is the realm shown in the browser's login prompt and AuthUserFile is the file holding the accounts, described below. Basic authentication sends the username and password, merely base64-encoded, with every request, so only use it on pages served over HTTPS; mod_ssl's SSLRequireSSL directive in the same .htaccess makes Apache refuse plain-HTTP requests outright.
You can also use the same mechanism to protect only certain kinds of requests. For example, if you only want valid users to be able to POST to this directory, while anyone may GET, wrap the require line in a <Limit> section:
AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/html/.htpasswd
<Limit POST>
require valid-user
</Limit>
<Limit> applies its contents only to the methods listed, so PUT, DELETE, OPTIONS and any method Apache does not recognise stay open. Unless you really mean to allow that, the safer construct is <LimitExcept GET HEAD>, which protects every method except the ones named.
The new item in that block is the .htpasswd file, which holds the user names allowed into the directory and their password hashes. Create it with the htpasswd utility; the first time, when the file does not exist yet, pass -c so it is created:
# htpasswd -c /var/www/html/.htpasswd alex
The .htpasswd file can live anywhere as long as AuthUserFile and the htpasswd command use the same path, and it is best kept outside the document root altogether so that it can never be fetched by URL. If it has to stay under the document root, as in this example, the default ".ht" rule in httpd.conf (see "Hide files" below) is the only thing between it and the public. To add another user after the file exists, drop -c, or htpasswd will overwrite the file and wipe every existing account. On Apache 2.4 also pass -B so the hashes are bcrypt rather than the old MD5 or crypt() formats, which are quick to crack offline if the file ever leaks.
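As an added example (the editor's, not from the original article), here is the form the POST-only case above usually should take: read-only methods stay anonymous and everything else is authenticated, with the weak <Limit POST> variant left in as a comment for comparison. It assumes the article's /var/www/html/.htpasswd and that mod_ssl is loaded for the SSLRequireSSL line.

```apache
# Added example, not part of the original article.
# Assumes the article's /var/www/html/.htpasswd and a loaded mod_ssl.
AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/html/.htpasswd

# Basic auth only base64-encodes the password: refuse plain-HTTP requests
# so the credentials never cross the wire in the clear.
SSLRequireSSL

# Weak form from the article: only POST is authenticated. PUT, DELETE,
# OPTIONS and any method Apache has never heard of pass anonymously.
#<Limit POST>
#    require valid-user
#</Limit>

# Stronger form: name the methods that may stay anonymous and
# authenticate every other method, known or unknown.
<LimitExcept GET HEAD>
    require valid-user
</LimitExcept>
```

On Apache 2.4 the same policy can be written without Limit sections, as a <RequireAny> block containing Require method GET HEAD and Require valid-user: a GET satisfies the first line and is served, any other method falls through to the password check.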
Allowing directories to be fully browsable
By default, if a directory has no index file, a visitor browsing it gets a 403 Forbidden error ("Directory index forbidden by Options directive" in the error log). To enable listings for a directory without an index file, add this to its .htaccess file:
Options +Indexes +MultiViews +FollowSymlinks
Only do this where every file in the tree is meant to be public: the listing shows backups, editor swap files and anything else left lying around. MultiViews is content negotiation and has nothing to do with listings, and FollowSymlinks lets the server follow symbolic links out of the directory, so drop whichever you do not need. The directive requires AllowOverride Options (or All) in httpd.conf. Moreover, if your server has mod_autoindex loaded (it is the module that produces the listing), you can also get a nicer index:
IndexOptions FancyIndexing

This lets users click the column titles and sort the listing by name, date, size and so on. You can also control parameters such as icon height and width:
IndexOptions FancyIndexing IconHeight=16 IconWidth=16

Save bandwidth
If PHP runs inside Apache as mod_php, you can switch on PHP's transparent zlib compression from .htaccess (php_value is only honoured by mod_php; under PHP-FPM or FastCGI set it in php.ini or a .user.ini file instead):
php_value zlib.output_compression 16386
The number is the output buffer size in bytes; "On" also works. Two caveats: mod_deflate compresses every response, not only PHP's, so it is usually the better place to do this; and compressing a page that mixes a secret (a session or CSRF token) with text the visitor controls, over HTTPS, leaks the secret through the BREACH compression side channel, so leave such pages uncompressed.

Hide files
By default, every Apache httpd.conf is configured to refuse access to files whose names begin with ".ht", since .htaccess and .htpasswd contain passwords and other things you do not want everyone to see. The stock rule is a <FilesMatch "^\.ht"> section around an Order/Deny/Satisfy block, and you can model your own on it. For instance, to deny access to *.log files, add this to your .htaccess file:
<FilesMatch "\.log$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
FilesMatch takes a regular expression, so escape the dot and anchor the pattern with $; an unanchored "log" would also hide catalog.html. You can cover several extensions in one rule by separating them with "|". So, to deny access to *.log, *.conf and *.ini files, use:
<FilesMatch "\.(log|conf|ini)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
Satisfy All means a request must pass both the host-based rules and any password check, and since the rule denies every host, nothing gets through. Remember that this only stops the web server from serving the files; it does nothing against code running on the server that reads them.
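Apache 2.4 replaced Order/Allow/Deny with mod_authz_core's Require directives (the old family still works only through mod_access_compat, and mixing the two in one configuration gives confusing results). As an added example, not from the original article, here are the LAN allowlist from the access-control section and the file-hiding rule above in 2.4 syntax, using the article's sample addresses and extensions:

```apache
# Added example, not part of the original article. Apache 2.4 only;
# addresses and extensions are the article's sample values.

# Whole-directory allowlist. Several "Require" lines at one level are
# combined as RequireAny anyway; the block just makes that explicit.
# To lock the directory completely (the 2.2 "deny from all"), replace the
# whole block with the single line:  Require all denied
<RequireAny>
    Require ip 192.168.0.0/24
    Require ip 86.12.34.56
</RequireAny>

# File-pattern deny, replacing the Order/Deny/Satisfy block. The ".ht"
# alternative repeats the stock httpd.conf protection in case it is missing.
# Anchored and escaped: "\.log$" matches app.log, not catalog.html.
<FilesMatch "\.(log|conf|ini)$|^\.ht">
    Require all denied
</FilesMatch>
```

The <FilesMatch> section's Require replaces the directory-level one for matching files (the default AuthMerging Off), so those files are denied to the LAN too. As with the 2.2 form, Require ip tests the TCP peer address; behind a proxy, configure mod_remoteip first or every client looks like the proxy.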

Prevent hot-linking
With so many websites popping up out of nowhere, original content is getting harder to come by, and some webmasters would rather take yours than write their own. Worse, some do not even bother to copy the files to their own server: they link straight to your images, and you pay for the bandwidth. .htaccess is one of the best tools against this. Besides refusing the hot-linked request, you can tell the visitor that the image was hot-linked from another site without permission: create a simple PNG saying "hot-linking not allowed" or similar, upload it as no-hotlink.png and add this to your .htaccess file:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
RewriteCond %{REQUEST_URI} !/no-hotlink\.png$
RewriteRule \.(gif|jpg|png)$ http://www.yourdomain.com/no-hotlink.png [NC,L]
The rules need mod_rewrite and AllowOverride FileInfo; the Options line is there because mod_rewrite refuses to run in a directory without FollowSymlinks (or SymLinksIfOwnerMatch). Read top to bottom: if the browser sent a Referer header at all (the first condition lets requests without one through, since direct visits, bookmarks, privacy-minded browsers and many proxies send none), and the referring page is not on yourdomain.com, and the file requested is not the replacement image itself, then the RewriteRule sends any request for a gif, jpg or png to the replacement image. The dots in the patterns are escaped so that ".gif" means a literal dot and "yourdomain.com" does not also match "yourdomainXcom". The third condition is not optional: because the substitution is a full URL, mod_rewrite answers with an HTTP redirect, the browser then fetches no-hotlink.png with the same foreign Referer, and without the exemption that request is redirected again, and again, until the browser gives up. Finally, remember that the Referer header is set by the client and trivial to fake with curl, so this stops casual hot-linking and saves bandwidth, but it is not access control.
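If you would rather refuse the request than serve a notice image, an added example (the editor's, not from the original article) of the same check ending in a 403, which also accepts https referrers and avoids the redirect altogether. It assumes the article's placeholder domain yourdomain.com and AllowOverride FileInfo (or All).

```apache
# Added example, not part of the original article. Assumes the article's
# placeholder domain yourdomain.com and AllowOverride FileInfo (or All).
Options +FollowSymlinks
RewriteEngine On

# No Referer at all (direct visits, privacy settings, many proxies): allow.
RewriteCond %{HTTP_REFERER} !^$
# Referer from our own site, http or https, with or without www: allow.
# Dots are escaped and the pattern ends in "/", so
# "http://yourdomain.com.evil.example/" does not count as ours.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
# Anything else asking for an image gets 403 Forbidden. The "-" substitution
# keeps the URL as is, so there is no redirect and nothing that can loop.
RewriteRule \.(gif|jpe?g|png|webp)$ - [F,NC]
```

The F flag implies L, so no later rule in the file sees a blocked request. Test it with curl by sending requests with no Referer, with your own domain, and with a foreign one, and check that only the last gets 403.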
Redirecting

If you ever restructure large parts of your site, visitors (and search engines) will have a hard time finding the moved files, and there are plenty of other reasons to send a visitor from one URL to another. That can be done with a meta refresh, with JavaScript or by other means, and also with .htaccess, where the server answers with an HTTP redirect before any page is loaded. To redirect anyone requesting an old file to a new one, add this to your .htaccess file:
Redirect /oldfolder/oldfile.html http://yoursite.com/newdirectory/newfile.html
You can also redirect an entire folder:
Redirect /olddirectory http://yoursite.com/newdirectory
Redirect belongs to mod_alias (so it needs AllowOverride FileInfo), matches the request path by prefix and appends whatever followed the prefix, so /olddirectory/a/b.html lands on http://yoursite.com/newdirectory/a/b.html. Give both sides a trailing slash or neither; with a slash on the target only, the result contains a double slash. Without a status argument the redirect is a temporary 302; for content that has really moved, write Redirect permanent (a 301) so browsers and search engines update the old address.
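As an added example, not from the original article, the same moves as permanent redirects plus mod_alias's regex form for layouts that are not a plain prefix swap. Paths and host are the article's placeholders; the /old-news and /news paths in the last rule are hypothetical.

```apache
# Added example, not part of the original article; paths and host are the
# article's placeholders, /old-news and /news are hypothetical.

# 301: browsers and search engines replace the old URL for good.
Redirect permanent /oldfolder/oldfile.html http://yoursite.com/newdirectory/newfile.html

# Prefix match, remainder appended:
# /olddirectory/a/b.html -> http://yoursite.com/newdirectory/a/b.html
# Trailing slash on both sides or neither, or you get "newdirectory//a".
Redirect permanent /olddirectory http://yoursite.com/newdirectory

# Regex form: the capture group carries the file name into a new layout
# where the directory name changes but the page names stay the same.
RedirectMatch permanent "^/old-news/(.*)\.html$" "http://yoursite.com/news/$1.html"
```

mod_alias applies Redirect and RedirectMatch in the order they appear, first match wins, so put the more specific rules first when prefixes overlap.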
