NiyasHussain.com

.htaccess (Hypertext Access) is the default name of Apache’s directory-level configuration file. It allows webmasters to customize configuration directives, normally available in the main httpd.conf.

htaccess allows webmasters to do a range of customization to a webservers behaviour in a directory, including password protecting them, denying access, error handlers, redirects and a lot more. htaccess is particularly useful when you don’t have root access to the server. For example, in virtual Web Hosting and ISPs.

Before making any of these configurations, however, the following points need to be kept in mind.

Your webserver Administrator should allow you to make these
changes by using “AllowOverride All” in the main configuration
file(httpd.conf).

You need to make sure that you are not using Microsoft Frontpage
on your website. Frontpage uses htaccess for its own directives.

Changing the .htaccess files to insert new directives “will” break
your website.

Test, Test, Test. Test new htaccess configurations on an empty
directory before making it LIVE.

A .htaccess file controls the directory it is in, plus all subdirectories. However, by placing additional .htaccess files in the subdirectories, this can be overruled. Therefore, if you have an .htaccess file in a subdirectory and another one in a parent directory, the one in the subdirectory will be followed.
Showing error pages

Error handlers are setup so that custom pages can be displayed to users, should they encounter an error on your website. For example, if they should encounter a “Not found” 404 error, they could get directed to a good looking page, rather than the boring default error page.

To achieve this, simply put this little snippet in your .htaccess file.

ErrorDocument 400 /errors/404.html

ErrorDocument 403 /errors/403.html

ErrorDocument 404 /errors/404.html

ErrorDocument 500 /errors/500.html

You can name the pages anything you want, provided it is linked correctly in the .htaccess file.

The most common error pages are

404 - Page not found error400 - Bad Request

403 - Forbidden error

500 - Internal server error

Password protect

Password protecting a web directory can be achieved by putting this little snippet in your .htaccess file in the directory you want to protect.

AuthType Basic

AuthName “Password Required”

AuthUserFile /www/passwords/.htpasswd

In order for the password protect to work, you should create a .htpasswd file. You can create it by doing these steps.

[root@localhost ~]# cd /var/passwords

[root@localhost ~]# htpasswd -c .passwd username

New password:

Re-type new password:

Adding password for user username

[root@localhost ~]# cat .passwd

username:wLU7nnYVpdXO2

[root@localhost ~]#

In order for this to work, your Web administrator should have allowed “AllowOverride AuthConfig” in the server wide httpd.conf.
Denying users by IP or domain

You can deny users based on IP or IP block by putting in this snippet in your .htaccess.

order allow,denydeny from 98.654.321.12

deny from 98.654.322.

allow from all

The second line, specifically denies one IP 98.654.321.12. The third line denies all the IPs starting with 98.654.322. . This is particularly useful if you have seen strange activity on your website by unknown IPs in your access logs.

Some webmasters use this feature to deny whole ISPs or datacenters access, especially if they find credit card fraud or increased attempts from poorly secured servers.

You can also deny by domain name. For example “deny from .madguy.com”, denies all users from www.madguy.com or abc.madguy.com .
Changing the default page

Assume you are using index.php instead of index.html as your main home page. But the webserver is configured to access index.html first. All you need to do is to add this to your .htaccess.

DirectoryIndex index.php index.html

This makes the php file the default file. In case the php file is not around, it will look for the index.html file.
Controlling PHP using htaccess

The good thing about htaccess is that I can use it to control the php variables as well. PHP’s behaviour is controlled a large extent by the /etc/php.ini file. In a server shared by many websites, it may not be possible to change the php.ini file for everyone’s special needs. Thats where the .htaccess file comes in.

For example, if you want to turn the register globals off, simply put this in the .htaccess file

php_flag register_globals Off

In this way, you can override any php.ini variable, by putting such entries in the .htaccess file. Of course, this works only if it is allowed by the administrator.
Redirects

Webmasters use Redirects during maintenance(to redirect from index.html to tempmessage.html) or to redirect from an old file to a new file.

In order to redirect from http://yoursite.com/old/file.html to http://yoursite.com/new/file.html, simply put this line in your .htaccess file.

Redirect /old/file.html http://yoursite.com/new/file.html

The /old is relative to the root of your website. i.e at http://yoursite.com/old.
SSI

In order to allow SSI(Server Side Includes) in one directory, simply include this snippet in the .htaccess file in that directory.

Options +Includes AddType text/html shtml AddHandler server-parsed shtml

If you want to protect /home/username/publlic_html do as follows

cd /home/username/publlic_html
touch .htaccess [if it is already there you can use it no need to create]

Add the following line to the .htaccess file

AuthUserFile /home/username/public_html/.htpasswd
AuthName “Title for Protected Site”
AuthType Basic
Require valid-user

The next stage is creating the .htpasswd file create it in the same directory as .htaccess

cd /home/username/public_html [same place where your .htaccess is]

touch .htpasswd
htpasswd -c .htpasswd test
New password:
Re-type new password:
Adding password for user test

Thats it dont forget to change ownership and permission

For httpd servers
——————

In the webmaster community, “hot linking” is a curse phrase. Also known as “bandwidth stealing” by the angry site owner, it refers to linking directly to non-html objects not on one own’s server, such as images, .js files etc. The victim’s server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its deliverance. The most common practice of hot linking pertains to another site’s images

Using .htaccess, you can disallow hot linking on your server, so those attempting to link to an image or CSS file on your site, for example, is either blocked (failed request, such as a broken image) or served a different content (ie: an image of an angry man) . Note that mod_rewrite needs to be enabled on your server in order for this aspect of .htaccess to work. Inquire your web host regarding this.

With all the pieces in place, here’s how to disable hot linking of certain file types on your site, in the case below, images, JavaScript (js) and CSS (css) files on your site. Simply add the below code to your .htaccess file, and upload the file either to your root directory, or a particular subdirectory to localize the effect to just one section of your site:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

Serving alternate content when hot linking is detected

You can set up your .htaccess file to actually serve up different content when hot linking occurs. This is more commonly done with images, such as serving up an Angry Man image in place of the hot linked one. The code for this is:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/angryman.gif [R,L]

Same deal- replace mydomain.com with your own, plus angryman.gif.

Time to pour a bucket of cold water on hot linking!