What is .htaccess for?
When you type an address into your browser, you receive files that the browser displays on your computer. The web server controls which files are shown to you and how they are served. The two most popular servers are IIS and Apache.
Like any program, a web server has certain settings. As an Apache user you may have the rights to change the Apache configuration through its main files, which apply to all users of that server, but on shared hosting you most likely will not. You can, however, change some configuration files that apply only to your site. One of these files is .htaccess.
This is Apache's flexible configuration file. “Flexible” means that as soon as you change something in this file, the changes take effect immediately. With it you can override many directives from the httpd.conf file (the main configuration file of the Apache server, whose settings apply to all users of a given copy of Apache). In cases where you do not have access to the Apache configuration file (shared hosting again), this file will help you.
This file is not accessible to the web user from the browser. If the .htaccess file is located in the root directory of the server, it applies to the entire server, except for those folders where another .htaccess file is located (and except for all folders “below” that folder with the second .htaccess file).
Example:
The structure of your directories on the server is as follows:
|-user
| |-user1
| |-user2
|
|-data
| |-data1
| |-data2
The directories user1 and user2 will be nested under the user directory. If we put a .htaccess file in the www directory, it will automatically apply to user1 and user2 as well.
In the data directory we put another .htaccess file, different from the one in the user directory. The directories data1 and data2 are then governed by the .htaccess file located in data.
Now we put another .htaccess file in the user2 directory, different from the one in the directory 2 levels above (this directory is user). As a result, the settings for user2 will be determined only by the .htaccess file in this directory.
Since most Apache installations are configured to always look for this file in the directory, .htaccess lets you reconfigure the server quickly without stopping it.
.htaccess syntax
Here is the obligatory syntax; failing to follow it leads to server errors:
– paths to files (directories) are specified from the root of the server. Example: /opt/home/www.astanafoto.com/htdocs/config/.htpasswords
– domains are specified with the protocol. Example: Redirect / http://www.site.ua
– the file is named exactly “.htaccess” (a dot followed by htaccess)
– the file must be written in UNIX format. In the FAR shell, press F4 (edit file), then Shift+F2 (select “save as UNIX-text”).
How can I prevent web visitors from reading files in a directory?
Ban all files:
Deny from all
Here all means “everyone”.
Allow access from a certain ip:
# deny,allow: Deny rules are checked first, then Allow rules can override them
order deny,allow
Deny from all
allow from <your ip>
In this case, <your ip> denotes a specific address.
For example:
order deny,allow
Deny from all
allow from 192.126.12.199
Deny access from a certain ip:
order deny,allow
deny from <your ip>
<your ip> is used in the same way as in the example above.
Prohibit a group of files by mask:
<Files ~ "\.(inc|sql|…other extensions…)$">
order allow,deny
Deny from all
</Files>
This determines access to a file by its extension.
For example, banning web visitors from accessing files with the “inc” extension:
<Files ~ "\.(inc)$">
order allow,deny
Deny from all
</Files>
In this example, the Apache web server itself can still access files with these extensions.
A ban on a specific file:
You can ban a specific file by its name and extension.
<Files config.inc.php>
order allow,deny
Deny from all
</Files>
In this example, the config.inc.php file is banned.
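The Order, Allow and Deny directives used above are the Apache 2.2 syntax; Apache 2.4 accepts them only through mod_access_compat and uses Require instead. The following .htaccess is an added example, not part of the original article, that expresses the same kinds of rules so that they work on either version; the IP address and file names are taken from the examples above, and the <IfModule> wrapper is an assumption for hosts where the Apache version is unknown.

```apache
# Added example: one .htaccess that works on Apache 2.4 and 2.2.
# mod_authz_core exists only in 2.4, so its presence selects the syntax.

# 1. Whole directory: everyone except one address may enter.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 192.126.12.199
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from 192.126.12.199
</IfModule>

# 2. Block include and dump files by extension for all visitors.
<FilesMatch "\.(inc|sql)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 3. Let only one address read config.inc.php.
<Files "config.inc.php">
    <IfModule mod_authz_core.c>
        Require ip 192.126.12.199
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 192.126.12.199
    </IfModule>
</Files>
```

In .htaccess the Require directives need AllowOverride AuthConfig, while Order, Allow and Deny need AllowOverride Limit; mixing the old and new directives in the same context is discouraged, which is why each branch uses only one of them.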
Password for the directory:
AuthName "Private zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
require valid-user
The AuthName value will be displayed to the visitor and can be used to explain the authorization request. The AuthUserFile value points to the location where the file with passwords for access to this directory is stored. This file is created by a special utility, htpasswd.exe.
For example, in the directory that we protect with a password, we create this .htaccess:
AuthName "For Registered Users Only"
AuthType Basic
AuthUserFile /pub/site.ua/.htpasswd
require valid-user
In this example, a visitor requesting the directory will see the phrase “For Registered Users Only”; the file with passwords for access must be in the directory /pub/site.ua/ and be called .htpasswd. The directory is specified from the root of the server; if you specify the wrong directory, Apache will not be able to read the .htpasswd file and no one will have access to this directory.
The password is only for 1 file:
Similar to the full directory password, you can put a password on only 1 file.
An example of setting a password on a private.zip file:
<Files private.zip>
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
# without a require line the password is never asked for
require valid-user
</Files>
Password for a group of files:
Similarly, using <Files ~ "\.(inc|sql|…other extensions…)$">, you can set passwords by file mask.
An example of setting a password to access all files with the “sql” extension:
<Files ~ "\.(sql)$">
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
require valid-user
</Files>
Checking access rights
Problem: there is a directory a1 with two subdirectories, a2 and a3, and two levels of users. Group 1 has access only to a1 and a2; group 2 has access to all three directories. Authentication must happen only once, when accessing a1, while the access rights to a2 and a3 are still respected.
The nickname and password are requested only when entering a1; if the user has access to a2, the password is not asked for again. If the user has no access to a3, the “enter password” prompt will pop up.
www.site.ua/a1
www.site.ua/a1/a2
www.site.ua/a1/a3
a1 is shared and at the same time closed; a2 and a3 are only for particular users.
.htaccess file for directory a1:
AuthName "Input password"
AuthType Basic
AuthUserFile "/pub/home/login/htdocs/clousearea/.htpasswd"
<Files *.*>
require valid-user
</Files>
.htaccess file for directory a2:
AuthName "Input password"
AuthType Basic
AuthUserFile "/pub/home/login/htdocs/clousearea/.htpasswd"
<Files *.*>
require user user1 user2 user3
</Files>
.htaccess file for the a3 directory:
AuthName "Input password"
AuthType Basic
AuthUserFile "/pub/home/abv/htdocs/clousearea/.htpasswd"
<Files *.*>
require user user1 user4 user5
</Files>
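The single login works because all three directories announce the same AuthName (realm) and check the same password file, so the browser resends the credentials it already holds. The block below is an added example, not from the original article, that implements the stated problem with group membership instead of per-directory user lists; it assumes Apache with mod_authz_groupfile loaded, and the .htgroup path, the group names and the assignment of users to groups are hypothetical.

```apache
# Added example. Hypothetical group file
# /pub/home/login/htdocs/clousearea/.htgroup with two lines:
#   group1: user1 user2 user3
#   group2: user4 user5

# ---- a1/.htaccess: members of either group may enter
AuthName "Input password"
AuthType Basic
AuthUserFile "/pub/home/login/htdocs/clousearea/.htpasswd"
AuthGroupFile "/pub/home/login/htdocs/clousearea/.htgroup"
Require group group1 group2

# ---- a1/a2/.htaccess: both groups
# The Auth* settings are inherited from a1, so the realm stays the
# same and the browser does not prompt again.
Require group group1 group2

# ---- a1/a3/.htaccess: group 2 only
# A Require line here replaces the one inherited from a1. A group1
# user is authenticated but not authorized, gets a 401 response and
# sees the password prompt again.
Require group group2
```

Adding or removing a user's access then means editing one line of the group file instead of the require lines in several directories.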
How do I redirect a visitor?
Redirect to another url:
To redirect a visitor to http://site.ua, write in .htaccess:
Redirect / http://www.site.ua
Redirect any page of the site to an index file:
RewriteEngine on
RewriteRule !^index\.html$ /index.html
Display different pages, depending on the IP address of the visitor:
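RewriteEngine on
# in .htaccess the pattern is matched without the leading slash, so the site root is ^$
SetEnvIf REMOTE_ADDR <desired ip address> REDIR=redir
RewriteCond %{ENV:REDIR} redir
RewriteRule ^$ /another_page.html
For example, redirecting visitors with ip address 192.12.131.1 to the about_my_sity.html page:
RewriteEngine on
# the address is a regular expression: escape the dots and anchor both ends
SetEnvIf REMOTE_ADDR ^192\.12\.131\.1$ REDIR=redir
RewriteCond %{ENV:REDIR} redir
RewriteRule ^$ /about_my_sity.html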
Redirect the visitor when requesting certain pages:
This one is for all the network viruses and scanners. Any request to the /_vti_bin address will now be automatically redirected to Microsoft:
redirect /_vti_bin http://www.microsoft.com
redirect /scripts http://www.microsoft.com
redirect /MSADC http://www.microsoft.com
redirect /c http://www.microsoft.com
redirect /d http://www.microsoft.com
redirect /_mem_bin http://www.microsoft.com
redirect /msadc http://www.microsoft.com
RedirectMatch (.*)cmd\.exe$ http://www.microsoft.com$1
How do I make a different page my start page?
To change the page that will be displayed when the directory is accessed, write:
DirectoryIndex <the desired page>
You can specify more than one page.
DirectoryIndex index.shtml index.php index.php3 index.html index.htm
How can I get Apache to process SSI directives?
SSI allows you to “assemble” a page from pieces. You have the menu code in one piece, the code for the top of the page in another, and the code for the bottom of the page in a third. And the visitor sees an ordinary page, which consists of the code that is included in your pieces.
This requires the following setting in httpd.conf:
In the block starting with <Directory /> and ending with </Directory>, add Includes to the Options Indexes line.
After that, in the .htaccess file we write:
AddHandler server-parsed .shtml .shtm .html .htm
How do I get Apache to execute php code in html documents?
Sometimes it is useful to “cheat” the visitor by serving php scripts or other files as html files. This is genuinely used to get php scripts indexed by the Rambler search engine. Some people use small tricks, such as giving files extensions that match certain “iconic” names.
RemoveHandler .html .htm
AddType application/x-httpd-php .php .htm .html .phtml
Under high server traffic this can cause slowdowns. Ask the administrator.
For cloudlinux servers, the construct looks like this:
<FilesMatch "\.(php|htm|html)$">
AddHandler application/x-httpd-lsphp .php .htm .html
</FilesMatch>
How do I handle Apache errors myself?
The most interesting and useful Apache errors are 403, 404 and 500.
403 – user not authenticated, access denied (Forbidden).
404 – the requested document (file or directory) was not found.
500 – internal server error (for example, an error in the syntax of the .htaccess file).
In order to display your own error messages to the user on these errors, we write in .htaccess:
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
In this case, when a 404 error occurs, the file errors/404.html will be served to the user.
It is convenient to make your own handler for some errors. In .htaccess we write:
ErrorDocument 403 /errors/error.php?403
ErrorDocument 404 /errors/error.php?404
ErrorDocument 500 /errors/error.php?500
In error.php use $HTTP_SERVER_VARS['REQUEST_URI'] to determine which document caused the error and then process it. If ErrorDocument in .htaccess has the full path (http://site.ua/error.php), then $HTTP_SERVER_VARS['REQUEST_URI'] will contain this file, not the one that caused the error.
Internet Explorer 5.0 does not correctly handle the file called by an error if its size is less than 1 kilobyte. The standard IE 404 page will be called.
How can I disable the display of directory contents if there is no index file?
Suppose you have all the graphics used on your site in the img directory. A visitor can type that directory into the browser address bar and see a list of all your graphic files. Of course, this won’t do you any damage, but you can prevent the visitor from seeing this. In .htaccess we write:
Options -Indexes
Can I specify the default encoding for all documents that the browser receives?
In the early days of the Internet and of browsers, it often happened that the browser could not automatically determine which of the Russian encodings a document was written in, and displayed gibberish. To avoid this, specify that all output pages will be encoded in windows-1251:
AddDefaultCharset windows-1251
Is it possible to specify the encoding of uploaded files?
When a visitor uploads a file to the server, it is possible to recode it. Specify that all received files will be encoded in windows-1251:
CharsetSourceEnc windows-1251
I created a .htaccess file, but the server gives a 500 error – Internal Error
There is a syntax error, or the file is in the wrong format.
See question #2.